Luuuuucccyyy! You got some 'splanin' to do!

Bought a Samsung computer recently? Might want to run a malware check on it as it appears they may be intentionally installing a keylogger on it without telling you. Security consultant Mohamed Hassan has written an article for Network World that explains how he discovered the software . . . → Read More: [UPDATED] Samsung appears to be installing keyloggers on new computers they sell.]]>

Luuuuucccyyy! You got some 'splanin' to do!

Bought a Samsung computer recently? Might want to run a malware check on it as it appears they may be intentionally installing a keylogger on it without telling you. Security consultant Mohamed Hassan has written an article for Network World that explains how he discovered the software on two new Samsung computers he purchased:

While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago.  After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.

According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.

Hassan removed the software and continued on his merry way until some system trouble prompted him to return the laptop and purchase another higher-end Samsung from a different store. When he got home he found that it also had the StarLogger software on it:

Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops.

Once might have been an anomaly, but twice makes it pretty clear that this was by design. Given the fiasco with the Sony BMG rootkit a couple of years back you’d think Samsung would know better than to pull something like this, but, just like Sony before them, they tried to claim no knowledge of the software:

On March 1, 2011, I called and logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied the presence of such software on its laptops. After having been informed of the two models where the software was found and the location, SS changed its story by referring the author to Microsoft since “all Samsung did was to manufacture the hardware.” When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.

The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, “monitor the performance of the machine and to find out how it is being used.”

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

Yeah, that’s a bullshit answer. Keyloggers don’t monitor performance, they monitor your fucking keyboard. Hence the name KEYLOGGER. This particular keylogger is also capable of taking screenshots and emailing them along with the captured data without you ever knowing about it. Imagine buying a brand new computer and doing some online shopping or banking without knowing that it’s recording everything you type and sending it back to the manufacturer. Well, some of you probably don’t have to imagine that happening to you.

I can’t think of a single legitimate reason for Samsung to be capturing that kind of data. What are they really using it for? How are they securing it? How long are they keeping it? What makes them think this is even remotely legal?

This is particularly annoying as I like a lot of things Samsung makes, the LCD monitors on my desk are from Samsung. I don’t own any computers made by them and I’ll definitely think twice before picking one up. The only question now is how long before the class action lawsuit is filed.

[Updated 9:35AM 3/31/11] Samsung didn’t waste anytime looking into this and it appears that they may be the victim of a false positive according to this article at CrunchGear:

Word comes from Samsung’s official Korean language blog, Samsung Tomorrow, that the company was able to recreate the incident and a keylogger is not on a factory-fresh notebook. The company states that the VIPRE security software used by the original whistleblower mistakenly reports the Microsoft Slovene language folder (c:\windows\SL) as the commercially available Starlogger keylogger. See the screenshot above for the proof — or if you have a R525 or R540 notebook, recreate the test yourself. As it sits right now though, it seems Samsung didn’t follow Acer’s lead and ship infected notebooks.

This is good news indeed. I can imagine Samsung wanted to nip this potential PR disaster in the bud as quickly as possible.

Oh my! It's so scandalous!

Apparently that’s all it took for a Georgia high school principal to fire English teacher Ashley Payne:

“He just asked me, ‘Do you have a Facebook page?’” Payne said. “And you know, I’m confused as . . . → Read More: Innocuous picture on Facebook gets a teacher fired.]]> Take a look at the following picture and tell me what’s wrong with it:

Oh my! It's so scandalous!

Apparently that’s all it took for a Georgia high school principal to fire English teacher Ashley Payne:

“He just asked me, ‘Do you have a Facebook page?’” Payne said. “And you know, I’m confused as to why I am being asked this, but I said, ‘Yes.’ And he said, ‘Do you have any pictures of yourself up there with alcohol?’”

In fact, the picture that concerned the principal – showing Payne holding a glass of wine and a mug of beer – was on her Facebook page. There was also a reference to a local trivia contest with a profanity in its title.

