AfterDawn: Tech news

GFI apologizes over Samsung keylogger claim, no one else does yet

Written by James Delahunty @ 02 Apr 2011 3:20

GFI, the company that owns the VIPRE security products, has apologized for its part in a claim made earlier this week that Samsung pre-installed keylogging software on new laptops.
Headlines about Samsung pre-loading spying software on its laptops made waves online on Wednesday and through Thursday. The claim was originally published by NetworkWorld.com through a guest contributor, Mohamed Hassan. Some contributions were also made to the articles by Mich Kabay.

Original Reports - Discovery

The two-part report from Hassan and Kabay separates the story into the discovery of the keylogging software, and then Samsung's response and alleged admission to it being there.

Some problems with the claims were immediately noticeable. Firstly, in the discovery article, Hassan claims to have been alerted to the presence of the threat on a new Samsung R525 by a "commercial security software" he installed on the system. Hassan never names the security product that fingered the threat, which is bizarre in itself for such a report, especially given the gravity of the accusation against Samsung.

Nevertheless, the security product did flag the C:\Windows\SL directory as the "StarLogger" keylogger, a commercial tool used for spying on activities. This was also the case for a second Samsung laptop, R540, that he got weeks later after experiencing problems with the video display driver in the R525.

Hassan interpreted the presence of the same alleged threat on two Samsung laptops, discovered by the same security software, as supporting his own position that the manufacturer had placed it there. He ruled out a false positive since he had been using the tool that discovered it for six years and never experienced one.

This turned out to be a disastrous assumption on his part. After contacting Hassan, Samsung did its own tests and quickly confirmed that there is no keylogger on either laptop. Instead, VIPRE security software incorrectly reported the C:\Windows\SL directory as the StarLogger program.

GFI apologizes for false positive

Using a company blog, Alex Eckelberry, general manager of GFI Security, posted an apology. He acknowledged that VIPRE did produce a false positive for a directory used for the Slovenian language with Windows Live products. Unfortunately, the same directory is also known to be used with StarLogger.

"The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize 'rarely', as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process," Eckelberry wrote.

"We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive. False positives do happen, it's inevitable and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes."
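
The failure mode Eckelberry describes, as an added example that is not from GFI or the original article: a folder-path-only heuristic flags a laptop that merely holds language resources in C:\Windows\SL, while a check that treats the path as a lead and also requires a known-bad file hash does not. The file names, file contents and hash set are constructed for illustration and are not real StarLogger or Windows Live artifacts.

```python
import hashlib
from pathlib import PureWindowsPath

SUSPECT_DIR = PureWindowsPath(r"C:\Windows\SL")  # folder named in the article

# Constructed stand-in for a keylogger binary; not real StarLogger content.
FAKE_KEYLOGGER = b"constructed-keylogger-sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_KEYLOGGER).hexdigest()}


def files_in(fs, folder):
    """Return {path: content} for files directly inside `folder`.

    PureWindowsPath compares case-insensitively, as Windows paths do.
    """
    return {p: c for p, c in fs.items() if PureWindowsPath(p).parent == folder}


def path_only_verdict(fs):
    """Folder-path heuristic: the folder's presence alone is the detection."""
    return bool(files_in(fs, SUSPECT_DIR))


def corroborated_verdict(fs):
    """Path is only a lead: list files inside it whose hash is known-bad."""
    hits = [p for p, c in files_in(fs, SUSPECT_DIR).items()
            if hashlib.sha256(c).hexdigest() in KNOWN_BAD_SHA256]
    return sorted(hits)


# Constructed file listings (path -> content); names are illustrative only.
CLEAN_LAPTOP = {
    r"C:\WINDOWS\SL\locale-resource.dll": b"slovenian language resources",
    r"C:\Windows\System32\kernel32.dll": b"system file",
}
INFECTED_LAPTOP = {
    r"c:\windows\sl\logger.exe": FAKE_KEYLOGGER,
}

if __name__ == "__main__":
    for name, fs in (("clean", CLEAN_LAPTOP), ("infected", INFECTED_LAPTOP)):
        print(name, "path-only:", path_only_verdict(fs),
              "corroborated:", corroborated_verdict(fs))
```

The path-only check cannot tell the two listings apart; only the corroborated check separates the benign locale folder from the one holding the flagged file.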

Samsung admission of guilt?

According to a NetworkWorld.com article posted on Thursday, it was this reliance on the accuracy of VIPRE's scan results and "oral confirmation" that ultimately led to the mistake. The oral confirmation refers to an alleged admission that Samsung does install the software on its laptops to "monitor the performance of the machine and to find out how it is being used."

This admission allegedly comes from a supervisor of Samsung Support, to whom Hassan was transferred by tech support staff. "The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop," Hassan wrote.

This alleged confession is also very bizarre and it would be interesting to hear something from Samsung about this claim. Still, we're not entirely sure that the word of a tech support supervisor should have been used as actual evidence of guilt.

So what has happened since?

According to updates posted on NetworkWorld.com, Samsung handed over two fresh laptops for analysis, probably just to be thorough.

[UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers. These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. We expect results by Monday.]

It also seems that most outlets that reported the incident have since updated their articles to reflect the discovery that it was all just a false positive and nothing more. However, there are still some questions that need to be answered. I had pointed out in my original article about this that it was taking a very long time for NetworkWorld.com, the source of this false accusation, to update their articles about it, and had also posted a graphic they were using to advertise the story on their main page.

They did eventually remove the graphic and post an item stating that Samsung has been "cleared" of the accusation. Later articles include one about GFI's apology and explanation of the false positive, and the latest on the site now is titled, "Bad assumptions lead to false claim about Samsung laptops."

Even though the original article title has since been changed to "UPDATE: Samsung keylogger could be false alarm", it still is listed in NetworkWorld.com's "Most Read" list as "Samsung installs keylogger on its laptop computers" (as shown on the left).

This is somewhat disappointing, especially since GFI posted an apology to Hassan and Samsung for VIPRE's mistake. The point that should be made is that GFI really doesn't have to apologize to either. Perhaps it owes Hassan an apology as a customer of its products for the mistake, but it does not owe an apology to Samsung (perhaps it does to Microsoft for flagging a folder used with Windows Live software, but a public apology even for that would be a bit much).

False positives are just a reality that has to be dealt with when using security products such as VIPRE. GFI never made any accusation about Samsung installing any spying software on its laptops, and is certainly not responsible for Hassan doing so, Kabay contributing to it or NetworkWorld publishing and promoting it as fact.

This same stance is mirrored in comments on the NetworkWorld articles, as well as GFI's own blog. Readers point out that the ones left to apologize are the ones carrying sole responsibility for the mess.

Perhaps an apology will be made after the "forensic" analysis of the two laptops Samsung provided is finished, by Monday. One has to question why Samsung even needs to prove its innocence any further than it already has; perhaps it just wants it to be as clear as possible. Either way, let's wait on the results of the forensic test. I don't think there will be any surprises.


3 user comments

1. 2.4.2011 4:16

Quote:

False positives are just a reality that has to be dealt with when using security products such as VIPRE

That isn't really true...VIPRE can't detect viruses, so they have no excuse for false positives. They should issue a public apology for making VIPRE.


2. 2.4.2011 10:52

Now here's where I don't understand it, Samsung gets reamed for keylogging their laptops because they spy on you through it. Sony gets away with doing it to PS3....

This message has been edited since its posting. Latest edit was made on 02 Apr 2011 @ 10:54

3. 2.4.2011 21:40

Anyone who was still loyal to Sony after OtherOS removal doesn't care how bad Sony screws them.


