Category Archives: Security

Barracuda Breach Root Cause Marketing

I have to say I am impressed. Barracuda Networks has come forward on their blog with a simple and clear explanation for the breach — three basic mistakes in security management.

This latest incident brings home some key reminders for us, including that:

  • You can’t leave a Web site exposed nowadays for even a day (or less)
  • Code vulnerabilities can happen in places far away from the data you’re trying to protect
  • You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

I agree with them 120%. That level of disclosure is commendable on its own as a sign of honesty and root-cause analysis. However, what really impresses me is that they then recommend their product and end up with a very subtle sales spin. The breach analysis could be taken as an example of how to use a control to reduce the risk of security management mistakes.

The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.

In other words the incident review suggests that their WAF would have blocked the attacks when configured properly. Don’t you want to buy a WAF now?

The breach is subtly boiled down to an “unintentional” decision to put the control in maintenance/passive mode (OWASP Risk A6-Security Misconfiguration). That exposed their database to automated vulnerability scans from the Internet. They might have caught the vulnerability themselves had they run the same scans earlier (OWASP Risk A1-Injection), or they might have prevented data exposure by keeping the data better isolated and segmented. Both points are covered in their announcement, but at the end of the day they are selling WAFs. So it is interesting to hear, in this context, that their product could have blocked the blind SQL injection that caused their breach.
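To make the two layers in that analysis concrete, here is an added example (my own code, not Barracuda's and not from their announcement) that puts a hypothetical, single-signature WAF stand-in in front of two versions of the same lookup: one that concatenates input into SQL (the A1 defect a blind injection scanner probes for) and one that binds it as a parameter. The WAF's "monitor" mode mirrors the passive mode described above: it logs the hit and forwards the request anyway. The table, the probe string and the signature are all constructed for the illustration.

```python
import re
import sqlite3


# Constructed sample table; not Barracuda's data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# The A1 defect: user input is spliced into the statement, so a boolean
# tautology changes which rows the WHERE clause matches. That row-count
# difference is exactly what a blind injection scanner measures.
def lookup_vulnerable(conn, name):
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


# The fix at the code layer: a bound parameter is treated as data, never SQL,
# so the same probe simply matches no user.
def lookup_parameterized(conn, name):
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Hypothetical minimal WAF stand-in: one crude signature and two modes.
# "block" rejects on a hit; "monitor" (the passive mode in the breach
# analysis) only records it and lets the request through.
INJECTION_SIGNATURE = re.compile(r"(?i)'\s*(or|and)\s+|--|;")


class TinyWaf:
    def __init__(self, mode):
        if mode not in ("block", "monitor"):
            raise ValueError("mode must be 'block' or 'monitor'")
        self.mode = mode
        self.log = []

    def allow(self, value):
        """True if the request may proceed to the application."""
        if INJECTION_SIGNATURE.search(value):
            self.log.append(f"[{self.mode}] signature hit on {value!r}")
            return self.mode != "block"
        return True


def handle_request(waf, conn, name, handler):
    """Run the lookup behind the WAF; None means the WAF blocked it."""
    if not waf.allow(name):
        return None
    return handler(conn, name)


if __name__ == "__main__":
    db = build_db()
    probe = "nobody' OR 'x'='x"  # constructed tautology probe
    for mode in ("monitor", "block"):
        waf = TinyWaf(mode)
        print(mode, "vulnerable:", handle_request(waf, db, probe, lookup_vulnerable))
        print(mode, "parameterized:", handle_request(waf, db, probe, lookup_parameterized))
        print(waf.log)
```

Run as written, the vulnerable lookup behind a monitoring-only WAF returns every email in the table, the same lookup behind a blocking WAF returns nothing, and the parameterized lookup returns an empty result in either mode. The log entry appears in both modes, which is the detection opportunity the passive configuration still gives you, and the parameterized version is the reason the WAF mode should not be the only thing standing between a scanner and the data.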

What Six Months of Your Life Looks Like to a Telecom

A German politician named Malte Spitz sued his mobile provider (Deutsche Telekom) for access to all the information they were storing on him. When they released the information to him he published six months of calls, texts and Internet usage on an interactive map. German privacy law has since improved.

Meanwhile, other countries, including the United States, still track users via mobile phones as well as wireless accessories (e.g. BlueToad). Here is an example of what it looked like on Spitz’s map:

Deutsche Welle just posted an interesting interview with him.

Yes, it was quite shocking to see 35,000 pieces of information about my past six months. And it was also so detailed that there was some information where I was at some events that I didn’t even remember. So seeing the interactive visualization, I remembered: ‘Oh yeah, this was the day I was here and there, and so on.’

It was quite shocking because I thought it would be maybe 5,000 pieces of information. But 35,000 pieces of information, when you break it down, that means each day, there are 200 pieces of information. So if you have five to seven hours of sleeping time, so you have like, between the morning and evening, you have maybe 150 pieces of information – every five to 10 minutes my mobile operator knows where I am.

Encapsulation Failures

Gareth Rees posted an amusing and detailed review of encapsulation failures, in the context of mobile game apps.

When objects interact with each other, the outcome of events can depend on the properties of several objects. For example, when two objects collide the result depends on the properties of both objects. Consider collisions in a game with bullets, people, and tanks:

  • Bullet/bullet: both unaffected (treat as if they didn’t collide).
  • Bullet/tank: bullet ricochets, tank unaffected.
  • Bullet/person: bullet vanishes, person damaged.
  • Tank/tank: both tanks stop.
  • Tank/person: person stops, tank unaffected.
  • Person/person: both people stop.

You can coerce this kind of table of interactions into the straightjacket of single-dispatch method calls, but the results are pretty ugly however you do it. (It’s no coincidence that the main motivating example in Wikipedia’s multiple dispatch article is collision resolution.)

But there are more subtle examples where the naïve approach goes wrong.
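The collision table above is the textbook case for dispatching on two types at once. As an added example, not Gareth Rees's code and not taken from his post, here is the table written out directly in Python: one small function per row, a dictionary keyed on the pair of concrete types, and a `collide` function that tries the swapped key so each unordered pair is stored only once. The entity fields (`moving`, `present`, `damage`, `events`) are constructed for the illustration.

```python
class Entity:
    """Minimal game object; the fields are constructed for this example."""

    def __init__(self, name):
        self.name = name
        self.moving = True      # cleared when the object "stops"
        self.present = True     # cleared when a bullet "vanishes"
        self.damage = 0         # incremented when a person is hit
        self.events = []        # e.g. "ricochet"


class Bullet(Entity):
    pass


class Tank(Entity):
    pass


class Person(Entity):
    pass


# One function per row of the interaction table.
def bullet_bullet(a, b):
    pass                                  # both unaffected


def bullet_tank(bullet, tank):
    bullet.events.append("ricochet")      # tank unaffected


def bullet_person(bullet, person):
    bullet.present = False                # bullet vanishes
    person.damage += 1                    # person damaged


def tank_tank(a, b):
    a.moving = b.moving = False           # both tanks stop


def tank_person(tank, person):
    person.moving = False                 # tank unaffected


def person_person(a, b):
    a.moving = b.moving = False           # both people stop


# The table itself, keyed on the pair of concrete types. Each unordered
# pair appears once; collide() handles the other argument order.
COLLISION_RULES = {
    (Bullet, Bullet): bullet_bullet,
    (Bullet, Tank): bullet_tank,
    (Bullet, Person): bullet_person,
    (Tank, Tank): tank_tank,
    (Tank, Person): tank_person,
    (Person, Person): person_person,
}


def collide(a, b):
    """Dispatch on both operands' types and return the name of the rule used.

    Raises TypeError for a pair the table does not cover, which is the
    failure you want to be loud rather than silently treated as "unaffected".
    """
    rule = COLLISION_RULES.get((type(a), type(b)))
    if rule is not None:
        rule(a, b)
        return rule.__name__
    rule = COLLISION_RULES.get((type(b), type(a)))
    if rule is not None:
        rule(b, a)
        return rule.__name__
    raise TypeError(f"no collision rule for {type(a).__name__}/{type(b).__name__}")


if __name__ == "__main__":
    person, tank = Person("p"), Tank("t")
    print(collide(person, tank), person.moving, tank.moving)   # tank_person False True
    bullet = Bullet("b")
    print(collide(tank, bullet), bullet.events)                # bullet_tank ['ricochet']
```

Because the lookup is on `type(a)` exactly, a subclass such as `class Jeep(Tank)` would need its own rows (or a walk up the MRO) before it matched; that is the trade-off against single-dispatch methods, which inherit for free but force every rule into one object's class.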

Surveillance is the new black

Many moons ago, 1991 to be exact, I found Ivar being installed in Macintosh labs. It was an extension to System 6 that gave remote control of the audio. The attacker had to use a fake “bomb” prompt to get users to restart their system and load the extension (a camouflaged opt-in method), but otherwise it was a silent and easy way to listen and even speak to remote users without them knowing.

I treated it as malware and removed it, but let's just say it also was great for practical jokes.

“This is your computer speaking…I need a break! Please shut me down.”

This WEEK in TECH (TWiT) now reports that similar surveillance “apps” for smart phones have been found in the wild. Today, however, it is no laughing matter, as the apps are developed and driven by large marketing companies that intend to surreptitiously collect as much information as possible because (ironically) they don’t really know who they are dealing with.

Robert Scoble: …it actually is listening to the audio, it’s not recording audio but it’s recording a fingerprint of the audio signature of the room.

Becky Worley: What?

Robert Scoble: So you can tell. Yeah here is why they’re doing that. He says that what we’re trying to do is make it possible for a lot of people to go to, let’s say, a Lady Gaga concert and all these shooting pictures will know where the performer is because everybody is aiming at the same place and we’re listening to the audio signature of the room to join everybody into a one Color space and they expect to be able to show you why the closest picture that’s being taken of that event.

Leo Laporte: Oh that’s interesting.

Robert Scoble: So if somebody is in the front row, the big people in the back row will see pictures that the front row is shooting.

Leo Laporte: What do you think of the argument that that is all a red herring and that really the reason they got $41 million is because they figured out a way to collect all sorts of info – it really scares me that they got the mic on, all sorts of information about their users which they will be able to sell, I mean it’s – there’s no sense in the $41 million unless you assume they are up to something clever.

That’s a lot of lettuce just to spy on random people. I wonder if the Shazam app developers are double-checking their ethics.

The TWiT team clearly objects to the opt-out surveillance of these new apps; they even call it a flaw in Apple security! Heh, well, users are choosing to download and install them. Unlike the Ivar extension, where we had to infiltrate a system the old-fashioned way, surveillance now is being engineered as a service — bundled with a giant carrot.

Leo Laporte: I have to tell you I – as soon as I thought about it for half a minute I erased Color immediately and I would recommend anybody who listens to this show to immediately erase that program.

Brian Brushwood: Nobody under 25 will hear that advice, that’s…

Leo Laporte: Because there is a – now that I know that it’s also doing sound analysis, that really creeps me out. This is a real flaw in Apple’s permissions system, at no point were we informed that this program was turning on the microphone. I don’t care if they say they’re not using it they’re turning on the microphone in my phone and they never told me that. That’s bad news.

Robert Scoble: Well I told you on my show on Thursday.

Becky Worley: They didn’t tell me that when I downloaded the Grey’s Anatomy iPad app.

Leo Laporte: What? It listens to YouTube?

Becky Worley: It listens to the TV to figure out where it is in the show so that it can sync, it simulcast of iPad information to where you are in the show.

Brian Brushwood: Wow.

Ok, this is where I put on my giant hat of contrariness.

I predict people under 25 not only anticipate this better than those who are over 25, they already have more natural countermeasures from growing up within the system.

Humans have a natural instinct for freedom of thought. It is nonsense to suggest that those under 25 lack the desire to resist authority.

Those who are raised under a constant surveillance threat will more easily adopt methods like phone swapping, temporariness, and sharing. They will intentionally break the bonds of information that older generations have a hard time protecting or letting go.

In other words, the first generation to taste the surveillance carrots probably will see something worth the trade-off in privacy — even if it is just to do something cool and new and different. Subsequent generations will not be so easily fooled.