Samsung Keylogger Stories a False Alarm

Trailrunner7 writes "The panic that arose yesterday about Samsung allegedly shipping laptops that contained a pre-installed keylogger turns out to have been a complete mistake after further investigation by security researchers and the company itself. In fact, the controversy was the result of a false positive from one commercial antimalware suite and nothing else. Several outlets reported on Wednesday that Samsung laptops had been found to contain a keylogger known as StarLogger right out of the box from the factory. However, upon closer inspection by security companies, the folder on the laptops that supposedly contained the malware was actually a directory that is part of Windows' multi-language support."

epic FAIL

[pasv]

We believed someone who used a 3rd rate antivirus and didnt verify with a kernel debugger? FAIL on all our parts especially the "security researcher" who so thoroughly researched this one

Re:epic FAIL

We believed someone who used a 3rd rate antivirus and didnt verify with a kernel debugger? FAIL on all our parts especially the "security researcher" who so thoroughly researched this one

You wouldn't even need a kernel debugger. I think just a basic examination of the binary itself, and maybe some network traffic capturing would have ruled this "malware" detection out as a false positive.

Re:epic FAIL

[Whalou]

If you consider this an epic fail on the part of security experts, the HBGary incident must be a legen...

wait for it

...dary fail.

Re:epic FAIL

There was no security researcher who thoroughly researched it. It was some random stupid ass blogger. And someone posted it to Slashdot and it got promoted to the front page because it was inflammatory and would get lots of hits.

This is the future of news; random dilhole bloggers will post the news because nobody is willing to pay for "real" (although maybe biased) reporting.

Re:epic FAIL

[Mascot]

From what I read, it wasn't even question of a binary. The mere presence of a _folder_ with the offending name triggered the AV. That AV's gotto be the new benchmark as far as being crappy goes.

Re:epic FAIL

[cf18]

Indeed.

- an antivirus software that rise alarm base on a two letter directory name inside \Windows , even when it is empty.

- a "security researcher" that take the alarm at face value and never check if is actually there, check if the process run, what kind of content it was logging and where it is sending them.

- a low level support manager confirm the software's existence, probably thinking about the fan speed and temperature monitoring software.

Re:epic FAIL

[pasv]

Sure you could do binary analysis and network traffic capturing but both of these things can be veiled in obscurity. Binary analysis is often extremely time consuming (especially if the author of said (spy|mal)ware is using anti-debugging tricks and self encryption which prevents normal strings from being extracted). As for the network monitoring it's possible to use stenography to pipe out information in things as obscure as DNS requests and outgoing TCP headers. But there is nothing that says keylogger quite like a hook seen from a kernel debugger. Gotta go to the source. Can't say this StarKeylogger would employ any of these techniques tho. I'm feeling just as lazy as the person who pointed said keylogger out in the first place.

Re:epic FAIL

[maxume]

All of us? What about the people independent of Samsung that researched it further and provided some evidence that it wasn't true?

My initial reaction was more along the lines of "That sounds unlikely" than "Burn them!".

Re:epic FAIL

[19thNervousBreakdown]

Heh I remember reading the line where he said that it definitely wasn't a false positive because it had never had one before, and going .... "what? Well, the part where he captures the network information or at the very least sees the log files on his disk somewhere must be coming soon." Nope! Just another credulous fool. By the end I was wondering how the hell he could claim that Samsung was logging every keystroke, when even if it was installed, in all likelihood Starlogger can be configured to do a number of different things.

The part about it being "completely undetectable" gave me a chuckle too. That's not something you should say without some sort of qualifier, but he just kept on going about how bad-ass his investigation was.

The main thing is though, no real evidence has been given either way (although given the ease of verifying his claim, the fact that it's an accusation, and its extraordinary nature, the burden of proof should clearly go on the accuser's shoulders) so either vilifying or exonerating Samsung is silly at this point. Besides, what did they think they were admitting to? Apparently there is some sort of information-gathering going on, and any at all without clear prior notice to the user and the user's acceptance is ... unacceptable.

Re:epic FAIL

[John+Saffran]

Not to blow my own horn, but there were some of us who were sceptical of the story until it was proven by independent sources (http://slashdot.org/comments.pl?sid=2061772&cid=35673170).

Basically the qualifications of the author aren't technical and he's commenting on a technical topic and the story was lacking on details so such a big claim couldn't (and shouldn't) be taken at face value without independent validation.

In this case the independent validation seems to very strongly refute the claim, which is unfortunate for the author's reputation .. I hope he's learned a lesson from this, nobody needs security people talking about things they don't understand.

Re:epic FAIL

[BlueKitties]

It's not an EPIC FAIL, it's marketing at its finest. I've never heard of VIPRE until this morning when I saw the news. Honestly, I wouldn't be surprised if they made it all up just to get attention. If not, that's probably the most profitable false positive in history (save me the medical diagnosis puns...)

Re:epic FAIL

[LordLimecat]

FAIL on the part of everyone who blindly believes some slashdot story that doesnt name the supervisor, or any details of methodology, or any details beyond the finders name.

I mean seriously, do people really take all slashdot stories at face value?

