Marsu42 said:
I 100% agree on this, and review by *competent* peers is the one thing that discovered my cited examples of cryptography manipulation. Alas, in the case of DES it was only suspicion for decades; the NSA was discovered more quickly with their latest scheme, only a few years after introducing their Trojan horse algorithm.
The thing I'm arguing against is the popular fallacy that open source equals high quality (yo, u there, OpenSSL?) and that security by obscurity is a bad thing. IMHO there's nothing wrong with obscurity once you have a solid foundation to build it upon and always assume the obscurity layer won't protect you.
Good to hear we're on the same page. The rule of thumb about security through obscurity often gets boiled down to "it's bad," but a more nuanced view is that it's an important part of a layered security model as you say.
Marsu42 said:
but my guess is that those shadowy organizations are still way ahead
An appeal to authority isn't worth much*, but Schneier says that the Snowden documents (incl. those that haven't been published) suggest that the NSA has no fundamental cryptanalytic breakthroughs beyond what's public, and they have no computational breakthroughs beyond what's public.
Marsu42 said:
Is questionable. Do you really think the most hardened algorithms are public, like the facial recognition tech of LR6 is up to NSA standard?
Getting back to LR facial recognition, it's likely not as sophisticated as what an intelligence agency would use ... which is all the more reason to not fear it in commercial photo management software. This started with me wondering what facial recognition in Lightroom has to do with overzealous intelligence agencies. From what we've talked about, not much!
* (1) Schneier could be in the dark about their current capabilities (2) he could be lying (3) the NSA still has a ton of supercomputers, and (4) NSA does a lot outside of breaking public crypto that's still cause for concern.