It is my unsubstantiated guess that these kinds of standards are kept deliberately complicated and weak to allow the “three letter agencies” to exploit them. I would expect the government itself, when needed, uses the most secure or even an improved version of the spec which does not have these obvious vulnerabilities.
Pretty sure nation-state actors are breaking things at a much lower level, like the encryption layer, which would enable a much greater harvesting of info. To me, this seems more like incompetence. If the standard is so broken that it’s obvious to an outside observer, I’m guessing an MBA did a cost-benefit analysis somewhere and decided the OSDP standard was “good enough” for its intended purpose.