
Former NSA lawyer: the cyberwar is between tech firms and the US government - jgrahamc
http://www.theguardian.com/technology/2014/nov/04/nsa-cyberwar-stewart-baker-cloudflare-snowden
======
maerF0x0
>"Baker said encrypting user data had been a bad business model for
Blackberry, which has had to dramatically downsize its business and refocus on
business customers. “Blackberry pioneered the same business model that Google
and Apple are doing now - that has not ended well for Blackberry,” said Baker.

Baker is incompetent. Blackberry's primary advantage was its encryption. It
branded itself as a business device and supported enterprise use. As bring
your own device became mainstream and as the app store markets grew,
Blackberry fell behind, failing to deliver the diversity of apps that iOS and
Android did. Sales of devices fell and hence they've had to lay off 1000s.

TlDr; Baker has it wrong; Encryption was a business advantage for Blackberry,
until access to a diversity of apps mattered more.

~~~
revelation
Blackberry is suddenly the posterchild for encryption? I thought Blackberry is
this service where all your mail and communication is routed in cleartext
through their services, a workaround from the days of 1G that they simply
never got around to get rid of before smartphones flattened their business.

That is not encryption, if anything it is the direct opposite.

~~~
wmf
_I thought Blackberry is this service where all your mail and communication is
routed in cleartext through their services_

That's how consumer BlackBerry worked (while other consumer services at the
time that had no encryption whatsoever) but the enterprise version was as
secure as they could make it.

------
arethuza
As an aside:

"The crypto wars have about as much to do with the outcome of security as the
Soviet-Finnish war of 1939 had to do with the outcome of WW2."

I've seen it argued that the Soviet-Finnish (AKA the "Winter War") actually
had quite a large impact on the outcome of WW2:

\- The difficulties the Soviets had in fighting the Finns made them re-
organize their command structure of the Red Army, re-instating traditional
rank structures and reducing the role of political officers

\- It led Hitler to believe that the Soviets would be easy to defeat,
underestimating both the size and quality of Soviet forces

So you could argue that if the Soviet-Finnish hadn't happened then Hitler
might not have been quite so keen to invade the Soviet Union when he did and
might have encountered a more poorly organized Red Army when he did.

NB The Finns put up an _incredible_ defence of their country against
apparently overwhelming attacks, including Simo Häyhä who as a sniper had 505
combat kills.

Perhaps we should be concluding that a small, skilled and highly motivated
defence can blunt the attack of even the most powerful of enemies?

------
declan
I've known Stewart Baker, the ex-NSA GC quoted in the linked article, for
about 15 years--not incredibly well, but well enough that he'd show up at
parties I held in my home when I was living in D.C. before moving to the SF
bay area.

Stewart is extremely smart, should not be underestimated, and HN comments in
this thread calling him "incompetent" reflect badly on the person making the
comment. He's likely the single most capable adversary the
HN/EFF/ACLU/Cato/Mozilla/etc. axis faces over encryption (if he ends up
playing that role).

Stewart is correct that end-to-end crypto will "restrict [companies'] ability
to sell" products internationally. And he is narrowly correct that "the market
for absolute encryption is more limited than you might think" in a corporate
environment.
[https://www.youtube.com/watch?v=ak4ZwLU3aX0](https://www.youtube.com/watch?v=ak4ZwLU3aX0)
[8:45]

But these are merely clever rhetorical devices. Of course Apple/Google/FB/etc.
know that HTTPS will vex snoophappy governments; at this point I suspect their
CEOs may view that as a welcome side effect and in any case know their
business better than a DC attorney does. And of course banks and brokerage
firms don't want end-to-end encryption for their employees; they have likely
have FINRA and other legal obligations to preserve correspondence.

Okay, Russia and China are snoophappy and banks may want access to employees'
email. Now can we go back to talking about the NSA's bulk surveillance of law-
abiding Americans?

Stewart's comments at 12:56 about Silicon Valley companies "picking fights"
with the NSA are also misleading. In reality, the NSA was "picking fights" by
bulk-tapping Google's interdata center links, subverting encryption standards,
and (in the 1990s) defending export controls that weakened American companies'
ability to compete. I posted more about this here:
[https://twitter.com/declanm/status/529804398457651201](https://twitter.com/declanm/status/529804398457651201)
[https://twitter.com/declanm/status/529798596221095937](https://twitter.com/declanm/status/529798596221095937)

Today these companies -- and hopefully the startup founders here on HN -- are
merely protecting their users by adopting encryption. At
[http://recent.io/](http://recent.io/), which I founded after leaving CNET/CBS
earlier this year, our forthcoming Android and iOS apps use only HTTPS to
connect to the backend. Naturally.

