
Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.

There are valid and sane reasons to dismiss RSA. Keys are becoming larger and larger for example.

What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so that it can RESIST differential cryptanalysis better.

But overall I agree, I think the "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." is just vulgarization for the people voting budget.

It doesn't matter if you break the crypto or the implementation as long as you provide intelligence.



"What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so that it can RESIST differential cryptanalysis better."

That was then. Back then, the NSA's clear mission was to help prevent the Soviets from winning, and that included protecting our communications (still part of their remit). Now ... it's not so clear.

BTW, according to Wikipedia IBM independently discovered differential cryptography and kept that secret at the NSA's request, so IBM was potentially in a position to understand the NSA's requested changes, or just plain worked with it on them.

There were a bunch of things that the NSA might have thought mitigated the danger so it was an acceptable tradeoff to the very real threat of Soviet spying on US businesses (see e.g. http://nsarchive.wordpress.com/2013/04/26/agent-farewell-and...):

They limited the key size to 56 bits (according to Wikipedia a compromise between 48 and 64 ... where else have we heard of that sort of thing: https://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode#Cel...).

It was intended for hardware implementations, and perhaps they didn't do a good job of factoring in Moore's law, which then was only a decade old and had a lot more skeptics. And microprocessors were still quite new.

There was a strong export control regime back then, and to the extent DES was implemented in hardware it was more effective.

Getting back to adversaries, official and unofficial, to the extent they aren't nation states, or not very wealthy and technically sophisticated ones, the tradeoffs are significantly different today. We can be very sure they're not worried about al-Qaeda brute forcing a secretly weakened algorithm as long as it's not too weak (i.e. requires a lot more than a handful of machines with GPUs or FPGAs).

Same might be true for various nation states as long as they don't get patronage by the Russians or Chinese Communists, and we might have an idea of the capabilities of the latter two frenemies (I sure hope we do!).
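Both comments above refer to the DES S-boxes being tuned to resist differential cryptanalysis. The concrete measure behind that claim is the S-box's difference distribution table (DDT): for each input XOR difference, how many inputs produce each output difference. A well-designed S-box keeps every non-trivial entry small; a linear S-box has an entry equal to the whole input space, which is what an attacker exploits. The script below is an added example, not code from the thread; it computes the DDT for DES S-box S1 (table assumed to be transcribed correctly from FIPS 46) and for a constructed linear 6-to-4-bit S-box, and reports the best non-trivial differential of each.

```python
"""Difference distribution tables (DDTs) for S-boxes.

Added example for the thread discussion of DES S-box design; not from
any commenter. The DES S1 table is assumed to match FIPS 46; the
"linear" S-box is a constructed weak example for comparison.
"""


def ddt(sbox, in_bits, out_bits):
    """Return the DDT: table[dx][dy] = #{x : sbox[x] ^ sbox[x ^ dx] == dy}."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    table = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            dy = sbox[x] ^ sbox[x ^ dx]
            table[dx][dy] += 1
    return table


def best_differential(table):
    """(dx, dy, count) of the most likely differential with dx != 0.

    count / 2**in_bits is the probability an attacker gets to use in a
    differential characteristic; smaller maxima mean better resistance.
    """
    best = (0, 0, 0)
    for dx in range(1, len(table)):
        for dy, count in enumerate(table[dx]):
            if count > best[2]:
                best = (dx, dy, count)
    return best


def max_differential(table):
    """Largest non-trivial DDT entry (the differential uniformity)."""
    return best_differential(table)[2]


# DES S1 (assumed from FIPS 46): rows selected by the outer two input
# bits, columns by the middle four.
DES_S1_ROWS = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_s1(x):
    """Evaluate DES S1 on a 6-bit input (bit 5 is the leftmost input bit)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1_ROWS[row][col]


DES_S1 = [des_s1(x) for x in range(64)]

# Constructed weak S-box: a linear map (just drop the top two bits).
# Every non-zero input difference yields one output difference with
# probability 1, so differential cryptanalysis is trivial against it.
LINEAR_S = [x & 0xF for x in range(64)]

DES_DDT = ddt(DES_S1, 6, 4)
LINEAR_DDT = ddt(LINEAR_S, 6, 4)


if __name__ == "__main__":
    for name, table in (("DES S1", DES_DDT), ("linear 6->4", LINEAR_DDT)):
        dx, dy, count = best_differential(table)
        print(f"{name}: best differential dx={dx:#04x} -> dy={dy:#03x} "
              f"holds for {count}/64 inputs (p = {count / 64:.3f})")
```

Every DDT entry is even (x and x ^ dx always land in the same cell) and each row sums to 64, so the average entry is 4; the interesting number is how far the worst row departs from that, which is exactly what the S-box redesign was about.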