Re:epic FAIL

I mean seriously, do people really take all slashdot stories at face value?

I don't know. I've never read TFAs.

Re:epic FAIL

[omnichad]

The folder being empty could simply mean rootkit, though it would be a terrible fail of a rootkit not to hide the folder itself. The fact that the folder is actually a standard part of Windows is the worst fact.

Re:epic FAIL

[recoiledsnake]

First line of the article:

Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix

Then a whole lot of fluff about the Sony root kit fiasco.

The money quote:

The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

That seems to be some very concrete proof.

Then some ramblings about how a class action lawsuit will come out of this. I too smell a lawsuit but not against Samsung.

Re:epic FAIL

[jdgeorge]

Apparently there is some sort of information-gathering going on, and any at all without clear prior notice to the user and the user's acceptance is ... unacceptable.

That's copmletely unsubstantiated.

Re:epic FAIL

[countertrolling]

How does a kernel debugger(de-bugger, interesting concept) detect hardware keyloggers on a chip?

Re:epic FAIL

[molnarcs]

We believed someone who used a 3rd rate antivirus and didnt verify with a kernel debugger? FAIL on all our parts especially the "security researcher" who so thoroughly researched this one

Agreed, though I'm quite happy with the results of this FAIL - it showed what would happen if indeed, Samsung installed a keylogger. Sooner or later a company would have decided this to be a good idea. So it's kind of nice to have this small shitstorm without actual damage. The linked article uses such strong wordings as "the panic that arose yesterday" ... good! Companies should be reminded from time to time how sensitive this issue is...

Re:epic FAIL

[ifrag]

It could have been worse, they could have scanned it with McAfee and rendered the machine unable to boot.

Re:epic FAIL

[19thNervousBreakdown]

Yeah, that wasn't worded great, it sounds like too strong of a suspicion. By "apparently" I meant "it appears that", which is not the same as "it is certain". The admission was from a Samsung tech, according to the person who posted the unsubstantiated accusation in the first place. That part of his claim I don't doubt, but who knows what the tech thought he was referring to. It is odd enough that I think it bears looking into though, especially if you are or plan on being one of their customers. They wouldn't be the first to accidentally admit to something when they were being accused of something else.

Re:epic FAIL

[deapbluesea]

Basically the qualifications of the author aren't technical and he's commenting on a technical topic and the story was lacking on details so such a big claim couldn't (and shouldn't) be taken at face value without independent validation.

Congratulations, you've just described 99% of /. posters

Re:epic FAIL

[Nevo]

It wouldn't. But neither would an antivirus program.

Re:epic FAIL

[Zenaku]

Of course. Especially the ones posted tomorrow.

Re:epic FAIL

[InlawBiker]

Yet it did not stop every Blog and media outlet on the planet, including Slashdot, from picking up the story. Welcome to the blogs-as-news era.

Re:epic FAIL

[mysidia]

We believed someone who used a 3rd rate antivirus and didnt verify with a kernel debugger? FAIL on all our parts especially the "security researcher" who so thoroughly researched this one

This is so big a fail... I declare April fools came early this year.... and fooled even the security researcher this time.

Or maybe it's part of a 3-day countdown type event.

Re:epic FAIL

[JCCyC]

No, wait, let me guess: the folder name was system32 and the AV recommended to delete it!

Re:epic FAIL

[jimicus]

I've used VIPRE for years now. It actually is a quality product.

Except for when it false-positives over the presence of an empty folder which is actually a part of a correct Windows installation in certain circumstances.

(Having said that, if I were to blacklist a piece of software every time I found one stupid bug, I'd very soon run out of software I could run)

Re:epic FAIL

[amicusNYCL]

The mere presence of a _folder_ with the offending name triggered the AV. That AV's gotto be the new benchmark as far as being crappy goes.

Sort of like writing an anti-virus program which checks for files called "virus.exe" and calling it secure. Reminds me of mod_security for Apache, and how it blocks things called "shell.php" (and possibly other extensions) from executing just based on the same. Pretty retarded view of "security". It took me forever to figure out why the PHP files that were hosting our Flash courseware shells weren't running when everything else was. Turns out it was a "security" measure, thanks to mod_security. It really helps to instill a lot of confidence that mod_security is competent in any way.

Re:epic FAIL

[TheVelvetFlamebait]

I too was sceptical of the story, but unfortunately I have no such proof of my scepticism. Instead of posting about my scepticism, I just passively accepted that it was part of slashdot's long slide into uselessness, and into its current position as the Fox News for nerds.

Mod me flamebait if you like, but at least I'm on topic.

Re:epic FAIL

[countertrolling]

Then we should all know where a keylogger will go if one is desired. It will only be uncovered by accident.

Re:epic FAIL

[Fractal+Dice]

Just to sure ... we are certain that today's version of the truth is more reliable than yesterdays? We aren't just setting ourselves up for more egg on our faces?

Re:epic FAIL

[jordan314]

I had the same problem with not being able to blog about the command rm -rf /. Thanks, mod_security.

