
Confirmed: Samsung is not shipping keyloggers - illdave
http://www.f-secure.com/weblog/archives/00002133.html
======
Construct
This is a good reminder to always do your homework before making such a strong
accusation. Samsung's reputation is probably largely undamaged, other than
among people who just read the headlines on news aggregator sites. Even
searching for 'Samsung Key Logger' pulls up mostly articles about the false
alarm situation.

Mohamed Hassan [MSIA, CISSP, CISA and graduate of the Master of Science in
Information Assurance (MSIA) program from Norwich University in 2009 as the
original article prominently states], on the other hand, is probably not so
lucky. Any Google search on his name from now on will probably reveal this
whole debacle. Furthermore, I wouldn't be surprised if he just opened himself
up to legal action by Samsung.

~~~
JamieEi
It should also be a good reminder to all of the people on HN who jumped to the
conclusion that this guy was right on very sketchy evidence. This place is
influential. We should do better.

~~~
machrider
HN had many skeptical comments right off the bat. I guess simply publicizing
this story before it's confirmed is bad, but it's also how you shine light on
an issue - in this case, clearing Samsung of any wrongdoing.

Reddit fared much worse, IMO, in that people continued to upvote the wrong
story after the truth was out. The correction has been posted but isn't
anywhere near the front page.

~~~
machrider
Update - reddit has come around to the truth. :)

------
nickolai
I'm no expert of Antivirus software, but figuring whether something is a
threat by its _folder name_ ??? With all the money going into the industry?
That has to be some sort of April Fool's prank gone really bad.

~~~
jpr
Isn't the whole "security industry" a prank gone bad?

~~~
JoachimSchipper
Not _everything_ is useless. Code auditing is not necessarily useless; looking
at the physical security of smart cards is not necessarily useless (but it
looks like they could use some tougher certifications); pentesting/social
engineering can have its uses.

That said, "security appliances" and other magical solutions tend to be rather
imperfect. tptacek (of <http://insecure.org/stf/secnet_ids/secnet_ids.pdf>)
may have something to say about that, too.

~~~
ryan-allen
Everyone I've met who's been working in the "IT Security Industry" has been
exceptionally coy about what they test for and how. After a few drinks I've
managed to get out that they're testing for "XSS, and SQL injection, you know
things like that".

It stinks of proprietary crap and I wonder what it would look like if they
took a more OSS approach? When you can't even talk about XSS testing without a
bit of prodding as if it's something exceptional it really makes me wonder
what on earth these guys are selling.

~~~
JoachimSchipper
I've never done anything with them, but e.g.
<http://www.rootlabs.com/engineer-job.html> sounded a lot more interesting
than what you describe. On the open-source front, you find stuff like
Metasploit, nmap, Snort, previously Nessus (forked as OpenVAS), web stuff like
Nikto, etc.

Don't forget that lots of "programmers" are barely-skilled and working on VBA
macros - one label can cover a wide range of skill.

------
CaptainZapp
I can't help it. But the whole "security software" business really reminds me
of the mob.

 _Nice laptop you have here; would be a shame if something would happen to
it!_

~~~
alecco
You mean the "antivirus software" industry.

~~~
burgerbrain
Since when have these guys limited themselves to just being antivirus vendors?

~~~
alecco
Precisely.

------
cake
If you Google
[http://www.google.com/search?q=samsung+keylogger+monitor+the...](http://www.google.com/search?q=samsung+keylogger+monitor+the+performance+of+the+machine)

You'll have thousands of quotes from a so-called "Samsung supervisor" who
said it's used to "monitor the performance of the machine and to find out how
it is being used."

What is this bullshit? Where did the quote come from?

Amazing how most are just copy-paste. It just proves that very few online news
websites verify their source if the keylogger claim is false.

------
todd3834
_"The findings are false-positive proof since I have used the tool that
discovered it for six years now and I am yet to see it misidentify an item
throughout the years."_

Mohamed's lesson: Just because you were unable to prove a false-positive with
the same program for 6 years doesn't mean there weren't any.

------
pkteison
The laptop story yesterday led me to learn about CarrierIQ on my cell phone,
which was equally disturbing. Maybe the laptop was a false alarm, but my
Samsung cell phone did indeed have a keylogger on it. So I'm not inclined to
cut them a lot of slack right now.
<http://forum.xda-developers.com/showpost.php?p=11763089>

------
unreal37
"A lie can travel halfway round the world while the truth is putting on its
shoes." -- often attributed to Mark Twain

The original article was so poorly fact checked. It really reflects poorly on
Mohamed Hassan (and all his fancy yet meaningless credentials) and M. E. Kabay
(who apparently worships Mr Hassan unquestioningly). I will not hold my breath
out for a public apology from either of those two, although they are the ones
who owe Samsung one.

And the irony is in fact delicious. A security expert finds a virus using an
anti-virus scanner tool, and confirms it with some call center employee with
the company. What does being a "security expert" have to do with any of that?
My 10 year old nephew could have done that!

------
elessar0x3
I like this whole debacle. I think it ended well. HN, and the power of news
aggregating/forum/linking sites wield a decent amount of media power. I like
that - because it's one of the instances where the collective mind has greater
intelligence than any one individual. It confirms the notion that tech
producers need to pay attention to the tech community and shortens the
distance between the two, which I think is a good thing.

------
ryan-allen
This has got to get to 400+ points. For those who took the day off and will
continue to believe the sensationalism before it pops off the front page? To
be damned!

EDIT: I mean, this is the only tech news site I read. I don't know if I'm in
the same boat so to speak.

~~~
Devilboy
Got your wish, 400+ now!

------
nate23342
Customer service Reps would NEVER have the authority to tell you that there is
a secret Key Logger on your computer. So if a customer Rep is telling you
something like that, he is either trying to get fired or there is a
miscommunication.

------
spacemanaki
Wow, what a waste of everyone's time:

> [UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from
> Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new
> R540 laptop computers. These units were immediately put under seal and
> details recorded for chain-of-custody records. At 17:40, Dr Peter
> Stephenson, Director of the Norwich University Center for Advanced Computing
> and Digital Forensics, began the detailed forensic analysis of the disks. We
> expect results by Monday.]

[http://www.networkworld.com/newsletters/sec/2011/040411sec1....](http://www.networkworld.com/newsletters/sec/2011/040411sec1.html)

------
zachahack
Certs after your name are no substitute for common sense and good practices.

------
crististm
Great news... but what's with the SL folder? The report does not say what the SL
folder contains on a new laptop. Anyway, pretty dumb to check for viruses by
folder name.

~~~
jws
Slovene language support files. SL is their ISO 639-1 code.

<http://www.samsungtomorrow.com/1071>

~~~
lell
there's a separate folder in C:\Windows for every supported language? that
seems so messy.
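
The false positive this subthread describes, as an added example (not part of the thread and not any vendor's code): a path-only rule flags the language folder, while a rule that also requires a matching file hash does not. The directory layout, file names and the hash indicator are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed rule data: a folder name the rule associates with a logger, and
# the SHA-256 of a constructed payload. Neither is a real indicator.
SUSPECT_DIR = "SL"
LOGGER_PAYLOAD = b"constructed-logger-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(LOGGER_PAYLOAD).hexdigest()}

def path_only_scan(root: Path) -> list[str]:
    """Flag any directory whose name matches, without looking at its contents."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_dir() and p.name.upper() == SUSPECT_DIR)

def corroborated_scan(root: Path) -> list[str]:
    """Flag a matching directory only if a file inside has a known-bad hash."""
    hits = []
    for rel in path_only_scan(root):
        for f in (root / rel).rglob("*"):
            digest = hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
            if digest in KNOWN_BAD_SHA256:
                hits.append(rel)
                break
    return hits

def build_tree(root: Path, infected: bool) -> None:
    """Constructed stand-in for a Windows directory with per-language folders."""
    for lang in ("EN", "DE", "SL"):
        d = root / "Windows" / lang
        d.mkdir(parents=True)
        (d / "strings.dat").write_bytes(f"ui strings for {lang}".encode())
    if infected:
        (root / "Windows" / "SL" / "logger.bin").write_bytes(LOGGER_PAYLOAD)

def demo() -> dict:
    """Run both scans over a clean tree and a tree with the constructed payload."""
    results = {}
    for label, infected in (("clean", False), ("infected", True)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            build_tree(root, infected)
            results[label] = (path_only_scan(root), corroborated_scan(root))
    return results

if __name__ == "__main__":
    for label, (naive, corroborated) in demo().items():
        print(f"{label}: path-only={naive} corroborated={corroborated}")
```

On the clean tree the path-only scan still reports the `SL` folder, which is the alert that started the story; the corroborated scan reports it only when the constructed payload is present.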

------
falcolas
Perhaps I read it wrong, but the article never says Samsung didn't ship a
keylogger, it just indicates that the AV software can make false positives
based on a folder.

Can we get a link to an article that actually checks a Samsung laptop (and
lists their methodology, not this "Duh, there were not any keyloggers")
instead of anecdotal evidence and attacking the previous researcher's methods?

Even if the previous guy was wrong, at least he listed all his methods for
review.

~~~
kenjackson
The article says two things:

1) The whole saga was caused by a bad antivirus alert. This story never even
happens if not for that.

2) They checked a set of Samsung laptops and found no trace of keylogger
software. See <http://www.f-secure.com/weblog/archives/00002132.html>

Is there more you'd like to see be done?

~~~
falcolas
Yes (I did see the link back to the original article). Specifically, I'd like
some more information about their methodology.

1) How did they verify there were no key loggers (is their AV program set to
identify StarLogger instances)

2) What subset of Samsung laptops did they check

3) Did they check from more than one source

4) Did they verify that the laptops they checked haven't been wiped & reimaged
with the local store's base computer image (such as with Best Buy)

Without some of this basic data, their findings are perhaps more suspect than
the original article (not that I believe Samsung is doing this, I just
disagree that their conclusions are as cut and dried as they, and the link
title, indicate).

~~~
kenjackson
At this point we have no more evidence that Samsung has keyloggers than
Thinkpads or MacBook Pros.

We really should be doing what you suggest for all brands and models of
laptops. There's no evidence to suggest a specific issue with Samsung at this
point.

Even the antivirus manufacturer who detected the problem has acknowledged they
made a mistake.

[http://sunbeltblog.blogspot.com/2011/03/samsung-laptops-do-n...](http://sunbeltblog.blogspot.com/2011/03/samsung-laptops-do-not-have-keylogger.html)

A pretty first class post in my opinion.

It would be like a newspaper reporting that "Falcolas kills 5 people!" And
then turns out that you actually saved five people from drowning, and the
newspaper prints a retraction. But then someone says, "But can you prove he
didn't also kill five people at some point along the way? No one has really
come out to say that he's never killed five people." Sure you may have, but at
that point we have no reason to believe you have more so than anyone else.

~~~
falcolas
Sorry if I'm being unclear, but I simply have an issue with their conclusions
(and the article title), particularly since their article doesn't support it.

Absence of evidence is not evidence of absence. An absence of evidence, plus
noting the problem of the AV, is all that this article has.

The Ars Technica article [1] draws much better conclusions - "Samsung laptop
keylogger almost certainly a false positive". It's a significantly more
accurate conclusion than "Confirmed: Samsung is Not Shipping Keyloggers",
given the data that we have at this point.

[1] [http://arstechnica.com/hardware/news/2011/03/samsung-laptop-...](http://arstechnica.com/hardware/news/2011/03/samsung-laptop-keylogger-almost-certainly-a-false-positive.ars)

------
16s
False positives are the bane of IT security products in general. I would say
that 90% of issues reported are FPs and the end user is expected to figure
that out, confirm then double confirm before reporting it as a _potential_
issue.

------
Trufa
Though it is easy to say now, looking back, Mr. Hassan's investigation was far
less in depth than it should have been for such a serious accusation.

------
visakhcr
From the original post which started all this:
[http://www.networkworld.com/newsletters/sec/2011/032811sec2....](http://www.networkworld.com/newsletters/sec/2011/032811sec2.html)

"After an in-depth analysis of the laptop, my conclusion was that this
software was installed by the manufacturer, Samsung. I removed the keylogger
software, cleaned up the laptop, and continued using the computer."

So, the author, Mohamed Hassan was able to uninstall a software which was
never installed? I think he would have deleted the folder in question and
called that un-installing!!

------
tiki-tiki
Well, I'm no longer buying Samsung anyway. That's for sure.

~~~
estel
Care to explain why?

~~~
richbradshaw
They named a folder SL. Two letter folder name on a non unix system?

~~~
burgerbrain
Nice try at a cheap jab, but 3 or 4 character directory names are typical of
unix systems, not 2.

[https://secure.wikimedia.org/wikipedia/en/wiki/Filesystem_Hi...](https://secure.wikimedia.org/wikipedia/en/wiki/Filesystem_Hierarchy_Standard)
Not a single 2 letter directory name.

------
perspective
I sure hope someone got fired for that one _snicker_

------
originalgeek
"It is better to remain silent and be thought a fool than to open one's mouth
and remove all doubt." --Abraham Lincoln

