Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: exspes@gdr.bath.ac.uk (P E Smee)
Newsgroups: comp.virus
Subject: Re: Shrink-Wrapped Software
Message-ID: <0008.9001161848.AA10905@ge.sei.cmu.edu>
Date: 16 Jan 90 11:17:59 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

In article <0013.9001151235.AA07390@ge.sei.cmu.edu> WHMurray@DOCKMASTER.ARPA writes:
>Vendors can help by using labelled shrink-wrap. To the extent that
>users come to expect such labelling, the re-wrap strategy becomes less
>effective and efficient for the retailer. Users can protect themselves
>and discourage this risky practice by refusing to deal with retailers
>that offer them the right to return.

Two points here: The first is (far as I know) unique to the UK. We
virtually never SEE shrink-wraps. The reason is that (allegedly to
prevent theft) the software shops display only the empty boxes on their
shelves. The contents are removed to be stored behind the counter, and
are replaced in the box when you buy the software. (Yes, it
occasionally causes problems. My copy of Dungeon Master turned out to
include a Falcon registration card. Sigh.) For big-selling software
(read, popular games) they will probably also have some unopened boxes
behind the counter; but for more serious stuff, the opened copy is
probably the only one they've got. And, you can't just take your
business elsewhere, because they all do this. (Records, prerecorded
cassettes, CD's, and videotapes are all also marketed this way.)

Second problem is more general, in that you are also thereby more or
less guaranteeing that the retailer will not be willing to demo a
package to you before you buy it. For a lot of packages, particularly
the serious (and expensive) ones, you can't really tell from the
manufacturers' puff whether the product will do what you need -- or,
indeed, anything useful at all. Again, for popular products this might
be eased, but for things with a limited market -- well, the dealer is
hardly going to invest in a separate demo copy of something which only
sells a copy a month or so.

What's really needed is some way that the maker can include, separate
from the disk, some form of 'signature' which can be used with a
publicly available verification program, so that you could scan the
disk with the verifier, and compare the output with the provided
signature. Akin to a checksum, but sufficiently complex that any
change to the disk would be detected. (There's a thesis topic for the
next 10 years' worth of Masters candidates. :-) The problem should be
easier than the corresponding ideas for protecting 'user' disks, as
there should be no reason for a distribution disk to EVER change once
it has left the maker's hands.

--
Paul Smee, Univ of Bristol Comp Centre, Bristol BS8 1TW, Tel +44 272 303132
Smee@bristol.ac.uk :-) (..!uunet!ukc!gdr.bath.ac.uk!exspes if you MUST)
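Added example, not part of the original post: a sketch of the "verifier" idea in its last paragraph, showing a plain additive checksum missing a compensated change that a SHA-256 digest of the disk image catches. The function names, the 512-byte sector size and the two-sector sample images are constructed for illustration, and the sketch assumes the published digest reaches the buyer by a route the person who altered the disk cannot also alter.

```python
import hashlib
import hmac

SECTOR = 512  # assumed sector size for the constructed sample images


def additive_checksum(image: bytes) -> int:
    """16-bit sum of all bytes: a simple checksum of the kind the post calls insufficient."""
    return sum(image) & 0xFFFF


def disk_digest(image: bytes) -> str:
    """SHA-256 over the whole image, fed sector by sector as a disk scanner would read it."""
    h = hashlib.sha256()
    for off in range(0, len(image), SECTOR):
        h.update(image[off:off + SECTOR])
    return h.hexdigest()


def verify(image: bytes, published_digest: str) -> bool:
    """Compare the scanned digest with the value supplied separately from the disk."""
    expected = published_digest.strip().lower()
    return hmac.compare_digest(disk_digest(image), expected)


def build_sample_images():
    """Constructed data: a two-sector 'master' and a copy with a compensated change."""
    master = bytearray(b"BOOT" + bytes(SECTOR - 4) + b"PROGRAM v1.0" + bytes(SECTOR - 12))
    tampered = bytearray(master)
    tampered[0] += 1  # 'B' -> 'C'
    tampered[1] -= 1  # 'O' -> 'N', so the byte sum is unchanged
    return bytes(master), bytes(tampered)


if __name__ == "__main__":
    master, tampered = build_sample_images()
    published = disk_digest(master)  # the value the maker would ship apart from the disk
    print("checksum master/tampered:", additive_checksum(master), additive_checksum(tampered))
    print("verify master  :", verify(master, published))
    print("verify tampered:", verify(tampered, published))
```

A bare digest only proves the disk matches the published value; binding that value to the maker would need a public-key signature over it, which this sketch leaves out.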