216 comments

[ 4.9 ms ] story [ 203 ms ] thread
It would be interesting to hear from the HN community, people with Samsung laptops, if they've had this happen, or if they check now, if this keylogger is discovered.
I've got an R580, had a quick look in the Windows folder and can't see any SL folder.
Currently on an R720 and I've no SL folder, either.

I've poked around various locations on the machine and run some scans with a number of different tools, but I've discovered nothing untoward, as yet.

My attestation is somewhat of an irrelevance, however, as I've no way of accurately replicating the environment in which Mr Hassan carried out his research. It looks as though I shall simply have to wait and see how this all plays out over the coming days.

I have a Samsung Q210 Aura Seven, I could not find any folders called "SL" or any other suspicious things so far on the preinstalled Windows Vista.
NC10 here, nothing crazy on mine.
Given US law enforcement's use of surveillance on individuals with certain foreign ties, in order to faithfully replicate this it might require someone named "Mohamed" unfortunately.
Talk about burying the lede...

And what does he mean by "After the initial set up of the laptop"? What exactly did he do? Couldn't it just mean that the security software he is using to do the scan or the media he is using is infected? I just think this sounds fishy until he's verified it with a completely different set of tools.

Not only that, but there are legit reasons to include a keylogger as part of a laptop build out. Every computer has, or should have, this kind of auditing capacity. The question is a) whether it's turned on by default and b) whether any information is being transmitted on the sly. In all likelihood, this was either some sort of mistake, or the keylogger is intended for use by the computer's owner -- not by Samsung.

EDIT: Sorry for scaring people. Listen, I HATE keyloggers and other invasive software. Here:

http://bit.ly/2U3iAH

My point was that I can see a legit need for low-level auditing by whoever owns the PC. Including such a package that's turned off by default, might be better than forcing a worried parent to sift through 12 keyloggers on Google, half of which are malware, a quarter of which don't work, in order to find out if her 12-year-old is composing YouTube dances and uploading them to 4chan.

Why should my computer have auditing capability, without my explicit knowledge or me making the decision to put it there? Who is it good for?
> Who is it good for?

Someone who desires to keep track of a user's key strokes, for example a corporation. This is coming from someone who consents to monitoring every day.

While I agree it is not good for the singular, non-ignorant person, I'm sure there's a massive market for "Corporate Consumers" who'd like to save a buck instead of spending effort configuring a system.

About having the capability of auditing, I suppose it saves production costs to have one laptop with a switch, as opposed to two laptops with slight hardware or software differences.

Right I could see this being part of some child usage monitoring package. It may be part of some crapware that comes with the computer. I bet Samsung is scrambling right now to find out which crapware vendor included it and will find out it part of a net monitoring suite.
Yeah, and your house should have cameras too. Just in case you are up to no good.
The only people who don't want cameras in their house are those with something hide.
Or those who fancy sex on the dinner table without spectators? That's a relatively crass example (sorry), but the privacy implication is clear when you put it in those terms. My home is my home, and what I do behind my door is my business.

I'm surprised you're getting voted up. As much as I disagree with most of the privacy agenda, a lot of their fights are the only thing stopping us from turning Orwellian.

Nothing to hide is pretty arbitrary, too; you mean you have nothing to hide under our current laws. So sure, let them bring the cameras in. Then they'll rewrite the law and you'll suddenly have something to hide.

What most people do not get is: We all (as in every single one of us) have something to hide. I'd say those, who really think they do not, are just crazy.

Credit card numbers, medical conditions, who we have sex with, who we want to have sex with, who we do not want to have sex with, even whether we want to have sex at all etc. pp. We usually do not urinate or masturbate in front of others because we all have something to hide.

If you consider this it's easy to get his sarcasm.

^ Presumably, heyitsnick meant this sarcastically.
Maybe, and if that were the case, the number of people the sarcasm is missing means it could have been communicated better. Watch his karma swing around -- I'm not the only one that missed it, apparently. It certainly wasn't a good spot for it, because he's responding to sarcasm.
It's a popular mantra made by politicians any time they want to introduce a new anti-privacy measure. This mantra and his version especially is so farcical, I think it's obvious to the majority of readers that his tongue is firmly in his cheek.
Ha, I posted that I wondered if I was going to come back to a -4 or a +4 karma :)

Yes it was sarcastic. As other commenters said, it's a very common and senseless rhetoric used by anti-privacy politicians. Applying it to an extreme example (like camera in your home) was meant to demonstrate how daft such a stance is.

But I disagree, I think it was a very good spot for it: In my mind, some of the best irony is when it's nearly indistinguishable from truth. So I will take the swinging karma as a complement :D

Fair enough! This crow is delicious, want some?
I thought it was brilliant.
It's also a worrying illustration of how far the anti-privacy agenda has progressed, when people can think you're seriously advocating surveillance cameras in private homes.
Hey guys, I disagree with codingthewheel's idea, too, but we need to get a little meta here:

His comment is not spam.

His comment caused discussion.

His comment is an opinion, not a false fact.

There are no personal attacks of any kind in his comment, and his language is fine.

His argument is simply unpopular.

None of your responses indicate any of the usual legitimate reasons for downvoting.

So why the downvotes? Do you really want HN to be an echo chamber instead of an arena of civil discussion?