Payne was told a parent of one of her students called to complain. And then, Payne says, she was given a choice: resign or be suspended.

“He told me that I needed to make a decision before I left, or he was going to go ahead and suspend me,” she said.

She resigned. Attorney Richard Storrs is fighting to get Payne’s job back.

via Did the Internet Kill Privacy? – CBS Sunday Morning – CBS News.

Again, this was a PUBLIC high school as opposed to, say, a private religious school of some sort. Apparently the idea that a young teacher might partake of both beer and wine was too much for those delicate Georgia sensibilities.

Here’s the kicker, and why the topic of the CBS articles is about the Internet and privacy, Payne thought she had set her FB privacy settings so that the picture wouldn’t be public:

But here’s the really troubling part: Payne had used the privacy settings on Facebook. She thought that only her closest friends could see her vacation photos or her use of the “B” word.

“I wouldn’t use it in a classroom, no,” she said. “But Facebook is not the classroom. And it’s not open to the students of my classroom. They are not supposed to see it. I have privacy in place so they don’t see it.”

I would argue that even if they did manage to see it, which apparently they could have, there’s nothing present that should be a concern. She’s not half-naked in the picture, she’s not obviously drunk, she’s not breaking any laws, and swearing outside of work shouldn’t be grounds for dismissal. (If it is, I’m in big, big trouble.)

The rest of the article is the usual ‘we’ve lost all sense of privacy in the Internet age’ stuff that’s no surprise to anyone who’s been paying attention. Though as an interesting aside, I did try the Reputation.com website that the reporter used to learn what personal info was on the net:

Michael Fertik, a Harvard Law School grad who runs a company called Reputation.com, came up with information I thought was private. I was wrong.

“I think this is your Social Security number,” Fertik said. It was!

He also revealed what he called my “online reputation,” based mainly on where I happen to live.

“Our query is pretty confident that you’re a Democrat and pretty confident that you’re a Catholic,” Fertik said.

“But that may not be correct,” said Moriarty.

“It may just not be correct,” he explained.

And then there’s something that could cause a real headache down the road …

“There’s an Erin F. Moriarty who grew up just a few miles where you did, who has been convicted of serving alcohol to minors,” Fertik said. “And it’d be very easy for a machine to confuse you and that person, and to think that you are a convicted criminal.”

They offer a free scan to give you a taste of what they can find. I came away from it totally unimpressed. I put in “Les Jenkins” and the email address I most commonly use with it (les@stupidevilbastard.com) and it failed to find me. I tried my jenkinsonline.net email address and it still didn’t find me. Then I tried my full first name and my SEB email address.

That was enough for it to kind of find me. It listed my name as Lesley R Jenkins (my middle initial is a T), got my age right at being 43 and having been born in August of 1967, and listed my address as still being in Orion Township, MI. I’ve not lived there for over 12 years now. When I went to the next step it congratulated me for not having any significant personal info on the Internet. Well, I thought, considering that’s technically not my real full name and I no longer live there, I’m not at all surprised by that revelation.

Considering that putting “Les Jenkins” into Google will list me in 7 of the first 10 results (and the first 4 results to boot), it should go without saying that I’m not at all difficult to find on the Internet. SEB, Twitter, and my LinkedIn profile pages are all right there with all manner of publicly viewable info about me and without getting my middle initial wrong. This doesn’t speak well to the data gathering ability of the folks at Reputation.com.

Anyway, the point I wanted to make is that Payne’s firing is pretty fucking ridiculous regardless of how public or private that picture happens to be. There’s nothing any reasonable person would consider objectionable about it and, even if there was, so long as she’s not taking it into the classroom it shouldn’t be a problem.

A Brownsville high school teacher has been suspended for 30 days without pay after she appeared in a picture someone else posted on Facebook that included a male stripper at a bridal shower.