Re:epic FAIL

[darth+dickinson]

Reminds me of my days as a NetWare admin. For those that might not know, NetWare servers use DOS to bootstrap, then run a program called "server.exe" to launch the server OS.

I was applying a service pack to a NW6 server, and part of that SP was an updated "server.exe". Well, MacAfee decided that "server.exe" was a virus and just silently deleted it after it was extracted, without even telling me. Killed two servers before I figured out what was going on.

And yes, I know that MacAfee AV is TRWTF...but it was what the school system had standardized on at the time.

Re:epic FAIL

[Vegemeister]

+4 Sad but true.

Re:epic FAIL

[jc42]

The mere presence of a _folder_ with the offending name triggered the AV. That AV's gotto be the new benchmark as far as being crappy goes.

It's hardly anything new. There was this notorious case from 8 years ago, when the RIAA sent threatening C&D letters to Professor Peter Usher at Penn State, because his web site contained files with "Usher" in their name, including several .mp3 files. So the RIAA concluded that he was illegally distributing songs by the band Usher. As in this case, they looked only at the file names, and couldn't be bothered to check the files' contents. You can read lots about this case by googling "Professor Usher copyright" (without the quotes).

The problem has long existed outside the computer industry. The TSA has blocked people from flying simply because their surname was the same as (or sometimes just similar to) a name on their do-not-fly list. Security agencies have done this for ages, and every year we read of a number of arrests of people with names similar to a name on an arrest warrant.

This sort of thing has probably happened to a number of people reading this forum. Maybe they'll speak up ...

Re:epic FAIL

[jc42]

Or maybe it's part of a 3-day countdown type event.

So tomorrow we'll probably have a story about a real keylogger that was discovered somewhere else in a Samsung (or maybe another company's) product. But nobody will believe it because of the date, so the password harvest will proceed until a few million people are victims of identity theft.

Re:epic FAIL

[exomondo]

- a "security researcher" that take the alarm at face value and never check if is actually there, check if the process run, what kind of content it was logging and where it is sending them.

He didn't take it at face value, he did an 'in-depth analysis' and concluded that the malware was 'undetectable', you insensitive clod!

Re:epic FAIL

[mysidia]

But nobody will believe it because of the date, so the password harvest will proceed until a few million people are victims of identity theft.

Par for the course on Slashdot.

But why do you say until a few million people are victims?

Why would it stop at a few million?

Re:epic FAIL

[Riceballsan]

indeed, an unexpected empty folder it is reasonable enough to send a flag assuming the conditions of the antivirus are set reasonably high, removing an unnecessary and easily replaceable part of a windows install isn't really a huge deal, well giving it a name is kinda silly though, you'd think the AV would just give a heuristic "suspicious" warning instead of pretending it knows what it is. I have seen vipre at a few companies I've worked for and can't say much bad about it. I've never seen or heard of a major virus issue on its watch in any of the companies and I've never seen critical components killed, and that's more then I can say for most AV's with central management capability.

Then why the adminision of guilt?

Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

Re:Then why the adminision of guilt?

[TheCRAIGGERS]

Yeah, but wasn't the admission of guilt quoted from an email of the original finder? It's not like we saw a Samsung press release on this.

Re:Then why the adminision of guilt?

[LordLimecat]

This is why they didnt give you a supervisors name, or any further details on the phone call. There was nothing resembling evidence; it was all rumor and assertion.

Re:Then why the adminision of guilt?

[MobileTatsu-NJG]

Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

I see no admission of guilt. Instead I see an answer to a question that probably didn't use the word 'keylogger'.

Re:Then why the adminision of guilt?

[X.25]

Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

Do you think this was official Samsung statement, or customer's interpretation of some random answer he received from a random person (that probably had no idea what he was talking about, but wanted to get rid of annoying customer asap) in a random call center?

I actually can't believe this story was taken seriously for even a split second, considering complete lack of any research or evidence.

Oh well, anything is news these days.

Re:Then why the adminision of guilt?

[Scott+Scott]

Because it isn't at all possible that they managed to reach a support person using the standard "whatever it is, it's a feature that somehow helps you" misdirect to try to end the phone conversation in record time. Sure, the article was poorly researched to begin with, but that part wasn't necessarily bogus. It's fallacious to assume that because some of the story was factually inaccurate, the entirety of the story is factually inaccurate. Not that I put any kind of stock in such a citation; however, it is increasingly common even among more reputable news outlets to make generic citations rather than relaying more useful details.

Re:Then why the adminision of guilt?

[yuhong]

Of course, it would be better to say "I will report it and we may investigate why it happened.", which is just as short.

Appropriate quote

[_merlin]

The following fortune quote accompanied this story for me:

It is not good for a man to be without knowledge, and he who makes haste with his feet misses his way. -- Proverbs 19:2

Disturbingly appropriate, considering the story is about people jumping all over a false assumption. But I'm constantly surprised at the number of times a Windows installation with full multilingual support trips anti-malware or anti-virus software. Don't these guys even use their MSDN subscriptions to get a full set of Windows installs to test against?

Re:Appropriate quote

[Stenchwarrior]

Fuck to the yes! I only put AV on computers now a days to make end users feel warm and cozy. Then when they bring it back in 6 months later I install the ones that actually work. Too bad they don't prevent.

