Modern-day spying: sometimes old technology is more secure
Fiction vs real-world security decisions
- Several comments push back on treating TV/film (Battlestar Galactica, Jurassic Park, Lord of the Flies) as evidence about what “works” in security.
- Stories are structured to entertain, not to be operationally correct; they can still be useful as opinion or propaganda, but not as proof.
Why intelligence services still use “old” tech
- Argument: legacy tools (numbers stations, OTPs, radio) persist because they’re proven, reliable, and independent of fragile, bug‑prone modern stacks.
- Counter‑view: some assume it’s partly because it’s hard to retrain older operatives; others say new recruits are trained on modern tech while older ones stay with what they know.
- Commenters note US/allied services are conservative in adopting “modern” digital methods, which are often seen as unsafe end‑to‑end.
Numbers stations and one-time pads
- Links and discussion around Cuban numbers stations and a flaw where one digit never appears, likely due to RNG or implementation errors.
- Discussion of how “fill” (dummy traffic) might be generated without consuming pad material, and how headers/indicators can tell an agent whether a message is for them.
- OTPs are praised as information‑theoretically secure when perfectly implemented, but many stress practical difficulties: true randomness, key distribution, non‑reuse, and human/operational errors (e.g., VENONA‑style failures).
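A check a pad producer or traffic analyst could run on a digit stream, shown as an added example that is not taken from the discussion. It pairs a mod-10 one-time pad with an audit for digits that never occur. The function names and the defective generator are assumptions for illustration; the actual cause of the Cuban flaw is not established in the thread.

```python
import secrets
from collections import Counter

def otp_encrypt(msg, pad):
    """Digit-wise addition mod 10 (no carry), as on a paper pad."""
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message; pad digits must never be reused")
    return [(m + k) % 10 for m, k in zip(msg, pad)]

def otp_decrypt(ct, pad):
    """Digit-wise subtraction mod 10 with the same pad digits."""
    if len(pad) < len(ct):
        raise ValueError("pad shorter than ciphertext")
    return [(c - k) % 10 for c, k in zip(ct, pad)]

def audit_digits(digits):
    """Return (missing, p_bound, chi2) for a stream of decimal digits.

    missing: digits 0-9 that never occur
    p_bound: union bound on P(some digit is absent) if the stream were uniform
    chi2:    Pearson statistic against the uniform distribution (9 degrees of freedom)
    """
    n = len(digits)
    if n == 0:
        raise ValueError("empty stream")
    counts = Counter(digits)
    missing = [d for d in range(10) if counts[d] == 0]
    p_bound = min(1.0, 10 * 0.9 ** n)
    expected = n / 10
    chi2 = sum((counts[d] - expected) ** 2 / expected for d in range(10))
    return missing, p_bound, chi2

def demo(n=500):
    """Constructed data: an all-zero plaintext under a sound and a defective pad."""
    msg = [0] * n                                       # worst case: no plaintext entropy
    good_pad = [secrets.randbelow(10) for _ in range(n)]
    bad_pad = [secrets.randbelow(9) for _ in range(n)]  # assumed defect: never emits 9
    return (audit_digits(otp_encrypt(msg, good_pad)),
            audit_digits(otp_encrypt(msg, bad_pad)))

if __name__ == "__main__":
    for label, (missing, p, chi2) in zip(("sound pad", "defective pad"), demo()):
        print(f"{label}: missing={missing} p_bound={p:.1e} chi2={chi2:.1f}")
```

With a sound pad the ciphertext passes the audit even when the plaintext is all zeros. A stream of a few hundred digits that lacks one digit entirely is essentially impossible under uniform pad material.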
Avoiding surveillance and triangulation
- Tradeoff proposed: you can usually get only two of three—low triangulation risk, strong encryption, and high bandwidth.
- LoRa/Meshtastic: low power and AES‑based, but criticized as easy to triangulate due to static IDs and infrastructure (e.g., consumer networks) that can track frequent emitters.
- Other ideas: HF with near‑vertical incidence skywave to shift the apparent source, hiding in noisy high‑traffic channels, satellite “piracy,” and speculative notions about detecting or masking receiver emissions.
Security by obscurity and layered defenses
- One camp: obscurity is a valid extra layer (e.g., moving SSH off port 22, hard‑to‑guess share links) and the blanket slogan “security by obscurity is bad” is overused.
- Others: the slogan arose because secret, proprietary systems were repeatedly found weak once exposed; relying on obscurity alone is dangerous, especially in commercial tech.
- Synthesis view: primary cryptosystems should be secure even if fully understood; obscurity is useful only as additional defense, not a foundation.
Offline vs cloud-connected infrastructure
- Example of a wired, offline school intercom that avoided compromise, contrasted with a hacked, cloud‑based system elsewhere.
- Some argue offline simplicity often gives better real‑world security and reliability; opponents note physical bugs and argue well‑designed, internet‑connected systems can in principle offer strong cryptographic guarantees, though current practice often falls short.