This is a good reminder to always do your homework before making such a strong accusation. Samsung's reputation is probably largely undamaged, other than among people who just read the headlines on news aggregator sites. Even searching for 'Samsung Key Logger' pulls up mostly articles about the false alarm situation.
Mohamed Hassan [MSIA, CISSP, CISA and graduate of the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009 as the original article prominently states], on the other hand, is probably not so lucky. Any Google search on his name from now on will probably reveal this whole debacle. Furthermore, I wouldn't be surprised if he just opened himself up to legal action by Samsung.
It should also be a good reminder to all of the people on HN who jumped to the conclusion that this guy was right on very sketchy evidence. This place is influential. We should do better.
I think the vast majority of top-level comments on that item considered the information dubious or were holding out for independent confirmation; I don't think HN leapt to a conclusion. My comment, one of the less obvious, was more from a good-idea perspective instead of assuming the story was true -- I had not decided yet.
Overall in that item I think HN did better than you imply, unless you mean the upvotes the item received.
I did my part and questioned this from the beginning only to be 'corrected' by other HN commentators. A competent person would have displayed logs, packet captures, stacktraces, etc. This guy just said "my infallible tools caught it" and those who want to believe in conspiracy theories just believed it. It was obvious from the get go that Mr. Credentials was just using an off the shelf definition based scanner.
Meanwhile, the shitty media outlets that irresponsibly spread this got all the ad impressions they wanted. The problem with truth is that it's not as profitable as BS. How many people will ever read the corrections?
HN had many skeptical comments right off the bat. I guess simply publicizing this story before it's confirmed is bad, but it's also how you shine light on an issue - in this case, clearing Samsung of any wrongdoing.
Reddit fared much worse, IMO, in that people continued to upvote the wrong story after the truth was out. The correction has been posted but isn't anywhere near the front page.
I agree completely with this sentiment. It's important to remember that the vast majority of "journalism" on the web isn't conducted very professionally.
Thankfully, it looked to be very few people. His article was written--and his tests were conducted--just about as poorly as they could have been. It was a huge show, and HN caught on quickly as far as I can tell.
To be fair, Mohamed Hassan did contact Samsung support and they didn't clear up the issue. In fact, I believe they may have even confirmed that there was a key logger installed! At that point his due diligence has been done and he has confirmation. He doesn't need to do anything further than that. Shame on Samsung support for such a pathetic showing.
He did not fulfill his due diligence. Not if they're going to add this to the article:
"Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix."
If they're going to pass him off as an expert, then he better be doing analysis that a normal layman can't do. If he has the credentials, then why is he basing his claim off of a conversation with low-level customer support?
They have experienced difficulty regarding the rates at which students receiving Federal Financial Aid graduate - i.e. their issues are based on low graduation rates and not based on being a diploma mill.
They have also received criticism for the large number of loan defaults, and lobbying to change how the loan default statistics are calculated to make their numbers look better (at least according to Frontline). Same program also mentioned private for-profit schools account for a quarter of all student aid in the country, a disproportionally high number since they are not a quarter of our schools.
Public universities have large numbers of lobbyists serving their interests as well.
UoP had about 400,000 students at the time the Frontline piece was produced - that's seven Ohio State Columbus's [http://www.osu.edu/osutoday/stuinfo.php] so number of schools is not perhaps the best measure.
Rightly or wrongly, because UoP has open enrollment they admit more students who are eligible for Federal Financial Aid than most schools because of the population they enroll.
And nothing in the Frontline piece accused UoP of being a diploma mill as was implied by the prior comment to which I responded. A criticism of their business model is a different indictment altogether.
Not sham degrees, exactly. They require the absolute minimum level of educational achievement necessary to edge over the fuzzy line between a diploma mill and legitimate education. Students go to UoP to get a piece of paper that helps their career and that they would generally be incapable of acquiring at a real university, while in exchange UoP is there to milk the students for every federally-guaranteed loan they can qualify for.
>Students go to UoP to get a piece of paper that helps their career ... while in exchange UoP is there to milk the students for every federally-guaranteed loan they can qualify for.
However, using Hassan's affiliation with UoP as a means of questioning his qualifications is a bit of a stretch. Given the rate at which bricks and mortar universities churn out graduates with advanced degrees for which there is little employment opportunity on physical campuses, online schools like UoP wind up as the best available option for new MSs and PhDs with an interest in teaching such as Hassan, particularly those with one foot in the commercial world.
It's worse than that. The whole article was a fluff piece rambling about his awesome credentials and comparing the discovery to the discovery of Sony's rootkit and was written to create hype rather than show concrete evidence. And why needlessly break the article into two parts except to garner page hits?
The money quote:
>The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.
It boggles the mind how a founder of a security consulting company can be so clueless. But most of HN and tech news sites like Slashdot fell for this with completely knee-jerk reactions, so I guess I am not surprised and the people behind his fiasco got the publicity they wanted. And remember HB Gary?
I am sure this hoopla would've cost Samsung some real damage in sales and they might be considering legal action. As Churchill said:
"A lie gets halfway around the world before the truth has a chance to get its pants on."
But yet they said yes... I wonder if I call them up and ask, "hey, Samsung CS, did you guys install a flurb-yulb-gumbler on my new laptop?", will they say, "yes, we use those to violate your privacy."
It was still incredibly disingenuous and dishonest. There is no way any person of reasonable IT knowledge would go to tech support for information on engineering decisions. He was fishing for confirmation and he got it - I have strong doubts about Mr. Hassan's intentions when he contacted support.
He did talk to customer support, and once in a while, I'd rather have a false alarm (keeping it to the level of information, rather than lawsuits) now and then, than something like this actually happening and kept under the radar.
>To be fair, Mohamed Hassan did contact Samsung support and they didn't clear up the issue. In fact, I believe they may have even confirmed that there was a key logger installed! At that point his due diligence has been done and he has confirmation. He doesn't need to do anything further than that. Shame on Samsung support for such a pathetic showing.
Extraordinary claims require extraordinary evidence. Especially when the person making claims is the founder of a security company. His due diligence consisted of things like "The software I used is false-positive proof since I am using it from 6 years". "I have done this on two different laptops with same results, so it must be Samsung's fault". Huh?
Everything that he did was just shameful. Suggesting class-action, writing two articles essentially saying the same thing (in a "2-part series"), shoving our faces with his credentials (that obviously didn't do much for him), claiming that his anti-virus program never had false positives, drawing comparisons to the Sony rootkit debacle, etc.
I hope this guy has it coming to him. If he's going to put his creds up like that, he's putting himself out there as an informed source. You expect that sort of sensationalism from journalists, not from a security "expert". Shameful work, overall.
I'm no expert on antivirus software, but figuring out whether something is a threat by its _folder name_??? With all the money going into the industry? That has to be some sort of April Fool's prank gone really bad.
AV software is written to pass the tests of AV software reviewers. This is subtly but importantly different from "written to accurately detect and block malware"; in particular, it's extremely difficult for a reviewer to test an AV's ability to block completely novel malware (unless they're a malware author themselves or connected with someone who is). So, people tend to set the AV software to scanning a folder full of known samples and judging the software on how many it detected (this is a nice, easy metric: you can make bar graphs out of it!) - in this situation, if chucking in a signature for C:\windows\SL gives you an easy extra malware detection at the cost of a false positive (that no reviewer's going to spot anyway), it's a no brainer.
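To make the point above concrete, here is an added example (not code from the original thread or from any AV vendor) contrasting a folder-name rule like the one described for C:\windows\SL with a content-based rule. The sample directory tree, file contents and "known bad" hash are all constructed for the demo; the hash stands in for a real sample hash, which this page does not give.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a real malware hash (not from the page).
KNOWN_BAD_SHA256 = hashlib.sha256(b"constructed-keylogger-sample").hexdigest()
SUSPICIOUS_DIR = "SL"  # the folder name the thread says triggered the alert


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_by_folder_name(root: Path) -> list[str]:
    """Weak rule: flag every directory literally named SL, whatever it holds."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.upper() == SUSPICIOUS_DIR:
                hits.append(str(Path(dirpath) / d))
    return hits


def scan_by_content(root: Path) -> list[str]:
    """Stronger rule: flag a file only when its hash matches a known sample."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if sha256_of(p) == KNOWN_BAD_SHA256:
                hits.append(str(p))
    return hits


def build_demo_tree() -> Path:
    """Constructed layout: one benign SL folder, one SL folder with a 'bad' file."""
    root = Path(tempfile.mkdtemp(prefix="avdemo_"))
    benign = root / "clean_laptop" / "windows" / "SL"
    benign.mkdir(parents=True)
    (benign / "language.dat").write_bytes(b"harmless language pack data")
    infected = root / "infected_laptop" / "windows" / "SL"
    infected.mkdir(parents=True)
    (infected / "kl.exe").write_bytes(b"constructed-keylogger-sample")
    return root


def compare_rules(root: Path) -> dict:
    """The folder rule fires on both machines; the content rule only on the real sample."""
    return {
        "folder_rule_hits": len(scan_by_folder_name(root)),
        "content_rule_hits": len(scan_by_content(root)),
    }


if __name__ == "__main__":
    print(compare_rules(build_demo_tree()))
```

The folder-name rule reports two hits for one real sample; the content rule reports one, which is why a path alone is a poor basis for a detection verdict.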
Not everything is useless. Code auditing is not necessarily useless; looking at the physical security of smart cards is not necessarily useless (but it looks like they could use some tougher certifications); pentesting/social engineering can have its uses.
Everyone I've met who's been working in the "IT Security Industry" has been exceptionally coy about what they test for and how. After a few drinks I've managed to get out that they're testing for "XSS, and SQL injection, you know things like that".
It stinks of proprietary crap and I wonder what it would look like if they took a more OSS approach? When you can't even talk about XSS testing without a bit of prodding as if it's something exceptional it really makes me wonder what on earth these guys are selling.
I've never done anything with them, but e.g. http://www.rootlabs.com/engineer-job.html sounded a lot more interesting than what you describe. On the open-source front, you find stuff like Metasploit, nmap, Snort, previously Nessus (forked as OpenVAS), web stuff like Nikto, etc.
Don't forget that lots of "programmers" are barely-skilled and working on VBA macros - one label can cover a wide range of skill.
I've met some guys who were pretty fit in encryption topics / key management etc on whole corporations. And it actually works, so you rarely hear about that. Quite some skills are needed to master that actually.
You'll have thousands of quotes from a so-called "Samsung supervisor" who said it's used to "monitor the performance of the machine and to find out how it is being used."
What is this bullshit? Where did the quote come from?
Amazing how most are just copy-paste.
It just proves that very few online news websites verify their source if the keylogger claim is false.
"The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years."
Mohamed's lesson: Just because you were unable to prove a false-positive with the same program for 6 years doesn't mean there weren't any.
The laptop story yesterday led me to learn about CarrierIQ on my cell phone, which was equally disturbing. Maybe the laptop was a false alarm, but my Samsung cell phone did indeed have a keylogger on it. So I'm not inclined to cut them a lot of slack right now.
http://forum.xda-developers.com/showpost.php?p=11763089
"A lie can travel halfway round the world while the truth is putting on its shoes." -- often attributed to Mark Twain
The original article was so poorly fact checked. It really reflects poorly on Mohamed Hassan (and all his fancy yet meaningless credentials) and M. E. Kabay (who apparently worships Mr Hassan unquestioningly). I will not hold my breath for a public apology from either of those two, although they are the ones who owe Samsung one.
And the irony is in fact delicious. A security expert finds a virus using an anti-virus scanner tool, and confirms it with some call center employee with the company. What does being a "security expert" have to do with any of that? My 10 year old nephew could have done that!
I like this whole debacle. I think it ended well. HN, and the power of news aggregating/forum/linking sites wield a decent amount of media power. I like that - because it's one of the instances where the collective mind has greater intelligence than any one individual. It confirms the notion that tech producers need to pay attention to the tech community and shortens the distance between the two, which I think is a good thing.
This has got to get to 400+ points. For those who took the day off and will continue to believe the sensationalism before it pops off the front page? To be damned!
EDIT: I mean, this is the only tech news site I read. I don't know if I'm in the same boat so to speak.
Customer service reps would NEVER have the authority to tell you that there is a secret key logger on your computer. So if a customer rep is telling you something like that, he is either trying to get fired or there is a miscommunication.
> [UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers. These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. We expect results by Monday.]
Great news... but what's with the SL folder? The report does not say what SL folder contains on a new laptop.
Anyway, pretty dumb to check for viruses by folder name.
Perhaps I read it wrong, but the article never says Samsung didn't ship a keylogger, it just indicates that the AV software can make false positives based on a folder.
Can we get a link to an article that actually checks a Samsung laptop (and lists their methodology, not this "Duh, there were not any keyloggers") instead of anecdotal evidence and attacking the previous researcher's methods?
Even if the previous guy was wrong, at least he listed all his methods for review.
Yes (I did see the link back to the original article). Specifically, I'd like some more information about their methodology.
1) How did they verify there were no key loggers (is their AV program set to identify StarLogger instances)?
2) What subset of Samsung laptops did they check?
3) Did they check from more than one source?
4) Did they verify that the laptops they checked haven't been wiped & reimaged with the local store's base computer image (such as with Best Buy)?
Without some of this basic data, their findings are perhaps more suspect than the original article (not that I believe Samsung is doing this, I just disagree that their conclusions are as cut and dried as they, and the link title, indicate).
At this point we have no more evidence that Samsung has keyloggers than Thinkpads or MacBook Pros.
We really should be doing what you suggest for all brands and models of laptops. There's no evidence to suggest a specific issue with Samsung at this point.
Even the antivirus manufacturer who detected the problem has acknowledged they made a mistake.
It would be like a newspaper reporting that "Falcolas kills 5 people!" And then turns out that you actually saved five people from drowning, and the newspaper prints a retraction. But then someone says, "But can you prove he didn't also kill five people at some point along the way? No one has really come out to say that he's never killed five people." Sure you may have, but at that point we have no reason to believe you have moreso than anyone else.
Sorry if I'm being unclear, but I simply have an issue with their conclusions (and the article title), particularly since their article doesn't support it.
Absence of evidence is not evidence of absence. An absence of evidence, plus noting the problem of the AV, is all that this article has.
The Ars Technica article [1] draws much better conclusions - "Samsung laptop keylogger almost certainly a false positive". It's a significantly more accurate conclusion than "Confirmed: Samsung is Not Shipping Keyloggers", given the data that we have at this point.
1) What was in the SL directory? F-Secure claims the certified guy never inspected it. What about them, did they inspect it? They could have easily asked Hassan for a copy (insert appropriate caveats here about trusting sources). Sounds like they didn't even find one on their own, so how can they assert they know what it does not contain? They might not have gotten one of the laptops with the payload; that doesn't mean they don't exist.
2) How did the SL directory get there? F-Secure didn't even offer a theory.
3) Is Samsung installing keyloggers on a subset (random sample) of their machines?
4) I'd like to see it stated clearly, with no weasel words: Is F-Secure under contract with Samsung or do they have any business relationship with Samsung whatsoever? If not, are they angling for one?
False positives are the bane of IT security products in general. I would say that 90% of issues reported are FPs and the end user is expected to figure that out, confirm then double confirm before reporting it as a potential issue.
"After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung. I removed the keylogger software, cleaned up the laptop, and continued using the computer."
So, the author, Mohamed Hassan, was able to uninstall software which was never installed? I think he would have deleted the folder in question and called that un-installing!!