Re:Appropriate quote

[Twinbee]

Or alternatively: "Before pointing fingers, properly research first", which is terser, less pretentious, and made in 20 seconds by yours truly. Also it has the advantage that it doesn't come from a book with lots of false information.

Re:Appropriate quote

[LordLimecat]

Antivirus are a useful second line of defense, the first line being "keep your crap up to date". I mean, otherwise you cant protect yourself from that 0-day that the vendor wont have a patch for for 2 weeks, even though all the AV firms have a definition out tomorrow.

And if a virus attempts to spread through network share (by replacing folders with EXEs with folder icons), having an AV that detects it is really useful.

Re:Appropriate quote

[mlts]

I have found that AdBlock does far more to keep malware off a system than any antivirus program out there. Couple that with a decent firewall/NAT box/router, common sense about not running downloaded stuff, and a solid backup system, and that will pretty much make for malware-free computer usage. Using sandboxie doesn't hurt either.

Re:Appropriate quote

[tlhIngan]

Problem is, in the ever-changing world, one of the thing is to accuse first and ask questoins later, in order to get those website hits and oh-so-sweet advertiser revenue.

The first ones to break the stories gets the hits and eyeballs. The ones to do the research get left by the wayside, mostly unread while everyone else spreads mistruths because they never saw the followup, read beyond the headline, etc. Hell, it happens on /. too.

Re:Appropriate quote

[Ja'Achan]

Or apply the Sagan standard "extraordinary claims require extraordinary evidence".

Unfortunately, "Company puts spyware on their products" is no longer an extraordinary claim

Re:Appropriate quote

[snowgirl]

Windows 7 installs its Slovenian information in C:\Windows\sl-SI... so no, a Windows installation with full multilingual support would not trip up this anti-malware/anti-virus scanner (apparently VIPRE)

Don't these guys even use their MSDN subscriptions to get a full set of Windows installs to test against?

Your suggestion actually fails to fix the problem at all.

Re:Samsung Keylogger Stories a False Alarm

[neo12]

At least Samsung is not a Chinese company.

Oh noes

[Haedrian]

Quick! Call the worldwide boycott off before the entire company loses its 13.5Billion revenue.

On a related note, could Samsung sue the journalists for libel?

Re:Oh noes

[Sonny+Yatsen]

Even if they could, which I doubt, why would they want to bring extra attention to this when it'll just go away tomorrow?

Re:Oh noes

[MarkGriz]

Could? More like should.

The title of the article was not "Did Samsung install keylogger on its laptop computers?"

No, the title was "Samsung installs keylogger on its laptop computers", though it looks like they've updated it now to
"UPDATE: Samsung keylogger could be false alarm"

Great journalism there. Leap out of the gate screaming "keylogger!!!!" with zero fact checking, but later back off and say "oops we could be wrong"

Re:Oh noes

[Stenchwarrior]

mod this guy up

Re:Oh noes

[LordLimecat]

Everyone who left a comment decrying Samsung in the last article is just as much to blame. You give approval to such antics by your reaction.

Re:Oh noes

[erroneus]

Because apparently only Slashdot users know about the Streissand effect. Governments and every business on the planet seem not to have heard of it.

Re:Oh noes

[jimicus]

The Streisand effect is generally associated with people doing something silly, realising their mistake and then trying to shut the door after the proverbial horse has bolted.

In this case, I think the thing most likely to invoke the Streisand effect would be if the blogger tried to cover up the whole sorry episode by trying to bully sites mentioning either the original article or the subsequent debunking. I reckon Samsung, OTOH, could sue the blogger with relatively little fear of Streisanding. As long as they didn't try to sue everyone else for reporting the story.

Good for Slashdot for following up

[HawkinsD]

At least Slashdot has the journalistic ethics to post the follow-up. Good for them. I note that Network World is doing the same.

Yes, I said "journalistic" in the same sentence as "Slashdot." It's important.

Re:Good for Slashdot for following up

[MarkGriz]

Yet the original story still has not been updated to correct the error.
So much for journalistic ethics.

Re:Good for Slashdot for following up

[jones_supa]

True.

Re:Good for Slashdot for following up

[Blakey+Rat]

Wouldn't it be better if they updated the *original* story with the correction, instead of posting a new one?

Anybody linking to this story on Slashdot is still linking to an uncorrected version. It's not enough to correct the article; you have to correct the article at the same URL.

Re:Good for Slashdot for following up

[1u3hr]

At least Slashdot has the journalistic ethics to post the follow-up. Good for them.

They're not posting this as penance, they haven't apologised or retracted the original story; they're doing it to gain hits. Same reason they posted the first story without confirmation.

Slashdot has no claim to being described as "journalism", or has any demonstrable professional ethics.

Re:Good for Slashdot for following up

[wygit]

the "Part two" on the story has been updated. http://bit.ly/ib5R38

UPDATE 3/31/11: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft's Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here. Still no explanation for why Samsung originally confirmed the keylogger's existence to Hassan, as seen below.

