by Construct 5552 days ago
This is a good reminder to always do your homework before making such a strong accusation. Samsung's reputation is probably largely undamaged, other than among people who just read the headlines on news aggregator sites. Even searching for 'Samsung Key Logger' pulls up mostly articles about the false alarm situation.

Mohamed Hassan [MSIA, CISSP, CISA and graduate of the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009 as the original article prominently states], on the other hand, is probably not so lucky. Any Google search on his name from now on will probably reveal this whole debacle. Furthermore, I wouldn't be surprised if he just opened himself up to legal action by Samsung.


It should also be a good reminder to all of the people on HN who jumped to the conclusion that this guy was right on very sketchy evidence. This place is influential. We should do better.
I think the vast majority of top-level comments on that item considered the information dubious or were holding out for independent confirmation; I don't think HN leapt to a conclusion. My comment, one of the less obvious, was more from a good-idea perspective instead of assuming the story was true -- I had not decided yet.

Overall in that item I think HN did better than you imply, unless you mean the upvotes the item received.

I did my part and questioned this from the beginning only to be 'corrected' by other HN commentators. A competent person would have displayed logs, packet captures, stacktraces, etc. This guy just said "my infallible tools caught it" and those who want to believe in conspiracy theories just believed it. It was obvious from the get-go that Mr. Credentials was just using an off-the-shelf definition-based scanner.

Meanwhile, the shitty media outlets that irresponsibly spread this got all the ad impressions they wanted. The problem with truth is that it's not as profitable as BS. How many people will ever read the corrections?

HN had many skeptical comments right off the bat. I guess simply publicizing this story before it's confirmed is bad, but it's also how you shine light on an issue - in this case, clearing Samsung of any wrongdoing.

Reddit fared much worse, IMO, in that people continued to upvote the wrong story after the truth was out. The correction has been posted but isn't anywhere near the front page.

Update - reddit has come around to the truth. :)
I agree completely with this sentiment. It's important to remember that the vast majority of "journalism" on the web isn't conducted very professionally.
Thankfully, it looked to be very few people. His article was written--and his tests were conducted--just about as poorly as they could have been. It was a huge show, and HN caught on quickly as far as I can tell.
To be fair, Mohamed Hassan did contact Samsung support and they didn't clear up the issue. In fact, I believe they may have even confirmed that there was a key logger installed! At that point his due diligence has been done and he has confirmation. He doesn't need to do anything further than that. Shame on Samsung support for such a pathetic showing.
He did not fulfill his due diligence. Not if they're going to add this to the article: "Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix."

If they're going to pass him off as an expert, then he better be doing analysis that a normal lay-man can't do. If he has the credentials, then why is he basing his claim off of a conversation with low-level customer support?

Wait, University of Phoenix? Isn't it the university associated with scams and sham degrees, or am I wrong?
UoP is accredited by the same board which accredits University of Michigan. [http://www.phoenix.edu/about_us/accreditation.html] For whatever that is worth.

They have experienced difficulty regarding the rates at which students receiving Federal Financial Aid graduate - i.e. their issues are based on low graduation rates and not based on being a diploma mill.

Disclosure: my spouse teaches for UoP part time.

They have also received criticism for the large number of loan defaults, and lobbying to change how the loan default statistics are calculated to make their numbers look better (at least according to Frontline). The same program also mentioned private for-profit schools account for a quarter of all student aid in the country, a disproportionately high number since they are not a quarter of our schools.
Public universities have large numbers of lobbyists serving their interests as well.

UoP had about 400,000 students at the time the Frontline piece was produced - that's seven Ohio State Columbus's [http://www.osu.edu/osutoday/stuinfo.php] so number of schools is not perhaps the best measure.

Rightly or wrongly, because UoP has open enrollment they admit more students who are eligible for Federal Financial Aid than most schools because of the population they enroll.

And nothing in the Frontline piece accused UoP of being a diploma mill as was implied by the prior comment to which I responded. A criticism of their business model is a different indictment altogether.

