Mohamed Hassan had just installed anti-malware software on his new Samsung laptop when, much to his surprise, the software alerted him to the presence of a keystroke logger. A brand-new machine, and it was apparently already recording every password and username he typed. He returned the computer for an unrelated reason, and bought a second Samsung laptop to replace it. Lo and behold, the same keylogger was apparently found on this new machine.

Naturally, he asked Samsung about this, only to receive a range of confused answers. Initially the support person he talked to denied any Samsung involvement, claiming "all Samsung did was to manufacture the hardware." On escalating the issue, a supervisor claimed to have no idea how the software might have got onto his PC; Hassan was then told that Samsung installed the software so that it could "monitor the performance of the machine and to find out how it is being used."

If true, this would set a worrying precedent. Hassan drew parallels with Sony's 2005 rootkit debacle. Then, Sony included rootkits on the data tracks of certain audio CDs that prevented accurate ripping of the audio tracks—an action that resulted in payouts to a number of state governments, and restitution to customers.

This keyboard logger is a whole lot more sinister, however, given its enormous scope for compromising sensitive, personal information. The logger in question, identified as StarLogger and stored in directory C:\Windows\SL, is designed to be "completely undetectable" and can silently e-mail its logs to an arbitrary address—giving whoever installed it a detailed view of everything you do on your computer. It also has a screen capture facility, so even if you, for example, visit your bank's website by using a bookmark (rather than typing its address into your browser), StarLogger can still disclose all the relevant information.

If Samsung were indeed installing key loggers on its laptops, then legal repercussions would be an inevitability, just as they were for Sony.

Upon further examination, however, the allegations appear to be incorrect. Samsung is claiming that the result is simply a false positive. The anti-malware software used by Hassan, VIPRE, is apparently misidentifying a folder created by Windows Live Essentials. The "SL" in C:\Windows\SL does not stand for StarLogger at all—it stands for Slovenian. Windows Live Essentials installs a screensaver to the directory.

After Samsung made its claim, security software company F-Secure went a step further, and demonstrated that VIPRE will indeed identify a directory named C:\Windows\SL as StarLogger—even if the directory is empty. While still not absolute, definitive proof that Hassan's laptops were free of malware, this is compelling evidence that VIPRE is prone to emitting erroneous, untrustworthy results—erroneous results that would explain away these allegations.

Neither Hassan nor NetworkWorld, who published his claims, provided any evidence beyond the directory name; no logging binaries, no logs, no e-mail traffic or screenshots. Hassan also explicitly disclaims the possibility of a false positive, though his logic for doing so boils down to "it's never done it before." Absent concrete evidence to the contrary, Samsung's explanation is both highly credible and completely innocuous, suggesting that Hassan and NetworkWorld jumped the gun.
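The gap between a name-based alert and actual evidence, as described in the two paragraphs above, can be shown with a short sketch. This is an added example, not VIPRE's or F-Secure's code: the function names, verdict strings and sample files are assumptions constructed for illustration, and the only detail taken from the article is the directory name.

```python
import hashlib
import tempfile
from pathlib import Path

SUSPECT_DIR = Path("Windows") / "SL"  # directory named in the article

def path_only_match(root: Path) -> bool:
    """Name-based rule: fires whenever the directory exists, even if empty."""
    return (root / SUSPECT_DIR).is_dir()

def collect_evidence(root: Path) -> list:
    """Inventory files under the flagged directory for follow-up analysis."""
    target = root / SUSPECT_DIR
    evidence = []
    files = target.rglob("*") if target.is_dir() else []
    for f in sorted(p for p in files if p.is_file()):
        data = f.read_bytes()
        evidence.append({
            "path": f.relative_to(root).as_posix(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": data[:2] == b"MZ",  # Windows executables begin with "MZ"
        })
    return evidence

def triage(root: Path) -> str:
    """Classify an alert by what the directory actually contains."""
    if not path_only_match(root):
        return "no-alert"
    evidence = collect_evidence(root)
    if not evidence:
        return "unconfirmed: path match only"
    if any(e["is_pe"] for e in evidence):
        return "analyze: executable content present"
    return "analyze: non-executable files only"

def demo() -> dict:
    """Run both checks over constructed sample trees (not real system data)."""
    samples = {"empty": [], "stub": [("sample.bin", b"MZ" + b"\x00" * 62)]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in samples.items():
            root = Path(tmp) / name
            (root / SUSPECT_DIR).mkdir(parents=True)
            for fname, data in files:
                (root / SUSPECT_DIR / fname).write_bytes(data)
            results[name] = (path_only_match(root), triage(root))
    return results

if __name__ == "__main__":
    print(demo())
```

An "analyze" verdict is not a detection; it only means there are files whose hashes and signatures can be checked, which is the kind of evidence the original report never supplied.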

Even in the extremely unlikely event that such evidence were to be revealed, Samsung might not be the culprit. An unscrupulous reseller looking to make a quick buck could have installed the logger, so it might be restricted to systems bought from one particular vendor. A similar attack may have been made at a factory, surreptitiously infecting system images before they left the factory—it's not unknown for viruses to infect new systems, or installation media, as a result of contamination (accidental or otherwise) in a disk duplicator.

One might also wonder why a Samsung support person made such an incriminating (and astonishing) claim—perhaps a misunderstanding, or simply an effort to get an argumentative customer off the line.

Nonetheless, a false positive is far and away the most likely explanation. After all, which company would want to become the next Sony?