[...] Board member Stella Broadwater says the suspension is appropriate because the photo became public, but . . . → Read More: This Just In: Teachers not allowed to have a life outside of school.]]> How’s this for being totally unfair:

A Brownsville high school teacher has been suspended for 30 days without pay after she appeared in a picture someone else posted on Facebook that included a male stripper at a bridal shower.

[...] Board member Stella Broadwater says the suspension is appropriate because the photo became public, but member Sandra Chan says it was too harsh because the teacher had no control over the photo being posted.

via Teacher suspended over stripper photo – Pittsburgh Post Gazette.

It’d be one thing if the teacher had printed out this picture and passed it around to her students, but to be suspended because someone else posted the picture on Facebook is pretty stupid. Granted I’ve not seen the picture in question, but I’m not sure it should matter much. Short of staying home and never doing anything outside of work, I’m not sure how she had any control over the posting of the pic.

This also reflects one of the problems with Facebook’s move towards removing the privacy options that it has traditionally made available to its users. As these barriers come down you’ll be reading about more and more news items like this as pictures that were once thought to be limited to family and friends become viewable by the public at large.

There are already a number of sites popping up to chronicle embarrassing Facebook postings including Failbook.com from the folks who brought us I Can Has Cheezeburger? I mean, do you really want wall updates like this one viewable by the whole world?

It’s embarrassing enough that your mom knows you’re brushing up on AMAZING SEX, but what happens when a potential employer is able to do a Google search and has this come up? At least the Failbook.com folks remove last names and blur pics. Google isn’t going to do that.

OK, I’ve gotten off on a tangent here so allow me to wrap this up. The point I’m trying to make is that, sure, the idiot in the above screenshot probably shouldn’t have posted something like that if he didn’t want folks (including his mom) to know about it, but the teacher that got suspended didn’t post the picture that got her in trouble and that’s not fair. Which is basically my point.

“There’s virtually no branch of the U.S. government that . . . → Read More: Turns out we’re already living in a surveillance state.]]> The new FISA “compromise” bill that the Senate is about to pass makes me angry just to think about, but deep down I’ve long suspected that our government pretty much spies on us with impunity already. This Baltimore Sun news article pretty much confirms that suspicion:

“There’s virtually no branch of the U.S. government that isn’t in some way involved in monitoring or surveillance,” said Matthew Aid, an intelligence historian and fellow at the National Security Archives at The George Washington University. “We’re operating in a brave new world.”

[...] The Bush administration argues that the privacy and civil liberties protections in place for surveillance not covered by the FISA rules are “unprecedented.” In addition to the data-mining, use of financial transaction databases and satellite imagery, the surveillance includes monitoring the travel patterns of airline passengers.

[...] But critics say the safeguards don’t always work. Some blunders in the use of such protections have become public. New Yorker writer Lawrence Wright wrote in January about one such experience. In 2002, while he was researching The Looming Tower, his Pulitzer Prize-winning book on al-Qaida, two members of an FBI terrorism task force arrived at his home. Why, they asked, had his daughter been speaking with someone in the United Kingdom who was in touch with suspected al-Qaida operatives?

It wasn’t his daughter, he told them flatly. Wright himself had made the calls. And the person he contacted was a British civil rights lawyer who had asked him not to speak with her clients, some of whom are relatives of Ayman al-Zawahiri, Osama bin Laden’s chief lieutenant.

“My daughter is no terrorist – she went to high school with the Bush twins,” Wright said. “I was taken aback. They were apparently monitoring my phones.”

Wright said he was particularly surprised because he was aware of protections supposedly in place to conceal his name and other identifying information that would have been gathered during the creation of transcripts of the call.

Wright said he doubted the government would have been able to get a warrant for the information, and he said he didn’t know how the FBI obtained his daughter’s name, let alone got the impression that she was communicating with the British lawyer.

