I personally wouldn't compare these two incidents but just wanted to remind you that the Lenovo incident was malicious by design. This one can, and most likely will, be attributed to carelessness.
The article suggests that as well, the way I read it:
"Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.
This type of debugging turns the audio driver effectively into a keylogging spyware."
Carelessness sounds like a fairly reasonable explanation, simply applying Hanlon's razor. :)
> Carelessness sounds like a fairly reasonable explanation, simply applying Hanlon's razor. :)
On the other hand: If you do believe that there exists software on most computers where a security hole has deliberately been left in (and since Snowden you should), applying Occam's razor will tell you that it probably looks like "innocent incompetence", since, considering the typical software quality, this gives rather plausible deniability.
To be fair, logging keystrokes to a debug log sounds like something I might have done if I had to write and/or debug such a piece of code.
Then again, I probably would have wrapped that code in an #ifdef so it is only present in debug builds.
Come to think of it, I have done something like this, except I only logged keystrokes the application received directly, and I did wrap it in an #ifdef, although my motive was more along the lines of preventing the debug log from filling up the customers' hard drives. ;-)