Episode Transcript
0:18
What was the totality situation
0:20
in Minnesota, Alan? It
0:23
was super lame. I mean, we weren't in the
0:25
path of the totality and it was super overcast.
0:27
So like, you couldn't... Oh no. We basically got...
0:30
It was zero. There was nothing. Bubkus,
0:33
which was unfortunate, though it meant that my wife
0:35
and I could take mid-afternoon naps without feeling
0:37
too bad that we were missing out on anything.
0:41
What about you guys? I think here it was
0:44
like 87% coverage maximum at 3:20 PM. Yeah.
0:50
What does that mean? Like, I
0:52
mean, presumably the effect is not
0:54
linear, right? So actually
0:56
I found a very cool
0:58
graph that basically
1:01
shows brightness against
1:03
time toward totality,
1:05
which is not linear. It
1:09
looks kind of like a log
1:11
graph, actually. Yeah, I assume. But
1:13
especially because your eyes adjust to
1:15
the change in brightness initially,
1:18
like as it gets slightly darker, and
1:21
then as it approaches totality, it gets
1:24
rapidly dark very, very quickly. So not
1:26
only is it like really dark, but
1:28
your eyes haven't, your pupils haven't adjusted.
1:30
So it's those like last couple of percentages that are really,
1:32
oh my God, the world is ending. Apparently,
1:35
yeah, basically I had family
1:38
up in Vermont for totality
1:40
and apparently it was pretty
1:42
cool. If you had
1:44
asked me before the eclipse, like how
1:47
many people do you know who are
1:49
going to travel to be in the path of totality? I
1:52
don't know what I would have told you, but it
1:54
almost certainly, I would have said
1:56
zero because like, it turns out I
1:58
knew many people who made
2:01
this choice. Most
2:03
of them, I think including our
2:06
fine Lawfare colleague, Haman, and
2:09
our other colleague, Ohania, yes. But
2:12
like Haman went to where
2:14
she had grown up, which happened to be
2:17
in the path of totality. But
2:19
I know other people who were just
2:22
so committed to this experience that they
2:24
traveled to places like
2:26
Indianapolis. I just think the word
2:28
totality is so cool in the
2:30
path of totality. It's a very it's
2:33
a cool it's a cool word. You
2:35
can definitely see why people were
2:38
freaked out by it. Right. I
2:40
mean, if you had no understanding of what the hell was
2:42
going on and you just looked up
2:44
and the sun was gone, I would be freaked out.
2:46
I would think the world was ending. Animals are freaking
2:48
out at the same time. Definitely
2:51
would be, you know, world ending,
2:53
fear, stuff. Especially
2:55
when this obviously is not
2:57
a joke original to me, but when coupled
3:00
with, say, an earthquake in a part of
3:02
the country that doesn't usually get earthquakes just
3:04
a few days prior? See these things, these
3:06
things come in threes, you know,
3:08
to make it like maximally spooky.
3:10
We should be expecting another disaster. I
3:13
blame the Jewish space lasers. Hello,
3:22
everyone, and welcome to Rational Security.
3:24
This is the Eldritch Portents edition
3:26
in honor of the eclipse. I
3:30
am Quinta Jurecic and that
3:32
spooky noise you just heard was my
3:35
co-host, Alan Rozenshtein. Hello.
3:38
And we are joined by none other
3:41
than our Brookings and Lawfare colleague, Molly
3:43
Reynolds, who will explain Congress to us
3:45
once again. Hello, Molly. The Congress whisperer.
3:50
I actually prefer Congress
3:52
whisperer to congressional guru, which
3:54
is what Ben was calling me for
3:56
quite some time. Well, I'll take Congress
3:59
whisperer. Yeah. Well, as
4:01
that suggests, listeners, we have many
4:03
Congress topics for you today, two out of
4:05
three, in fact. So
4:08
our three topics, the first one will be
4:10
the 702nd time's the charm.
