“Is there any point to which you would wish to draw my attention?”

“To the curious incident of the dog in the night-time.”

“The dog did nothing in the night-time.”

“That was the curious incident,” remarked Sherlock Holmes.

Holmes realizes the guard dog didn’t bark because it knew the perpetrator of the crime. The absence of an expected happenstance is a signal.

This is what I was getting at when I was writing about spreadsheet errors being a signal that institutions are more robust than they initially appear. The spreadsheets they depend on have a surprisingly high error rate, but these errors are only rarely transmitted to their public behavior.

This was on my mind again this week because of the outcry over the Transportation Security Administration’s new screening measures that take nearly-naked photos of passengers or, for those who opt out, an invasive pat-down. The TSA claims that this policy strikes a balance between privacy and security, and that “We have to ensure that each person getting on every flight is secure.”

Which is not really news. The TSA justifies everything they do by saying it’s “for security purposes” like a magician says “abracadabra”. Words are uttered but no meaning is produced, the speaker is filling time while they do whatever they like.

When you look at those security purposes, the dog isn’t barking. There are no attacks on “soft targets” where people congregate like malls, churches, sporting events, and airport security lines. If the terrorists existed, why don’t they attack?

Carl Sagan pointed out pointed out that “absence of evidence is not evidence of absence”, but he said it because he was dealing with cranks who tried to shift the burden of proof to scientists to disprove their weird theories about flying saucers instead of proving that they exist. Where’s the burden of proof for these searches?

No one disputes that terrorists do exist, the question is whether they’re adequately addressed by existing law enforcement or if the government has reason to employ low-trained workers to grope 3 year olds. U.S. law does not default to requiring everyone to submit to searches, it requires that law enforcement prove in warrants or articulable facts why each search is needed by the particular circumstances. Blanket searches are permitted to enforce immigration and import law, but searches of the person of every domestic airline passenger are far removed from that need.

In short, the TSA hasn’t made a case for these searches, let alone proved it or gotten judicial approval, and the curious incident of the terrorist in the strip mall is an indication we need to pay attention.

And this morning their development site had a new banner on it:

A classy response beats threatening a Lawyerclypse. And it’s a darn good sign given that public trust is a big part of their business model, which is all I’m going to say on the matter for 27 days or so.

The puzzle is run by Cambrian House, a mysteeeeerious stealth startup that has only a teaser page online. If there’s one thing that annoys me more than Flash puzzle-level games, it’s stealth startups.

So I went poking around some more and found a development copy of their website. And much to my surprise, it’s actually a darn cool business idea. So cool that after I wrote a whole “Mwaha, I’m raising the curtain early!” post I thought better of it and am only going to post this for now. It was clever and fun, there’s going to be a ridiculous amount of buzz around this company when it launches. And I got to register as user #9, which was damn funny when I noticed their “About Us” page lists 17 employees.

Confidential to CH in Calgary: it’s really tacky to litter your URLs with “.php” and get variables. Put the following in your .htaccess file and have index.php take apart the URL with the PHP code below and route to your different pages. URLs like “/community/member/Harkins” look much nicer than “/community/member-profile.php?users_id=9″. (Or ask me about mod_rewrite.)

<Location /secret_development_environment>
    Order Deny,Allow
    Deny from all
    Allow from 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 .cambrianhouse.com
</Location>

RewriteEngine On
RewriteCond    %{REQUEST_FILENAME}  -d [OR]
RewriteCond    %{REQUEST_FILENAME}  -f
RewriteRule     ^(.*)$  - [L]

RewriteRule ^(index.*) - [QSA,L]
RewriteRule ^([^.]*)$ /index.php [QSA,L]

 
function url_parse() {
        $url = $_SERVER['REQUEST_URI'];
 
        // we don't want to pass get vars or anchor tags on to the script
        if (strpos($url, '?'))
                $url = substr($url, 0, strpos($url, '?'));
        if (strpos($url, '#'))
                $url = substr($url, 0, strpos($url, '#'));
 