I think the downvoting in this case is equivalent to saying 'your point of view is dangerous'.
Then that's what someone should say, and then promptly get upvoted. Some questions need to be asked, alternative points of view made, and then shown to the world why it's a bad idea; we shouldn't hide them from view to be missed so someone else can make the same mistake.
No, the equivalent would be to click reply, and then type "I think that your point of view is dangerous."
Meaning can be inferred from the down-voting. I think that was probably the meaning behind most of the negative votes.

I actually believe that it's okay to use voting to express whether you agree or disagree with a point. Where's the harm?

I think that the experience of reading HN is enhanced when there's contrast between popular and unpopular ideas. If a post is unpopular, it doesn't mean that I don't read it. If anything, I might pay more attention to it.

In some cases its lack of popularity might spark more debate; like it has in this case.

Downvoting discourages future posts. Then there won't be any posts that disagree with the prevailing sentiment.
If I believe something, I'll post it even if it is going to prove unpopular. I'd hope most people would do the same.

I don't believe down-voting discourages discussion .. I'd argue it often provokes it.

Downvoting does more than that. It can hide a discussion, and regardless, it certainly buries it.

Not that I have been able to figure out the magic that gets you the ability to downvote, but I don't really feel the need.

(comment deleted)
There is a Karma threshold to be able to downvote or flag a comment/submission, so you simply don't see the option yet.

But indeed it sinks discussions, since the points are one the ways (not the only one) to sort comments.

Apparently it has to do with how much karma you've accumulated. I magically got the ability to downvote some time last week, without any effort on my part.
You're just over 500 karma; I'm around 140 as I write this. So I guess I have a ways to go. :)

Not that I'm really worried about it one way or another, though.

I actually believe that it's okay to use voting to express whether you agree or disagree with a point. Where's the harm?

This is a bad point of view and is what is leading to the degradation of HN as a place for people who see the world through a different lens. We have already lost a lot of beautiful minds due to heard voting. Downvoating is for items that do not belong on HN, nothing more nothing less. If you downvote because you do not agree with an idea you are actively suppressing discussion, no matter how strongly you disagree. Many time from people more brilliant that ourselves.

The voting mechanism is a tool. People choose to use tools in whichever way they see fit. A culture will develop and form according to the norms which are set around group usage.

On HN people I've found that many people use voting to signal whether they agree (or disagree) with something. If that wasn't the case, I'd see my karma rise - rather than rise, fall and fluctuate.

As far as I can tell, if something shouldn't be on HN, we have the ability to flag a post.

I can agree that a post shouldn't needless be hammered into negative space, just as a person's point of view shouldn't be needlessly trampled on in meat-space. But I think that down-voting in general has found a place.

We can say that it might be better to never down-vote - but many users have the ability, and it's a regular practice. Neglecting the fact is a little like ignoring the fact the emperor is wearing no clothes.

As far as I can tell, if something shouldn't be on HN, we have the ability to flag a post.

You cannot flag comments downvoting is there to discourage, trolls and abuse.

We can say that it might be better to never down-vote - but many users have the ability, and it's a regular practice. Neglecting the fact is a little like ignoring the fact the emperor is wearing no clothes.

I am well aware of that and it has lead to a decline in the standard that HN used to be (while my account may not reflect it I have been around here for a long time, and witnessed the decline first hand). It has been complained about on HN ad nasium. No one is neglecting the fact that it happens, I am just stating that doing so makes HN a worse place the results are obvious and have already lead to some valuable people leaving.

To flag a comment, click on 'link' and then 'flag'.

I think the decline is largely due to a rise in meta-discussion about HN and a rise in articles which are mainly designed to self-promote their authors.

I apologise for playing my part in the first ... ;P

To flag a comment, click on 'link' and then 'flag'.

Thank you, you learn something new every day.

If voting was meant to indicate agreement or disagreement, then EVERYBODY would be able to downvote.
For all intents and purposes, anyone can downvote. A few hous worth of groupthink comments will get you the ability.

Really this is all silly, if you upvote for agreement, why not the opposite?

The meta-purpose of karma is to promote good, civil discussions. I think that downvoting for disagreement runs counter to this purpose.
The harm is that the voting system is designed as a step towards hiding (or at least not highlighting) posts which get downvoted. So downvoting prevents the experience which you yourself agree is desirable, that of seeing both popular and unpopular ideas represented.

That being said, I strongly believe that if a system is being misused, it is the system not the users which are at fault. In this case, my first suggestion (doubtless in need of refinement) is that there should be prominent agree/disagree buttons on every post to allow everyone to express their opinion, and then a separate "flag" link for people to mark spam or useless comments.

I don't believe the system does hide posts. It creates differentiation between low ranking and high ranking posts.

I rarely ignore the comments at the bottom of a page - in fact, sometimes the least interesting comments are those that are highest ranked.

What's the difference between having upvote / downvote buttons and agree / disagree buttons?

Well, that certainly elucidates your point of view: thank you.

But although the system never makes posts inaccessible (to do so would, I'm sure, elicit complaints of "censorship"), it does, if you're using a normally configured browser, grey out negative-voted comments so that they require deliberate effort to read (by -4, you need to highlight them with the mouse). It moves lower-voted posts down the page: even if you have time to read every post, which many people don't, you probably lose focus and pay less attention by the time you get down there. And it reduces the karma of people who make downvoted posts, which some people probably care about (e.g. because they lose/don't get the ability to downvote) and some people probably don't, but which is clearly intended as discouragement.

I think it's clear that the system is designed with the assumption that posts that get downvoted are posts that it intends to discourage. (And I think it's agreed for purposes of this discussion that spam and useless comments are deserving of discouragement in a way that comments one happens to disagree with are not.)