4:14
Section 702 of the Foreign Intelligence Surveillance Act
4:16
was originally set to expire on December 31st,
4:19
2023, but somehow Congress has
4:21
managed to keep kicking the can down the road
4:23
and we're once again in the middle of an
4:25
argument about whether and to what extent the
4:27
legislature should reform the bulk surveillance authority. How
4:30
did we end up here? And is there
4:33
any indication that Congress will manage to pass
4:35
a lasting reauthorization in some form this time
4:37
around? Second
4:39
topic, Magic Mike. Speaker
4:42
of the House Mike Johnson's troubles do not
4:44
stop with FISA. He's also tangled up
4:46
in a prolonged dispute with his caucus over
4:48
U.S. aid to Ukraine, which is becoming
4:50
a matter of rapidly increasing urgency with
4:52
Ukrainian President Volodymyr Zelensky warning that his
4:54
country will lose the war if the
4:56
aid is not approved. Johnson
4:59
now says he'll put his own aid package on the
5:01
table, still tying that to another tranche of aid
5:03
to Israel. But will the House
5:05
actually vote this time or is this just another
5:07
head fake? And
5:10
last but not least, Alan's
5:12
prayers have been answered and we can finally talk
5:14
about Linux. Hell yeah.
5:17
A few... Alan actually is responsible for what
5:19
I'm about to describe. He engineered the whole
5:21
thing just to talk about Linux. A
5:25
few weeks ago, a single software engineer
5:27
alerted the world to an alarming discovery,
5:30
malicious code inside a key piece of
5:32
Linux software that, had it gone undetected,
5:34
could have caused a catastrophic cyber
5:36
attack worldwide. What actually
5:38
happened here? Is it related to the
5:40
eclipse? It's not, but I just wanted to say that. And
5:43
what could stop it from happening again? So
5:47
for our first topic, I will
5:49
kick things off. I
5:51
don't actually know whether this
5:53
is the 702nd time that we've talked
5:56
about renewing Section 702
5:58
this time around, but it certainly feels like it,
6:00
listeners. Here we are
6:02
once again. On Tuesday
6:05
the Rules Committee moved
6:07
forward with some legislation that has
6:10
been put on the table as
6:12
kind of the base structure with
6:14
which the House can itself move
6:17
forward with a vote on reauthorizing
6:20
Section 702. We've been
6:22
kind of tangled in
6:24
a long-running dispute between
6:26
sort of let's call
6:28
them in a very high altitude sort of
6:31
reformers who want some
6:33
additional restrictions on the bulk
6:35
surveillance authority and another
6:38
camp that would rather
6:42
reauthorize things in
6:45
a form that more closely aligns with the
6:47
way that the statute and the authorities are
6:49
currently set up. Those were terrible names for
6:51
the two camps so if you can come
6:53
up with anything better we'll go with that.
6:56
These two camps have kind of been going
6:58
back and forth. I think they broadly, though
7:00
not entirely, align with the House Judiciary Committee
7:02
on the reform side, bipartisan,
7:06
and the House Intelligence Committee on the keep
7:08
it as it is side. And
7:10
Speaker Johnson has been unsuccessfully, I
7:12
think it's fair to say, trying
7:15
to kind of square the circle between
7:18
these two camps. So Molly,
7:20
we're going to take it over to you. As
7:22
always, what is happening and
7:25
will Mike Johnson have any luck
7:27
in actually resolving this issue this time around? So
7:30
I think to understand what's happening
7:32
there are a couple of ways
7:35
that it's helpful to zoom out
7:37
a little bit from where we
7:39
are right now. So the first
7:41
gets at this question of camps
7:43
as Quinta was describing them. And
7:46
so I'm channeling Ben a little
7:48
bit here because he likes to
7:50
make this point often that historically
7:54
in the House and Senate the
7:57
FISA, Foreign Surveillance,
8:00
has been a little bit
8:03
of a strange bedfellows enterprise
8:05
in that in terms of folks who
8:08
would like to see the authorities
8:10
of the law limited or
8:12
reformed in significant ways historically
8:14
that's been kind of a
8:17
coalition of
8:19
civil liberties minded Democrats
8:22
and a handful of kind of true
8:25
civil libertarians. So when, for
8:27
instance, Justin Amash
8:30
from Michigan was still in the House, he was sort
8:32
of the archetype of
8:34
this Republican group. And
8:38
so the idea that we
8:40
have some alliance between some
8:42
Democrats and some Republicans in
8:45
advocating for pretty aggressive changes
8:47
to FISA. So that's not
8:49
a totally new issue. What
8:51
is new this go-round is
8:53
this notion that that group,
8:57
some Democrats, a couple of
8:59
Republicans, have been joined by
9:01
a larger number of Republicans
9:03
who are kind of, I don't
9:05
know, anti-deep state might
9:08
be the way to describe them, folks
9:11
who see the issue of 702
9:13
and surveillance as
9:17
prototypical of an overreach by the
9:20
FBI and this idea that the
9:22
deep state is spying
9:24
on Americans and having Trump's wires
9:26
it's a little bit of a
9:28
caricature here, but this is, it's
9:30
a sort of, this dynamic is
9:32
new to this go-round of the
9:35
FISA debate. And Quinta is right that
9:38
in the House we have
9:40
two, or for several months now
9:42
we've had sort of two competing approaches
9:45
to reauthorizing FISA 702.
