Category Archives: Security

Surveillance is the new black

Many moons ago, 1991 to be exact, I found Ivar being installed in Macintosh labs. It was an extension to System 6 that gave remote control of the audio. The attacker had to use a fake “bomb” prompt to get users to restart their system and load the extension (a camouflaged opt-in method), but otherwise it was a silent and easy way to listen and even speak to remote users without them knowing.

I treated it as malware and removed it, but let's just say it also was great for practical jokes.

“This is your computer speaking…I need a break! Please shut me down.”

This WEEK in TECH (TWiT) now reports similar surveillance “apps” for smart phones have been found in the wild. Today, however, it is no laughing matter as apps are developed and driven by large marketing companies who intend to surreptitiously collect as much information as possible because (ironically) they don’t really know who they are dealing with.

Robert Scoble: …it actually is listening to the audio, it’s not recording audio but it’s recording a fingerprint of the audio signature of the room.

Becky Worley: What?

Robert Scoble: So you can tell. Yeah, here is why they’re doing that. He says that what we’re trying to do is make it possible for a lot of people to go to, let’s say, a Lady Gaga concert and all these shooting pictures will know where the performer is because everybody is aiming at the same place and we’re listening to the audio signature of the room to join everybody into one Color space and they expect to be able to show you why the closest picture that’s being taken of that event.

Leo Laporte: Oh, that’s interesting.

Robert Scoble: So if somebody is in the front row, the big people in the back row will see pictures that the front row is shooting.

Leo Laporte: What do you think of the argument that that is all a red herring and that really the reason they got $41 million is because they figured out a way to collect all sorts of info – it really scares me that they got the mic on, all sorts of information about their users which they will be able to sell, I mean it’s – there’s no sense in the $41 million unless you assume they are up to something clever.

That’s a lot of lettuce just to spy on random people. I wonder if the Shazam app developers are double-checking their ethics.

The TWiT team clearly objects to the opt-out surveillance of these new apps; they even call it a flaw in Apple security! Heh, well, users are choosing to download and install them. Unlike the Ivar extension, where we had to infiltrate a system the old-fashioned way, surveillance now is being engineered as a service — bundled with a giant carrot.

Leo Laporte: I have to tell you I – as soon as I thought about it for half a minute I erased Color immediately and I would recommend anybody who listens to this show to immediately erase that program.

Brian Brushwood: Nobody under 25 will hear that advice, that’s…

Leo Laporte: Because there is a – now that I know that it’s also doing sound analysis, that really creeps me out. This is a real flaw in Apple’s permissions system; at no point were we informed that this program was turning on the microphone. I don’t care if they say they’re not using it, they’re turning on the microphone in my phone and they never told me that. That’s bad news.

Robert Scoble: Well, I told you on my show on Thursday.

Becky Worley: They didn’t tell me that when I downloaded the Grey’s Anatomy iPad app.

Leo Laporte: What? It listens to YouTube?

Becky Worley: It listens to the TV to figure out where it is in the show so that it can sync; it’s a simulcast of iPad information to where you are in the show.

Brian Brushwood: Wow.

OK, this is where I put on my giant hat of contrariness.

I predict people under 25 not only anticipate this better than those who are over 25, they already have more natural countermeasures from growing up within the system.

Humans have a natural instinct for freedom of thought. It is nonsense to suggest that those under 25 lack the desire to resist authority.

Those who are raised under a constant surveillance threat will more easily adopt methods like phone swapping, temporariness, and sharing. They will intentionally break the bonds of information that older generations have a hard time protecting or letting go.

In other words, the first generation to taste the surveillance carrots probably will see something worth the trade-off in privacy — even if it is just to do something cool and new and different. Subsequent generations will not be so easily fooled.

PCI DSS Effective – According to Breach Reports

The new data is in. When I presented for the PCI Security Alliance and SafeNet at RSA in 2009 I used breach data in datalossdb.org to show that PCI DSS was working and we could prove it.

The following two reports explain this trend in much greater detail. I will handle them individually later, but for now here are a couple of highlights:

Verizon has posted the “2011 Data Breach Investigations Report”:

After four years of increasing losses culminating in 2008’s record-setting 361 million, we speculated whether 2009’s drop to 144 million was a fluke or a sign of things to come. 2010’s total of less than four million compromised records seems to suggest it was a sign.

Imperva has posted “PCI’s Impact on Security Quantified”:

PCI is very effective in reducing breaches, but it seems many companies don’t believe it.

USAID sends Elmo to Pakistan

You might have noticed my post the other day about USAID.

The agency is “waiving” iPads through security requirements straight into field use by government officials.

I wondered what they possibly could be doing with the iPads, besides trying to annoy Secretary of State Clinton. Now I get it. They have drafted Elmo into service.

U.S. officials are taking a different approach, hoping that “Sesame Street” can instill education values in very young Pakistani children, arming them with the learning tools to fend off extremism later in life.

[…]

The format will be largely the same as the U.S. version, with each episode highlighting one letter and number for children to learn. Like the U.S. version, the program will also have strong female characters, with the subtle aim of promoting tolerance and gender equality. But it’s not slated to touch on any political themes outright.

Slated to touch? If that’s not a giant hint, I don’t know what is. Elmo needs a distribution channel. I mean how will Elmo reach all those impressionable children across rural Pakistan?

Obviously iPads (slates with touch) will be dropped from the sky. Elmo will be playing on them as they fall, saying “I come without any political themes outright”.

This sounds a lot like the modern equivalent of Para leer al Pato Donald (How to Read Donald Duck), published in Chile in 1972:

…the world shown in the comics [sent to Latin America from the US], according to the thesis, is based on ideological concepts, resulting in a set of natural rules that lead to the acceptance of particular ideas about capital, the developed countries’ relationship with the third world, gender roles, etc.

Phase two, after the youth Elmo-isation is complete, US soldiers will deploy in Elmo suits to blend in and win local support.

Look Mr. Chief! Look Everybody! Elmo is your friend!

FlyNano Safety Concerns

The recent announcement of a recreational ultralight aircraft in Europe called FlyNano has raised some concerns about safety. Critics doubt whether the “Harley of the Sky” can really avoid a pilot license requirement just because of its weight.

It is in truth more of a flying jet-ski than a motorbike, since it can only land on water, but its unique quality is its weight – at just under 70 kilos (154 pounds), it beats certain international regulations for license-only aircraft. This could potentially make it the ideal option for the recreational flyer who lacks the means to get a full pilot’s license.

FlyNano

Unlicensed, inexpensive planes that take off and land on water? I can see half of Tiburon trying to commute to San Francisco with these across complex shipping lanes and weather patterns. What could go wrong? Perhaps if it really takes off (pun not intended) in popularity they should rename it the jet-flea.