I think the voting system probably provides some interesting metrics about users personality types; e.g. whether they have brutal/gentle personality traits etc.

I wonder if this kind of metric is used in ycombinator interviews?

I think this is a promising line of thinking, the idea that there should be more than one kind of vote. There is confusion as to what the single up/down means, and this is not helped by the fact that the single karma value actually matters for things (the ability to downvote at all or the level of obscuration of the comment). It is certainly not helpful if everyone has a different opinion of what that arrow should mean.

From a UI perspective, there are tradeoffs. Multiple vote options means better sorting, more thorough meaning. It also means more confusion and more work.

Also, instead of single vote tallies, has there been social experimentation with preferential voting systems on comments? (This still has the problem of needing more than one flavor of preference.)

Preferential voting systems? You mean like people voting on whether you or lwhi gave the better answer to my comment?
Yeah. But maybe with multiple votes, we already effectively have this. The problem is that those votes are counted internally not as preference order but as total number of votes, adding to a user's general karma score.
A downvote is a vote to remove a post from the discussion. (Or at least make it less visible.)

Downvoting posts you disagree with amounts to an attempt to suppress contrary opinion.

If down-voted comments were unavailable to view, I'd definitely agree with you.
In my view, it's ok to downvote something you something disagree with until it gets back down to 1 point. Then downvotes start to censor it and I think it harms discussion unless that comment is one of the things the grandparent commenter was talking about.
That sounds really reasonable - I agree. Although, I think I'd probably bring a point that I personally find abhorrent into negative points.
I respectfully disagree. Notice how I'm replying instead of downvoting. Downvoting something you disagree with is just pure laziness. You're too lazy to reply so you just downvote, which contributes to burying the opinion of someone else.

You should focus on upvoting. Downvotes should be reserved for abusive, trolling, or spam comments.

I don't personally downvote things I disagree with (If it's presented well I sometimes upvote) but I think it's acceptable. If it wasn't supposed to be that way, it would be "flag" with no downvote option. I also personally think downvote should be removed from the UI completely but...
Great point, but I wasn't aware that there are "usual, legitimate" reasons for downvoting, and that these are well-known enough that you can call them the usual reasons. Seems like everybody just uses their best judgment.

That said, I didn't downvote him, I simply didn't vote. I don't feel a need to vote on everything, and that extends to downvoting.

> but I wasn't aware that there are "usual, legitimate" reasons for downvoting

Yup, there are. Here: http://ycombinator.com/newsguidelines.html

(A clear deviation of the guidelines deserves a downvote, a clear compliance does not. Like any law, there is a grey area in between requiring some amount of judgement. But these guidelines still stand to ground the discussion around what is/isn't a "usual, legitimate" reason for downvoting.)

As I misunderstood him, I'd like to undo my downvote. It sucks that it's not possible to undo votes on this site.
I downvoted your comment. Meta comments are useless and distract from the on-topic discussion. Yes, I realize this is also a meta comment.
Please don't use URL shorteners.
I've never (almost never) posted a link to one of my sites in an HN comment. I'd rather not have naked links in this venue. Apologies.
Nobody is scared, don't flatter yourself. Your attitude is simply invasive and pointy-haired. Couple that with using a URL-shortened blind link where you are supposedly establishing some kind of safe-computing credibility, and I can only LOL.

Worried parents?! Now you're really getting dangerous. I hope you think long and hard before having children if this is the kind of treatment you expect to give them. If you have a 12 year old who is already uploading "dances" (?) to YT/chans, you have much bigger problems than a computer or the internet (hint: mirror).

I had a chuckle at this. The use of "pointy-haired" was at least creative. And yeah, I believe parents have the right to spy on their kids, especially when it comes to the net. Largely, I'd add, because of people like you (trolls).
Keylogging your children is an admission that you've lost the parenting game.
It's certainly not a sure thing, but given the poor track record for OEMs, the fact that this guy has a master's in an IT field, that it happened on 2 different model laptops, and that Network World chose to publish it, I'm inclined to believe him. After all, if he's done this "initial setup" on other laptops in the past and not detected this keylogger, Samsung probably has a part to play in this.
This is easy enough to verify, confirm, or deny independently. All you need is another security expert to come to the same conclusion, and it's confirmed. Likewise, another security expert can invalidate the conclusion just as easily. There's not much ambiguity in the outcome.
If you read the follow up article (linked to from the original) Samsung actually confirmed that they install the software.
Someone confirmed that they install software to monitor some kind of usage data:

* When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.

The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."*

http://www.networkworld.com/newsletters/sec/2011/040411sec1....

Just playing devil's advocate here but I wouldn't trust a "support supervisor" to know what he's talking about. He could be talking about the task manager for all we know. He could be just saying whatever he thinks will make this dude get off the phone so he can go grab lunch.

This in no way compares to the Sony Rootkit fiasco. Even if the keylogger is still there I'll hardly doubt that Samsung installed it on purpose.
He should have analyzed the SL configuration to see where the logged keystrokes are sent. That'd have been interesting to see. Now it's just guesswork.
It's an interesting one.

If it was Samsung's responsibility (big if at this stage obviously) then I'd actually be more scared if they didn't install it on purpose.

I get that large corporations intentionally do bad things for money but I kind of assume that they're competent enough that they don't accidentally let their master install for a new laptop get infected with a key logger. I'm not saying that I believe them to be completely competent, just that the level of cock ups I expect from them doesn't run to this.