9:47
One of them has been
9:49
coming from the House Judiciary
9:51
Committee which has
9:53
both the civil libertarian
9:56
minded Democrats and
9:58
a bunch of these concerned
10:01
about the FBI-minded Republicans. So
10:03
you can kind of, when
10:06
the last time we
10:09
went down this road, if
10:11
you watched, and really no
10:13
one needs to do this, but if you watched
10:15
the House Rules Committee the last time this was
10:17
going to come up, debate
10:20
the rule for consideration, you saw
10:22
of all people Jim Jordan
10:24
and Jerry Nadler appear together
10:27
to advocate for the House
10:29
Judiciary Committee. Extremely odd couple.
10:31
And what is, I think, probably, I'm
10:34
not an expert on this,
10:36
but probably most central to what that
10:38
faction wants is a requirement
10:41
that, a warrant requirement
10:44
under section 702 that doesn't
10:46
currently exist. The other kind
10:48
of faction in the House
10:50
is being led by
10:53
the folks
10:55
from both parties on the House Intelligence
10:57
Committee. They would have you,
10:59
they would want you to believe, Mike
11:01
Johnson would want you to believe that their
11:03
proposal does make some changes to FISA. Again,
11:07
I'm not an expert to the point that
11:09
I can sort of adjudicate that claim, but
11:12
you know Mike Johnson, in trying to sell
11:15
the idea of action that is
11:17
closer to the
11:19
intelligence committee's proposal to his conference,
11:21
has gone around saying things like,
11:24
there are 50 reforms to FISA
11:26
702 in this proposal
11:30
that's come out of the Intelligence Committee. So
11:33
that's sort of one thing to know
11:35
and just give you kind of a
11:37
lay of the land on where the
11:39
two kind of principal factions
11:42
are. Next thing I'll talk
11:44
about is, Quinta mentioned the Rules Committee, which met
11:46
yesterday, and in some
11:48
ways this is actually, it's a
11:51
notable development and it's like a
11:53
remarkably notable development in that it
11:55
shouldn't be remarkable. So over
11:57
the past six to nine months, Mike
11:59
Johnson... and Kevin McCarthy before Mike
12:02
Johnson, and then Mike Johnson,
12:04
have really lost control
12:06
of the ability to bring
12:08
things to the floor of the
12:10
House of Representatives via the Rules
12:13
Committee. So super brief overview of
12:15
how this generally works: the House
12:17
Rules Committee, when the House is
12:19
going to debate a substantive piece
12:21
of legislation, will meet, will talk
12:24
about what are the terms under
12:26
which that bill is going to
12:28
come to the floor. Are
12:30
there amendments to be offered, that sort of thing. And then
12:32
they do what we call report
12:34
out a rule. That rule goes to
12:37
the floor. There's a vote on the
12:39
rule where historically everyone in the majority
12:41
party votes for it, and everyone in
12:43
the minority party votes against it. And
12:46
you as a member of the majority
12:48
party are supposed to vote for these
12:50
things. This is what allows your party
12:52
to have procedural control over what happens
12:54
on the floor. And if you stop
12:57
voting for rules, then it makes it,
12:59
particularly if your party has a very
13:01
slim majority, see the current House Republicans,
13:03
it makes it very hard for
13:05
your party leader, the Speaker, to
13:07
manage what's happening on the floor.
