
Samsung Keylogger Stories a False Alarm

Posted by CmdrTaco
from the everyone-sit-down-and-chill-out dept.
Trailrunner7 writes "The panic that arose yesterday about Samsung allegedly shipping laptops that contained a pre-installed keylogger turns out to have been a complete mistake after further investigation by security researchers and the company itself. In fact, the controversy was the result of a false positive from one commercial antimalware suite and nothing else. Several outlets reported on Wednesday that Samsung laptops had been found to contain a keylogger known as StarLogger right out of the box from the factory. However, upon closer inspection by security companies, the folder on the laptops that supposedly contained the malware was actually a directory that is part of Windows' multi-language support."
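
The false positive described in the summary came from a signature that matched a directory name alone. As an added example (not part of the original story and not any vendor's code), this Python code shows the corroboration a path-only hit needs before it is reported as an infection; `triage_path_hit`, the sample language-code set and the indicator file names are constructed for illustration.

```python
import os
import tempfile

# Small sample of two-letter ISO 639-1 language codes. Windows keeps language
# resources in folders named after such codes ("sl" is Slovene).
LANGUAGE_CODES = {"de", "en", "es", "fr", "it", "ja", "ko", "sl"}


def triage_path_hit(directory, indicator_files):
    """Classify a signature hit that fired on a directory path alone.

    indicator_files are file names the signature claims should be present
    (hypothetical placeholders here, not real StarLogger artifacts).
    """
    name = os.path.basename(os.path.normpath(directory)).lower()
    wanted = {f.lower() for f in indicator_files}
    found, file_count = set(), 0
    for _root, _dirs, files in os.walk(directory):
        file_count += len(files)
        found |= wanted & {f.lower() for f in files}
    evidence = {
        "exists": os.path.isdir(directory),
        "file_count": file_count,
        "indicators_found": sorted(found),
        # "sl" and "sl-SI" both reduce to the language code "sl".
        "name_is_language_code": name.split("-")[0] in LANGUAGE_CODES,
    }
    if not evidence["exists"]:
        verdict = "not present"
    elif found:
        verdict = "corroborated"            # name plus matching content
    elif evidence["name_is_language_code"]:
        verdict = "likely false positive"   # name collides with a locale folder
    else:
        verdict = "unconfirmed"             # name only: keep investigating
    return verdict, evidence


def demo():
    """Run the triage over three constructed directory trees."""
    indicators = ["example_logger.exe", "example_hook.dll"]  # constructed names
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        empty_sl = os.path.join(tmp, "Windows", "SL")   # the reported case
        os.makedirs(empty_sl)
        results["empty_sl"] = triage_path_hit(empty_sl, indicators)[0]

        planted = os.path.join(tmp, "Other", "SL")      # name and content match
        os.makedirs(planted)
        open(os.path.join(planted, "example_logger.exe"), "wb").close()
        results["planted"] = triage_path_hit(planted, indicators)[0]

        odd = os.path.join(tmp, "Windows", "zz9")       # not a language code
        os.makedirs(odd)
        results["odd"] = triage_path_hit(odd, indicators)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Run a check like this against a volume mounted from separate boot media, so that anything hiding files on the live system cannot affect the directory walk.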

  • epic FAIL (Score:5, Insightful)

    by pasv (755179) on Thursday March 31, 2011 @09:36AM (#35677212) Homepage
    We believed someone who used a 3rd rate antivirus and didn't verify with a kernel debugger? FAIL on all our parts, especially the "security researcher" who so thoroughly researched this one.
    • by Whalou (721698)
      If you consider this an epic fail on the part of security experts, the HBGary incident must be a legen...

      wait for it

      ...dary fail.
    • Re:epic FAIL (Score:5, Interesting)

      by cf18 (943501) on Thursday March 31, 2011 @09:59AM (#35677420)
      Indeed.

      - an antivirus software that raises an alarm based on a two-letter directory name inside \Windows, even when it is empty.

      - a "security researcher" that takes the alarm at face value and never checks if it is actually there, checks if the process runs, what kind of content it was logging and where it is sending it.

      - a low level support manager who confirms the software's existence, probably thinking about the fan speed and temperature monitoring software.

      • by omnichad (1198475)

        The folder being empty could simply mean rootkit, though it would be a terrible fail of a rootkit not to hide the folder itself. The fact that the folder is actually a standard part of Windows is the worst fact.

      • Re:epic FAIL (Score:4, Informative)

        by recoiledsnake (879048) on Thursday March 31, 2011 @10:52AM (#35677996)

        First line of the article:

        Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix

        Then a whole lot of fluff about the Sony root kit fiasco.

        The money quote:

        The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

        That seems to be some very concrete proof.

        Then some ramblings about how a class action lawsuit will come out of this. I too smell a lawsuit but not against Samsung.

      • by exomondo (1725132)

        - a "security researcher" that takes the alarm at face value and never checks if it is actually there, checks if the process runs, what kind of content it was logging and where it is sending it.

        He didn't take it at face value, he did an 'in-depth analysis' and concluded that the malware was 'undetectable', you insensitive clod!

    • Heh I remember reading the line where he said that it definitely wasn't a false positive because it had never had one before, and going .... "what? Well, the part where he captures the network information or at the very least sees the log files on his disk somewhere must be coming soon." Nope! Just another credulous fool. By the end I was wondering how the hell he could claim that Samsung was logging every keystroke, when even if it was installed, in all likelihood Starlogger can be configured to do a numbe

      • by jdgeorge (18767)

        Apparently there is some sort of information-gathering going on, and any at all without clear prior notice to the user and the user's acceptance is ... unacceptable.

        That's completely unsubstantiated.

        • Yeah, that wasn't worded great, it sounds like too strong of a suspicion. By "apparently" I meant "it appears that", which is not the same as "it is certain". The admission was from a Samsung tech, according to the person who posted the unsubstantiated accusation in the first place. That part of his claim I don't doubt, but who knows what the tech thought he was referring to. It is odd enough that I think it bears looking into though, especially if you are or plan on being one of their customers. They would

    • Re:epic FAIL (Score:5, Insightful)

      by John Saffran (1763678) on Thursday March 31, 2011 @10:09AM (#35677536)
      Not to blow my own horn, but there were some of us who were sceptical of the story until it was proven by independent sources (http://slashdot.org/comments.pl?sid=2061772&cid=35673170).

      Basically the qualifications of the author aren't technical and he's commenting on a technical topic and the story was lacking on details so such a big claim couldn't (and shouldn't) be taken at face value without independent validation.

      In this case the independent validation seems to very strongly refute the claim, which is unfortunate for the author's reputation .. I hope he's learned a lesson from this, nobody needs security people talking about things they don't understand.
      • Basically the qualifications of the author aren't technical and he's commenting on a technical topic and the story was lacking on details so such a big claim couldn't (and shouldn't) be taken at face value without independent validation.

        Congratulations, you've just described 99% of /. posters

      • I too was sceptical of the story, but unfortunately I have no such proof of my scepticism. Instead of posting about my scepticism, I just passively accepted that it was part of slashdot's long slide into uselessness, and into its current position as the Fox News for nerds.

        Mod me flamebait if you like, but at least I'm on topic.

    • It's not an EPIC FAIL, it's marketing at its finest. I've never heard of VIPRE until this morning when I saw the news. Honestly, I wouldn't be surprised if they made it all up just to get attention. If not, that's probably the most profitable false positive in history (save me the medical diagnosis puns...)
    • FAIL on the part of everyone who blindly believes some slashdot story that doesn't name the supervisor, or any details of methodology, or any details beyond the finder's name.

      I mean seriously, do people really take all slashdot stories at face value?

    • I've seen a few people mention it already in previous articles but I'm actually beginning to wonder myself if this is an orchestrated FUD campaign against Samsung. The actors story was, well, a complete fucking non-story too.

      Rogue Apple fanboy, or Apple PR getting a bit twitchy about Android and Samsung's Galaxy phones and tablet perhaps?

      Will be interesting to see if this anti-Samsung FUD continues or if it's mere coincidence that two FUD stories have been posted about Samsung in such a short period.

      • I was a little leery of the actors story too even though I don't consider Samsung (or any other large corporation for that matter) as being the paragons of ethics, but in this case I'm guessing that it was just a case of an id10t shooting off at the mouth rather than someone paid to spread propaganda.

        If he was paid to write that I hope for his sake it was enough to retire on because now his credibility in the field is effectively negative (ie. people will avoid him). For me the worst thing he's done is t
    • by molnarcs (675885)

      We believed someone who used a 3rd rate antivirus and didn't verify with a kernel debugger? FAIL on all our parts, especially the "security researcher" who so thoroughly researched this one.

      Agreed, though I'm quite happy with the results of this FAIL - it showed what would happen if indeed, Samsung installed a keylogger. Sooner or later a company would have decided this to be a good idea. So it's kind of nice to have this small shitstorm without actual damage. The linked article uses such strong wordings as "the panic that arose yesterday" ... good! Companies should be reminded from time to time how sensitive this issue is...

    • Yet it did not stop every Blog and media outlet on the planet, including Slashdot, from picking up the story. Welcome to the blogs-as-news era.

    • Just to be sure ... we are certain that today's version of the truth is more reliable than yesterday's? We aren't just setting ourselves up for more egg on our faces?
  • by Anonymous Coward

    Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

    • Yeah, but wasn't the admission of guilt quoted from an email of the original finder? It's not like we saw a Samsung press release on this.

    • Re: (Score:3, Insightful)

      by LordLimecat (1103839)

      This is why they didn't give you a supervisor's name, or any further details on the phone call. There was nothing resembling evidence; it was all rumor and assertion.

    • Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

      I see no admission of guilt. Instead I see an answer to a question that probably didn't use the word 'keylogger'.

    • by X.25 (255792)

      Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

      Do you think this was official Samsung statement, or customer's interpretation of some random answer he received from a random person (that probably had no idea what he was talking about, but wanted to get rid of annoying customer asap) in a random call center?

      I actually can't believe this story was taken seriously for even a split second, considering complete lack of any research or evidence.

      Oh well, anything is news these days.

  • Appropriate quote (Score:5, Insightful)

    by _merlin (160982) on Thursday March 31, 2011 @09:38AM (#35677238) Homepage Journal

    The following fortune quote accompanied this story for me:

    It is not good for a man to be without knowledge, and he who makes haste with his feet misses his way. -- Proverbs 19:2

    Disturbingly appropriate, considering the story is about people jumping all over a false assumption. But I'm constantly surprised at the number of times a Windows installation with full multilingual support trips anti-malware or anti-virus software. Don't these guys even use their MSDN subscriptions to get a full set of Windows installs to test against?

    • Turn on the TV. Go to any "News" site. Everything is designed to make you react in some way. They especially like to find the most "outraged" person and interview them.
      It is a bit sad. People will freak out about stuff like this and demand action, yet your government erodes your rights and destroys your country a little bit more each day and the same people are quiet.
      Tell me /., where is the outrage for things that matter?

    • by Twinbee (767046)

      Or alternatively: "Before pointing fingers, properly research first", which is terser, less pretentious, and made in 20 seconds by yours truly. Also it has the advantage that it doesn't come from a book with lots of false information.

    • by tlhIngan (30335)

      Problem is, in the ever-changing world, one of the things is to accuse first and ask questions later, in order to get those website hits and oh-so-sweet advertiser revenue.

      The first ones to break the stories get the hits and eyeballs. The ones to do the research get left by the wayside, mostly unread while everyone else spreads mistruths because they never saw the followup, read beyond the headline, etc. Hell, it happens on /. too.

    • by snowgirl (978879)

      Windows 7 installs its Slovenian information in C:\Windows\sl-SI... so no, a Windows installation with full multilingual support would not trip up this anti-malware/anti-virus scanner (apparently VIPRE)

      Don't these guys even use their MSDN subscriptions to get a full set of Windows installs to test against?

      Your suggestion actually fails to fix the problem at all.

  • Quick! Call the worldwide boycott off before the entire company loses its 13.5Billion revenue.

    On a related note, could Samsung sue the journalists for libel?

    • Even if they could, which I doubt, why would they want to bring extra attention to this when it'll just go away tomorrow?

      • by erroneus (253617)

        Because apparently only Slashdot users know about the Streisand effect. Governments and every business on the planet seem not to have heard of it.

        • by jimicus (737525)

          The Streisand effect is generally associated with people doing something silly, realising their mistake and then trying to shut the door after the proverbial horse has bolted.

          In this case, I think the thing most likely to invoke the Streisand effect would be if the blogger tried to cover up the whole sorry episode by trying to bully sites mentioning either the original article or the subsequent debunking. I reckon Samsung, OTOH, could sue the blogger with relatively little fear of Streisanding. As long as

    • Re:Oh noes (Score:5, Insightful)

      by MarkGriz (520778) on Thursday March 31, 2011 @09:56AM (#35677394)

      Could? More like should.

      The title of the article was not "Did Samsung install keylogger on its laptop computers?"

      No, the title was "Samsung installs keylogger on its laptop computers", though it looks like they've updated it now to
      "UPDATE: Samsung keylogger could be false alarm"

      Great journalism there. Leap out of the gate screaming "keylogger!!!!" with zero fact checking, but later back off and say "oops we could be wrong"

  • by HawkinsD (267367) on Thursday March 31, 2011 @09:41AM (#35677252)

    At least Slashdot has the journalistic ethics to post the follow-up. Good for them. I note that Network World is doing the same.

    Yes, I said "journalistic" in the same sentence as "Slashdot." It's important.

    • by MarkGriz (520778)

      Yet the original story still has not been updated to correct the error.
      So much for journalistic ethics.

      • by wygit (696674)

        the "Part two" on the story has been updated. http://bit.ly/ib5R38 [bit.ly]

        UPDATE 3/31/11: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft's Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here. Still no explanation for why Samsung originally confirmed the keylogger's existence to Hassan, as seen below.

        UPDATE 3/31/11: GFI Labs, the m

        • by hellop2 (1271166)
          You said, "Still no explanation for why Samsung originally confirmed the keylogger's existence to Hassan, as seen below."

          Then you say, "GFI Labs, the maker of VIPRE, has issued an explanation and apology"

          So why do you think Samsung confirmed the existence of a Samsung installed keylogger?
    • True.
    • by Blakey Rat (99501) on Thursday March 31, 2011 @12:14PM (#35678874)

      Wouldn't it be better if they updated the *original* story with the correction, instead of posting a new one?

      Anybody linking to this story on Slashdot is still linking to an uncorrected version. It's not enough to correct the article; you have to correct the article at the same URL.

      • by idontgno (624372)
        The appropriate journalistic response is, apparently, a feeble Emily-Litella-esque "...never mind" after the end of a long-winded, spittle-flinging, completely off-topic rant.
    • by 1u3hr (530656)

      At least Slashdot has the journalistic ethics to post the follow-up. Good for them.

      They're not posting this as penance, they haven't apologised or retracted the original story; they're doing it to gain hits. Same reason they posted the first story without confirmation.

      Slashdot has no claim to being described as "journalism", or has any demonstrable professional ethics.

  • Makes no sense (Score:4, Insightful)

    by StillNeedMoreCoffee (123989) on Thursday March 31, 2011 @09:44AM (#35677272)

    The earlier article quoted Samsung as admitting to placing the software on their computers to gather information. Either that part of the earlier story is false or the current one is. This is not good journalism.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      It was confirmed by a low level support person who may or may not have understood what was going on.

      All the PR and Legal depts had "No Comment" till it was more thoroughly researched.

  • by mevets (322601) on Thursday March 31, 2011 @09:44AM (#35677276)

    I still hate the keylogging bastards that they are, and I want to see the whole company in jail...

  • is a Microsoft product?????

  • Pick up milk and eggs

    Pick up dry-cleaning

    Don't use VIPRE.

  • Wife's Laptop (Score:4, Interesting)

    by Cytlid (95255) on Thursday March 31, 2011 @10:04AM (#35677476)
    My wife has a Samsung R580 which is almost a year newer than the laptops the guy mentioned in the article. I was going to scan it with some decent rootkit programs (like f-secure blacklight or rootkit revealer) only to find out some of my favorites don't work with 64bit Win7. I wrote to the guy who wrote the article, asking about the name of the "commercial security scanner" he installed. He never replied back. I booted my wife's laptop into Linux last night using a Live CD, and performed some find commands for supporting files of the StarLogger program (which showed up in a google search). Nothing. I was thinking if this was true, hers was exempt because it was almost a year older. Turns out, I find out today, I did more research than this supposedly "phd security expert" had.
    • by Cytlid (95255)
      That should read that her laptop is a year _older_ not newer... oops. We all make mistakes.
    • You did more research, but this idiot got all the press. He thought he had something, so he ran to the media with it, and they ate it up. Of course, he looks really stupid now, but that's only because others were more thorough.

  • by supersloshy (1273442) on Thursday March 31, 2011 @10:06AM (#35677486)

    Inb4 all of the commenters from the previous Samsung article come in here and act like they didn't assume that the keylogger was real, didn't yell about how Samsung should/will be persecuted for this, and didn't ask for people to boycott Samsung ;)...

    I always hear Slashdotters complaining about "moral panic" and complaining about the "idiots" who don't do their research before making claims... How is this any different? Really, it's no different. Is the level of "corporate hate" on Slashdot really that high as to exclude any common sense (apparently not so common) when dealing with a subject like this where it's impossible to tell whether he was right? He said he was right in the previous article, but why did you blindly trust him? All it takes for a simple, non-assuming comment is to add "If this is true," to the beginning of your comments. It isn't very hard and it doesn't make you look like an idiot when the entire reason you said those things turned out to be bullcrap.

  • by evilgrug (915703) on Thursday March 31, 2011 @10:09AM (#35677528)

    The tagline for VIPRE AntiVirus is 'Finally Antivirus Software That Won't Slow Down Your PC!'.

    I guess we know why. Who wants to spend all those CPU cycles searching through binaries both in RAM and on disk, comparing them against a database of virus patterns, and performing advanced heuristics checks when it's so much easier to match directory names and call it a day?

  • by BitterKraut (820348) on Thursday March 31, 2011 @10:21AM (#35677640)
    From Samsung's comment at http://www.samsungtomorrow.com/1071 [samsungtomorrow.com] it seems that the security program used identified the folder as StarLogger based solely on the fact that the folder's name is SL for Slovene. Incredible.
  • "Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix."

    And is now the laughing-stock of the IT security world.

    Nice job moron!
  • I don't think it will ever be appropriate to remove the hyphen from "anti-malware". "Antivirus", sure, but "antimal" will always be too close to "animal" for easy parsing as a compound word.

  • by ashidosan (1790808) on Thursday March 31, 2011 @11:41AM (#35678522)

    John Graham-Cumming has an excellent, level-headed response [jgc.org] to Mohamed Hassan's entire "research."

    Also confirmed at F-Secure [f-secure.com].

  • Good work, Slashdot. Maybe you'll be a tad more cautious before reporting bogus news, eh?

    As for individual posters: How many of the people who screamed vitriol at Samsung will now apologize? How many of those who vowed to boycott Samsung in yesterday's thread will admit they were wrong?

    I'll bet very few.

    We live in a society where people treat indignation like a drug, always ready to believe the negative, always looking to be a victim. Sad times for the species indeed. Will people learn from this, and
  • The post from yesterday had this line in it. "After initial denials, Samsung has admitted they did this, saying it was to 'monitor the performance of the machine and to find out how it is being used.'"
  • That's what they'd like you to believe . . .

  • that corporations have become so powerful and governments so blase about the rule of law that a goodly chunk of even this crowd accepted this story as quite possibly true.