For me if they did install it accidentally then that's worse than them installing it deliberately for some ill considered audit or support purpose.

This for me, is the root of the problem.

I don't believe any corporation can be 'good' or 'evil'. Corporations are comprised of people - some of whom will choose to do 'bad things'.

Digital technology provides a huge amount of power to those who have access to it. People are necessarily subject to human emotions and motivations - some will choose to do things which place people at risk.

Transparency and division of power within an organisation needs to be set-up and maintained to prevent abuses from occurring .. but I'd imagine, in most cases the stage has already been set to allow this kind of thing to happen without a corporation's knowledge.

> I kind of assume that they're competent

"Never attribute to malice that which is adequately explained by stupidity."

Sufficiently advanced stupidity is indistinguishable from malice.
Possibly I should be clearer.

I assume them to be broadly technically competent in so much as they won't let their master install get infected with a key logger.

I'm happy to accept that they may be incompetent when it comes to making decisions about whether it would be a good idea to install a key logger for support or audit purposes.

Well, if this turns out to be true, no more Samsung in my family.
However, a scan result does not mean much, a full proof would be if he found the keystrokes actually logged in some file and/or being sent to somewhere.

Btw, I am typing this from a Samsung R510 laptop. Fortunetaly I don't use crappy windows. I run Gentoo Linux.

"Fortunetaly (sic) I don't use crappy windows. I run Gentoo Linux."

A reasonable observation followed by a stupid effectively ad hominem attack. The reason your Linux PC is free from the Samsung keylogger (if it does exist) is only because there's little to no incentive to bother with attacking Linux users. Do you really believe Microsoft has spent billions in research and hiring the brightest minds in technology to create an inherently insecure OS, or is it more likely that the incredibly large userbase creates much greater incentives for security attacks?

No, the reason his computer does not have the keylogger is because he installed an operating system other than the one it came with (assuming the story is accurate). Even if he had reinstalled Windows, he would not have it.
Unless the BIOS knows how to install Windows keyloggers in Windows root partitions and Linux keyloggers in Linux root partitions.
Unless of course he needed to install any video,network, chipset, audio, bluetooth etc drivers from Samsung's site in which case all bets are off.
Sure, but this doesn't substantiate calling Windows stupid, which by itself implies fault with the OS.
Windows is not a man (or person), and therefore cannot possibly be the target of an "ad hominem" attack.
To attack a company or product based on opinion rather than fact is the same fallacy.
Luckily, I'm using OS X, so I don't have anything as gauche as a keylogger to worry about.

I have a much classier Keyboard Concierge.

The fact that Macs are statistically less likely to be infected by malware does not mean they are immune. It just means, that most malware-authors are more interested in windows because of the larger number of potential victims.

(Who came up with the idea to spin the fact that Macs are less attractive to black-hats into Macs being more secure anyway?)

He was obviously joking. Did you miss the concierge bit?
This wasn't so much aimed as a direct response to the joke but rather a general comment towards the fact that there are actually people who want to believe that Macs are actually more secure then any other computer. Sorry for being so unclear.
Gentoo is good but paranoid penguins prefer Linux From Scratch :)
Except for the teams of people patching software for security holes and issuing those updates automatically through a package manager?
I wonder where it stores all this logged information. Despite a lot of references to the Sony rootkit, the author doesn't specifically call this a rootkit other than to say it's "completely undetectable" (not really). There's also mention of traces of the program being found in c:\windows\SL, which means its not very well hidden. More information is required.
I would have expected this to show up from many different sources. The fact that only one person is reporting this makes the story somewhat suspect. Surely he's not the only Samsung owner to run a malware scan.
> Surely he's not the only Samsung owner to run a malware scan.

On a machine he just bought, without installing anything else?

Besides, someone has to be first.

He noticed this back in February so I'd think that's a fairly long time to be the only report. A few other things bothered me about the article: the heavy handed reference to Sony's rootkit, as others noted, is inappropriate since the Sony rootkit was clearly a deliberate decision. In this case, the most we can say at this point in time is that he found a keylogger on a Samsung computer. Whether it was put there deliberately or not is unknown. Which leads to my further gripes with the headline (which flatly implies that it was deliberate), with the fact that he didn't retain the evidence but chose to write about it (which means noone can verify his findings), and with his apparent lack of curiousity about whether the keylogger was operational and where it might be sending its data.
On March 1, 2011, I called and logged incident 2101163379 with Samsung Support.

...

The supervisor confirmed that Samsung did knowingly put this software on the laptop to "monitor the performance of the machine and to find out how it is being used."

Someone could verify it by buying a laptop and checking to see if the keylogger exists. Someone with more money to spend than me, anyway :P
If it is just a user testing program they would only put it on a random small percentage of machines - otherwise you would be swamped by the amount of data. You might also have biased data if you only put it on a particular model and a large number of them were bought be a single corporation or school district
It seems much more likely that the AV exe that he is running is infected.
He mentioned the models of Samsung laptops that he had access to. Perhaps someone on this HN thread could verify?
Mohamed Hassan, MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009

Really bad way to start an article. Who cares about all these qualifications? Did he find a key logger and how did Samsung respond?

Unfortunately, they have decided to make us wait for the response. That seems really lame IMHO.

I think it means that the author does/did not expect you to be the target audience. To you, an appeal to authority does not mean much, but for someone who does not have much technological knowledge, it may have some weight.

Maybe they were trying to pull views from yahoo finance or something?

Perhaps he wasn't getting any response from Samsung, and posted this to prod them into action. Still this seems like a really terrible way to end an article:

In the next article, Mr Hassan discusses how Samsung responded to his discovery.

