Well, this clearly needs to get its own item. Yesterday we linked to a story about how Samsung is supposedly installing keyloggers onto its laptops to track user behaviour. Samsung immediately launched an investigation into the matter, and has come to a rather humbling conclusion: the guy coming up with the story is incompetent, and Samsung has the evidence to prove it.
Mohamed Hassan, who initially supposedly found the keylogger, ran a security program on his brand new Samsung laptop, and that program came to the conclusion that the keylogger StarLogger was installed in the %SystemRoot%\sl directory. However, Samsung immediately investigated the matter, and came to a rather humbling conclusion. Well, humbling for Hassan, that is.
It’s a simple test you can even repeat at home, and several people have confirmed that it indeed works. Basically, what we’re seeing here is a security program giving a false positive. Steps to reproduce Hassan’s results are as follows:
- Create the directory %SystemRoot%\sl
- Download and install VIPRE
- It will identify the folder created in step 1 as StarLogger
Now, to Hassan’s credit, I’m not entirely sure where Samsung got the idea from that Hassan used VIPRE; I can find no reference to the tool in Hassan’s articles. However, it might be that Samsung has more information than we do, since Hassan contacted Samsung about this, and probably mentioned to Samsung which tool he used. We have to believe Samsung on their blue eyes here, I guess (Dutch saying, no idea if it works in English).
You might be wondering – why would there be an sl directory in my Windows system folder? Well, it’s not there by default for sure, but it’s created by the Live application suite for multi-language support. I would love to test this out myself, but obviously, I’m not going to infect my computer with antivirus software that I’ve never heard of. Or even those that I have heard of. Especially not the ones I have heard of.
However, comments on the web indicate that Samsung’s three-step process indeed reliably produces the same outcome. It’s pretty sad that a story so light on details can spread so fast. We also posted the story, so we contributed to that, so apologies from us, too. We did have a question mark though, so, yeah.
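As an added example (not code from this article, from Samsung, or from Hassan), the script below does the check that separates a name-based false positive from a real detection: given a path a scanner has flagged, it reports whether anything actually lives there and, if files are present, records their sizes and SHA-256 hashes so the evidence can be archived and cross-checked with a second product. The function name triage_flagged_path is an assumption of this example; the demonstration runs on a temporary directory named sl rather than the real system folder.

```python
# Added example, not part of the original article: triage a path that an
# anti-malware product has flagged, to tell a name-only match from a real find.
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_flagged_path(flagged: str) -> dict:
    """Classify what actually sits at a path reported by a scanner.

    Returns a dict with a 'verdict' and, for any files found, their relative
    names, sizes and SHA-256 hashes for archiving and cross-checking.
    (Hypothetical helper written for this example.)
    """
    target = Path(flagged)
    if not target.exists():
        return {"verdict": "no_such_path", "files": []}
    if target.is_file():
        return {
            "verdict": "file_present_archive_and_cross_check",
            "files": [{"name": target.name, "size": target.stat().st_size,
                       "sha256": sha256_of(target)}],
        }
    files = []
    for child in sorted(target.rglob("*")):
        if child.is_file():
            files.append({
                "name": str(child.relative_to(target)),
                "size": child.stat().st_size,
                "sha256": sha256_of(child),
            })
    if not files:
        # An empty directory contains no code. A detection here can only be a
        # match on the directory name, which is exactly the false positive the
        # reproduction steps in the article demonstrate.
        return {"verdict": "empty_directory_name_match_only", "files": []}
    return {"verdict": "files_present_archive_and_cross_check", "files": files}


if __name__ == "__main__":
    # Constructed demonstration: an empty "sl" directory, then one with a
    # harmless sample file, both under a temporary directory.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sl_dir = Path(tmp) / "sl"
        sl_dir.mkdir()
        print(triage_flagged_path(str(sl_dir)))
        (sl_dir / "sample.bin").write_bytes(b"constructed sample bytes, not malware")
        print(triage_flagged_path(str(sl_dir)))
```

The point of the verdict strings is procedural: an "empty_directory_name_match_only" result means there is no binary to analyse and the claim rests on a path name alone, while a "files_present" result hands you hashes to keep and to submit to a second engine before drawing any conclusion.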
I’m not going to infect my computer with antivirus software […]
I like the way you worded that, Thom. I agree 100% with the fact that antivirus software are infectious (I often say myself that they are worse than viruses) and I’d love to read an article from you on the topic.
Actually, the only antivirus software I tolerate is MS Security Essentials. Contrary to all the other over-bloated antivirus, it has a minimal GUI and never gets in my way.
But yeah, I’ve been running an XP machine for 10 years without an antivirus and haven’t got any problems. I guess that’s because I don’t install every .exe that passes by.
Not being aware of a problem does not necessarily mean you don’t have one.
Not all problems found their way into people’s machines through installing shaky programs; some find their way through exploits of bugs found in pretty high-profile and widely used applications.
The best way to be sure is to reinstall and start afresh, you should do that as soon as possible
If you haven’t been infected you’re lucky. You do minimize your risky behaviour which helps reduce the odds, but not installing anti-virus on windows is still a horrible idea.
It depends. If your home network is behind a firewall and you are using AdBlock and FlashBlock on your browser then you’re already pretty secure. Most viruses and malware these days come from open ports on your network, or via ads, so blocking both of them goes a long way.
I personally hate using antivirus, they bog the PC down and slow everything, and with some common sense, a firewall and AdBlock+FlashBlock I have only gotten one malware attack so far. The one malware program that did get on my PC actually came through Windows Live Messenger and after that I quickly switched over to eMesene.
If you’re not feeling comfortable not running any antivirus software on your PC, that’s OK.
It doesn’t mean that others have to feel that way, nor that they’re taking any risk not doing so.
Saying so is actually quite insulting.
My opinion ( shared by many, many security experts and industry security standards) was a purely technical one. It was not in any way personal, and should not be taken as such.
Yeah, +1 for that wording. I always say that you’re probably better off with viruses than running Norton, for instance. But the best solution is of course MSE – low resource use (unnoticeable even on low-end Atom netbooks), stays out of the way, does one job and does it well (one of the very few tools from MS that follow the UNIX philosophy).
I second that too. I gave up on running antivirus for my personal workstations somewhere between Windows NT4 and 98 and never looked back (and by workstations, I mean, nobody else but me touches them). I did manage to get infected maybe twice in all that time, but that was a long time ago, and nothing that grants changing my position on the subject matter…
However I would NEVER recommend that to anybody I know – I think it is something that a true power user has to naturally come to the conclusion him/herself. So I duly install it for anyone that asks for my help reinstalling Windows, and also try to keep track of the best ones, even though I don’t use them myself…
What was it with Samsung saying “yes, we did put a key logger there” as linked in the first article? Sounds odd to say something like that right away, unless they confused this finding with some other “performance monitoring” program they install.
Regarding how they knew he was using VIPRE, I cannot find the link anymore but after the first news I followed links and ended up in some forum where they discussed the VIPRE program. Maybe Samsung’s people found that from there, too.
Well, it’s conceivable that the original security “expert” could be lying about that. I’m not saying he is, but it’s possible especially in an internet article. Anyone can fake an email header.
I’ve read that the first was given by a bottom level support guy (though I’ve read it in /. comments, so I’m not sure).
If this is indeed true, it would support Samsung’s case, since I doubt they would announce their evil masterplan to every single employee of theirs.
So, it turns out that the supervisor from Samsung’s support seems to be incompetent, because he is the one that is confirming that (sort of, probably not knowing what this is). I wouldn’t install any anti-virus, too; such software is written by the same people that write viruses. Thom, the blue eyes saying seems to be known all around the world, but for sure it works in Bulgaria. Made me laugh.
The correct phrase in English would be, “we have to take Samsung at their word,” or, “we have to take Samsung’s word for it.” http://dictionary.reference.com/browse/take+someone+at+his+or+her+w…
Edited 2011-03-31 13:52 UTC
And in Norwegian the phrase would be to believe something on someone’s “ærlige ansikt” which translates to “honest face”.
No, not that all around the world as you might think. It didn’t work on me. It probably would not work on Asians at least. (I am not a racist. I myself originated from Asia.)
By reading the original text, it’s clear that the author didn’t bother to do any form of investigation. Based on the result of a tool and a statistic of two, he starts making wild unfounded claims. Why is this even mentioned on OSAlert ?
Seriously, it’s not hard to keep an archive of the offending binaries, it’s not rocket-science.
And he definitely deserves the flack he is getting.
I’m not sure which side to believe on this one, but if Hassan really was using Vipre, he deserves to be ridiculed. That program has a history of false positives worse than most. It’s become famous in certain circles for misidentifying accessibility products, such as screen readers and magnifiers, as Malware and removing them without consulting the user.
It’s not just Vipre, it seems; some other never-heard-of AV tools are also mistaking the SL folder for a virus.
Epic failure from 2 people who claim to be security experts!
Well, it always seems that those willing to call themselves experts are usually the least knowledgeable.
“We have to believe Samsung on their blue eyes here, I guess (Dutch saying, no idea if it works in English).”
Not really, but that’s because they actually fought the Nazis.
:>
I believe this guy just changed jobs! If he is still a security expert, then Webster’s dictionary should redefine the word “expert”.
It’s not fair to publicly label someone as incompetent on a news site. Hassan jumped to conclusions too early and made a terrible mistake. Literally, everyone makes mistakes. The next time you make a hasty mistake, I will write a public news article calling you incompetent.
There’s also a lesson to be learned; bringing this ‘issue’ to Samsung’s attention first would have been a classier method of resolution and saved embarrassment.
And you’d be right. I’ve been incompetent on several occasions in the past, and I sure as hell will be incompetent in the future.
I beg to differ. An expert cannot afford to make childish mistakes like this.
He made a stupid mistake and unfortunately he publicised his findings on the Internet. There is no way to correct this with publicly printing a correction highlighting the stupidity of the mistake.
OSAlert is, to some extent, labelling themselves as incompetent – they should really have checked that there was good evidence to back up the claims. I don’t think they will be making the same mistake any time soon.
It is a little worrying that this story got any credence. The author has spent years (at least 18 months) studying for a masters degree in Information Assurance and what skills has he come out with at the end of it?
He has learnt how to run a virus scanner. It seems he has also learnt that they can sometimes provide false positives. How does he verify that it isn’t a false positive? Well, he doesn’t need to, because the software has never (to his knowledge) reported a false positive in his experience. I don’t think I will bother pointing out all the holes in that piece of Swiss cheese reasoning.
The letters after his name are curious: he has an MSc in Information Architecture and a couple of certs, CISSP and CISA (a systems auditing qualification, primarily for accountants who already hold a CIMA). I wonder what his bachelor’s was in, if he holds one?
People should wait a bit before linking stories like this hot off the press.
For false-positive performance comparisons, see below.
http://www.virusbtn.com/index (Virus Bulletin)
http://www.av-comparatives.org/ (AV Comparatives)
In the past month I bought a Samsung laptop. Nice lappy. Don’t use Vipre, though. NIS2011 didn’t flag it.
Yesterday I checked the Samsung laptop I bought in November and there was no “C:\Windows\SL” directory.
This said: I did not find any evidence for such a keylogger…
I didn’t even know that samsung made laptops.
Well this is good news, now I don’t have Samsung Lappy’s but I do have their Plasma, a few monitors, drives, etc. I really like their products and this news threw me for a spin.
Now for network world to report this without really basic validation of the claims does throw serious egg in their face.
Did anyone really believe it? I never did (and probably never will) buy a Samsung computer, but really… even though I barely read into the original article, it seemed like something was up with it. I didn’t care anyway (couldn’t care less about their computers, really), so I didn’t think much of it, but I thought the whole claim seemed a bit far-fetched.
The whole Sony rootkit situation was ridiculous and it’s amazing that a company (ANY company) could have let that go, but this one seems (to me) even worse if it were to be true. And this is not Sony, so it’s a bit less likely in my opinion. Samsung, unlike Sony, has always seemed to me like a relatively decent company compared to many of them out there. While Sony practically shot themselves in the foot, this would be like amputating a leg. That’s just not exactly something I could imagine a more trustworthy company like Samsung doing.
Not at all… especially since you’re talking about Koreans…
Incidentally, American surveys have found that people in general envy blue and green eyes, but judge their owners as dishonest. Maybe the Dutch have a different perception on the latter, one more aligned with the hypotheses of evolutionary psychology (American surveys aren’t terribly fond of evolution, either).
http://www.psychologytoday.com/blog/the-scientific-fundamentalist/2…
In journalism, that’s not a question mark; it’s a cavuto. Named for Neil Cavuto of Fox News, the cavuto allows lazy and/or intentionally deceptive journalists to make up any alarming statement with little or no connection to reality and present it as a headline.
http://www.thedailyshow.com/watch/wed-september-13-2006/the-questio…
With the pace of Web news, it’s inevitable that more and more stories will just provide the lead with a cavuto on it rather than investigating, determining, and writing up the actual story. It’s all in the name of keeping up with the headlines.
PhD students these days are not what they used to be. It’s a good thing he screwed up and made a fool of himself while still a student, rather than as someone with actual responsibility.
Most consumers have no clue that many anti-malware programs miss important infections, while many others yield false positives. The lesson — always install and use more than one anti-malware program for good cross-checking and results verification.
The public seems to have been lulled into a sense of security with MSE and rely on it alone to protect their Windows systems. MSE is an excellent product! But relying on it alone violates the fundamental principle that you need more than a single product to avoid false positives and negatives.
Unfortunately this public attitude guarantees malware problems will continue in the years ahead with Windows computers.