[runjake]

The articles mentioned that they knew about AES, PGP, etc but did not trust it because "non-believers" used/developed these protocols.

Instead, they developed their own encoding mechanism in the hopes that it would evade detection or decryption by possible backdoors in existing algorithms.

In many cases, security by obscurity is a viable tactic, especially in combination with other tactics.

[tptacek]

For whatever it's worth to you, most of the pre-DES-era encryption techniques betray themselves to basic statistical analysis. It's hard to hide that you're using puzzle book crypto, even if it produces what appears at first glance to be binary gibberish.

Like I said, there is a security-by-obscurity game to be played with this stuff: tamper with a known algorithm (even if you don't trust it, it's not like you can tell the difference between AES and TEA just by looking at ciphertexts).

[runjake]

And that's assuming the traffic is being subjected to the statistical analysis required for detection.

Timing also plays a big role. Many times a piece of intelligence is only useful for a duration of x.

Narus boxes are not magic, they can only do so much ;).

[tptacek]

I wrote this comment only to make it clear that the stats required to figure out if something is "really" encrypted are trivial. They take significantly less than a second for a Ruby program to perform. You'd just always run them.

Sorry I wasn't more explicit (or if you already realized that).

[r00fus]

It was more than just security-by-obscurity; these guys refused to use an existing package that would solve their issues... the "mujahaddin secrets" package (ostensibly jihadist in origin) that did implement AES cyphers.

Guess what, if you're so purist you can't trust experts in your own field because they use "contaminated knowledge", then you better be a true genius, or you're not going to be very effective.

[waqf]

It sure is convenient that the people who have such bad judgement that they want to plant bombs on airliners also have such bad judgement that they roll their own crypto.

And I don't think it's a coincidence. It really boils down to them not being able to figure out which people (especially, which "authorities") to trust.