13:09
And so over the past six to
13:11
nine months, basically all of
13:14
the major things that Congress has done
13:16
around, say, keeping the government open
13:18
and funding the government for the
13:20
balance of the fiscal year have not
13:22
only required Democratic votes to pass but
13:24
have had to come to the floor
13:27
in a way that doesn't go through
13:29
the Rules Committee, either because Republicans
13:31
don't have the votes on the committee
13:34
that itself and because they put several
13:36
i'm sitting pakistan same text aligned face
13:38
and neck committee as benefit concessions that
13:41
McCarthy made when he was trying to
13:43
get elected Speaker, and/or they don't
13:45
have the votes in the Republican conference
13:48
to, say, adopt these rules. On
13:50
this one, why did Mike
13:52
Johnson have to go through the Rules Committee
13:54
here? It's because if you go, if
13:56
you bring something to the floor in that
13:58
other manner that he's been doing
14:00
with spending bills, you can't amend
14:02
those bills on the floor. And so it became
14:05
very clear that if there
14:07
is a path forward for
14:09
702, it's going to have to involve
14:11
the two factions, the
14:14
HPSCI faction and the judiciary faction to kind
14:16
of shorthand them. Each
14:19
faction's gonna have to get some amendment
14:21
votes. They're gonna have to get the opportunity to
14:23
offer some amendments on the floor and
14:25
then see what happens. So that's kind of
14:27
where we are. It is
14:30
the middle of the day, Wednesday. I
14:32
believe the vote on the rule
14:35
is supposed to happen today. So maybe by the time
14:37
you're listening to this, this will all have blown up
14:39
again. But, and then
14:42
if the rule passes, the
14:44
vote on the bill itself, I believe is scheduled to
14:46
happen tomorrow. We can
14:48
talk a little bit about the sort of key
14:50
issues that are in these amendments that the House
14:53
might consider. There are three from kind
14:55
of the intel factions, three from the
14:58
judiciary faction, I think we should
15:00
think about them as issues that Johnson
15:02
is trying to separate from the
15:04
out of the core bill, either
15:07
because there's a possibility that they're vote
15:10
losers if they're definitely in the bill
15:12
itself, or because they are
15:14
things on which people who
15:17
oppose the form that
15:19
the bill is taking are
15:21
insisting on getting votes on if they're going to
15:24
go along with the plan for
15:26
considering the bill. The last thing
15:28
that I will say is
15:30
that you might be asking yourself,
15:32
well, there are a lot of
15:34
Democrats who would like to see this FISA
15:37
reauthorized, some of them are on the Intel
15:39
committee, others are just folks who agree with
15:41
the idea that the government should be able
15:43
to keep doing what it's doing. Why
15:45
would they not help Mike Johnson bring
15:48
this bill to the floor? Why would they not vote
15:50
for the rule? Because that's really what the crux of
15:52
the issue is right now is
15:54
do Republicans have the votes to bring the
15:57
votes before it's off? In
16:00
addition to this strong norm that
16:02
Republicans have thrown out the window
16:05
around if you're in the majority
16:07
party, you vote for the rule. And if you're in the minority
16:09
party, you vote against the rule. Republicans
16:11
have also made it harder on
16:14
themselves to get Democrats to potentially
16:16
vote with them on the rule
16:18
to consider FISA reauthorization by putting
16:20
two other, putting the terms
16:22
for debate for two other unrelated
16:24
resolutions into the same rule. One
16:27
of them is a resolution that denounces
16:29
the Biden administration's immigration policy. Another
16:32
is one, and here I'm quoting, opposing efforts
16:35
to place one-sided pressure on Israel with
16:37
respect to Gaza. So sure.
16:39
Yeah. So it's not, I'm
16:41
not saying that if they had left those
16:43
things out of the rule, that this would
16:46
be smooth sailing and that you would get
16:48
Democrats to vote
16:51
with Republicans on a vote that, again,
16:54
historically they wouldn't do
16:56
for kind of party unity reasons.
16:59
But Republicans, again, and
17:01
I'm assuming there's a good, like,
17:03
intra-Republican reason for putting those things in
17:05
the rule. I don't know. But it's
17:07
all, it all comes down to there,
17:09
these just huge divisions within the Republican
17:11
conference that are very
17:14
difficult for Mike Johnson to manage. So
17:17
Alan, what substantively is the fight here?
17:20
I think the term warrant requirement has
17:22
been thrown around a lot in recent
17:24
months as this debate has been ongoing.
