March 31, 2011

About the Samsung “Keylogger” Story: Who’s to Blame and What We Can Learn From It

Yesterday, Network World shocked the Internet with a report that, allegedly, Samsung had installed a keylogger in its R series of laptops.

The whistleblower was a security researcher named Mohammed Hassan of NetSec. In the Network World piece, he explained how two computers he bought, both R series, carried within the commercial keylogger StarLogger. A company rep confirmed its existence on the phone after he called customer service to complain.

Needless to say, Network World’s scoop was quickly covered by many popular blogs like Engadget and ReadWriteWeb. It was about to go supernova today as consumer publications and daily newspapers joined the fray.

The opposite happened. A day after the original post went up, we finally found out it was a false-positive. It turns out Sunbelt’s Vipre (not mentioned in the original Network World piece) mistook a language-specific folder within Windows for an actual keylogger.

I’ve been thinking about this episode a lot. I would like to share some conclusions with you.

1. Why did Network World choose to publish Mr. Hassan’s findings?

They wanted to be first — it’s important to be the first source of breaking news for traffic purposes
They contacted Samsung’s PR dept but didn’t hear back for a whole week (that was awfully nice of them — some wouldn’t wait a full 24 hours)
Mr. Hassan included a purported quote by a Samsung rep, which gave his story more credibility

2. Why did it take so long for Samsung to address the problem?

They thought, correctly, that Mr. Hassan and Network World didn’t do their due diligence
They didn’t see Network World’s emails — there’s always a chance that the publication failed to go through the proper channels, or that someone on Samsung’s side dropped the ball

3. Why did the other blogs cover the story as well?

The fact that Network World covered it gave them enough material (claim/counterclaim) to go ahead with the story
Mr. Hassan had a statement from Samsung admitting the existence of StarLogger
There was a clear, immediate risk to other Samsung customers — it was a matter of public service to inform everyone as quickly as possible

In the end, I think there were three main factors that made this into a story. They were:

a) Mr. Hassan didn’t scan his PC with a second security suite. He didn’t submit his findings to a tech support community forum either — including Sunbelt’s. I still can’t fathom how a security expert didn’t think it would be wise to seek a second opinion before accusing Samsung publicly.

b) If what Mr. Hassan wrote is true, a Samsung rep confirmed his suspicions. What probably happened was that the rep didn’t understand what he was referring to. If Samsung had put Mr. Hassan in touch with a high-level manager right away, maybe they would have avoided the whole thing.

c) Samsung PR failed to respond on a timely fashion. They should have gone back to Network World right away, literally a week ago. It would have been easy then to defuse the situation. There’s no excuse for not getting back to a member of the press immediately in a situation like this.

Finally, I would like to do a mea culpa here: when I tweeted about this yesterday, I should have made it clear it was alleged — that Samsung was being accused of something, not that they were automatically guilty. That was my fault and I apologize.

We all have much to learn from this. Let me hear your thoughts in the comments!

Filed under Samsung keylogger Network World false-positive Vipre Hassan Engadget Gizmodo