UPDATE 3/31/11: GFI Labs, the maker of VIPRE, has issued an explanation and apology for generating the false positives that led to these articles: "We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive."

Re:Good for Slashdot for following up

[idontgno]

The appropriate journalistic response is, apparently, a feeble Emily-Litella-esqe "...never mind" after the end of a long-winded, spittle-flinging, completely off-topic rant.

Re:Good for Slashdot for following up

[oldhack]

That's no journalistic ethics. Slashdot has no standard, and puts up anything, especially dupes. Taco probably put it up thinking it was a dupe.

Right, taco?

Re:Good for Slashdot for following up

[hellop2]

You said, "Still no explanation for why Samsung originally confirmed the keylogger's existence to Hassan, as seen below."

Then you say, "GFI Labs, the maker of VIPRE, has issued an explanation and apology"

So why do you think Samsung confirmed the existence of a Samsung installed keylogger?

Makes no sense

[StillNeedMoreCoffee]

The earlier article quoted Samsung as admitting to placing the software on their computers to gather information. Either that part of the earlier story is false or the current one is. This is not good journalism.

Re:Makes no sense

It was confirmed by a low level support person who may or may not have understood what was going on.

All the PR and Legal depts had "No Comment" till it was more thoroughly researched.

Re:Makes no sense

In one of the original articles he says he contacted support. So this statement is likely from some support drone who had no idea what the customer was talking about. He probably jumped to conclusions because he has to handle support tickets in 30 seconds or less.

What I've learned from support contacts is to NEVER explain anything. They won't bother understanding what you wrote. State in a single sentence what you want to have done. They'll ignore everything else. Seriously, one sentence only. If you write two or three they will either be ignored altogether or trigger completely unrelated keywords that result in nonsensical preformulated responses.

Support doesn't have the attention span to handle complex issues like this.

Re:Makes no sense

[Culture20]

Escalate me to tier 3. Thank you for doing the needful.

Re:Makes no sense

[DocSavage64109]

That's what they want you to believe. This is obviously a smear campaign to cover up their keylogger.

I don't care about facts.

[mevets]

I still hate the keylogging bastards that they are, and I want to see the whole company in jail...

So the keylogger

[Grand+Facade]

is a Microsoft product?????

Re:So much for being a CISA CISSP MSIA ...

[WrongSizeGlass]

But the original writer and now famous Security researcher is MSIA, CISSP, CISA ... That must say something no ? what do you mean Security Certification are worthless ?

I believe you forgot LOL, SOL and GTFO.

What about their use of Carrier IQ on Android?

[Bill+Dimm]

http://yro.slashdot.org/comments.pl?sid=2061772&cid=35672358

Hold on a second.

[Conspiracy_Of_Doves]

Where did this quote come from, then?

monitor the performance of the machine and to find out how it is being used

Re:Hold on a second.

[Skuld-Chan]

Could have been the poor tech in India had no idea what the question was to begin with...

That quote could have been attributed to system monitoring software used to conserve battery usage for instance.

Re:Hold on a second.

[jeek]

Do we even have confirmation that Samsung's tech support is India-based, or is this more FUD/speculation?

Re:Hold on a second.

[pclminion]

Where did the quote come from? It came from an idiot, apparently. If it was true, only an idiot would admit to it. If it was not true, only an idiot would say it was. I tend to discount what idiots say, as should you.

All those who knew that this was obviously false when it was posted yesterday, raise your hands and link to your comments:

"This is not believable." Oh, and let me reiterate. Anyone who actually believed a company would do something like this, is a god damned moron. I mean seriously, what the fuck people?

Re:Hold on a second.

[Conspiracy_Of_Doves]

Yeah, like no music company would ever put rootkits on their CDs either.

Re:Hold on a second.

[pclminion]

1) The purpose of Sony's rootkit, while unethical, at least made sense. A catch-all keylogger makes no fucking sense. There's "evil with a purpose" and then theres "fucking insano poking at the dragon cuz I'm coked up." What Sony did was the former. What Samsung was alleged to have done is clearly the latter.

2) Sony got smacked down for it. They had to recall their CDs, they were sued in various class actions and various countries. They admitted it was a fuckup and they got slammed for it.

Critical thinking, try it sometime.

Re:Hold on a second.

[Conspiracy_Of_Doves]

The purpose of Sony's rootkit, while unethical, at least made sense.

And what if the purpose was "pushing the envelope on how much they can get away with on gathering information on their users"?

Sony got smacked down for it.

And if this had been true, Samsung would have been smacked down for it.

Critical thinking, try it sometime.

Are you always this much of a worthless, piece-of-shit, asshole?

Re:Hold on a second.

[pclminion]

Are you always this much of a worthless, piece-of-shit, asshole?

If my expectation of some minimal level of brain activity in people who make potentially defamatory claims counts as that, then yes.

Re:Hold on a second.

[Conspiracy_Of_Doves]

No, your expectation is that everyone else should come to the same conclusion as you from the very instant that a new subject enters their field of view.

Re:So much for being a CISA CISSP MSIA ...