17:28
What is on the table? And also
17:30
why is the sort of cohort of
17:32
Congress that's more closely aligned with the
17:34
intelligence community on this so opposed to
17:36
the idea? Sure. So
17:39
I apologize to the listener, but in order to do
17:41
this, I have to explain a little bit of what
17:43
FISA is and particularly 702. And
17:46
I'm scared to do it because it's so complicated. I'm
17:48
always terrified of getting something wrong here. But
17:50
the general idea is that 702,
17:52
and the reason it's often sometimes
17:54
called a bulk collection program, is
17:56
that it allows the government
17:59
to collect large amounts of data about
18:02
foreign persons abroad, but to collect that
18:04
data inside the United States. And the
18:06
reason for this is that when
18:08
702 was created and still to a large
18:10
extent today, a huge amount of internet
18:13
traffic goes through the United States because we're
18:15
the leading producer
18:17
of internet technologies and companies and Google
18:19
and Microsoft and all these companies are
18:21
in the United States. So
18:23
even if the government is trying to
18:25
collect on foreigners outside the United States, individuals
18:28
who don't generally have constitutional rights or
18:30
Fourth Amendment rights, the fact
18:32
that the government wants to do it in
18:34
the United, the actual collection in the United
18:36
States creates some legal, potential legal issues. And
18:39
so 702 was created to provide
18:41
a kind of statutory framework by
18:43
which rather than getting a warrant every time
18:46
the government wanted to do a search in the United
18:48
States, it would rather go to
18:50
the special court, the Foreign Intelligence Surveillance Court,
18:52
the FISC, and say, hey, here's this program
18:55
that we're going to do. Here are the
18:57
general guidelines. Here's how we're going to do targeting. Here's how we're going
18:59
to do minimization. Here's going to do all this
19:01
sort of stuff. Sign off on
19:03
that program and then
19:05
we will then do that thing. And
19:09
that's meant to provide more
19:11
privacy safeguards than just letting the government do what it
19:13
wants to do, but it's less than a warrant, right?
19:15
Because a warrant, and this is literally in the Constitution
19:17
in the Fourth Amendment, has to have
19:19
probable cause and in particular has to specify with
19:22
particularity what the government is seeking to
19:24
find evidence of a crime or something like
19:26
that. And of course, if you're doing bulk collection, by definition, you
19:29
can't specify in advance the specific thing you're
19:31
looking for. That's bulk collection. Okay.
19:34
Fine. So now you have all this
19:37
data and the problem is that although it's
19:39
going to contain, hopefully, mostly stuff about
19:41
foreign individuals, because that was the whole
19:43
point of the targeting procedures that the
19:45
FISC signed off on. Basically
19:48
it's going to contain a huge amount of US person
19:50
information. And this is because foreign individuals are often talking
19:52
to US persons and so just this information gets swept
19:54
up. Okay. So what do
19:56
you do with that US person information? If
19:58
it's not relevant to foreign intelligence, you're
20:01
supposed to minimize it. Okay. But what if it might
20:03
be relevant to a foreign intelligence investigation? You have this
20:06
data. So what is the government going to do? Well,
20:08
the government wants to query it. And
20:10
right now the government is allowed to query
20:12
this massive data with
20:15
what are called US person identifiers. So these things
20:18
are like, you know, Molly Reynolds's name, Quinta
20:20
Jurecic's phone number, Alan Rozenshtein's
20:22
address. If the
20:24
government can articulate that there's
20:27
a reasonable chance, reasonable expectation
20:29
that using this US
20:31
person query will create useful foreign intelligence
20:34
information. But again, this is all on
20:36
the government's say so. Now, there
20:38
are civil libertarians who generally don't like this. They
20:40
don't like the government being able to do frankly
20:42
anything without a lot of court oversight. But
20:44
even folks that are more sympathetic to this,
20:47
there have been some concerns around agencies,
20:51
in particular, the FBI just doing a very bad
20:53
job in actually abiding by these
20:55
requirements. And so, so there's a great piece we'll
20:57
link to by Ben Wittes and Preston Marquis, sort
20:59
of going through sort of examples of the FBI
21:01
screwing up, not maliciously, but just
21:03
kind of sloppily, that is
21:06
an example of why this has become such a
21:08
controversial issue. So this
21:10
now finally brings us to the warrant requirement
21:13
issue that we've talked about. So
21:15
the intelligence community and its allies in
21:17
Congress accept that this is a problem.
21:19
No one's defending sloppiness. But they think
21:21
that the way to fix that is
21:23
just to have even more oversight, even
21:25
more procedures, give the National Security
21:27
Division at DOJ where I used to work, even
21:30
more money and resources to go and
21:32
sit on top of the FBI and
21:34
audit their stuff. But
21:36
there's another group, and I would
21:38
associate this with the sort of, not so
21:40
much the Republicans who are opposed to FISA because
21:42
their complaints are kind of weird and a
21:44
little more paranoid. But let's call it sort of usually the
21:47
Democrats or the sort of civil libertarians in Congress who say,
21:49
no, this is just, there's
21:51
no internal oversight that's going to be sufficient.
21:53
The government should have to go to the
21:55
FISC and get a warrant, like an actual
21:58
real live, you know, probable cause,
22:00
particularly specified warrant before it
22:02
can put Molly Reynolds' name
22:05
in that database for a query.
22:08
And the government doesn't like this.
