[HacktionLab] Fwd: Security Best Practice for vetting tech volunteers.
Garcon du Monde
gdm at fifthhorseman.net
Mon Jan 27 17:42:22 UTC 2025
hi there,
i might be slightly late to the game, but fascinating question!
On Tue, Jan 14, 2025 at 05:18:33PM +0000, Tim Dobson wrote:
> I'm looking at a potentially memorable activist job, assisting people in
> $other_country with stuff that you and me might look at as important.
>
> The government of $other_country would deem the organisation as Very
> Interesting or Very Interesting Eager To Disrupt, and have active
> operations.
>
> An interview question is
> > A volunteer from the $other_country has applied to your organization. How
> > can you verify them? Describe the procedure.
i think there are 2 solutions:
1. they need a friend of a friend recommendation;
2. they need to prove some other way that they "do good stuff".
of course, neither of these is infallible. but they each have something
going for them:
- in the first case, the "friend" has made the recommendation, so
ultimately you can say it's down to them - not you. You can even
strengthen this by using a requirement for two friends, or three,
or...
- for option two, they've given some proof that they can do "good
stuff" and so the challenge is then to get them to do (or keep them
doing) "good stuff" for your organisation. as long as you can do
this, then things are fine. they may well *also* do "bad things"
(e.g. provide intel to the "enemy") - but you run that risk with
every single existing member of your organisation anyway, including
you!! that is, you never know when someone is going to be
compromised: we all have shady things in our past that can be used
against us if you figure out how, that's one of the main
characteristics of being human.
> It occurs to me that basically, you'll _never_ be able to defeat a
> nation-state intelligence test with screening procedures, and if you're
> relying on volunteer support, you'll need to recruit volunteers... and so
> you have to assume your behind the scenes work and infrastructure is
> transparent to the other side?
yes, probably.
> Does anyone have a counterpoint to this? Or best practice?
figuring out specific threats/threat levels, then assigning people
accordingly?
solidarity,
--gdm
--
GPG: 5607 E4BC C6B6 90F4 5EBC B348 D01B 9D77 912F 963C