[John+Saffran]

No it doesn't mean that they're worthless .. they're just not technical certifications so in this case we should've been sceptical (like I said in the original story, http://slashdot.org/comments.pl?sid=2061772&cid=35673170) because the certifications aren't relevant to the abilities required to make an informed comment.

Notes to self:

[Stenchwarrior]

Pick up milk and eggs

Pick up dry-cleaning

Don't use VIPRE.

Wife's Laptop

[Cytlid]

My wife has a Samsung R580 which is almost a year newer than the laptops the guy mentioned in the article. I was going to scan it with some decent rootkit programs (like f-secure blacklight or rootkit revealer) only to find out some of my favorites don't work with 64bit Win7. I wrote to the guy who wrote the article, asking about the name of the "commercial security scanner" he installed. He never replied back. I booted my wife's laptop into Linux last night using a Live CD, and performed some find commands for supporting files of the StarLogger program (which showed up in a google search). Nothing. I was thinking if this was true, hers was exempt because it was almost a year older. Turns out, I find out today, I did more research than this supposedly "phd security expert" had.

Re:Wife's Laptop

[Cytlid]

That should read that her laptop is a year _older_ not newer... oops. We all make mistakes.

Re:Wife's Laptop

[ISurfTooMuch]

You did more research, but this idiot got all the press. He thought he had something, so he ran to the media with it, and they ate it up. Of course, he looks really stupid now, but that's only because others were more thorough.

Inb4...

[supersloshy]

Inb4 all of the commenters from the previous Samsung article come in here and act like they didn't assume that the keylogger was real, didn't yell about how Samsung should/will be persecuted for this, and didn't ask for people to boytt Samsung ;)...

I always hear Slashdotters complaining about "moral panic" and complaining about the "idiots" who don't do their research before making claims... How is this any different? Really, it's no different. Is the level of "corporate hate" on Slashdot really that high as to exclude any common sense (apparently not so common) when dealing with a subject like this where it's impossible to tell whether he was right? He said he was right in the previous article, but why did you blindly trust him? All it takes for a simple, non-assuming comment is to add "If this is true," to the beginning of your comments. It isn't very hard and it doesn't make you look like an idiot when the entire reason you said those things turned out to be bullcrap.

where is the outrage?

[pablo_max]

Turn on the TV. Go to any "News" site. Everything is designed to make you react in some way. They especially like to find the most "outraged" person and interview them.
It is a bit sad. People will freak out about stuff like this and demand action, yet your government erodes your rights and destroys your country a little bit more each day and the same people are quite.
Tell me /., where is the outrage for things that matter?

Won't slow down your PC!

[evilgrug]

The tagline for VIPRE AntiVirus is 'Finally Antivirus Software That Won't Slow Down Your PC!'.

I guess we know why. Who wants to spend all those CPU cycles searching through binaries both in RAM and on disk, comparing them against a database of virus patterns, and performing advanced heuristics checks when it's so much easier to match directory names and call it a day?

Re:So much for being a CISA CISSP MSIA ...

[Stenchwarrior]

Those are not technical certs. Anyone with the ability to understand the auditing process, computers or otherwise, will pass the exam.

Slovenian StarLogger

[BitterKraut]

From Samsung's comment at http://www.samsungtomorrow.com/1071 it seems that the security program used identified the folder as StarLogger based solely on the fact that the folder's name is SL for Slovene. Incredible.

Re:Slovenian StarLogger

[LordStormes]

Wouldn't that folder be in nearly every Windows install? Or is that something that's only installed when you turn that language on in the Windows setup? Otherwise, it should have been pretty easy for VIPRE to test that condition. Do we know if Mr. Security Expert had the Slovenian language installed?

Re:Slovenian StarLogger

[jcla]

I checked my newly purchased Samsung laptop last night after I saw the article and it had the /sl folder on it, but it took about half a second and an ounce of brainpower to notice that there was a large number of similar directories that all looked like language/country codes. And they all had the same kind of non-executable file in them. I'm not Slovenian. J

Re:Slovenian StarLogger

[ElusiveJah]

Hey people, don't you notice that all these "false-positive, fail!" posts and links chain cite single post on this resource as Samsung's official statement. Now look at whois and see Samsung is not it's owner.
First "keylogger!!!" hype with weak background, then another "false-positive!!!" hype with even weaker one, then ?...
That's the nature of today's online media.

P.S. Excuse my English plz

Re:Slovenian StarLogger

[snowgirl]

I checked my newly purchased Samsung laptop last night after I saw the article and it had the /sl folder on it, but it took about half a second and an ounce of brainpower to notice that there was a large number of similar directories that all looked like language/country codes. And they all had the same kind of non-executable file in them.

I'm not Slovenian.

J

What kind of files? Were they all "*.mui"? Windows 7 (and Windows Vista) use c:\Windows\sl-SI for the Slovenian localizatons...

IANS either, but I have just installed the Slovenian Windows 7 language pack, and Slovenian Windows Live Essentials.

Re:Slovenian StarLogger

[snowgirl]

Correction: Windows Live Photo Gallery installs a screensaver to the root Windows directory, which produces a C:\Windows\SL directory if you have the Slovenian language pack installed. However, this shouldn't be exactly hard to check if this is the case, since it's a single MUI file...