Not sham degrees, exactly. They require the absolute minimum level of educational achievement necessary to edge over the fuzzy line between a diploma mill and legitimate education. Students go to UoP to get a piece of paper that helps their career and that they would generally be incapable of acquiring at a real university, while in exchange UoP is there to milk the students for every federally-guaranteed loan they can qualify for.
> Students go to UoP to get a piece of paper that helps their career ... while in exchange UoP is there to milk the students for every federally-guaranteed loan they can qualify for.

Wait, so just like a real university?

Sorry, but I thought this was hilarious.
Selective quoting much?
However, using Hassan's affiliation with UoP as a means of questioning his qualifications is a bit of a stretch. Given the rate at which bricks-and-mortar universities churn out graduates with advanced degrees for which there is little employment opportunity on physical campuses, online schools like UoP wind up as the best available option for new MSs and PhDs with an interest in teaching such as Hassan, particularly those with one foot in the commercial world.
It's worse than that. The whole article was a fluff piece rambling about his awesome credentials and comparing the discovery to the discovery of Sony's rootkit and was written to create hype rather than show concrete evidence. And why needlessly break the article into two parts except to garner page hits?

The money quote:

>The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

It boggles the mind how a founder of security consulting company can be so clueless. But most of HN and the tech news site like Slashdot fell for this with completely knee-jerk reactions, so I guess I am not surprised and the people behind his fiasco got the publicity they wanted. And remember HB Gary?

I am sure this hoopla would've cost Samsung some real damage in sales and they might be considering legal action. As Churchill said:

"A lie gets halfway around the world before the truth has a chance to get its pants on."

Well, at least I can say I called it, even after the so-called Samsung confirmation. http://news.ycombinator.com/item?id=2389141

I don't expect customer support to know what a keylogger is, much less know if their own systems have them installed.
But yet they said yes... I wonder if I call them up and ask, "hey, Samsung CS, did you guys install a flurb-yulb-gumbler on my new laptop?", will they say, "yes, we use those to violate your privacy."
It was still incredibly disingenuous and dishonest. There is no way any person of reasonable IT knowledge would go to tech support for information on engineering decisions. He was fishing for confirmation and he got it - I have strong doubts about Mr. Hassan's intentions when he contacted support.
He did talk to customer support, and once in a while, I'd rather have a false alarm (keeping it to the level of information, rather than lawsuits) now and then, than something like this actually happening and kept under the radar.
> I'd rather have a false alarm ... now and then, than something like this actually happening and kept under the radar.

I've heard the same kind of reasoning from people who forward on those "Microsoft will send a prize for the most emails sent!"-type emails.

The problem is: there has to be a minimum level of credibility, otherwise we'd be swamped with every man and his dog making claims like these.

> To be fair, Mohamed Hassan did contact Samsung support and they didn't clear up the issue. In fact, I believe they may have even confirmed that there was a key logger installed! At that point his due diligence has been done and he has confirmation. He doesn't need to do anything further than that. Shame on Samsung support for such a pathetic showing.

Extraordinary claims require extraordinary evidence. Especially when the person making claims is the founder of a security company. His due diligence consisted of things like "The software I used is false-positive proof since I am using it from 6 years". "I have done this on two different laptops with same results, so it must be Samsung's fault". Huh?

Everything that he did was just shameful. Suggesting class-action, writing two articles essentially saying the same thing (in a "2-part series"), shoving our faces with his credentials (that obviously didn't do much for him), claiming that his anti-virus program never had false positives, drawing comparisons to the Sony rootkit debacle, etc.

I hope this guy has it coming to him. If he's going to put his creds up like that, he's putting himself out there as an informed source. You expect that sort of sensationalism from journalists, not from a security "expert". Shameful work, overall.

He's founder of NetSec Consulting Corp. I am sure this is great advertisement for it. Or maybe it was orchestrated to generate publicity.
> Any Google search on his name from now on will probably reveal this whole debacle.

Actually, he has a sufficiently common name that those results will be relegated to the 2nd or 3rd page of search results within a few weeks:

http://www.google.com/search?q=Mohamed+Hassan

Probably not if you throw in a few relevant keywords like 'security'.
certificate fail!