

Samsung blames security software false positive for StarLogger issue. - nickolai
http://www.tgdaily.com/security-features/55096-samsung-denies-preinstalling-spyware

======
motters
The moral of the tale here is that if you're going to be making allegations of
this kind you really need to be quite confident about your research, and be
able to back it up with detailed information such as the contents of the
relevant directory and comparisons of the files therein. Not engaging in a
certain amount of diligence leaves the journalist open to both reputational
risk and the possibility of libel litigation.

~~~
pbhjpbhj
>"Not engaging in a certain amount of diligence leaves the journalist open to
both reputational risk and the possibility of libel litigation."

// Samsung gave an authoritative answer via their senior support personnel
corroborating the [false] positive report of an installed key-logger from a
previously trustworthy system analysis tool. I'd say that was diligent.

I don't think Samsung can win a libel case against someone who published what
they themselves confirmed to be the truth (despite this revelation that they
in fact lied).

This does leave the possibility that the report that it was confirmed by
senior support was fabricated; in which case a libel suit would be back on.

~~~
jarek
I don't run a _security consultancy_, but I'd have considered checking if
another tool says anything. Or just looking in the directory using another OS
to see what's actually in the dreaded C:\Windows\SL.

~~~
pbhjpbhj
>"_Or just looking in the directory using another OS_"

// What good will that do, so I see that it's C:\Windows\SL\WinSL.exe how do I
tell without decompiling it that it's a keylogger? Certainly one could go
further to test it but if the company that installed the drive image confirms
it's a keylogger it seems reasonable to me to not check further.

If they denied it then yes it needs further corroboration but practically ...

~~~
jarek
"so I see that it's C:\Windows\SL\WinSL.exe how do I tell without decompiling
it that it's a keylogger?"

You might have to ask an, uh, security consultant.

~~~
pbhjpbhj
It was rhetorical, I actually saw someone answer this the other day though for
one of the popular MS Windows keylogging techniques (it was probably on
here?).

------
tikna
Now Networkworld and Mr. Hassan should answer why they made such baseless
allegations?

Someone working in a security firm (NetSec Consulting) should have an idea of
what they are saying.

~~~
ghaff
Assuming things are as they appear to be from the Samsung response (as, IMO,
seems very likely), one of the things that strikes me here was that the
"research" that a security "expert" conducted seems incredibly sloppy.

Did he actually look in the Windows/SL directory? Did he compare the contents
to those that StarLogger actually installs (a trial version is available for
download)? This seems like pretty basic stuff. Did he ask Microsoft what a
Windows/SL directory might be?

~~~
dereg
This situation reminds me of the HBGary incident. This guy is actually _paid_
to know what he's talking about, and he has no clue what he's talking about.
And this isn't cake-making, it's security! Preposterous.

~~~
prawn
And the potential for damage to Samsung is significant. The story was front
page of The Age's web site (major Melbourne publication). Even an updated
headline akin to "Samsung denies shipping laptops with secret spyware" is
potentially damaging.

The Age article does note:

"Network World said it contacted three public relations officers at Samsung
for comment and gave them a week to send back their comments. 'No one from the
company replied,' it said."

------
dionysianstanza
Mr Hassan's research, which appears to grow in tenuousness with each passing
hour, was the sole basis for countless technology news articles that cited
this alleged security issue yesterday.

To go public with such questionable supporting evidence seems unfathomable
from someone who is, ostensibly, qualified enough to know better.

I sincerely hope any forthcoming apology and subsequent abjuration is given an
equal amount of publicity.

~~~
ja27
Well he did graduate from the Master of Science in Information Assurance
(MSIA) program at Norwich University in 2009.

~~~
GiraffeNecktie
Norwich is apparently a military college
<http://en.wikipedia.org/wiki/Norwich_University>

------
Maakuth
F-Secure didn't find it either, and hasn't seen a peak in StarLogger
detections: <http://www.f-secure.com/weblog/archives/00002132.html>

~~~
nickolai
Next entry actually deals with this exact issue:

<http://www.f-secure.com/weblog/archives/00002133.html>
<http://news.ycombinator.com/item?id=2391289>

It's even getting triggered by an empty SL folder apparently. Looks a lot like
some sort of poor taste April Fools' prank to me. Come on! A security warning
from a folder name... _Really?_
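
An added example, not part of the original thread: the check several commenters ask about, comparing what is actually in the SL folder against a reference install rather than alerting on the folder name, sketched in Python. `name_only_verdict` and `content_verdict` are hypothetical helper names, and every directory and file content is a constructed stand-in.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def name_only_verdict(directory, flagged_names=("sl",)):
    # The failure mode from the thread: alert on the folder name alone.
    return Path(directory).name.lower() in flagged_names

def content_verdict(directory, reference_hashes):
    # Alert only if a file's hash matches one taken from a reference install.
    files = [p for p in Path(directory).rglob("*") if p.is_file()]
    matches = sorted(p.name for p in files if sha256_of(p) in reference_hashes)
    if not files:
        status = "empty folder: nothing to attribute"
    elif matches:
        status = "matches reference install"
    else:
        status = "files present, none match reference"
    return {"files": len(files), "matches": matches, "status": status}

def demo():
    # All directories and file contents below are constructed for illustration.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cases = {
            "reference": {"WinSL.exe": b"constructed stand-in binary"},
            "empty": {},
            "unrelated": {"strings.txt": b"constructed unrelated data"},
            "installed": {"WinSL.exe": b"constructed stand-in binary"},
        }
        for name, files in cases.items():
            folder = root / name / "SL"
            folder.mkdir(parents=True)
            for fname, data in files.items():
                (folder / fname).write_bytes(data)
        ref = {sha256_of(p) for p in (root / "reference" / "SL").iterdir()}
        return {
            name: (name_only_verdict(root / name / "SL"),
                   content_verdict(root / name / "SL", ref)["status"])
            for name in ("empty", "unrelated", "installed")
        }
```

The name-only check fires on all three folders, while the content check separates the empty folder, the unrelated files and the real match.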

------
minalecs
If this is true, sadly the damage has already been done. How many people are
going to think Samsung ships with a keylogger?

~~~
fname
Agreed and now Samsung may be the ones who launch the lawsuit. Though, how many
people will hire NetSec consulting after blindly following the output of
security scanning software? I mean, did he even look in the SL folder?

~~~
dereg
The damage done to Samsung via this false accusation will far outweigh the
costs borne by NetSec. I'm against frivolous lawsuits, but I wouldn't mind if
Samsung delivered one his way.

~~~
jerf
It's OK to be against "frivolous lawsuits" without thinking that every lawsuit
is automatically frivolous. There are a lot of frivolous lawsuits in the world
today but that doesn't mean the concept of libel should be discarded, and that
it sometimes actually happens and should be prosecuted. No contradiction.

Samsung may choose to be magnanimous and not sue, with a bit of cleverness they
can spin this such that they get more out of that than any lawsuit they could
possibly file... but it will be their choice, and if they do sue I won't hold
it against them. It'd be fair.

------
jarin
Maybe a good followup article should be "Security Researcher Uses Dumbest
Antivirus Program Ever"

~~~
lylejohnson
As of this writing, Network World has updated the original story's title to
read "Samsung keylogger could be false alarm". I guess they're not quite ready
to give up.

~~~
kenjackson
"Obama birth certificate may be legit. But eyewitnesses at his birth have
still not come forward. And several potentials have died over the past 50
years. Suspicious? You decide."

------
billpg
I only took it seriously after I read that someone at Samsung had confirmed
the presence of "auditing software". If it's not StarLogger, what was this
person referring to?

~~~
ghaff
Even assuming that the conversation took place and was accurately recorded, I
don't put a lot of credence in it. It's front-line tech support we're talking
about here after all. Some guy has called them up and is trying to find out
something about a Windows\SL directory and monitoring software and so forth
and they just want him off the phone.

I've had plenty of nonsense spouted to me when a tech support person doesn't
understand my problem or how to deal with it.

~~~
pbhjpbhj
>It's front-line tech support we're talking about here after all.

_In the report_ it was second line and they consulted some other authority
(manual, person, we don't know; could have lied) in order to provide an answer
to the question of whether the keylogger was installed by Samsung.

Why do they want him off the phone, don't they get paid according to customer
contact time? The longer he's on the phone the more money the company makes.

~~~
nkassis
No, a friend of mine worked in a large call center it's usually the opposite,
you have a quota of how many people you help in a day. Calls that run too long
can hurt you. If you consistently take too long they assume you're not helping
and fire you.

~~~
adamcw
I have worked in several call centers and well past tier one support. Having
people on the line costs money, you are instructed to get them off the line as
soon as possible.

For tier 1 or 2 support, they are also working off a script, and very few reps
actually know what's happening outside of that script. Forcing them off script
is the quickest way to get bad information and for them to likely get
punished.

~~~
pbhjpbhj
>Having people on the line costs money

The only times I've had to ring support have been to get recovery disks or
initiate a return or what have you. However on those occasions they always
wanted to walk me through the whole script ("yes I turned it off and on again,
send me the disc please, yes I checked my network cable, ... could you ...,
yes I ran check disk, ..., etc., etc.").

But then at €1.70 or whatever a minute I kinda expect that.

How do you lose money when they're billing at that sort of rate? How do you make
more money by completing calls quickly?

Prepaid support obviously different.

~~~
adamcw
Entry tier support usually are fairly inexperienced reps. They are expected to
stick to the script, because they typically don't know enough to go
off-script. It can make an individual call longer, but it makes most calls shorter
by standardizing the procedures that fix most cases.

The scripts are designed for solving issues that novice users have. That said,
you are putting the rep in a position of possibly getting disciplined if you
try to force them off script. At least at some of the places I've worked in
the past. (I don't do support now, this was several years ago.)

------
neurolysis
Wow... to accuse such a major corporation of something as serious as
installing keyloggers on their clients' PCs without evidence is one thing, but
to then change your story entirely when it turns out you have completely
fudged the facts is another, and speaks volumes about the integrity of both
the author and Network World...

------
simonsquiff
A number of people here pointed out that the writer's original claim to be
false positive proof simply because he'd used the tool for a long time was
ridiculous. Unfortunately for him he's learning this the hard way.

"The findings are false-positive proof since I have used the tool that
discovered it for six years now and I am yet to see it misidentify an item
throughout the years."

------
notphilatall
What is going on with Samsung? This should have (a) raised all PR alarms as
soon as it got traction on the internet, and (b) should NOT have taken >24h
for someone to track down what they're installing in C:\windows\SL

At least it reminds us why the underdog sometimes has the upper hand, I
suppose.

------
grammaton
So if Samsung _isn't_ shipping key loggers, then why did one of their people
act as if they were?

~~~
rayval
They didn't. Instead, a harried customer support person answered a confusing
question with a nondescript answer. One could paraphrase it as: "Well, Mister
Caller, I have no idea what software you are talking about, but if there is
any such software on the system, it would be to make sure the system is
running properly."