(comment deleted)
Isn't networkworld targeted towards tech oriented people?
It was mentioned because the author of the column (M.E. Kabay) used to be a director of the same program at Norwich University that Hassan got his master's from, and as he said, "it is a pleasure to collaborate with an alumnus." Basically it's a shout-out to the university.
Somewhat ironic now that the whole story turns out, not only to be false, but the result of stunningly inept research. Yeay Norwich!
When I read the article there was a link directly to part 2 at the end of the first part.

http://www.networkworld.com/newsletters/sec/2011/040411sec1....

"He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

If it's true I wonder if Samsung actually does that deliberately or were their production systems hit by some malware.
It's possible --- and the customer service manager he was talking to just said anything to get off the phone, even if it meant lying about something he didn't understand. Maybe he didn't even realize it would paint his company in a bad light.
The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

Thus, it is false-positive proof? Why wouldn't he test it against other tools? Why wouldn't he try to find out as much about this as you can before writing an accusatory article?

Further, why is he running a full-system security scan on a fresh installation of Windows? Is that normal? If this is a genuine accusation of wrongdoing, then I think that the actual sequence of events and his entire methodology should be disclosed.

Wow, that's a lot of faith in the AV industry and definition based AV. Perhaps Mr. Security Consultant should realize the limitations of his tools and the importance of doing random samples. He seriously saw this on one laptop and is accusing Samsung of a conspiracy?

Not that I put anything above big multinational companies, but some due dilligance would be nice. I guess its all about selling ad impressions. Facts, accuracy, and responsibility come last.

He seriously saw this on one laptop and is accusing Samsung of a conspiracy?

He saw it on TWO laptops.

Not that I put anything above big multinational companies, but some due dilligance would be nice.

He called Samsung to report the issue and had Samsung supervisor confirm that keyloggers are knowingly installed on Samsung laptops in order to monitor usage.

He saw it on TWO laptops.

Using the same methodology and the same software - granted, it's "false-positive proof", but there are variables here he didn't account for. Methodology matters.

Samsung supervisor

No, Samsung SUPPORT supervisor. I'm comfortable going out on a limb and hypothesizing that:

A) The Samsung Support Supervisor knew exactly as much about the situation as the author - that is, Nothing. He called telephone support, not the engineering department.

B) It's entirely possible said supervisor bullshitted something that sounded plausible and positive. Again, it's a call center support supervisor, not a press release or any sort of official statement by the company.

The author has an extremely small sample, a very small amount of extremely limited evidence, and nothing that could be called a credible statement from Samsung.

IF Samsung is knowingly doing this it's a terrible policy and a serious problem. IF it's for the reason the supervisor said, it's Incredibly bad policy. IF the article is true, it's possibly criminal. We don't have enough evidence to claim that yet, and until more testing is done and Samsung makes a statement, it's not an Incident, it's a curious event that certainly calls for further investigation.

Really? Confirmation from a 1-800 support monkey? We're really grasping at straws here.
> Further, why is he running a full-system security scan on a fresh installation of Windows? Is that normal?

If you're a bit paranoid or don't trust the manufacturer (with good reason, apparently) it makes perfect sense to run a scan on a fresh system after initial setup. It's probably not a normal thing to do - pausing all usage of the system to check it for malware - but it makes sense.

> the actual sequence of events and his entire methodology should be disclosed.

Eh, not really. We just need to run the same scans (using lots of different software) on other Samsung laptops, both the same and different models, and see if it detects the logger. If the logger is found, then he's right, if it's not than he's wrong (and probably it's his own software which is infected). His methodology only matters if no supporting evidence for infection is found.

> If you're a bit paranoid or don't trust the manufacturer (with good reason, apparently) it makes perfect sense to run a scan on a fresh system after initial setup.

That's what I mean. If he had reason to not trust them, then he should share his reasoning. It would help us to understand why he was conducting a post-installation scan in the first place. It is not normal behavior otherwise.

> Eh, not really. We just need to run the same scans (using lots of different software) on other Samsung laptops, both the same and different models, and see if it detects the logger.

Very true. I meant that it would help us to maximize our success with duplicating his method, which would translate into a higher detection rate if the logger actually exists. If one isn't found, it would help us figure out why he might be seeing what he sees.

> That's what I mean. If he had reason to not trust them, then he should share his reasoning.

From the end of the article:

> Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services.

Most likely a client discovered what appeared to be a keylogger and brought it to NetSec for investigation. Part of that process would have likely been to purchase a new Samsung laptop as part of a simulation to figure out how the keylogger may have been installed. Finding it on a fresh purchase must have been quite surprising!

(comment deleted)
It's a disappointing cliff-hanger ending. Without more information it's impossible to say whether this is just some malware accident or a deliberate policy by Samsung. I'm inclined to think that the former situation is more likely.
The link to the part where someone from Samsung confirms they installed the keylogger so they could lern how people use the machines.
So if youy use a Samsung machine in a lawyers office, or in a classified role or anywhere subject to HIPA presumably you should switch brands - or face a negligence charge?

Could be an expensive mistake on Samsung's part - especially if somebody decides that lawyers, governemnt, hospitals also shouldn't use any Samsung phones, copiers, printers etc 'just in case'

Is there not a hole in this argument? Why wouldn't he first question the store at which he bought both of these Samsung laptops? This isn't solid evidence that the source of the keylogger is from the hardware manufacturer and is borderline defamation.
The following line from the article in question leads me to believe that he did not purchase the second laptop from the same store.

