Lessons from the “Samsung Keylogger”

On March 30, NetworkWorld.com published a report with the breathless headline: “Samsung installs keylogger on its laptop computers.” The next day, the story evaporated with an Emily Litella-style “never mind.” Along the way, though, Samsung’s reputation was besmirched and NetworkWorld ended up looking foolish. There’s a lot we can learn from this sorry episode.

  1. The original post (you have to find it among the updates; Google’s cached version has disappeared) should have raised a lot of red flags for NetworkWorld editors. Written by Mohamed Hassan of NetSec Consulting Group with M.E. Kabay of Norwich University, it said flatly that Samsung had installed a commercial keylogger called StarLogger on a new R525 laptop. The authors never identified the software they had used to detect the keylogger. They also went on at great length gratuitously comparing the situation to the 2005 case in which Sony BMG distributed a music CD that installed a rootkit on PCs, without ever explaining any relationship between the two cases. The piece ended: “Samsung! We see a class action suit in your future.”
  2. The piece failed to explain what possible motivation Samsung would have for installing a keylogger. Sony BMG, though its actions were stupid and illegal, at least had an anti-piracy motive.
  3. There’s a real question of whether Samsung was given a fair opportunity to respond. Hassan reported his findings to technical support and, after escalating the issue, was told the software had been installed to “monitor the performance of the machine and to find out how it is being used.” Assuming the accuracy of the report, the lesson is obvious: corporate employees at any level should not offer uninformed opinions or speculation, especially on matters with potential legal implications. Kabay writes: “We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.” We need more detail on the nature of these efforts. If Samsung PR indeed blew the inquiries off, they share in the blame for what ensued.
  4. The software responsible for finding the “keylogger” was eventually identified as GFI Software’s VIPRE (the former Sunbelt Software product). The detection was based on nothing more than the presence of a directory called C:\Windows\SL on the machine. StarLogger creates such a directory. Unfortunately, so does the obscure but entirely innocent Slovenian language support for Microsoft Windows Live. A signature that keys on a folder name alone, with no check of the files inside it, their hashes, or their behavior, will collide with anything else that happens to use the same name.
  5. To its immense credit, GFI came forward quickly to admit the mistake. In its GFI Labs blog, General Manager Alex Eckelberry explained how the error occurred and said: “We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.” Eckelberry is right: false positives happen and they can cause a lot of grief. When one slips through, the best course is to fix it quickly and apologize.
  6. Hassan and Kabay are both identified as security experts, but their expertise in this case seems to have been limited to running an antivirus program and unquestioningly accepting its findings. They present no evidence that they attempted to instrument the computer to find out whether a keylogger was collecting or sending out data. It’s not clear they ever looked inside the C:\Windows\SL directory.
  7. NetworkWorld hasn’t apologized to anyone, which is inexcusable.
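
Points 4 and 6 come down to one procedure that was skipped: when a scanner fires on a folder name, look inside the folder before believing it. The script below, added here as an illustration and not code from the original article, from Samsung, or from GFI/VIPRE, applies the same name-only rule the scanner used and then corroborates it with what the directory actually contains (file hashes and whether any file carries the “MZ” header of a Windows executable). The sample directories it builds are constructed stand-ins, not real Windows Live or StarLogger files, and the folder name rule (“SL”) is the only thing taken from the story.

```python
"""Corroborate a folder-name "keylogger" hit by looking at what the folder holds.

Added example for this post; it is not code from the original article, from
Samsung, or from GFI/VIPRE.  Assumption: the scanner's only signal was the
directory name (C:\\Windows\\SL), which both StarLogger and an innocent
language pack happen to create.  All sample directory contents are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# The colliding folder name from the story.
SUSPECT_DIR_NAME = "SL"


@dataclass
class Finding:
    path: str
    size: int
    sha256: str   # what you would compare against the vendor's indicator or submit for a second opinion
    is_pe: bool   # True when the file starts with the 'MZ' header of a Windows executable


@dataclass
class TriageResult:
    name_matches: bool
    files: list = field(default_factory=list)

    def executables(self):
        return [f for f in self.files if f.is_pe]

    def verdict(self) -> str:
        if not self.name_matches:
            return "no-match"               # the name-only signature would never have fired
        if not self.files:
            return "empty-dir"              # nothing here can run or record anything
        if self.executables():
            return "needs-investigation"    # code is present: hash it, check processes and autoruns
        return "likely-false-positive"      # name collides, but nothing in here can execute


def inspect_file(path: str) -> Finding:
    with open(path, "rb") as fh:
        data = fh.read()
    return Finding(path, len(data), hashlib.sha256(data).hexdigest(), data[:2] == b"MZ")


def triage(directory: str) -> TriageResult:
    """Apply the folder-name rule, then corroborate it with the folder's contents."""
    leaf = os.path.basename(os.path.normpath(directory))
    result = TriageResult(name_matches=(leaf.upper() == SUSPECT_DIR_NAME))
    if result.name_matches and os.path.isdir(directory):
        for root, _dirs, names in os.walk(directory):
            for name in sorted(names):
                result.files.append(inspect_file(os.path.join(root, name)))
    return result


def build_samples(base: str) -> dict:
    """Two constructed SL folders: one that looks like a language pack, one that holds code."""
    benign = os.path.join(base, "innocent", "SL")
    os.makedirs(benign)
    # Constructed stand-in for a language resource file; not real Windows Live content.
    with open(os.path.join(benign, "resources.mui"), "wb") as fh:
        fh.write("Slovenian UI strings (constructed sample)".encode("utf-16-le"))

    suspect = os.path.join(base, "suspect", "SL")
    os.makedirs(suspect)
    # Constructed stand-in for a dropped executable: only the 'MZ' magic plus filler, no real code.
    with open(os.path.join(suspect, "sl.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return {"benign": benign, "suspect": suspect}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, path in build_samples(tmp).items():
            r = triage(path)
            print(f"{label}: verdict={r.verdict()} files={len(r.files)} "
                  f"executables={len(r.executables())}")
            for f in r.files:
                print(f"  {os.path.basename(f.path)} {f.size}B pe={f.is_pe} sha256={f.sha256[:16]}...")
```

The verdicts are deliberately modest: a directory of resource files earns “likely-false-positive” rather than “clean,” and a directory holding executable code earns “needs-investigation” rather than “keylogger,” because what this script sees is still only static evidence. On the live machine the next steps would be the ones point 6 says the authors skipped: check whether anything from the folder is running or set to start at logon (Sysinternals Autoruns and Process Monitor are the usual tools), and watch for outbound traffic.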
