Viruses Revealed: The Economics of Authoring

"Viruses Revealed", which I wrote with Robert Slade and Urs Gattiker, isn’t exactly my latest book. In fact, it was published by Osborne in 2001, and has been out of print for several years. Still, I have some fond memories of it: for a start, it was my first book in the security arena as one of the main authors. While the book was well-received at its time not much attention has been paid to it recently, so it was a pleasant  surprise to see a very positive recent review here.

(I’m not sure I did ever thank Paul Baccas for a nice review in Virus Bulletin: if not, thanks, Paul! Perhaps I should also thank Rob for his own review, which if nothing else proves conclusively that Canadians are not always as dour and prosaic as you might think.) 

Canadian flights of fancy aside, why am I telling you about a review of a book that’s out of print, and from which I expect to derive little or no income in the near future? Well, I appreciate readiing that it’s a "hype-free, no-nonsense book", since that’s exactly what it was intended to be, not to mention what I want my work here to be. :)

However, that blog also makes a point that I think is particularly worth discussing here.

"If there is one negative thing about the book, is its age, exemplified by the following quote: Some vendors claim to receive reports of as many as 20 new viruses a week."

He quite rightly points out that the number of malware variants (depending on your definition of a variant) seen in a day nowadays is in the thousands: in fact, our lab routinely sees something in the order of 100,000 or more unique samples (not variants!) in a day. Well, of course, there are issues that we’d address quite differently if we were writing the book now:

  • We wouldn’t spend much time talking about MS-DOS, except in a historical context, and we’d talk a great deal more about later Windows versions (and Linux, and OS X)
  • We wouldn’t be talking nearly so much about viruses, and a lot more about things that barely rated a mention in 2000/2001 like backdoor Trojans and botnets.
  • We’d be talking at much more length about convergence: not only in terms of malware, but also the increasing blurring of boundaries between spam, scam, malware and other kinds of attack, from social engineering to hardhat hacking.
  • We’d be talking about the after-effects of the change from hobbyist virus-writers to professional criminals using bots, Trojans, fake security software and so on.

The blog recognizes this: "Of course there is nothing the authors could have done at the time of the writing to avoid this issue, but it would be really nice if an updated edition would to appear (either free or for pay – this book is definitely worth its money!)."

Well, thank you again for that recommendation. Unfortunately, Osborne had no interest in doing a second edition (or a "Malware Revealed"), and nor did our agent manage to excite much interest in it from other publishers. (It’s usually hard to convince a mainstream publisher that there’s any money in a book about computer malware, and I count myself lucky that I’ve actually managed to be a main author on two, and to have contributed malware-related content to a number of others.) Lucky, but not rich. There isn’t, in fact, much money to be made of writing security books, and it’s probably only because of the hefty prices of most such books that make them a viable market for some publishers.

"How do you make a million dollars out of writing about security?"
"Start with two million…."

Anyway, we now own the rights to Viruses Revealed, despite the fact that Google and a certain vx (virus exchange) site seem to think they’re entitled to do what they like with it. Google are currently dealing with a class action that (if I understand it rightl) looks likely to result in their being able to scan and charge for an out-of-print book unless the owner of the copyright actively objects. The vx site, having no doubt decided that spending many moons on writing the thing doesn’t entitle us to making any money out of it, has scanned the whole thing and put it on their web site. (That’s not news, by the way: I first noticed it years ago, when I took an interest in the fact that pirated PDF versions of some of my other books were freely available through other channels: for all I know, it’s been there since the book was first published.)

I’m not going to give you the URL for that site: partly because it is a vx site, and I can’t vouch for the safety of every page to which it links, partly because it isn’t really appropriate for a security vendor to give links to a vx site, but mostly because it really irritates me that some oik with an unhealthy interest in replicative malware should consider himself entitled to decide whether and when we should give the fruits of our labour away, even though at the the time we were actually considering giving it away oursleves  via Project Gutenberg or something similar. Perhaps we should still do something like that. Personally, I’d rather make individual chapters available, which would give us the opportunity to do some minimal updating. Unfortunately, doing the sort of major update that would be really useful probably isn’t going to happen unless there’s some funding forthcoming. We’ve both done a fair amount of pro bono work (Rob especially) but it’s nice to eat occasionally…

Still, ESET does publish links to useful resources: if one of us does find time to put some of this content somewhere less contentious, we’ll certainly let you know. But first of all, there’s this other 2nd edition project I have to think about….

Director of Malware Intelligence


ESET Threatblog (TinyURL with preview enabled):
ESET Threatblog notifications on Twitter:
ESET White Papers Page:

Securing Our eCity community initiative:

Author David Harley, ESET

  • well i for one would like to see the it available on line on a non-vx site.

    i understand the desire to update it, but that will take time and energy and who knows when the updated version will be complete (technically, perhaps the answer is never, since things are always a little obsolete by the time we commit them to the written word). i say this not as a critic, by the way, but as someone who himself has content out there that has needed updating for quite sometime and it just never seems to get done.

    putting the original online would likely require fare less work or time and might well serve as a stop-gap while a 2nd edition is being worked on.

    oh, and thank you for *not* directly contributing to the page rank of a vx site. i wish more people would make that choice..

    • Thanks, Kurt.

      We don’t actually have the full original PDF version to make available, and don’t own it in that form. (It’s the content we own.)

      You’re quite right, of course: the book was slightly out-of-date before it hit the shelves, and some of the content wouldn’t be worth making available now without huge updates. The resources chapter, for instance. And the chances of a full scale update are slim.

      I like the idea of making some of it available though, even if it means republishing chapters with caveats like “not updated since 2001”. Rob and I will have to discuss how best to do it.

      And you’re right (again), I would feel very uncomfortable raising a vx site’s page rank, even if I was sure the content I was pointing to was harmless.

Follow us

Copyright © 2017 ESET, All Rights Reserved.