"I returned that laptop to the store where I bought it and bought a higher Samsung model (R540) from another store."

I will wait for confirmation/proof in either direction before drawing any conclusion regarding possible "defamation" on the authors part.

Indeed, we shouldn't jump to any conclusions. My point was that the author appears to already have, especially given the article's title. There are lots of situations that could explain to origin of the malware (reseller, pre-installed bloatware, etc), but the author chose one.
This strikes me as dubious at best. I think a more likely explanation is that his detection software is flagging anything with the path "c:\windows\SL" as malware.

He says "This key logger is completely undetectable," which is clearly untrue (he has allegedly detected it).

If it's logging his keystrokes, it's either storing them locally or sending them off somewhere else, or both. If he's as qualified as he says, he should be able to find out which (find a file that increases in size after a lot of keystrokes, use Wireshark...).

Yeah, except Samsung admitted that they installed it in the followup article.
I stand corrected, and should have read the followup article.

I don't think the Samsung "confirmation" brings me to 50% confidence that Samsung actually was logging and capturing people's keystrokes, though.

I would still like to see what the keylogger is actually doing - storing, transmitting, what?

(comment deleted)
Uh no they didn't, this guy has said this is what he was told on a phone call. Samsung has not released a public statement saying this is what they actually do.

Without confirmation from anyone else that has a Samsung laptop (have just checked my brother's bought 2 months ago and found nothing) this really should be taken with a grain of salt.

> I think a more likely explanation is that his detection software is flagging anything with the path "c:\windows\SL" as malware.

"SL" stands for "Samsung Laptop," some manufacturer-specific software?

Off-topic: I wrote a very primitive passive keystroke logger a few years ago (just to demonstrate how they work). I still have the source code and folks email me about it often:

https://github.com/16s/16k

My example is really trivial and it only works on Windows, but it works well and demonstrates the concept of passive keystroke logging. Unlike system wide hooks, passive logging just monitors the key states. Sort of like when you are playing a video game and press the 'P' key. The game pauses because it's monitoring the P key's state (up or down) and can tell when it changes. Extend that concept to the entire keyboard and you have a passive keystroke logger.

Passive loggers are more challenging to detect as well and they run just fine as a normal user (no need to be root).

Stumbled across the same function (GetAsyncKeyState) when I was a kid....mainly because I couldn't figure out hooks.

They are not difficult to detect though. Emulate an (obscure) keystroke, wait 5sec and do you own GetAsyncKeyState. If its cleared then another app pulled the keystate via GetAsyncKeyState.

A low-level keyboard hook (that's a specific kind of Windows hook) does not need root either. It still only monitors the session that the hooking app is running in the context of.
Just use SetWindowsHookEx() with WH_KEYBOARD_LL. Here's some ancient proof of concept code I wrote for detecting user activity (keyboard and mouse):

https://gist.github.com/a95f198292c9e453e054

This was originally to be used with malware that needs to run when the user is away from their workstation. You can access p->vkCode in KeyboardProc() to see which keys are pressed.

One interesting thing to note is that if you remove the invisible window/message pumping loop, the program behaves erratically when processing the low-level inputs. I never looked into this.

This is really really easy to detect for malware analysts. One of the first things you look for in memory on a compromised system is hooking. Most rootkits use hooks at different levels to hide or monitor things.

Strangely, on a clean system most hooks tend to be from the Antivirus (usually hooking filesystem calls for on demand scans).

Definitely. Any amateur effort will generally involve SetWindowsHookEx() + DLL injection to capture keystrokes. The intention was to move this up to ring 0 eventually, but I decided to work on more lucrative things instead.
Actually, I'm speaking at DC4420[1] on the 20th of April on evading defence mechanisms, I think I might bring this up there.

[1] - http://www.dc4420.org/

Cool, I will check it out.
"Here's some ancient proof of concept code I wrote for detecting user activity .. This was originally to be used with malware that needs to run..."

Are you implying that you wrote malware?

I was considering it a long time ago. It was fun to poke around Win32 internals and you could (potentially) make a lot of money.
This is a very naive implementation.

Better off using a keyboard hook or GetAsyncKeyState as someone suggested.

And if you want to write a 'real' implementation, you write a keyboard filter driver. Or hook NtUserGetAsyncKeyState.

It does use GetAsyncKeyState. Did you not read the source code? It works extremely well too (with regard to accuracy). Try the pre-compiled binary.

// From the source code:

ks = GetAsyncKeyState( kiter->first );

My apologies. I hadn't mean to suggest GAKS.

However there are many known problems with implementations using GAKS. Bad implementations make heavy use of CPU and it's easily detectable. The methods I suggested later in my post are far superior.

It also very wrong to claim that _this_ is how keyloggers are implemented. This technique has been deprecated some time ago.

So, has ANYONE verified this independently yet?
Could be any number of reasons for this. The store may have messed up and had its computers infected by a virus. Or Samsung itself. Or user error, like other people pointed out already.

What I would be interested to know is if the logger actually phones home, and if so, to where. That would give fairly conclusive proof if Samsung did it or someone else. If it's just logging stuff locally then what's the point? Maybe Samsung (if Samsung is indeed the culrpit) could claim it's for tech support reasons?

Am I the only one that wipes the OEM operating system as soon as I buy a computer? Even if I'm putting Windows right back on it?

I started doing it because of the crap they bundle in there, but this seems like an unintended good reason to do so as well.

