> In another obstacle, [Charles] used meaningless symbols to mislead any adversary trying to decipher the message.
how do we know these extra symbols aren't the real message, disguised behind a weakly encrypted run of the mill assassination plot. (who wasn't plotting against Charles V?)
otherwise, the article doesn't go into enough detail about the de/cipher
Journalists are allergic to external links unless they are ads. They need to keep visitors inside their website to display ads or redirect them to ads, but not anything else.
His steganography was ingenious, concealed not just behind steganographical techniques, but also by a double veil of taboo and law: it presented itself as demonology, thus pious readers would avoid it altogether, and impious ones would think twice, given the power and reach of the Inquisition.
Which dovetails with the way Charles V operated. Completely unlike egotist leaders who insist on doing things themselves, Charles V was fabulously rich, knew the power of money, and contracted everything out to the most talented people he could find. Even his grand strategies were contracted out to accomplished strategists. And he didn't attach himself to any particular idea or move. At one point he messed up and a force of his numbering around 20k was destroyed. In public at least he simply shrugged it off and went back to planning world domination. His history is full of fascinating tales of the machinations of imperial power.
Nobody does that. On the contrary, all infosec people will say the exact opposite: "obscurity, as an additional layer to cryptography, is very much desired". What they say is to not rely for your secrets only on obscurity.
Yes the classical response of "it doesn't happen"/"no one says that", mind you someone will come argue that exact point in the next conversation I have on the topic, like the ten previous conversations I've had on the topic.
When you read 'Nobody does that', it is a shortening of "Nobody [credible] does that[, until a revolutionary argument is provided]".
Random opinions are collected from the bar, and that is a place where you go voluntarily. Of course you will always find people defending any possible position. Frequently, historically, it had not even been a rational stance out of a rational instance.
There even exist games on it: defending random positions as an exercise for rhetoric and forum practice; Richard Osman invented one for television, named "I could not disagree more" (e.g. «We should avoid a third world war» // «I could not disagree more. If a war is inevitable, I will prefer it to be waged in the "Third World"». Absurdity on absurdity).
It's very rhetorically convenient how extreme positions become shortenings of very carefully qualified statements when questioned.
As for the subject matter, it's a position I've seen defended on here. Sure it's random people, it's also a forum of software engineering professionals, you're not going to contribute much if you write off everyone who disagrees with you as "non-credible".
It is also the case, happily. "Nobody does that" openly implies, "oh my, some do". Like a legitimate "No True Scotsman". It does mean "show me a credible practitioner that thinks differently - then, let us see the elaboration".
It is language: you have a full burden to interpret it. (And the guidelines oblige you to rubberbanding to the plausible.)
> everyone who disagrees
It is not a poll, it is never a poll: it is the arguments that count. And we are all professionals with different stories.
Of course some defended a position against obscurity: by default, they must have meant that having algorithms cross checked saves the enterprise from the embarrassing finding by some mathematician that your apparently strong algorithm reduces to, say, a bit-shift.
Or they could have misinterpreted the above completely and now shout "make everything public": because those individuals exist, and they are part of what you meet, and their presence does not have a Bayesian effect on truth.
This is unfair as it is not what GP said. It was simply pointed out that infosec professionals do not say that, which is true. There is a wide difference between what one can read on the web and the security professionals' position on this. You focus on the public perception, GP the professional one. And it's worth pointing this out IMHO particularly because there is such a large mismatch.
If one reads the Common Criteria specifications [1], they actually require obscurity at some level (didn't check which one, for sure EAL4 and above do). Specifically, all the design must be kept secret so obscured to attackers. This is serious stuff, requiring secure design facilities for example. The goal is to force an attacker into a complex (so costly) reverse engineering.
There is a too common vision of security as an absolute thing, it's either secure or not. This is already a simplification for algorithms, but there why not. But for secure systems it's definitely not sufficient, and you agree with this like GP does it seems. Professionals must balance the cost of security vs. the cost of an exploit. And obscurity does raise the cost of an attack, so it makes perfect sense to consider it. And it is considered (see CC).
So GP's summary that obscurity is justly considered by professionals, and makes sense as long as it's not the only defense, seems correct to me and worth mentioning. You have taken it as a criticism but you shouldn't: it essentially also says what you said, that obscurity has its proper place in security.