Samsung blames security software false positive for StarLogger issue. (tgdaily.com)
118 points by nickolai on March 31, 2011 | hide | past | favorite | 52 comments



The moral of the tale here is that if you're going to be making allegations of this kind you really need to be quite confident about your research, and be able to back it up with detailed information such as the contents of the relevant directory and comparisons of the files therein. Not engaging in a certain amount of diligence leaves the journalist open to both reputational risk and the possibility of libel litigation.


>"Not engaging in a certain amount of diligence leaves the journalist open to both reputational risk and the possibility of libel litigation."

// Samsung gave an authoritative answer via their senior support personnel corroborating the [false] positive report of an installed key-logger from a previously trustworthy system analysis tool. I'd say that was diligent.

I don't think Samsung can win a libel case against someone who published what they themselves confirmed to be the truth (despite this revelation that they in fact lied).

This does leave the possibility that the report that it was confirmed by senior support was fabricated; in which case a libel suit would be back on.


I don't run a security consultancy, but I'd have considered checking if another tool says anything. Or just looking in the directory using another OS to see what's actually in the dreaded C:\Windows\SL.


>"Or just looking in the directory using another OS"

// What good will that do, so I see that it's C:\Windows\SL\WinSL.exe how do I tell without decompiling it that it's a keylogger? Certainly one could go further to test it but if the company that installed the drive image confirms it's a keylogger it seems reasonable to me to not check further.

If they denied it then yes it needs further corroboration but practically ...


Something like http://www.virustotal.com/ allows you to run a file through a zillion scanning engines. If almost none flag it as malware, you've either found a new sample or a false positive. You'd hope that they've at least checked such a service.


"so I see that it's C:\Windows\SL\WinSL.exe how do I tell without decompiling it that it's a keylogger?"

You might have to ask an, uh, security consultant.


It was rhetorical, I actually saw someone answer this the other day though for one of the popular MS Windows keylogging techniques (it was probably on here?).


Now Networkworld and Mr. Hassan should answer why they made such baseless allegations.

Someone working in a security firm (NetSec Consulting) should have an idea of what they are saying.


Assuming things are as they appear to be from the Samsung response (as, IMO, seems very likely), one of the things that strikes me here was that the "research" that a security "expert" conducted seems incredibly sloppy.

Did he actually look in the Windows/SL directory? Did he compare the contents to those that StarLogger actually installs (a trial version is available for download)? This seems like pretty basic stuff. Did he ask Microsoft what a Windows/SL directory might be?


This situation reminds me of the HBGary incident. This guy is actually paid to know what he's talking about, and he has no clue what he's talking about. And this isn't cake-making, it's security! Preposterous.


And the potential for damage to Samsung is significant. The story was front page of The Age's web site (major Melbourne publication). Even an updated headline akin to "Samsung denies shipping laptops with secret spyware" is potentially damaging.

The Age article does note:

"Network World said it contacted three public relations officers at Samsung for comment and gave them a week to send back their comments. 'No one from the company replied,' it said."


My guess is that Mr Hassan is an independent consultant, and NetSec Consulting is his contracting vehicle.

To be fair to him, Samsung did turn around and say, "Yeah we're keylogging, problem?" or words to that effect. If he's not a technical security consultant then that might be enough for him to go to the press (especially if he felt stiffed by Samsung).

Not all security roles are technical, not all consultants are either, it's entirely possible that he's a policy or risk kind of guy.


'To be fair to him, Samsung did turn around and say, "Yeah we're keylogging, problem?" or words to that effect.'

May I observe that the only reason we think that Samsung confirmed this is from the words of a source that is now appearing not to be trustworthy in the first place? If this "security consultant" couldn't verify the actual existence of a key logger in the first place, why do we trust him to accurately relay a conversation with support? I don't really accept it as fact that Samsung confirmed anything in particular at any point; the possibility that this guy heard what he wanted to hear is too significant to ignore.


The most straight forward way to find out what the Samsung created SL directory does is to ask Samsung. Which apparently he did.

I would suggest that wading through a corporate customer service call center's escalation process is reasonable evidence of due diligence. And I find it somewhat more likely that a call center employee affirmed the SL directory was for keylogging to clear the case than that Mr. Hassan fabricated a story about the call and Samsung's confirmation.

Hassan's allegation has all the marks of a mistake due to inexperience rather than fabrication because it is just too easy to disprove.


I was curious, so I Googled their website.

http://www.nesecc.com/

Not impressed.


That's his web site? OMG.

Best thing about that site: he charges $60 flat rate for virus removal.

http://www.nesecc.com/Flyer.htm

Damaging his reputation, that of his friend the writer, and of NetworkWorld: free.


Not only that, but the guy continues to use the same install of windows after discovering the issue. He then has more issues with the laptop and returns it for ANOTHER Samsung.

First off, if I even remotely sense that there is malware on my machine it gets an immediate format. Second, why in Thor's name would you buy from Samsung again? I get the impression he's a guy with a little knowledge that thinks he has this whole computer thing figured out. If you are going to make these types of allegations and publish them, you have to approach it scientifically and verify your results.


Maybe I'm cynical, but I'm going to tend towards "guy becomes very unhappy with samsung for unknown reason, guy lies about keylogger".

Because I agree - if you were going to tend to make a big fuss about this (as I would) and I had determined it looked like Samsung installed the first one (as he claimed) in no way would I ever get samsung laptop #2. Not to mention, not even checking the contents of the directory before reporting it widely.

Pretty decent approach to tarnish their reputation too, if it happened that way. To get an estimate of reach, the HN story "Samsung installs keyloggers" currently has 477 votes - it seems quite unlikely the retraction will get that much exposure.



The security industry is full of quacks like this. In fact, I'd say the number of frauds and snake oil salesmen FAR outweigh the number of legitimate and intelligent security folks.


"Scare 'em and snare 'em."


F-Secure didn't find it either, and hasn't seen a peak in StarLogger detections: http://www.f-secure.com/weblog/archives/00002132.html


Next entry actually deals with this exact issue :

http://www.f-secure.com/weblog/archives/00002133.html http://news.ycombinator.com/item?id=2391289

It's even getting triggered by an empty SL folder apparently. Looks a lot like some sort of poor taste April Fools' prank to me. Come on! A security warning from a folder name... _Really?_
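The two verification ideas raised in this thread (run the files through a multi-engine scanner and compare the directory's contents against what the suspected program actually installs, versus the F-Secure observation that the scanner fires on an empty folder named SL) can be shown side by side. The script below is an added example, not code from the thread, from Samsung or from any scanner vendor. The only details taken from the thread are the folder name C:\Windows\SL and the file name WinSL.exe; the reference manifest, its hashes and the sample directory contents are constructed stand-ins and are not real StarLogger artifacts.

```python
"""Added example: a folder-name heuristic versus evidence-based verification
of a suspected keylogger install. All sample data is constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# The only real detail from the thread: the folder the scanner keyed on.
SUSPECT_DIR_NAME = "SL"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed, hypothetical manifest of what a known install of the suspected
# program would drop. Hashes are derived from the stand-in contents below and
# are NOT real StarLogger hashes.
KNOWN_KEYLOGGER_FILES: Dict[str, str] = {
    "WinSL.exe": sha256_bytes(b"constructed keylogger stand-in #1"),
    "hook.dll": sha256_bytes(b"constructed keylogger stand-in #2"),
}


def name_heuristic(windows_dir: Path) -> bool:
    """The weak rule described in the thread: alert if a folder named SL
    exists under the Windows directory, regardless of its contents."""
    return (windows_dir / SUSPECT_DIR_NAME).is_dir()


def hash_directory(directory: Path) -> Dict[str, str]:
    """Map file name -> SHA-256 for every regular file in `directory`.
    These hashes are what you would look up on a multi-engine service
    instead of uploading the files themselves."""
    return {p.name: sha256_bytes(p.read_bytes())
            for p in sorted(directory.iterdir()) if p.is_file()}


def evidence_check(windows_dir: Path) -> Dict[str, object]:
    """Verdict based on what is actually in the folder, compared against
    the reference manifest of the suspected program."""
    sl = windows_dir / SUSPECT_DIR_NAME
    if not sl.is_dir():
        return {"verdict": "absent", "matched": [], "unknown": []}
    observed = hash_directory(sl)
    matched: List[str] = [n for n, h in observed.items()
                          if KNOWN_KEYLOGGER_FILES.get(n) == h]
    unknown: List[str] = [n for n in observed if n not in matched]
    if matched:
        verdict = "confirmed"
    elif observed:
        verdict = "unknown-files"   # something is there, but it is not the suspect
    else:
        verdict = "empty-folder"    # the case F-Secure reported triggering the alert
    return {"verdict": verdict, "matched": matched, "unknown": unknown}


def demo() -> Dict[str, Dict[str, object]]:
    """Build three constructed scenarios in a temp dir and run both checks."""
    scenarios = {
        "empty_sl": {},
        "benign_sl": {"readme.txt": b"constructed: some vendor utility files"},
        "real_keylogger": {
            "WinSL.exe": b"constructed keylogger stand-in #1",
            "hook.dll": b"constructed keylogger stand-in #2",
        },
    }
    results: Dict[str, Dict[str, object]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in scenarios.items():
            win = Path(tmp) / name / "Windows"
            (win / SUSPECT_DIR_NAME).mkdir(parents=True)
            for fname, content in files.items():
                (win / SUSPECT_DIR_NAME / fname).write_bytes(content)
            results[name] = {
                "name_heuristic": name_heuristic(win),
                "evidence": evidence_check(win)["verdict"],
            }
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The name heuristic returns True for all three constructed scenarios, including the empty folder, which is exactly the false positive the F-Secure post describes. The evidence check only reports "confirmed" when the folder contains files whose hashes match the manifest; for the empty folder and the unrelated file it returns "empty-folder" and "unknown-files", which is where a careful researcher would stop and look further rather than publish.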


Mr Hassan's research, which appears to grow in tenuousness with each passing hour, was the sole basis for countless technology news articles that cited this alleged security issue yesterday.

To go public with such questionable supporting evidence seems unfathomable from someone who is, ostensibly, qualified enough to know better.

I sincerely hope any forthcoming apology and subsequent abjuration is given an equal amount of publicity.


Well he did graduate from the Master of Science in Information Assurance (MSIA) program at Norwich University in 2009.


Norwich is apparently a military college http://en.wikipedia.org/wiki/Norwich_University


If this is true, sadly the damage has already been done. How many people are going to think Samsung ships with a keylogger ?


Agreed, and now Samsung may be the ones who launch the lawsuit. Though, how many people will hire NetSec Consulting after blindly following the output of security scanning software? I mean, did he even look in the SL folder?


The damage done to Samsung via this false accusation will far outweigh the costs borne by NetSec. I'm against frivolous lawsuits, but I wouldn't mind if Samsung delivered one his way.


It's OK to be against "frivolous lawsuits" without thinking that every lawsuit is automatically frivolous. There are a lot of frivolous lawsuits in the world today but that doesn't mean the concept of libel should be discarded, and that it sometimes actually happens and should be prosecuted. No contradiction.

Samsung may choose to be magnanimous and not sue; with a bit of cleverness they can spin this such that they get more out of that than any lawsuit they could possibly file... but it will be their choice, and if they do sue I won't hold it against them. It'd be fair.


The scary thing is that this publicity might, somehow, be good for the security company.


Maybe a good followup article should be "Security Researcher Uses Dumbest Antivirus Program Ever"


As of this writing, Network World has updated the original story's title to read "Samsung keylogger could be false alarm". I guess they're not quite ready to give up.


"Obama birth certificate may be legit. But eyewitnesses at his birth have still not come forward. And several potentials have died over the past 50 years. Suspicious? You decide."


I only took it seriously after I read that someone at Samsung had confirmed the presence of "auditing software". If it's not StarLogger, what was this person referring to?


Even assuming that the conversation took place and was accurately recorded, I don't put a lot of credence in it. It's front-line tech support we're talking about here after all. Some guy has called them up and is trying to find out something about a Windows\SL directory and monitoring software and so forth and they just want him off the phone.

I've had plenty of nonsense spouted to me when a tech support person doesn't understand my problem or how to deal with it.


That's probably exactly what happened. They may have been thinking of the Samsung software updater that came installed on my NC10.


>It's front-line tech support we're talking about here after all.

In the report it was second line and they consulted some other authority (manual, person, we don't know; could have lied) in order to provide an answer to the question of whether the keylogger was installed by Samsung.

Why do they want him off the phone, don't they get paid according to customer contact time? The longer he's on the phone the more money the company makes.


No, a friend of mine worked in a large call center; it's usually the opposite, you have a quota of how many people you help in a day. Calls that run too long can hurt you. If you consistently take too long they assume you're not helping and fire you.


I have worked in several call centers and well past tier one support. Having people on the line costs money, you are instructed to get them off the line as soon as possible.

For tier 1 or 2 support, they are also working off a script, and very few reps actually know what's happening outside of that script. Forcing them off script is the quickest way to get bad information and for them to likely get punished.


>Having people on the line costs money

The only times I've had to ring support have been to get recovery disks or initiate a return or what have you. However on those occasions they always wanted to walk me through the whole script ("yes I turned it off and on again, send me the disc please, yes I checked my network cable, ... could you ..., yes I ran check disk, ..., etc., etc.").

But then at €1.70 or whatever a minute I kinda expect that.

How do you lose money when they're billing at sort of rate? How do you make more money by completing calls quickly?

Prepaid support obviously different.


Entry tier support usually are fairly inexperienced reps. They are expected to stick to the script, because they typically don't know enough to go off-script. It can make an individual call longer, but it makes most calls shorter by standardizing the procedures that fix most cases.

The scripts are designed for solving issues that novice users have. That said, you are putting the rep in a position of possibly getting disciplined if you try to force them off script. At least at some of the places I've worked in the past. (I don't do support now, this was several years ago.)


Now of course both are fundamentally flawed. In fact, top-down control of call center agents is fundamentally flawed, and call center agents are not industrial workers.


[deleted]


This was the Network World article describing the support call in which someone confirmed software was installed to "monitor the performance of the machine and to find out how it is being used."

As others have pointed out it's not exactly a smoking gun.


[deleted]


I hope you don't sack the guy/gal. Support can be grueling.


I hope the powers that be don't either (after seeing that support ID number), but it does highlight some internal things that I've been observing over the last few months which will not be posted here.


Wow... to accuse such a major corporation of something as serious as installing keyloggers on their client's PCs without evidence is one thing, but to then change your story entirely when it turns out you have completely fudged the facts is another, and speaks volumes about the integrity of both the author and Network World...


A number of people here pointed out that the writer's original claim to be false positive proof simply because he'd used the tool for a long time was ridiculous. Unfortunately for him he's learning this the hard way.

"The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years."


What is going on with Samsung? This should have (a) raised all PR alarms as soon as it got traction on the internet, and (b) should NOT have taken >24h for someone to track down what they're installing in C:\windows\SL

At least it reminds us why the underdog sometimes has the upper hand, I suppose.


So if Samsung isn't shipping key loggers, then why did one of their people act as if they were?


They didn't. Instead, a harried customer support person answered a confusing question with a nondescript answer. One could paraphrase it as: "Well, Mister Caller, I have no idea what software you are talking about, but if there is any such software on the system, it would be to make sure the system is running properly."


Because he hasn't got a clue as to what a keylogger actually is?