The only problem is that now you have to find a way to download the iso's from microsofts' servers to do it now because most laptop manufacturers only give recovery media that gives you all the crapware when you reinstall.

It wasn't that long ago that you got actual windows install media when you bought a computer.

> It wasn't that long ago that you got actual windows install media when you bought a computer.

Oh, I'm afraid that was actually quite a long time ago.

However, the last time I checked, Microsoft did impose a condition that mostly affected laptop manufacturers, such that they were required to provide any genuine Windows customer with real Windows media on request, rather than just some not-quite-real-Windows recovery media. Is this no longer the case?

If that is still a requirement for installing OEM Windows on laptops for sale, maybe a campaign where a significant fraction of Samsung laptop customers suddenly started demanding real media would attract the attention of whatever fool thought this was a good idea. This is not mutually exclusive with an expensive class action lawsuit, of course. }:-)

(comment deleted)
Ah, excellent - next time my parents by a laptop, I'll have them ask for the disk. My dad's laptop crashed awhile back, and he had nothing to reinstall on it. :/
Back in... 2006?, when purchasing a Dell I put down $10 to receive a plain Jane XP Pro installation disk, in addition to the crapware-infested restore disk that came with it by default.

More recently, helping a friend with a Dell purchase, I could no longer find that option in the online order flow. Maybe if you call them and ask...

(I'm not a regular Dell purchaser.)

I've reinstalled Windows on Dell computers for friends that didn't have the discs. I just called Dell, and they mailed me a plain Windows install disc for free. Awesome! I'm not sure if they still do that.

With HP, I wasn't even able to pay for an install disc of any sort, and since the recovery portion of the HD was gone I had to buy a copy of Windows. I'll never buy an HP computer for this reason.

I'll add that that disk was actually stolen in a burglary. When I subsequently needed to reinstall, a friend burned a copy of his XP Pro disk and mailed it. In combination with the code on the license sticker on the machine, this worked fine.

(I'm hesitant to download an image from an unknown source.)

I don't know about Windows 7 -- I seem to recall reading that installation disks for it work somewhat differently, but I don't recall the details.

If you look you can get the windows 7 isos from microsofts' servers (or in this case their distribution network through digital river).

These have worked for my OEM licenses, XP though I remember you needed to use the disk with the correct service pack to install with your software key. (A sp1 key wouldn't work with a sp2 disk and vica versa.)

Links? I'd definitely be interested in this seeing as how I just bought a Lenovo and want to wipe it.
google: windows 7 iso (first result) (mydigitallife)

The links that say msft-dnl.digitalrivercontent are the same as when you buy online (at least when I bought my win 7 professional license for my desktop the iso linked is the same as the one I downloaded).

Those are probably the only ones I would trust, make sure you are indeed going to digitalrivercontent website, download appropriate language and version/arch (prof, home prem 64 or 32)

I believe the links on that page (also cited by a few other pages I encountered) are pre-SP1. Does anyone know of comparable links for ISO's that have SP1 incorporated (which is what I assume is now shipping with new PC's).

In my case, I'm in the position of occasionally needing to support others who have e.g. Win 7 (most recently, actually, someone with Vista). Sometimes, it's simplest to simply back up their data and re-install. But I may need to supply an installation disk; even if they have one, part of the solution may be installing from a disk minus all the crapware.

I don't do this work regularly, so I'm not part of a community that's constantly, physically swapping disks and utilities and whatnot.

CS and engineering students should be able to obtain this for free through MSDNAA.
If you request an original copy from your retailer they have to (are supposed to) give it to you and can only charge you a fee for the media, which is usually $10-25.

This applies for the first few months, thereafter you can call Microsoft and within a few prompts they will send it out to you, often for free.

Should work in most countries, and is a bit of a backdoor way of getting original install disks.

There is also a way in the EU to get a free linux distro disk if you request it, which was part of the EU antitrust settlement but I can't remember what that was (all of these consumer rights features were part of one settlement or another)

Yes. The majority of regular people would never do that, or even know where to start.
Unfortunately not just regular people. Last time a new employee was hired to my team, the teamlead said just give him this laptop previously used by an external consultant, don't bother formatting it or removing old profiles, just make sure it works. And we're the software development division in the company.
Yea, some colleagues of mine thought that installing a fresh OS on their laptop would "break" it. The software engineering workforce has its range of very good and very bad employees.
That _can_ happen if the newer OS doesn't have the correct drivers available. I'm a "wiper" but I have spent many an hour trying to get simple functionality working again on a fresh install.
I know that we (IT Folks) are all used to the concept of system images which can be used to deploy fresh builds/images to machines that are based on standards. Further we are used to the idea of VMs that run in clusters/clouds etc. and we are used to virtual desktop environments that run as a terminal interface to a VDI backend, finally we are also familiar checking out files for source control etc.

I believe that we are close to being able to 'check-out' a system image that would be downloaded as a VM to a machine (physical machine) where it runs locally as a fully installed OS - but then can be 'checked in' and released once done. A new physical machine comes along and we check out our image.

We can further abstract the user profile data and have it follow the user (there is a company that was recently bought that does this piece... I cant recall the name).

The idea is high-layer virtualization. Where we had virtualized machine, OS, APP and recently infrastructure such as storage - we have virtualized profiles as well. Soon we will have virtual installs.

There is a hybrid model I wrote about some years ago, posted recently to HN as well - which is similar to the Atrix concept. You have all your user profile data on the mobile device and you effectively check-in to a KVM for better screen and input.