TLDR: You underestimate Stewart Baker at your peril.

~~~
AnthonyMouse
> Stewart is extremely smart, should not be underestimated, and HN comments in
> this thread calling him "incompetent" reflect badly on the person making the
> comment.

Incompetent may be the wrong word. What people (including you) are getting at
is that his arguments are unpersuasive upon examination. It's all just fear
mongering.

There are two plausible explanations for this. The first is that he doesn't
see the holes in his own arguments; that would substantiate the charge of
incompetence. The second is that he does but makes the arguments anyway in
order to mislead others who don't. That appears to be the case you're making.
But I'm not sure scoundrel is a lesser charge than idiot.

~~~
declan
Welcome to the delightful world of Washington, D.C. realpolitik!

A third possibility is that he honestly believes his position is the correct
one--or is holding out the possibility of returning to a .gov/.mil job in this
or a future administration--and (a) is using the best arguments for his case,
however weak or (b) is on a conference panel, not in a courtroom, and is
aiming for entertaining one-liners rather than a point-by-point argument that
you'd find in a legal brief or congressional testimony.

~~~
mike_hearn
I didn't find his comments especially entertaining, and I don't think my sense
of humour is faulty, so let's rule out the court jester theory.

That leaves "using the best arguments for the case he truly believes in,
however weak". This I think would correctly fall under the umbrella of
incompetence. At some point, rational people are supposed to evaluate their
own arguments and change their beliefs if they can't sustain them anymore.

In this case he has strongly implied that "tech people" with a libertarian
bent are naive and their beliefs crumble the moment they're faced with the
real world. Insulting the people you need help from isn't a good start. But
regardless, I don't know of any tech companies that have real problems
complying with a robust, trustworthy process that includes many checks and
balances to ensure only people widely agreed to be criminals get investigated.
The whole problem has started because that system has broken down over time
and post-Snowden been revealed as nothing more than a political sleight of
hand.

~~~
ganeumann
It can't be called incompetence if he makes the arguments he has been paid
(and likely will again be paid) to make. The world is full of highly competent
people who do exactly that, many of them lawyers. They're not called
'advocates' for nothing.

But this begs the question why otherwise self-respecting panels so often give
a soapbox to propagandists. Perhaps instead of using the mindless daily news
formula of pitting two self-interested views against each other to see who has
better soundbites we should try to put rational, thoughtful people on the
stage.

~~~
duaneb
That raises the question. Begging the question is arguing a point with the
conclusion as evidence.

------
zaroth
It's surreal reading what Baker is saying. Companies aren't generally afraid
of their employees, and any competent IT department can manage BYOD. The
reality is that privacy and security has become an extremely important
differentiator, and I'm glad to see Apple and Google both capitalizing on it.

This was by far the scariest part;

    
    
      "But I’ve worked with these companies and as soon as they get
      a law enforcement request no matter how liberal or
      enlightened they think they are, sooner to later they find
      some crime that is so loathsome they will do anything to
      find that person and identify them so they can be punished."
    

Seriously? Yes, just advertise your complete contempt for following due
process, because, you know, it's easier to catch crooks that way. Thank you
for proving within the article exactly why end-to-end _cryptography_ is
needed, so that we don't have to trust people like this to actually follow the
law.

------
grandalf
This is a fairly evolved astroturf argument which will likely be enjoyed by
all powerful interests (government and private).

The battle is between powerful interests and the masses. The powerful
interests gain a lot by controlling information and dissent. Surveillance is a
useful tool to help achieve that.

------
rdl
[https://www.youtube.com/watch?v=ak4ZwLU3aX0](https://www.youtube.com/watch?v=ak4ZwLU3aX0)
is the raw video. I'm obviously a bit biased here, but I've always wondered if
Baker actually believes his arguments or not.

~~~
csandreasen
Thanks for the link to the video.

I think his argument makes sense (just speaking with regards to encryption -
they brought up a couple of things in the discussion), but you have to keep in
mind that he's arguing from a completely different perspective than most of
the folks posting to HN. Whereas it's usually in the best interest for a
private citizen to have all of the data on his/her device encrypted and only
decryptable by him/her, it's not the same case for corporate or government
data, which is a huge portion of the market.

Baker is arguing from the point of view that a large organization needs to be
able to monitor what its employees are doing because they're legally
responsible for anything that those employees may do. Imagine having to secure
a network where you couldn't look at the logs due to privacy concerns; or
figuring out which disgruntled employee is siphoning data off to a competitor;
or responding to warrant/subpoena when one of your employees is suspected of
committing a crime. You're not in a very good position if the only one who can
decrypt the data is the end user.

Not to mention that there are also situations, particularly in government,
where it's in the best interest of the public to be able to investigate a
government official for wrongdoing. If their IT department can't get to their
e-mails when the Inspector General comes knocking, what's to stop that
official from just saying "Whoops, I forgot my password." ?

~~~
Zigurd
Why would these use cases need end to end encryption?

~~~
csandreasen
I'm sorry if I wasn't clear. I wasn't meaning to limit my argument to data in
transit - I was also including data at rest.