77c443b0c85b67a89bb57edcca491d66 *WLXPGSS.SCR.mui

Anything else in there is not from Windows or Windows Live Essentials.

IT World standard practice

[PhreakOfTime]

My initial reaction was more along the lines of "That sounds unlikely" than "Burn them!".

My initial response was;
It's a Network World/IT World article, so its probably made up garbage that will be debunked within hours.

And look at that... it was. Shocking.

I have a friend who likes to sent me IT World articles. It's become a running joke how bad their articles are written. Well, a joke to me at least, he still thinks they are some sort of reputable news source for all things IT and that I am just 'picking on them'.

Re:So much for being a CISA CISSP MSIA ...

[sglane81]

Not to mention these gems:

I installed ... security software ... The scan found two instances of a commercial keylogger called StarLogger ... This key logger is completely undetectable ...

So, this program found something which couldn't be found. Check.

After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung. I removed the keylogger software, cleaned up the laptop

Removed the keylogger by removing the folder? Check.

I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

So, "false-positive proof." Good to know that your extensive experience running an anti-virus program has yielded perfect results. Don't worry about the fact that you don't actually know what you're talking about.

... logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied ... SS changed its story ... SS personnel relented and escalated the incident ...

Can we claim Godwin here? I have a feeling Samsung Support doesn't refer to itself as the SS.

You obviously have some kind of agenda, Mohamed Hassan, MSIA, CISSP, CISA. I know now to never trust anything NetSec Consulting Corp does. Also, congrats on being an "adjunct professor of Information Systems in the School of Business at the University of Phoenix."

FUD Campaign

[Xest]

I've seen a few people mention it already in previous articles but I'm actually beginning to wonder myself if this is an orchestrated FUD campaign against Samsung. The actors story was, well, a complete fucking non-story too.

Rogue Apple fanboy, or Apple PR getting a bit twitchy about Android and Samsung's Galaxy phones and tablet perhaps?

Will be interesting to see if this anti-Samsung FUD continues or if it's mere coincidence that two FUD stories have been posted about Samsung in such a short period.

Re:FUD Campaign

[John+Saffran]

I was a little leery of the actors story too even though I don't consider Samsung (or any other large corporation for that matter) as being the paragons of ethics, but in this case I'm guessing that it was just a case of an id10t shooting off at the mouth rather than someone paid to spread propaganda.

If he was paid to write that I hope for his sake it was enough to retire on because now his credibility in the field is effectively negative (ie. people will avoid him). For me the worst thing he's done is that he might have damaged the credibility of real security researchers through this stunt.

Expert?!? LOL

Seriously?
"Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix. "
Goes to show you all that credentials do mean a thing.

And according to Register "Hassan investigated the matter before working on a story for NetWork World that compared the incident to the infamous Sony BMG rootkit fiasco of 2005."
LOL that's some amazing investigation skill for a security consultant. Turns out he was using a 3rd rate antivirus software, didn't bother to verify the result is correct (finding actual evidence of the keylogger program or use another antivirus to verify), and it was Microsoft software and not Samsung related at all.

He needs to hang up his jacket as a security "expert"

Re:Foot in mouth awards

And the 2010 Foot in Mouth award goes to...

The writer AND the "security researcher" both of whom put the credibility of their school, degree, and certifications at risk.

I sense two egos deflated for the better.

You should really included Slashdot community there as well, as we jumped on crucifying them based on no evidence whatsoever, just the word of a random blogger.

"Extraordinary claims require extraordinary evidence"
-- Carl Sagan

Their phones still ship with one

They ship CarrierIQ on their Android phones on Sprint. It's hooked in to read all sms messages, button presses, etc.
http://forum.xda-developers.com/showpost.php?p=11763089

Security Expert?

[stinkbomb]

"Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix."

And is now the laughing-stock of the IT security world.

Nice job moron!

Re:So much for being a CISA CISSP MSIA ...

[RoverDaddy]

Removed the keylogger by removing the folder? Check

I'm guessing that by 'removing the keylogger', he meant 'let the anti-virus' software do its default recommended action'.

Re:One word:

[jeek]

Is "One" the slovenian translation of the English word "Three"?

antimal-ware

[HTH+NE1]

I don't think it will ever be appropriate to remove the hyphen from "anti-malware". "Antivirus", sure, but "antimal" will always be too close to "animal" for easy parsing as a compound word.

Knee-jerk response is awesome

[ashidosan]

John Graham-Cumming has an excellent, level-headed response to Mohamed Assan's entire "research."

Also confirmed at F-Secure.

Who will apologize for the pitchforks and torches?

[ChaoticCoyote]

Good work, Slashdot. Maybe you'll be a tad more cautious before reported bogus news, eh?

As for individual posters: How many of the people who screamed vitriol at Samsung will now apologize? How many of those who vowed to boycott Samsung in yesterday's thread will admit they were wrong?

I'll bet very few.

