[Cryptography] Security clearances and FOSS encryption?

ianG iang at iang.org
Fri Jul 11 06:41:10 EDT 2014


On 8/07/2014 17:27 pm, Rick Smith, Cryptosmith wrote:
> It should be clear by now from the conversation that holding a security clearance doesn't in general qualify or disqualify someone from working on FOSS.

I would say, unless your FLOSS project is specifically a target, this is
probably true.

> ... If someone intentionally subverts a FOSS project as their job representing an intelligence agency, then the agent isn't going to be bragging about security clearances. At least, a competent agent won't.

Right.  In at least one case I saw, the agent tried to keep the
relationship a secret, citing privacy concerns.  This was intentional.


> In any case, it comes down to a single solution - assurance through multi-person control. Teamwork for system maintenance, teamwork for code review, teamwork for everything. Human error and incompetence are bigger risks, and we can reduce the risks with the same mechanism.


Yup, it comes down to modifying your existing systems to cope with a
novel attack vector, more or less.  If they don't already cope with the
approximate attack then that's likely because you don't care.



iang

