[Cryptography] Security clearances and FOSS encryption?

Tue Jul 8 08:16:31 EDT 2014

On 3/07/2014 16:47 pm, Bill Cox wrote:
> I am working on the CipherShed open-source fork of TrueCrypt.  I believe
> one of our contributors has a US security clearance of some sort.  I
> have no problem with this, but:

Is your project a target?  Some more on this [0].

> Do US security clearances in any way restrict a person's involvement in
> FOSS encryption projects like CipherShed?  In the US, we only recently
> gained the right to contribute to FOSS encryption projects with only a
> reporting requirement.  The government surely could restrict those
> rights with a security clearance, but having never had one, I have no
> idea.  Is there anything I should know about people with security
> clearances who contribute to CipherShed?

There aren't specific restrictions as such with security clearances [1]
but there are conflicts of interest.  If a person has a security
clearance, then they have a master or power.  If they are devoted to
your project, then this means they serve two masters, the best you can
hope for is that the other master is dormant.

That power can be used at will.  There are a range of pressures that can
be put on a person to assist the power.

There is a security reporting requirement.  Any issue of security
relevance has to be reported to the security officer of the
organisation.  This is deliberately vague, it might not be immediately
clear that this is of interest, but consider how bureaucracy and spying
works, and what the interests are in this.  In effect, your contributor
has a duty to report *anything*.

> I would be quite the hypocrite to say people with US security clearances
> are not welcome to contribute.

You need to model this from a security pov.  What is the worst this
person can do?  What does the presence of a security clearance do to
likelihood of some threat?  Is the threat there regardless?

Then, what can you do to stop it?  In a typical security project the
code is not committed until reviewed.  So does your review process
provide enough cover?  What happens if 2 or 3 of these people turn up
and start reviewing code together?  Does your review process stop that
breach as well as other breaches?

If the result of this is damaging, then you might want to consider
moving the person out of harm's way.  To him as well as to the project;
 if the person is really vulnerable, it isn't nice to go dangling
carrots before the spooks.  People can get hurt, the spooks will think
it nothing to destroy this person's career in order to get at some keys.
 Do you hate your contributors that much that you'll put them in harms
way?  Odd way to run a project ;)

> A company I founded did US military
> sub-contracting after all.  I would just feel better knowing that a
> security clearance in no way impacts how or if a person can participate.

You can never know that.  And, you can never know what you are exposing
the person to, as they won't be telling you.  All you can know is what
they will do if an opportunity arises.  That, you can get from reading
the better breed of spy novels, they are often based on real events.

iang

[0]  http://wiki.cacert.org/Risks/SecretCells/ThreatsAndAssumptions
[1]  I think this is true of all countries.