Viruses Revealed: The Economics of Authoring

"Viruses Revealed", which I wrote with Robert Slade and Urs Gattiker, isn't exactly my latest book. In fact, it was published by Osborne in 2001, and has been out of print for several years. Still, I have some fond memories of it: for a start, it was my first book in the security arena as one of the main authors. While the book was well-received at its time not much attention has been paid to it recently, so it was a pleasant  surprise to see a very positive recent review here.

(I'm not sure I did ever thank Paul Baccas for a nice review in Virus Bulletin: if not, thanks, Paul! Perhaps I should also thank Rob for his own review, which if nothing else proves conclusively that Canadians are not always as dour and prosaic as you might think.)

Canadian flights of fancy aside, why am I telling you about a review of a book that's out of print, and from which I expect to derive little or no income in the near future? Well, I appreciate readiing that it's a "hype-free, no-nonsense book", since that's exactly what it was intended to be, not to mention what I want my work here to be. :)

However, that blog also makes a point that I think is particularly worth discussing here.

"If there is one negative thing about the book, is its age, exemplified by the following quote: Some vendors claim to receive reports of as many as 20 new viruses a week."

He quite rightly points out that the number of malware variants (depending on your definition of a variant) seen in a day nowadays is in the thousands: in fact, our lab routinely sees something in the order of 100,000 or more unique samples (not variants!) in a day. Well, of course, there are issues that we'd address quite differently if we were writing the book now:

• We wouldn't spend much time talking about MS-DOS, except in a historical context, and we'd talk a great deal more about later Windows versions (and Linux, and OS X)
• We wouldn't be talking nearly so much about viruses, and a lot more about things that barely rated a mention in 2000/2001 like backdoor Trojans and botnets.
• We'd be talking at much more length about convergence: not only in terms of malware, but also the increasing blurring of boundaries between spam, scam, malware and other kinds of attack, from social engineering to hardhat hacking.
• We'd be talking about the after-effects of the change from hobbyist virus-writers to professional criminals using bots, Trojans, fake security software and so on.

The blog recognizes this: "Of course there is nothing the authors could have done at the time of the writing to avoid this issue, but it would be really nice if an updated edition would to appear (either free or for pay – this book is definitely worth its money!)."

Well, thank you again for that recommendation. Unfortunately, Osborne had no interest in doing a second edition (or a "Malware Revealed"), and nor did our agent manage to excite much interest in it from other publishers. (It's usually hard to convince a mainstream publisher that there's any money in a book about computer malware, and I count myself lucky that I've actually managed to be a main author on two, and to have contributed malware-related content to a number of others.) Lucky, but not rich. There isn't, in fact, much money to be made of writing security books, and it's probably only because of the hefty prices of most such books that make them a viable market for some publishers.

"How do you make a million dollars out of writing about security?"
"Start with two million...."

Anyway, we now own the rights to Viruses Revealed, despite the fact that Google and a certain vx (virus exchange) site seem to think they're entitled to do what they like with it. Google are currently dealing with a class action that (if I understand it rightl) looks likely to result in their being able to scan and charge for an out-of-print book unless the owner of the copyright actively objects. The vx site, having no doubt decided that spending many moons on writing the thing doesn't entitle us to making any money out of it, has scanned the whole thing and put it on their web site. (That's not news, by the way: I first noticed it years ago, when I took an interest in the fact that pirated PDF versions of some of my other books were freely available through other channels: for all I know, it's been there since the book was first published.)

I'm not going to give you the URL for that site: partly because it is a vx site, and I can't vouch for the safety of every page to which it links, partly because it isn't really appropriate for a security vendor to give links to a vx site, but mostly because it really irritates me that some oik with an unhealthy interest in replicative malware should consider himself entitled to decide whether and when we should give the fruits of our labour away, even though at the the time we were actually considering giving it away oursleves  via Project Gutenberg or something similar. Perhaps we should still do something like that. Personally, I'd rather make individual chapters available, which would give us the opportunity to do some minimal updating. Unfortunately, doing the sort of major update that would be really useful probably isn't going to happen unless there's some funding forthcoming. We've both done a fair amount of pro bono work (Rob especially) but it's nice to eat occasionally...

Still, ESET does publish links to useful resources: if one of us does find time to put some of this content somewhere less contentious, we'll certainly let you know. But first of all, there's this other 2nd edition project I have to think about....

David Harley
Director of Malware Intelligence