The story looked like stop-the-presses material: A user had singlehandedly caught a major manufacturer installing keylogging software on its laptops.
On Tuesday, Network World published that allegation. Mohammed Hassan, founder of the Toronto security-consulting firm NetSec, wrote that he’d made a shocking discovery after checking a new Samsung laptop with a commercial security program: “The scan found two instances of a commercial keylogger called StarLogger installed on the brand-new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.”
Hassan then repeated this exercise on a second Samsung laptop and got the same results.
A keylogger, for the uninitiated, records every single keystroke, sends those records to a third party and does so without detection. It is the gravest sort of security threat imaginable on a computer, since it trumps cryptic passwords, strong encryption and other standard security measures.
Hassan noted an earlier case of a big-name company concealing malware on a computer — Sony BMG’s foolish attempt in 2005 to enforce copying restrictions on an audio CD by having it silently install a “rootkit” on Windows computers — and concluded that Samsung was up to the same mischief. In a follow-up post, he cited an unnamed Samsung tech-support rep who eventually admitted that the Korean firm had put the software there to “monitor the performance of the machine.”
Computer-security professor Mitch Kabay concluded that second post by noting that Network World hadn’t gotten a response from three Samsung PR reps in a week. He ended the piece with a bang: “Good luck, Samsung! We see a class-action lawsuit in your future…”
The story promptly went viral, at which point Samsung took notice and pledged to investigate the matter with Hassan. And the truth turned out to be something much less dramatic: The security tool he’d used, GFI Security’s VIPRE, had been confused by a directory added by Microsoft’s Windows Live software. There was never any keylogger.
GFI’s general manager, Alex Eckelberry, took the blame for the false alarm in a sheepish blog post Thursday morning, saying “we have no one to blame but ourselves.” He wrote that VIPRE normally looks at folder paths as a last resort and was confused by a windows\sl directory that doesn’t exist in a standard Windows 7 installation, but which Windows Live adds to store its Slovenian-language files. “Samsung started pre-installing Windows Live, including all the languages, and there you have the problem we’re having today.”
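The failure mode Eckelberry describes, a rule that convicts on a folder path alone, can be set beside a rule that also requires matching file content. This is an added illustration, not GFI's or VIPRE's code; the signature name, file names and payload bytes are all constructed, and `demo()` returns the three verdicts.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature for a hypothetical "ExampleLogger"; these are NOT
# StarLogger's real artifacts, which the article does not list.
SIGNATURE = {
    "name": "ExampleLogger",
    "path_suffix": ("windows", "sl"),  # folder-path trait, compared case-insensitively
    "file_sha256": {hashlib.sha256(b"constructed logger payload").hexdigest()},
}

def path_matches(directory: Path, sig: dict) -> bool:
    """True when the directory's trailing components equal the signature path."""
    tail = tuple(p.lower() for p in directory.parts[-len(sig["path_suffix"]):])
    return tail == sig["path_suffix"]

def content_matches(directory: Path, sig: dict) -> list:
    """Names of files in the directory whose SHA-256 is in the signature."""
    return sorted(f.name for f in directory.iterdir()
                  if f.is_file()
                  and hashlib.sha256(f.read_bytes()).hexdigest() in sig["file_sha256"])

def scan(directory: Path, sig: dict, require_content: bool) -> str:
    """Return 'detected', 'suspicious-path-only', or 'clean'."""
    if not path_matches(directory, sig):
        return "clean"
    if not require_content:
        return "detected"          # path-only rule: the folder name alone convicts
    return "detected" if content_matches(directory, sig) else "suspicious-path-only"

def build_sample(root: Path, files: dict) -> Path:
    """Create <root>/Windows/SL holding the given constructed files."""
    d = root / "Windows" / "SL"
    d.mkdir(parents=True)
    for name, data in files.items():
        (d / name).write_bytes(data)
    return d

def demo() -> dict:
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        benign = build_sample(Path(a), {"strings.dll.mui": b"Slovenian UI resources"})
        infected = build_sample(Path(b), {"svc.exe": b"constructed logger payload"})
        return {
            "benign_path_only": scan(benign, SIGNATURE, require_content=False),
            "benign_corroborated": scan(benign, SIGNATURE, require_content=True),
            "infected_corroborated": scan(infected, SIGNATURE, require_content=True),
        }
```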
But the story should have looked fishy from the start. The whole point of keylogging is not to be found out, so why would a keylogger park itself in an easily found, obviously named directory? (Those of you who have battled malware infestations know how deeply these programs will bury themselves.)
Further, why would Samsung want to do something as crazy as record every keystroke of all its users? How would that fit into any possible business model for the firm? If you have to impute James Bond villain behavior to a company to make a theory work, you may need to rethink your theory.
Sure, Samsung PR should not have blown off Network World’s inquiry, and its tech-support employee shouldn’t have talked about things beyond his or her knowledge. But those things happen all the time; you can’t give them too much weight.
You’ll hear a useful saying for this kind of story in any good newsroom: If your mother says she loves you, check it out.