22:12
The arguments that are made are sometimes kind of conceptual,
22:14
like, well, we have this data already lawfully collected. Why
22:16
should we need a warrant to access data that you
22:18
have lawfully collected? Yeah, I mean,
22:20
I'm not sure that argument makes a lot of
22:22
sense. You can
22:25
have any warrant system you want. I think the better
22:27
argument is just more practical, which is it's going to
22:29
really make it much harder for us to do our
22:31
jobs if we have to go get a warrant every
22:33
time we want to look at this data. To which
22:35
the civil libertarians say, yup, that's exactly the point. And
22:38
because this is classified, all of this,
22:40
it's very hard to do the kind
22:43
of bloodless cost-benefit analysis that you would
22:45
otherwise do in any other regulatory domain.
22:48
So that's the warrant requirement. Now the
22:50
last thing I want to say is the warrant requirement, it's
22:52
not a yes or no thing. There are different versions
22:55
of the warrant requirements that are being
22:57
bandied about. So the PCLOB, the President's
22:59
Civil Liberties Oversight Board, released
23:02
a report at some point in
23:04
the past, I don't remember, in which the
23:07
three-member majority suggested a kind of
23:09
compromise whereby the agencies
23:12
would be able to enter
23:14
the US person, to make the
23:16
US person query without a warrant. But
23:18
then if the database returned actual results, they
23:21
said, yes, there is actually something about Molly
23:23
Reynolds or Quinta Jurecic or Alan Rozenshtein that's
23:25
responsive to your query. Here are
23:27
seven results. The agency would then have to
23:29
go to the FISC to get a warrant
23:31
to look at those results. And
23:33
so the idea here, the reason for compromise
23:35
is because since the vast majority of queries
23:37
don't actually result in
23:39
positive flags, it would
23:41
cut down on a lot of unnecessary going to the
23:43
FISC and wasting of everyone's time. Now I haven't kind
23:46
of gone totally into details of what this compromise would look
23:49
like. So I mean, I am assuming that the
23:51
mere fact that a query produced responsive
23:53
result could not itself be used
23:56
to bootstrap the probable cause for the warrant, otherwise it's
23:58
not really a warrant requirement anymore. It's a rubber stamp.
24:00
So presumably it would have to be not just
24:02
that, you know, Alan Rozenshtein came back as there's
24:05
stuff about him in this database but and also
24:07
there's other information that makes us think that this
24:10
data that's in the database would be relevant to a
24:12
foreign intelligence investigation and so on and so forth. So
24:16
that's the kind of compromise position that, well,
24:19
we'll see what happens to it. That was
24:21
really helpful Alan. Couple things that I'll note from just
24:23
kind of a congressional politics
24:26
perspective around this. One
24:29
is that the
24:31
version of the
24:34
warrant requirement that is so
24:38
should we get past the rule
24:40
vote and there's an actual debate on the floor
24:42
of the House with votes on amendments. The
24:44
version of the warrant requirement that's teed
24:47
up by the House Rules Committee to
24:49
be considered is one that
24:51
has it's in the form
24:53
of an amendment with six co-sponsors. Three
24:56
of them are Republicans, Andy
24:58
Biggs, Warren Davidson and Jim Jordan and
25:01
three of them are Democrats. Pramila Jayapal
25:03
who's the Chairwoman of the House Progressive
25:05
Caucus, Jerry Nadler who's the
25:07
ranking member on the Judiciary Committee and
25:09
Zoe Lofgren who's also sort
25:11
of very much one of these civil libertarian
25:14
minded Democrats.
25:16
So that I
25:18
think should tell us something about like where that
25:20
the House is on this. The
25:23
fact that that is being offered
25:25
as an amendment I think is
25:27
a sign probably that the
25:30
kind of Intel Committee faction thinks that
25:32
that amendment will fail on the floor.
