It is my unsubstantiated guess that these kinds of standards are kept deliberately complicated and weak to allow the “three letter agencies” to exploit them. I would expect the government itself, when needed, uses the most secure or even an improved version of the spec which does not have these obvious vulnerabilities.
Pretty sure nation-state actors are breaking things at a much lower level, like the encryption layer, which would enable a much greater harvesting of info. To me, this seems more like incompetence. If the standard is so broken that it’s obvious to an outside observer, I’m guessing an MBA did a cost-benefit analysis somewhere and decided the OSDP standard was “good enough” for its intended purpose.
How do things like this ever make it into production? Rather than a failure of the tech, it’s more like a failure (or feature) of design-by-committee.