[Cryptography] Security clearances and FOSS encryption?

Rick Smith, Cryptosmith me at cys.me
Tue Jul 8 23:15:48 EDT 2014


On Jul 8, 2014, at 2:03 PM, Tom Mitchell <mitch at niftyegg.com> wrote:

> The important bit is that you cannot know unless your personal position and clearance includes and dominates this
> need to know knowledge.    
> 
> It is possible that he does not and cannot know.... It is possible that his manager does not know and cannot know.
> 
> He would do well to disclose and ask inside his classified working situation and communicate in writing to you, that he did
> ask and that he did disclose to the appropriate authorities.

I don't believe a disclosure would be effective. We're essentially asking, "Do you expect to be recruited by an intelligence agency to subvert our FOSS crypto project's integrity?" 

People won't necessarily know ahead of time if they are candidates to be chosen for such a task, and their managers might not know, either. 

It also DOES NOT MATTER if the person holds a personal security clearance or not. An agency might easily ask someone to do something like this without requiring a clearance. Yes, there are clearances galore if someone is an "officer" of an intelligence agency. But the grunt spies who get recruited to do the work may or may not have clearances. 

There's another whole question of how an intelligence agency would penetrate a FOSS crypto project, and whether they'd bother involving any actual participants. Given the terrific state of cyber security, I suspect most agencies would just penetrate remotely and anonymously, and manipulate the change files. 

Rick.
