We've been thinking about it wrong: The norm has been Insecurity by obscurity
The Crypto AG CIA backdoor story (2020) clarifies to me much of the neverending flood of "outlaw strong crypto" thinkpieces and "lawful access" (a/k/a mandated backdoors) proposals.
I realised today that the whole #SecurityByObscurity discussion was missing a major insight: for much of the Cold War period, the operational standard has instead been #InsecurityByObscurity.
Crypto AG was an allegedly secure system which was, obscure to the public, insecure. And that insecurity (along with fear, surprise, ruthless efficiency, and an almost fanatical devotion to the Pope) seems to have been a key element of US and #FiveEyes surveillance capabilities from the 1950s onward. (I'm aware Crypto AG's role under the CIA began ~1970.) More recent stories of package intercepts (where backdoors are installed on specific equipment) and zero-day hacks (such as are routinely purchased and exploited by Cellebrite, Palantir, the NSO Group, and others) are the logical extension of Crypto AG methods. As is putting a surveillance device in the pockets of the population, one that the surveillance targets themselves compete with each other to buy.
Our information systems, technology, devices, and infrastructure are, obscure to us, insecure. And we fall for it again and again.
Because while the cryptography of the NSA and Five Eyes, as well as their counterparts worldwide, is no doubt prodigious, the cheapest way to break through a wall is to go around it. By far.
And virtually all the continuous whinging since the early 1990s about the hazards of emerging strong crypto makes vastly more sense in this context. The agencies know their own strengths, weaknesses, and secret weapons, and have been trying to preserve their advantage. (Even though this ultimately puts us all at vastly greater risk.) Their policy recommendations have been premised on this, even if they've been unwilling to admit it publicly.
But yeah, insecurity by obscurity as an operational norm. It describes much of the present Web as well.
Adapted from an earlier Mastodon thread: https://mastodon.social/@natecull/106112437055287730
#CryptoAG #security #surveillance #surveillanceCapitalism #surveillanceState #infosec #infotech