To answer your question though, end-to-end encryption of data in transit will
obviously interfere with an employer's ability to log transactions.

I think Mr. Baker's arguments were more directed at the recent ubiquitous
iPhone encryption controversy (in fact, after doing a quick search, he made
almost the exact same argument in the NY Times directed explicitly towards
Apple[1], although I think his wording could be toned down slightly). Since
the decryption mechanism on the iPhone is tied to chip inside it, it limits a
company's ability to hand you a corporate iPhone and still be able to monitor
what you're doing with it, hand it over to the cops, etc.

Baker makes the further argument that while Apple can encrypt everyone's data
to the chagrin of the FBI and the federal government is unlikely to enact any
laws preventing it or hindering sales, Apple will have a much harder time
doing the same in certain foreign markets. A country like China will likely
have much more political will to push Apple out of the market if their cops
can't decrypt people's phones. Maybe that will ultimately be a good thing, but
by trying to send a message to the US government they might be opening up a
much larger can of worms overseas.

[1] [http://www.nytimes.com/roomfordebate/2014/09/30/apple-vs-
the...](http://www.nytimes.com/roomfordebate/2014/09/30/apple-vs-the-law/data-
access-shouldnt-be-up-to-companies-alone)

~~~
Zigurd
Unless that data is at rest somewhere outside an organization's control, that
still does not require end to end Enron with key escrow/recovery.

~~~
csandreasen
I think I misunderstood your initial question - the I (well, really, Stewart
Baker) was trying to make was that selling devices which are automatically
encrypted with keys that can't be escrowed by the owning company (like the new
iPhones) isn't going to be very welcome in a corporate environment.

> end to end Enron

I think you meant "end to end encryption". I'm guessing you're typing that on
iPhone :)

~~~
Zigurd
That was Android's auto-incorrect. Evidently Google doesn't think I need end
to end encryption either!

I understand your point, but key escrow and most corporate use cases don't
overlap. You are better off not managing user keys, with or without key
escrow, and, instead, securing your links back to your infrastructure with a
VPN and encrypting your storage to secure data at rest. Key escrow gives you
no more protection, or access. It's just more complicated.

Key escrow, therefore, is only useful for spying on individuals' interpersonal
communication, and Baker knows this very well.

------
DannyBee
Just from the timber of the comments, i had guessed this was Stewart Baker.
The man does not, IMHO, deserve to be viewed as an expert on anything other
than playing political games.

I'm not sure how he got to where he was, but i'm pretty sure it had nothing to
do with competence (and that's something i'll rarely say).

If you want to form an opinion, he posts quite often on volokh.com as a
blogger.

------
justcommenting
this and the FBI's crypto wars redux both appear to be designed to divert
attention and resources away from understanding and addressing surveillance-
related abuses using the classic and surprisingly effective strategy:

controlling the debate by defining its terms

------
Legogris
I'd say what he's really saying is that it is between governments and their
citizens.

------
squozzer
The disingenuity lies in the lack of context.

The emergence of the NSA as America's secret police did not happen as an
aberration but within the phenomenon of shrinking rights that I've noticed
since my political awareness began in 1980 or so.

Since then, I have not seen any expansion of rights for anyone, except maybe
for those living in the former Warsaw Pact and non-humans (e.g. pets) in the
US.

I have however seen a relaxation of controls for groups such as law
enforcement.

It may have started with the belief that "criminals have more rights than
victims" that found expression in movies such as Sudden Impact. Such
sympathetic arguments missed the point that the power of the state doesn't
target victims.

Regardless of origin, law enforcement lobbied for - and usually got -
exception after exception to the bill of rights until we reached the point
where an actual trial hardly matters.

While the rights of suspects and law-abiding people shrank, the scope of the
term "national security" grew, fueled by another belief - that the survival of
the state mattered more than its' intended purpose - the protection of the
lives and liberties of its' inhabitants.

------
tfgg
Does all the protesting by security agencies actually mean much, in terms of a
signal?

1) If these measures are effective and stop them doing what they perceive to
be their job, they'd have to protest.

2) If they had access to the information by other means, they'd have to
protest anyway, otherwise you'd be able to conclude we're in situation 1

My guess it's a bit of both, and they're mostly just losing their ability to
mass surveil against low priority targets (e.g. populations), since cracking
the encryption for absolutely all connections would be too much work.

------
billions
The internet moves much faster than government and so the government can't
control it. Information moves like water. Everybody is exposed for who they
are and nobody can fake it. The whole world is in a big room and everybody can
hear each other. Wars will no longer be violent and fought with weapons, they
will be fought with software hacks.

------
lotsofmangos
I do wonder if Matthew Prince's faith may be a little bit misplaced here. I
presume it was meant as a figure of speech, but mathematics is not an area
where faith is especially dependable.

------
CurtMonash
"the easiest war to swim"????

Copy-editing fail.

~~~
pessimizer
probably autocorrect from 'swin.' 'S' and 'w' are very close.

