Cisco Blogs


Cisco Blog > Security

Trust, Reliability, and the Downside of the Fast-Twitch Twittoblogosphere

It is clear that we are in a transition with regards to the way information is published and consumed. Old school media such as newspapers and network news are in decline or are, like the New York Times and the Wall Street Journal, looking for new ways to remain relevant.

The rise of social media as a source of news has both positive and negative aspects. On the positive side the speed of social media has proven hard to match. For example, on November 23, 2010, North Korea shelled Yeongyeong Island in South Korea. My first notification about that event was via Twitter and it was only later that I was able to get confirmation via CNN. Similarly on March 11, 2011, when the earthquake and subsequent tsunami hit Japan with tragic consequences, my first notification was again via Twitter. Clearly first-mover advantage goes to social media, largely due to the lack of overhead and the few barriers to and low cost of publishing.

Recently we saw one of the weaknesses to the often knee-jerk, fast-twitch responses that social media can create with the unfortunate accusations that were falsely leveled at Samsung; statements accusing the Korean manufacturer of putting keylogging software on its laptops.

It all started with a Network World article where Mohammad Hassan did a guest piece for the respected M. E. Kabay. Hassan wrote that he felt he had come across an issue with Samsung laptops. He believed that he had found evidence of StarLogger, a commercial keylogger, installed on two different Samsung laptops. Unfortunately he didn’t realize that what he had found was a Slovenian language directory for Windows Live, C:\Windows\SL, not the default install directory for the keylogger.

GFI Labs, to their immense credit, takes the fall for this in a post titled “Samsung Laptops do not have a keylogger (and it was our fault)” where they explain how this happened. They have a product, VIPRE Antivirus, which supports an aggressive heuristic detection mode. They go on to explain that, in general, virus detection may be done with file signatures, such as when you look for specific files; behavior, such as when you look for the virus or malware to do certain things; or heuristics, such as when you look for what is similar to known viruses in order to go around the techniques that malware authors use to avoid detection.

In the case of GFI VIPRE, the presence of the directory C:\Windows\SL, which is the default install directory of the StarLogger keylogger, was a heuristic trigger that kicked off a false positive that caused the AV system to notify Hassan that he had a keylogger on his laptop. Unfortunately, sometime after the heuristics for VIPRE was written, Microsoft started using the directory C:\Windows\SL for the Slovenian language files for Windows Live, thus triggering alerts on two of Hassan’s Samsung laptops.

To make things worse, it seems that some confusion on the part of the support staff that Hassan contacted may have compounded the problem, with an evidently mistaken supervisor telling Hassan that Samsung put the software on laptops to “monitor the performance of the machine and to find out how it is being used.” A statement that likely went a long way toward reinforcing the false positive.

In a world where investigative journalism ran on timelines somewhat longer than the five minute news cycles of Twitter, it might have been possible for someone to dig in and use some other tools to determine whether or not a keylogger, or other malware, was actually shipping with the laptops. Determining whether or not a commercial application, even a stealthy one, is installed or not, isn’t rocket science.

However, once the story broke on Network World, many were eager to throw the URL into a URL shortener like bit.ly and then broadcast it to their followers, where many were using sensationalistic linkbait. This of course triggered a wave of blog posts, which then triggered additional waves of tweets, and so the cycle continued.

Then people began to realize that the information was wrong, which triggered another race to tweet about how Samsung didn’t put keyloggers on their laptops. Those tweets triggered another wave of blog posts, which triggered more tweets. And so on, and so on, and so on.

And thus in the end we are left with a question of trust. Sure, Twitter and other social media vehicles are fast, but can you trust them? Like with many things, it appears that the answer is more nuanced than a simple yes or no, and it takes me back to advice that Pete Hernan, who ran escalations for now defunct Riverstone Networks told me “Consider the information, but also consider the source”.

As social media vehicles and other Web 2.0/3.0 vehicles become more central, determining whether or not a particular source is reliable is also going to become more important. Recently Ars Technica posted a great piece on Information Credibility on Twitter, a piece of research by Castillo, Medoza, and Poblete. One of the central conclusions was that reputation was a key factor (one which Cisco uses in our security products) and they saw that “those with the most invested in the service—in terms of past activity, followers, and friends—tend to convey more accurate information.” Indeed, the authors state “low credible news is mostly propagated by users who have not written many messages in the past,” a statement which takes me back to the days of AOL, with mailboxes full of promotional floppy discs and the breathless forwarding of urgent virus warnings and hoaxes about being paid to forward email. I guess we have come full circle.

In the end, Samsung builds good products. Their laptops don’t have keyloggers and they build nice smartphones and tablets. Indeed, speaking of nice tabs and phones, some of the new Samsung tabs and phones, including the Galaxy Tab and the Galaxy S 2 smartphones, will soon start shipping with Cisco AnyConnect; software which will enhance, rather than break, security on the device.

First mover is nice, but as recent events have shown, perhaps even considering the source is not enough, it may be best to adopt the Ronald Reagan approach, “Trust but Verify” or perhaps better yet the X-Files approach, “Trust No One” ;-)

Tags: , ,

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

1 Comments.


  1. I would like to say thanks to you for this blog write-up, it is quite informative and valuable. I’ve had numerous negative encounters with spyware and adware, and it can be really irritating to cope with. One time I needed to re-install Windows because of some basic spyware that I never took care of. Another time My partner and i experienced some voice randomly announcing stuff to me about some item My spouse and i earned, it was subsequently extremely discouraging.I am about to save your website and come again frequently. Thank you once more

       0 likes