25:34
That you know the people who really
25:37
want to see it will get their
25:39
vote, but it won't make it
25:41
into the bill. It won't be in
25:43
the version of the bill that would
25:46
potentially ultimately pass the House and
25:48
go over to the Senate. We can talk about the
25:51
Senate in a second. One other
25:54
thing that something you said made me
25:56
remember that I wanted to note is
25:58
another kind of general dynamic here
26:00
that it appears Speaker Johnson has
26:03
kind of maneuvered or tried to
26:05
maneuver his way out of is
26:07
that there is a there's a
26:10
proposal that's been kind of wrapped
26:12
up in this reauthorization debate that
26:14
is generally referred to
26:16
as the, quote, Fourth Amendment Is Not
26:19
For Sale Act, which is a set
26:21
of provisions that
26:24
involve the ability to, in
26:27
conjunction with surveillance, purchase commercial
26:30
data that the surveillance itself
26:32
cannot capture. Notably, that
26:35
was sort of in the
26:37
potential mix for being considered
26:39
as part of FISA
26:42
reauthorization with the House. What Johnson
26:44
has sort of indicated that the House
26:46
may do instead is have a
26:49
separate vote on that proposal later this
26:51
week, but at that higher two thirds
26:53
threshold so not take that proposal through
26:55
the rules committee just bring it to
26:57
the floor directly I think under the
26:59
assumption that it would not get two
27:01
thirds as a standalone measure such as
27:04
I got another example of
27:06
of what's going on here. But
27:09
Quinta back over to you. Well,
27:11
I'm gonna kick it right back to you by
27:13
asking what the situation is in the Senate and how
27:15
that plays into our understanding of what's happening. Yeah,
27:17
so I think the two things that I
27:19
would note about the Senate. One
27:22
is that we've just been talking about
27:25
quote unquote warrant requirement in some form. I think
27:27
it is expected that that's
27:30
probably a non starter in the Senate. So
27:33
if sort of Johnson and
27:35
folks who want to see
27:37
this reauthorized and I say
27:39
that Johnson has attempted
27:43
to maintain
27:45
some posture of
27:48
neutrality between the warring factions
27:50
of his conference on this.
27:53
I think there are a series of
27:55
things that have happened that suggests that
27:57
he is more
27:59
aligned with the kind of intel
28:01
faction, but he has tried very
28:04
hard not to anger the other faction
28:08
too much. The
28:11
other faction are Republicans
28:13
who are also, in many cases, mad at
28:15
Johnson about other things, which we'll get to
28:17
in a little bit. But
28:20
I think the notion is that if
28:22
the House were to adopt a warrant
28:25
requirement, that would make it very hard
28:27
for that version to pass the Senate.
28:30
Though I think I'm not sure that that's true.
28:33
The other thing that Johnson and
28:35
House Republican leadership have been trying
28:37
to impress upon their conference is
28:40
that if they cannot get their act together,
28:42
if they cannot in
28:44
the House pass something that reauthorizes
28:46
FISA, the Senate is prepared probably
28:49
to do something that looks much
28:51
more like a clean extension that
28:53
does not make any of the
28:56
changes that are even in the
28:58
House intel committee's version. Again, I
29:01
think different people have
29:03
different perspectives on how
29:06
much change is actually in the intel
29:08
committee's version and how much is it
29:10
the intel committee trying to sell
29:14
things as changes that aren't really changes.
29:17
But there is this sense that, or
29:19
Johnson at least is trying to convince
29:22
House Republicans that if
29:24
they can't do this themselves, this
29:26
will be yet another situation where
29:29
their inability to act and
29:31
their intra-party divisions are just going to end
29:33
up with them getting jammed by the Senate.
29:43
So
30:37
moving on to another situation in which the house's
30:39
inability to get its act together will
30:41
cause them to get jammed by the Senate.
30:43
Let's talk about our other... That's really all
30:45
I spend my time talking about because so
30:48
happy to take up the next round. Yeah,
30:50
look Molly, when you're on... when we
30:53
have the privilege of getting you on RadSec, we try to shut up and
30:55
let you talk. And I'd just like to
30:57
say for all the listeners who are... don't
31:00
get to see the visual, Molly just very... she
31:02
said her thing and then just took a very elegant
31:05
sip from... I think it was a C-SPAN mug. Is
31:07
that correct? Am I saying that correctly? Okay. It
31:09
is the reward you get if you go
31:11
on C-SPAN in the mornings and
31:13
take live C-SPAN callers, which is an
31:15
experience unlike any other I have had
31:18
in my life. They should
31:20
give you like a hundred mugs for that. Just
31:22
a small digression. I feel like in our world, there's
31:24
like famous and there's nerd famous, which is what like
31:26
people like us actually care about. Right?
31:29
So there's like, you know, like local
31:31
affiliate NPR. Then there's like, I was
31:33
on national NPR. I think taking C-SPAN
31:35
calls is... You're done.
31:37
You've peaked. How does it feel to
31:39
have peaked, Molly? My personal
31:42
favorite version of this, and again, I
31:44
apologize for the digression, is
31:47
one that comes from a friend of
31:49
mine who sort of occupies a similar
31:52
space to me, who told me once
31:54
that there are two and
31:56
only two public engagements that
31:59
bring his old high school girlfriends
32:01
out of the woodwork to send him
32:03
emails. One of them is appearing
32:05
in the New York Times and the other one
32:07
is appearing on National NPR. So
32:09
that's like the benchmark that I tend to think about.