It’s somewhat ironic to note that the new FISA bill actually has more civil liberties protections than the other domestic spying programs that aren’t covered by it. It makes me feel foolish for getting so worked up about the new FISA rules because, really, the cows got out of the barn a long time ago. There’s been reports of various abuses and misuses of these programs for years now and every time a government agency gets new powers, such as the FBI and its “security letters” thanks to the Patriot Act, it’s usually not too long before we hear about them being abused. If anything I suppose I should be angry that the new FISA bill provides the government with even more power it can abuse, not that they haven’t abused the system under the old rules already. They’re just trying to make it quasi-legal to do so now that everyone knows about it.

US intel chief wants carte blanche to peep all ‘Net traffic – ArsTechnica.com

While short on specifics, the New Yorker piece recognizes that any plan requiring the kind . . . → Read More: Director of National Intelligence says he must spy on you to keep you safe!]]> This article from ArsTechnica about an interview the Director of National Intelligence, Mike McConnell, gave to The New Yorker will send a few shivers down your spine:

US intel chief wants carte blanche to peep all ‘Net traffic – ArsTechnica.com

While short on specifics, the New Yorker piece recognizes that any plan requiring the kind of authority McConnell envisions is apt to be a hard sell: “Americans will have to trust the government not to abuse the authority it must have in order to protect our networks, and yet, historically the government has not proved worthy of that trust.” McConnell acknowledges that his initiative is bound to spark debate that will make recent wrangling over reforms to the Foreign Intelligence Surveillance Act seem like “a walk in the park compared to this.”

How broad are the powers needed to keep our servers safe? According to the article, in order for cyberspace to be policed, Internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer, or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.’”

Sayings like that, says security guru Bruce Schneier, “are why the police aren’t in charge; security and privacy are complimentary. Privacy is part of our security against government abuse. If they were really zero-sum, we would have seen mass immigration into East Germany.”

If the Director gets his way he’ll be looking at every single bit of data you send over the Internet. All in the interest of keeping you safe, of course. Never would they abuse that power. Honest. You can trust them. Really.

And if you believe that…

    Well, from now on you had better do it under your own name and not a pseudonym or there could be fines and/or jailtime in your future (read the Cnet . . . → Read More: Being “annoying” online - now against the law.]]>     Do you post on blogs? Send jokes to colleagues? Say anything at all that might be construed by anyone as objectionable?

    Well, from now on you had better do it under your own name and not a pseudonym or there could be fines and/or jailtime in your future (read the Cnet article here). It seems that on January 6th of this year “president” Bush signed a law called the ‘Violence against Women and Department of Justice Reauthorization Act” which has an section embedded in it (section 113 to be precise) which is titled “Preventing Cyberstalking”. So far everything I have written here seems pretty innocuous, designed to keep women and girls from being stalked and harrassed by online predators, and I’m all for that.  If I had ANY trust in our current pro-torture, pro-spying, pro-empire, criticism averse administration I might not even bat an eye at this. But I don’t have any trust left.

    How do you define annoying? If I asked 10 people for specific examples of what annoys them I am willing to bet I would get 10 different answers. Something that I find annoying, like prosteletizing, might be sacrosanct to someone else – so who decides? Bush probably finds it annoying that his spy ring has been exposed.  I find it absolutely necessary and downright patriotic. Since the audiences for his townhall meetings are preselected I bet he finds surprise questions and contrary opinions annoying. I find them amusing.

    Because I always post my annoying opinions under my own name, Eric Paulsen, I am safe from fines and jail time (at least in theory), but… why make it necessary that an “annoying” post be under a persons real name and not a psuedonym? Why would an administration that was developing the Total Information Awareness database (an enormous datamining tool), that thinks it is okay to tap the phone calls and read the e-mails of American citizens, and is trying to give the Executive branch limitless powers (“If this were a dictatorship, it’d be a heck of a lot easier…just as long as I’m the dictator…” G. W. Bush—Washington, DC, Dec 18, 2000) want your real name attached to an “annoying” post. That’s a real puzzler there. Yup, a real puzzler.

    Well, here’s another post for my NSA file.