[londons_explore]

And yet this one lasted 30 years. That's far longer than most open encryption algorithms continue to be deemed secure.

Obviously you can debate wether having it 'appear' secure for longer before someone publishes details of the flaw is more important or not...

[jjav]

> And yet this one lasted 30 years.

What do you mean lasted? If it is an intentional backdoor, it was vulnerable (to those who knew the backdoor) from day 1, so it was never secure let alone 30 years.

[inopinatus]

The TEA1 key compression weakness may have been known to intelligence agencies as early as 2006. See https://www.cryptomuseum.com/radio/tetra/ under section "Compromise".

[perlgeek]

It lasted 30 years in the sense it hasn't been publicly broken before.

We don't know how many intelligence agencies have found some of these and are happily listening in on "secure" communication, concealing that fact successfully.

[nicce]

This argument holds for any non-disclosed vulnerabilities, however.

[michaelt]

Aren't these encrypted radios mostly for cops?

I mean, this is embarrassing - but who cares if the secret police are spying on the regular police?

[creer]

Seems this was a general export item resulting from the 1990's crypto restrictions. The article mentions 100 countries using them. That would be agencies for whom it didn't matter, yes, (ambulance, corp security, etc) - but also everyone else who could not afford anything better but for whom security actually mattered. Not every country can afford to roll their own for this kind of stuff.

[perlgeek]

Does the FBI use these? The FBI is tasked with counter intelligence, and for a spy it could be highly relevant to learn if they are being targeted.

[chislobog]

Federal stuff is going to be p25 phase 2, usually AES encrypted. Harris or Motorola, and at one point Thales (previously Racal.)

Some other brands end up being used like cobham or bendix but those are usually for aviation.

Tetra isn’t used by us LE. There are military encryption schemes, some of which are classified or controlled occasionally used by feds. Mostly tho you're looking at encrypted voice over data using mobile phones tho. Cellcrypt Inc, for example. Not many investigators lug around a radio to call agents in the field unless they need interoperability with other agencies or tactical communications using local infrastructure.

During the Obama inauguration the Thales liberty triband was used with AES. I think most agencies dumped the Thales Libntry for Harris tri band radios or Motorola now, which is sad because as a result the liberty is basically a dead end platform

[dghlsakjg]

Whose secret police are spying on the civilian police.

Is it more concerning if it’s the Russian secret police spying on the Kyiv police?

[snvzz]

The publicly known attacks are recent, yes.

I know some group had it pwned at least 2010-ish. But won't elaborate.

And I'm sure they weren't the first, nor the only ones.

[nicce]

> And yet this one lasted 30 years.

Main goal of security through obscurity is the hindrance. Make it slower and harder to to detect possible vulnerabilities.

So indeed, there is something to debate.

But I guess it helps only against those with limited resources, not against nation states.

[swells34]

This is analogous to physical security doors. They are considered passive security, since they are a deterrent, and are rated by the numbers of hours they are expected to hold up against hand tools.

[xmprt]

Is it still true that nation states are at the forefront of innovation and the largest security threats? At least in the United States, I'd be surprised to learn that their best and brightest minds are working in three letter government agencies when they can work in industry for more money and less bureaucracy.

[londons_explore]

Does one need the best and brightest minds to break crypto? Or does it just take a lot of full-time regular minds?

Because the academic/opensource communities famously don't have many hours to dedicate to the cause.

[nicce]

> Because the academic/opensource communities famously don't have many hours to dedicate to the cause.

People in academics dedicate their lifes for this. Who has more time?

[tptacek]

Yes. Additionally, there are extensive public/private partnerships.

[fmajid]

> Main goal of security through obscurity is the hindrance

No, the main goal is to obfuscate just how incompetent the authors of the spec are, and how clearly they illustrate Dunning-Kruger.

[nicce]

> No, the main goal is to obfuscate just how incompetent the authors of the spec are

If you agree that it obfuscates the meaning of the author’s work, then it also slows down other things recursively…