As previously reported, the BULLRUN document is very interesting. One line stands out to me:
"Cryptanalytic capabilities
- Are extremely difficult and costly to acquire
- Require a long lead time"
There is a tie-in with the export law. Look at 740.17:
"(B) Other technology. Encryption technology classified under ECCN 5E002 except technology for “cryptanalytic items,” “non-standard cryptography” or any “open cryptographic interface,” to any non-“government end-user” located in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to part 740 of the EAR."
They do not like "non-standard cryptography." I take from this that while it is true that well known algorithms are the safest in terms of receiving the most scrutiny, new less scrutinized algorithms may still offer a practical defense.
Of course they don't like unknown cryptography. It easily makes automatic decryption impossible. That means that the NSA needed scarce expert-time for each customly secured communication. No agency in the world has the resources to pull that off for many connections. That is the reason why they love Google and Facebook, and why I stay away from these services.
But here on HN, many folks like their mantra of "security by obscurity is bad" too much. Personally, I think many of those who repeat that didn't think for themselves.
Using unknown cryptography is not security through obscurity. If the encryption is legit, then it's good. The problem is when you are relying solely on obscurity without the encryption.
It's the ivory tower problem. I agree with you and the parent post.
Parent said:
"new less scrutinized algorithms may still offer a practical defense"
But in my experience that P word there is unknown to ivory tower dwellers. And so the practical peasants end up getting unrealistic (but theoretically correct) advice.