I am not sure about the dock of the Atrix, if it has a CPU and GPU for bigger/faster/better -- but this is what I am referring to.

The data profile is tied to the person. Everything else floats - when the use-case calls for better CPU/GPU you check-out the physical device...

But then you have to go the laptop makers site for any extra drivers - how do you know that they don't have the keylogger in them?

Although Intel's own drivers now work better for most embedded Intel chipsets than the crap the laptop maker puts out

You may be. I'm an experienced software dev and I've never done that with any of our family's windows machines. That'll be changing.
(comment deleted)
http://www.networkworld.com/newsletters/sec/2011/040411sec1....

Samsung responds to installation of keylogger on its laptop computers

The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

[…]

We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.

Thank heavens this was software based - now imagine if they shipped keyboard firmware with a built in keylogger! Who knows, may be some do - that would be nearly impossible to detect as they can encrypt it.

On a related note - My bank requires me to use a on-screen virtual keyboard to log into the online account. The keys of this virtual keyboard are randomly rearranged every time it is invoked. That could certainly beat keyloggers.

(comment deleted)
(comment deleted)
Which bank? That is very smart. Is the virtual keyboard built into the website (i.e., Javascript)?
ING Direct has something similar for entering your PIN.
You'd think so, but actually there exist keyloggers that take screenshots on mouseclicks, precisely to bypass this.
Of course :) On the other hand, security is about putting as many deterrents as practically possible - nothing can be 100% secure. So to that extent it is still better to have measures like on screen keyboard than not. And then even if you somehow perfected the on-screen keyboard to not give out screenshots - there is always browser based malware that can send your session or creds to the attacker without bothering about keylogging!
I've played around with a few, and imho most of the common ones easily available on public torrent trackers have the ability to take screenshots on mouseclicks, with a nice little animation pointing out where the mouse pointer was when the click event happened too.

'Keystroke' logs include text, pictures and even videos in these toolkits.

Basically if you've been taken over by keystroke logging malware, it'd be safest to assume that everything on the machine's been compromised.

My bank requires me to use a on-screen virtual keyboard to log into the online account.

That is ridiculous.

But cheaper than sending each user a $1 SecurID token.
This is why the insistence of people like RMS and Theo de Raadt on completely open firmware and drivers is important.

Binary blob drivers aren't "convenient," they are a violation of your privacy.

The ACPI and EFI firmware interfaces in newer PCs are particularly bad in this respect.

Can you please explain in wihich respect ACPI and EFI is worse than BIOS ?
I'd guess it's because BIOS doesn't require OS drivers to work properly.
EFI is basically binary DRM spyware, and by specification it's impossible to build a fully open source EFI BIOS:

http://www.wilderssecurity.com/showthread.php?t=236384

http://archive.fosdem.org/2007/interview/ronald+g+minnich

ACPI drivers are bytecode blobs that the BIOS passes to the kernel, and expects the kernel to interpret in priveleged mode:

http://lwn.net/2001/0704/kernel.php3

With the old PC BIOS and APM, it is possible to implement a fully Free Software firmware, with no 3rd party binary crap or DRM malware. http://www.coreboot.org/ does this.

Well, this rules out my plan to buy a Series 9 for travel.

Hopefully the supervisor he talked to was just blowing smoke and trying to get him to go away. If this is legitimately approved by Samsung, somebody needs their head examined.

Or failing that, they should loan me their laptop after they've done some banking and online shopping on it.

That's kinda mind blowing.

Use of such a laptop in the UK would appear to contravene the Computer Misuse Act (on at least a count of unauthorised computer access), if you have a Samsung with this software I suggest you hire a good lawyer and shop around for investment opportunities for your payout.

What are the chances that Samsung have also breached government secrets acts with this in several countries!?

What's mind blowing is that anybody believes what a support department says.
I'm trusting the report here but it was at least second level and they referred somewhere for help with the query so it appears it was 3rd level support. Certainly attributable to the company in such a case.
The second part is more interesting, but it doesn't give any indication as to whether the keylogger was installed on a small number of internal test machines which then accidentally escaped into consumerland, or whether this is a more widespread practice. If it is widespread then Samsung are really entering a world of pain in terms of lawsuits.
If you think logically, why they would even do that? What can they get out of logged data. Can you give me the answer?

I think you are exaggerating this thing too much.

Let me pull on a conspiracy theorists hat here, and give one possible reason:

When you purchase a laptop, at least in my experience, it records the serial number of the laptop purchased. Now, generally you don't purchase a laptop in cash (At least in the states, but that really has to do with overzealous cops who think anything over a hundred dollars is drug money), you use a credit/check card. What this means is at checkout they have an address, and name (From the card) and a serial number.

You go home, and type away, log in to Facebook, do whatever you normally do, all the while keylogger is running away in the background. NSA walks over to Samsung and says "Hey, can we get those keylogger results? Great, here's your million dollars", takes those, then sees that John Doe is searching for poison on Google. They run off, and arrest him.

Basically, that information would be NSA's wetdream.

Is this true? Probably not, but it's one possible motive.

I am skeptical this is true. Some phone tech support guy overseas is not official confirmation of official policy. I would like to see more widespread confirmation ('happened to me too!') before people start dumping on Samsung.

Also missing, evidence it was turned installed and running at bootup, evidence it was sending information anywhere. It should be fairly easy to use the laptop, connect to the internet, and see what data is sent to what server, owned by whom. THAT is evidence. These are just random unimportant files in some random directory until then.