
The Crypto AG revelations --- a Swiss-based firm selling Telex encoding equipment revealed to be a CIA front --- strongly suggest to me that the principal (though not only) strength of the US intelligence agencies has been based on backdoors. As software-based encryption became more prevalent, they sought to either discourage effective crypto, or impose mandatory back-doors.

The downside of having generally-known weaknesses seems to have been largely deprecated.

Rather than "security by obscurity", the operational status has been "insecurity by obscurity". Unknown to users, systems are largely wholly insecure, and it's only ignorance that gives the illusion that they are secure.

I wrote on this recently: https://joindiaspora.com/posts/b596219086b1013991d8002590d8e...

In practice, the "everyone anywhere can attack any online system" status of the Internet, and the porosity of most LANs and even nominally airgapped / detached systems (see the Stuxnet attack on Iran's centrifuge systems) means that virtually all systems are vulnerable.

I suspect that the debate is quite live within government, particularly as the US itself is repeatedly the victim of such attacks.