We live in a society where people treat indignation like a drug, always ready to believe the negative, always looking to be a victim. Sad times for the species indeed. Will people learn from this, and stop believing everything they read? One can only hope (a fool's hope, but hope nonetheless.)

Samsung "Admitted" To The Keylogger

[mastershake82]

I think the part that gave the most merit to the original claim is that Samsung "admitted" to it. However, in retrospect, it's easy to see what may have happened... here is the quote about Samsung admitting to the problem:

"The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used.""

What seems to have happened is the person called technical suppport at Samsung... people trained to help you with your computer not booting, overheating, optical drive malfunctions, dead pixels on the LCD, etc, etc, etc and asked something that they would have of course known nothing about. I'm going to go out on a limb and make some assumptions... I may be completely wrong, but I've seen this played out in the phone support industry when I worked there more times than I can count. I'm sure, like every other phone based support line, they are trained that when they don't know the answer to something, to make a ticket and someone more knowledgeable will call them back. I assume that because the person was escalated to a supervisor, he did not find that option satisfactory and wanted an answer to his odd request RIGHT THAT MOMENT. Enter the supervisor. At this point, the supervisor will say whatever it takes to appease the upset customer... I'm sure something in the Samsung support database about their performance monitoring software lined up in the tiniest way with the customers finding, so the supervisor gave him that info, and there we go... an "admission" by Samsung.

If you hate corporations, I'm sure that's enough for you... and someone paid by Samsung saying something about a Samsung product is the be all end all of any situation... but realistically... if they want to provide you with affordable devices with reasonable support, they can't afford to put a "lawyer technician IT superman" on the receiving end of every call...

tl;dr if you try and whine hard enough, you can get a phone support tech to say anything you want

Someone some where needs to get sued.

[GigG]

The post from yesterday had this line in it. "After initial denials, Samsung has admitted they did this, saying it was to 'monitor the performance of the machine and to find out how it is being used."

A Simple Mistake?

[hduff]

That's what they'd like you to believe . . .

It is tellingly sad

[ThatsNotPudding]

that corporations have become so powerful and governments so blase about the rule of law that a goodly chunk of even this crowd accepted this story as quite possibly true.

So you mean all those love letters

[makubesu]

I'd been typing on my Samsung machine will never get to the beautiful key log reader? I'm so alone Slashdot!

Monte Python comes to mind

[ItsJustAPseudonym]

"What makes you think she is a witch?"

"She turned me into a newt!.........Well I got better."

Re:So much for being a CISA CISSP MSIA ...

[Just+Some+Guy]

Can we claim Godwin here? I have a feeling Samsung Support doesn't refer to itself as the SS.

No. The National Socialists don't own the registered trademark on "SS".

False story? FALSE STORY?!!

[Lou57]

Dammit, I so wanted to hate another company.

Re:Stupid Researcher. Stupid Windows Live, though?

[snowgirl]

Because it doesn't install there. I just installed the Slovenian Windows Live Essentials, and there is no C:\Windows\SL directory, there is a C:\Windows\sl-SI directory though from installing the Slovenian language pack.

Modern Windows versions use languagecode-COUNTRYCODE for all of its localizations. There would never be a reason why a modern version of Windows would put localization data in C:\Windows\SL...

Re:Stupid Researcher. Stupid Windows Live, though?

[snowgirl]

Corrections: Windows Live Photo Gallery installs a Screensaver (which all have to be in C:\Windows, or Windows can't find them... retarded, right?) and that for some godforsaken reason uses a bare languagecode directory for its MUI files. (Even though the rest of Windows has moved on from that, since you know, pt-PT and pt-BR are actually both equally supported... I think they're tier three.)

Re:Who will apologize for the pitchforks and torch

[hellop2]

I agree!

All you sinners repent now! I'm talking to you Anonymous Coward!! Also:

matt_gaia (228110) "Samsung, and hopefully one they'll be sued to hell over."
amicusNYCL (1538833) "Welcome to my shitlist, Samsung."
noc007 (633443) "Damn you Samsung"
Quinn_Inuit (760445) "I don't think either of us would take a Samsung computer of any sort for free at this point"
metrometro (1092237) "The answer is criminal charges for wiretapping. Throw the CEO and their corporate council in jail,"
echucker (570962) "Samsung's tech support guy already admitted to it."
Lead Butthead (321013) "Don't buy their product, and let everyone you know why"

pclminion (145572) "I mean, literally, unbelievable. I do not believe it. And anyone else who believes it without some proof apart from what this dude says, is a god damned moron. Apparently that's most of the people in this thread."

Monkey Balls

[Mana+Mana]

"falsepositive" WTF? Anyone who read yesterday's article read that dumbass nigga say, `and it can't be a false positive, 'cause, like, you know, I've been using this application whom I bought legally and licensed well like 6 years ago and it's been always reliable. And like, you know, further and shit, moreover I have an MSIA. You know.'

Well color me a dumb nigga too cauz, likez, I thought he was referring to his/a lil ole MS cert. But I redz all the wayz to the endz and found out 'twas a Master.

Re:Monkey Balls

[Mana+Mana]

I meant to add the keyword du jour should've been: falsefalsepositive