        //remove leading slash and possible trailing slash, store in $url
        if (substr($url, 0, 1) == '/')
                $url = substr($url, 1);
        if (substr($url, -1) == '/')
                $url = substr($url, 0, -1);
        if ($url == '/')
                $url = '';
        $url = explode('/', $url);
        
        return($url);
}

Everywhere I’ve seen this story it’s “Look at what that wacky MPAA is up to again”, but that’s not even half the story. FedEx chose to allow the MPAA to start nosing through its packages and the announcement describes the program as “amazingly successful” despite not catching a single pirate. The only logical conclusion is that FedEx doesn’t want your business anymore. And that’s easy enough to oblige.

You want a little healthy fear in your life, it keeps you from trying to pet those cute little bear cubs. In business, it keeps you paying attention to things like what the competition is up to, to if your burn rate is sustainable, and how important those last few bugs are.

Most NDAs exist because of two different and worthwhile fears: early competition and secret sauce. If you and two buddies have read Getting Real and struck out on your own to start a web-based business, you’d like to delay the day that knockoffs start appearing. Alternatively, if you’re Google, you have hordes of resourceful competitors and abusers who’d love to mine the offhand comments of your engineers.

But the nearly-as-common motivator behind NDAs is shame. You could call it fear of being found incompetent, but the word for that is shame. A shame-powered NDA will invariably be described as an important security measure, but the business is covering up that it runs everything in a slipshod, last-minute, “this is good for now and we need it” manner. Most organizations just barely work and spend their time lurching between crises, which is mildly disconcerting in an interdependent society but handy for breaking the spirit of idealistic young college graduates.

An NDA easily slips from being protection against competitors to being protection against customers, so companies have to be regularly act introverted, maybe stare into a candle while holding a crystal, and make sure they’re being honest with themselves about why they have an NDA.

So think about yours. If you’re not thinking about how to balance tipping your hand and bragging about how cool you are, something’s terribly wrong.

As it goes, the article presents a decent solution: if the keyboard might be insecure, use the mouse and some free software to enter your password. Of course, this solution makes a shoulder-surfing attack far easier, and creates a new opportunity for hardware video interception. (Both of these attacks are, admittedly, not as cheap and subtle as hardware keylogging.)

The key to this problem is the word “insecure” in the last paragraph. Hardware keyloggers intercept plaintext communication. Except for a few security products, all computer peripherals communicate in unencrypted plaintext.

Perhaps USB3 (just guessing randomly at the Next Big Standard) could implement some kind of public-key cryptosystem. When you plug in a device you’d be given a prompt like “Does your Initech 104-key US-English Ubertype Keyboard have 5524 44F2 0CF6 3FB8 CB03 458C 6BA3 D6BF AF80 2CAA engraved on it somewhere?” (You’ve got to have it engraved by the manufacturer, otherwise you’ll be defeated by a ten-cent sticker. Even high-tech solutions have to exist in the real world.)

The technology for this already exists (though there’s some hurdles to clear for peripherals plugged in after boot time), but the biggest problems are price and user education. It’s very unlikely that most users will ever be targets for this attack, so the cost of establishing a new standard for peripherals and buying hardware that meets it is unreasonable.

More important than this is that users won’t know what this is or why it matters. It would be worth the extra training in situations that require a high degree of security (banking, the military, etc.) but most users would never bother to check the PK fingerprint and would just click “Sure, I checked it” to get on with their work (leaving them open to man-in-the-middle attacks). After a decade or two the understanding would probably percolate to the user community at large. (Or we could switch to wireless peripherals — we’ve had enough war/spy movies that everyone understands radio is trivial to intercept.) Anyone see other significant flaws with this approach?

Of course, security is an arms race and the next attack is to perform the interception in the hardware itself, calling for transparent cases and tamper-evident seals. And so on, and so on…