[Cryptography] Security clearances and FOSS encryption?

Theodore Ts'o tytso at mit.edu
Thu Jul 17 07:59:58 EDT 2014


On Thu, Jul 17, 2014 at 02:04:18AM -0400, Kevin W. Wall wrote:
> I can't speak for other projects like Apache or Linux or whatever, but
> for OWASP, this is a common modus operandi, in part because volunteers
> are scarce and experienced committed volunteers are even scarcer.

This is not just true for open source projects, but also for many
major technology companies.  Companies like Google, Facebook, Intel,
IBM, etc., all are eagerly accepting interns from China, and/or have
development centers in China, despite the fact that it's well known
that the Ministry of State Security is trying their hardest to try to
penetrate into American data centers.  Despite this, it's just not
practical for companies to turn their backs on that much raw
engineering talent, even if some of them could potentially be plants
from the MSS.

The goal is to design systems so that even if you have some malicious
actors, you have enough auditing and multi-person control systems
so that a single bad apple isn't going to be able to compromise
whatever you consider to be most critical data (i.e., PII data,
authentication/encryption related subsystems, etc.), and that any
misuse can be discovered during or after a compromise.  And then you
do lots of internal orange/tiger team attacks to make sure your
policies and procedures are as airtight as possible, and that any
holes that the tiger teams find are fixed.

After all, even if you do try to do all of the screening in the world,
do you really think you can stop all potential bad actors?  The NSA
wasn't able to prevent Snowden from being hired and given keys to the
kingdom....

					- Ted

