Feb 18 1991

It’s shareware, not virusware

No Gravatar

[Originally © 1991 Rob Rosenberger; transferred copyright on 11 Nov 91 to IDG Communications, Inc., 375 Chochituate Road, Framingham MA 01701. Reprinted with permission of Computerworld. Originally appeared in Computerworld, 18 Feb 91 issue.]

Shareware gets a bum rap. Pick up any major newspaper or magazine and you’ll find experts mentioning an epidemic of viruses in shareware programs. “Use only retail software,” they warn. Many companies and federal agencies take this advice and ban shareware, ignoring the fact at least 52 companies have spread viruses in tens of thousands of copies of shrinkwrapped retail packages.

Originally appeared in Com­pu­ter­world, 18 Feb 91 issue.

Many stores today accept returns on opened packages, presenting the threat of viruses in re-shrinkwrapped software. An Egghead outlet recently gave $750 to a man infected after store employees put a returned product back on the shelf. Egghead claims it has since “clarified” its policy on software returns, but they don’t have a monopoly on computer stores.

COMDEX and PC EXPO trade shows have problems with viruses spread by people manning the booths. Microcom, the company behind Virex and Virex-PC, scored a publicity coup last year by sending people to inspect computers at PC EXPO. They wound up cleansing dozens of infected systems at no charge. Microcom vice president Robert Capon says this parallels his experience at every major convention since 1988: “we’ve bailed out more companies attending trade shows than you could imagine.”

Compare this to the shareware industry’s record of spreading viruses. 1990 saw shareware’s first recorded case of infected master disks. The author shipped four infected floppies; all four recipients detected it on their own and returned or destroyed them. This occurred fully two years after the first of many similar events involving retail master disks.

Why does shareware have such a fantastic track record compared to the retail industry? The answer lies in bulletin boards and disk vendors, the two major distribution channels for shareware today. Most people who obtain programs this way constantly look over their shoulders, reducing the chance a virus will get into the system.

Disk vendors serve as a clearing house for good shareware. They usually get programs direct from the authors and scan for viruses before offering it to customers. Retail stores can’t check the disks they sell without breaking a shrinkwrap seal in the process.

Bulletin board operators, known as “sysops,” have dealt successfully with the threat of malicious software for over a decade. Even so, most BBS users double-check the sysop by running virus detection programs on every piece of software they download.

Virus expert Rich Levin has watched the shareware industry since the early 1980s and claims “people who use bulletin boards and shareware usually practice better virus safety measures.” Indeed, in 1987 the BBS community received the first IBM PC software written specifically to stop infections — at a time when Peter Norton still dismissed viruses as an “urban legend.” (Norton now sells antivirus software.)

The next time you go to a computer store, remember this: most of the antivirus software they sell either started out as shareware or use techniques developed for the BBS community. Microcom, for example, proudly admits its Virex-PC program came from the mind of a shareware author.

Why the bum rap?

If we have so many horror stories in retail software and so few in shareware, why does shareware get a bum rap?

  • It seems so plausible. You can get a virus if you share software. Shareware thrives on people who share software. Bulletin boards carry a lot of shareware. Therefore people assume they account for a large number of infections.
  • Experts label their assumptions as fact. Reporters talk to computer security consultants to get the information (and quotes) they need for a story, yet a survey by Empirical Research Systems shows almost half of these experts formed their opinions on viruses just by reading newspapers. This means the non-computer press literally feeds consultants information, which they regurgitate for other reporters who write more stories, which other consultants read… This same poll concluded by estimating only 1/3 of computer security experts have an adequate knowledge of the virus threat.
  • Retail stores tell it to customers. Software stores make money from retail software. If a customer expresses concerns about paying so much for a retail program, a store employee can shrug his shoulders, point to any number of experts, and say “we don’t sell viruses.”

Does this mean Corporate America will suddenly greet shareware with open arms? No. Many companies need to control incoming software so they can standardize on specific packages and deter software piracy. In these cases, a wise supervisor will restrict the trial use of shareware without slapping a complete ban on it.

People must conquer their irrational fears before they can confront the real virus threat. Ignorance thrives on hysteria, and hysteria has blamed shareware for spreading the majority of viruses.