"The weakness of "security through obscurity" is so well known as to be obvious. Yet major hardware manufacturers, citing the need to protect intellectual property, often require a non-disclosure agreement (NDA) before allowing access to technical documentation. "
I believe the actual reason for "security through obscurity" is that it's a delay tactic used against well-funded adversaries.
There's an inherent problem in security. A company, existing in the private sector, could never hope to overcome the infinite resources of a nation state. It's literally, mathematically, financially impossible.
A nation state could even apply a rule like, if they know a particular technology was developed by roughly 500 engineers at some company, a nation state could employ 5x the number of engineers used; simply as a rule. So in this case, they could employ 2500 security researchers to overcome some security problem.
It's also possible to build systems that are correct, such that no adversary with any amount of resources could find a security hole. Many CPUs in the past have been correct. Probably most major commercial ones before 2000 were. So it's not mathematically impossible.
>Probably most major commercial ones before 2000 were.
I find that hard to believe. For instance, what makes you think they got speculative execution more correct before 2000 than after? At least it seems impossible to get rid of the timing side-channel since the whole point of the exercise is to change the amount of time it takes to run the program.
Surely you'd have to go back to at least 1980. I suppose one could start a production line of 1970s supercomputers for personal use, and put it on the programmers to figure out how to parallelise everything, but it would be very painful and expensive.
The beauty of public key cryptography is that a x5 increase in security researchers is nowhere near a x2^128 increase in difficulty. What's pitiful is coming up with O(1) schemes and hoping for security through obscurity to keep them safe.
NSA can't hire the hackers they want because they all smoke weed. China sends all their drug users to the execution van so all the new CS and security grads can go right to work for the govt.
I once worked with a guy who had previously worked for GCHQ doing something with cyphers/cryptography. He said he had never consumed more drugs in his life than during that period. They didn't care he took drugs as long as he was open about it and couldn't be blackmailed through his use of drugs.
Interesting! Though GCHQ is UK, I'm not sure what the NSA is like. My impression so far here has been that they tend to hire people who live rather boring, quiet personal lives, since they're easier to vet.
I'm sure non-mainstream political views likely count against you more, though.
Also, a lot of hackers/engineers have ethics that don't necessarily match those of government security agencies. I would happily work to protect my country from terrorism or foreign attacks, but not if it means sacrificing the freedoms that we were originally trying to protect.