Thu 31 Mar, 2011
Tags: computer security, incompetency, information security, internet security, security
If you’re unfortunate enough not to have someone in your family or circle of friends who builds computer systems, you may have had the experience of buying a new computer at a retail store and, on unboxing and setting it up, being confronted with a significant amount of preinstalled nonsense that you neither want nor need. Usually, this includes such things as “trial versions” of games, “trial” versions of antivirus programs, “helpful” extensions to the web browser, assorted other “previews” of software, generally some sort of “maintenance” console from the system manufacturer, links to one or more ISPs’ setup procedures, etc., all of which takes several hours of cleaning to be rid of.
If you have the misfortune of buying a system from Samsung, however, you may have found a little something more. NetworkWorld broke a story yesterday in which a security professional found a clear instance of spyware being preinstalled by the manufacturer.
Spyware, as the name implies, is the term for software intended to covertly gather information from a system and report it back to some other party without the user’s knowledge or consent. In this case, it was a kind of program known as a keylogger: it intercepted keyboard input and logged it for transmission back to, apparently, Samsung–meaning that any documents, usernames, passwords, credit card numbers, social security numbers, names, addresses, or what have you that are entered on the keyboard, regardless of the context or location of the entering, would be logged by the system for inspection by Samsung.
Systems have been compromised by malicious software before being shipped in the past–Seagate had an incident in 2007 where some of its home-user Maxtor drives shipped with an outdated virus due to contamination at the drive manufacturing plant–but in this case the action appears to have been purposeful, as Samsung has admitted to purposely installing the software on the systems.
This recalls the Sony rootkit debacle from ’06–Sony had purposely built onto CDs a data track designed to be run by users’ computers that would install software specifically for the purpose of restricting music copying. In that case, not only was the rootkit largely ineffective, but Sony was brought up before the FTC and restricted to such an extent that business refactoring was necessary in order to continue to operate in the United States.
The FTC stated at that time that installing software that creates a security risk to the consumer without the user’s consent is forbidden. This apparently did not stop Samsung from violating, clearly, the letter and the spirit of that decision in installing malicious (to the user) software on the system.
Fortunately, there is a–relatively–easy fix for all of the problems above. Installing an operating system onto the computer other than the one the manufacturer provided is a sure way to prevent both the installation of bloated advertising programs and vendor-provided malicious software.
It’s an unfortunate extra step, but so long as vendors continue to prove they cannot be trusted with consumers’ information, it’s a necessary step.
A word of caution: the Windows license key printed on the case will likely not work with a regular Windows installation disk; that key is tied to what’s known as the OEM version of the operating system–that is, the one that is distributed on the computer. You will either have to purchase (or obtain by some other means) a license for Windows from another source, or choose a Linux distribution (such as Ubuntu or Fedora) that can be obtained without cost.
A post on the best ways to bribe the local computer geek into setting this up for you will be written shortly.
Several sources (engadget and Ars Technica, specifically) are now reporting that the keylogger detected was likely a false positive. The statement by the customer support supervisor was, in this case, likely due to a misunderstanding of the question being asked.
That being said, it is still a good idea to either build your own system or wipe and install your own OS on a vendor-supplied system, if only to keep off unnecessary bloat.