Not only messed up, but I am guessing that there are either politics involved (personal gain, friends of friends, etc), or somebody paid somebody to push Kyber over NTRU. Which is difficult or impossible to prove, ESPECIALLY if that "person" is senator or "other". (Since I failed civics, I have no idea what forces are involved in something like this, but it all sounds really fishy).
Historically the NSA has sabotaged public cryptography standards so that it could crack them, while adversaries hopefully couldn't. It pays its employees to do this. It seems plausible that that's what's going on here, but even if so, whether that's because they know of a fatal weakness in NTRU they fear adversaries will exploit, or know of one in Kyber that they hope to exploit themselves, is anybody's guess.
If the U.S. Government is willing to bet the SECRET-and-above farm on particular cryptography standards and implementations, it’s probably safe for you to use them too.
> If NSA and only NSA can crack a particular system, they probably wouldn't mind using it for their own secrets.
How do you think they could assess that they, and only they will ever be able to exploit a particular cryptographic vulnerability at any time over the next few decades?
They can’t, they would be well aware of that, and they are extremely risk averse.
> And anyway why is there any reason to believe they really do use the system they say they use?
Because these systems exist widely throughout government today.
FWIW, the US government actively develops and maintains a suite of classified cryptography algorithms[0] which are completely separate from the suite of algorithms they publish publicly. The reason for the existence of Suite A algorithms has never really been explained. I’ve heard rumors that it contains capabilities not known in public cryptographic algorithms, but that’s speculation.
They do, and there are a lot of situations in which those algorithms are not usable, such as on mobile devices, hence the introduction of Suite B and now CNSA.
They haven’t been using commercial cryptography to protect classified information for 50 years.
The fact they are now is a relatively recent development, and it’s significant because they now have their own skin in the game whereas they previously did not.
Most CDs don't include metadata, so that's commonly provided by third-party databases which both don't exactly know the original intent of the producer/publisher and can make mistakes.
This just seems like a skeuomorphic design refresh. Which Apple HATED and tore down with prejudice. And then proceeded to replace it with childish, flat, candy-colored icons for kids.... smh
You write that "reporting bugs is usually a terrible experience". I find bugs ALL THE TIME, and yet, when I even try to find a way to contact ANYONE, let alone a developer, they leave no door open at all. No method, no form, no contact name, no nothing. I (along with many, I presume), actually want those companies to excel. I WANT to let them know what to fix. But, they just don't want to hear about it. Really sad I think.
In my experience it's because the companies have not hired any persons whose job is to triage bug reports. People do find bugs all the time, and making it super frictionless to report bugs will result in a deluge of reports. Some reports will be outright spam, some could be mistaking a feature for a bug, some could be duplicates. Someone needs to do the triage and try to reproduce before the issue is forwarded to developers. Few companies have the role of Quality Test Engineer (QTE) to do this job; most don't so they have no means to triage the bug reports.
The only exception is indie apps I pay for on the App Store. There is usually only one or perhaps two people behind it, so by definition that person is SWE, QTE, PM and several jobs rolled into one. And this is unsustainable unless the app is paid.
Wait... Isn't that what AI is for? To do that for "free" and removing the time an actual person has to spend on it? Separating the spam and duplicates, etc?
The difficult part is the step of reproducing the bug. Will companies trust AI enough to allow the AI to operate on their UI, according to instructions written by bug reporters who are strangers on the internet?
I think if you take for example apps on the Atlassian Marketplace, probably all of them have an easy way to contact them (Probably because they get Jira for free, granted).
I develop for iOS and Android. All my apps have a Send Feedback button which opens an email in the user's default email client with my address in the To field, pre-filled subject line and some diagnostic info in the body (things like version number, device type, iOS version etc). I get all my bug reports and feedback that way and respond to them via a reply email when I have released the update to fix it.