32:12
I love it. He clearly had good
32:14
taste in nerdy girlfriends in high school, I
32:16
approve. Okay, so we've
32:18
talked about one source of headaches for Mike Johnson.
32:20
Let's talk about another source of headaches for Mike
32:22
Johnson, which is these
32:25
aid bills for Israel and Ukraine. Let
32:28
me actually start with what's been happening in the Senate.
32:30
Here it seems a little more straightforward, right? So the
32:32
Senate has in fact voted on a kind of a
32:34
bipartisan Israel-Ukraine bill.
32:37
So you just talk about what's happening there and
32:39
we can then segue from that into what Magic
32:43
Mike is trying to deal with. So
32:45
on one level, I think in the Senate,
32:47
there's just a fair amount of frustration about
32:49
the fact that they did this. There
32:52
was a lot of frustration about how they
32:54
got to the point of having something that
32:56
they could pass. There's
32:58
a whole torturous episode around
33:01
were there border-related
33:04
provisions that the Senate could
33:06
negotiate and get Senate approval
33:09
for that then potentially could
33:11
go over to the House
33:13
and that went terribly
33:15
for Jim Lankford
33:18
and Chris Murphy and Kyrsten Sinema, who
33:20
spent a lot of time working only
33:22
to have Republicans throw Jim
33:24
Lankford under the bus in mere
33:26
hours from when they announced what
33:29
they had agreed to. And so on
33:31
one level, I think there's a lot of, there's
33:33
for the folks in the Senate who would
33:35
like to see additional assistance to Ukraine approved.
33:37
There's a lot of frustration. There
33:40
is a faction in the House,
33:42
excuse me, in the Senate Republican
33:44
Conference that is not interested in
33:47
approving additional assistance to Ukraine
33:49
without sort of significant changes to the
33:51
structure of that assistance. So we can
33:53
talk about what that
33:55
might look like, but it
33:58
seems the... is a
34:00
little bit of an overstatement, but
34:02
it seems like if you ask
34:04
Mitch McConnell about anything right now,
34:07
he will pivot the answer to
34:09
just telling you that the Senate
34:11
and the House need to approve
34:13
additional assistance to Ukraine. Like, it
34:15
continues to be the biggest
34:17
thing that he appears to care
34:19
about in the now
34:22
waning days of his leadership of
34:24
the Senate Republican Conference. And
34:26
so I think that that's kind of where the
34:29
Senate is. And I
34:31
think there is a sense among
34:33
some Democrats in the House that
34:35
the most likely scenario that we
34:37
still get is that the
34:39
House takes up what the Senate has passed
34:41
already. That is, we can
34:43
talk about why I think
34:46
I'm a little skeptical of that. But it actually,
34:48
at this point, the reason I'm
34:50
skeptical of that has as much to do with the
34:53
evolving congressional politics of assistance to
34:55
Israel as it does with the,
34:57
actually, I would say, sort of static
34:59
congressional politics of assistance to Ukraine. OK.
35:02
So before we then get to the House, I actually do
35:04
want to pause and talk actually about the substance of
35:07
these bills, right? In particular, just the substance of providing
35:09
aid to Ukraine and aid to Israel. So my sense
35:11
is that aid to Israel, while
35:13
Israel would appreciate it, it's
35:15
hardly existential for Israel. Israel is a rich country.
35:18
It is not facing, you know, it is
35:21
the Goliath here, right? Not the David. Although,
35:23
obviously, it's a complicated situation. And
35:26
so funding from the United
35:28
States to Israel would be nice for Israel. It'd
35:30
be like a good signal.
35:32
It'd be a nice gesture. But
35:34
it's hardly existential for Israel. But
35:36
that's not the case for Ukraine.
35:38
And Quinta, you mentioned in
35:40
the intro, Ukrainian
35:43
President Zelensky has basically, well, not basically, he's
35:45
just very explicitly said, if we do not
35:47
get this funding, we will lose
35:49
the war in Russia. Yeah, saying that more
35:51
and more directly as time goes on. And
35:54
I'm curious, actually, what you think about that. Obviously,
35:56
it's pretty clear that that aid would be
35:58
much more useful to Ukraine in a way
36:00
that, you know, again, it's not existential for Israel. But
36:03
of course, it is an interest to say very
36:05
strongly that he needs that aid, or,
36:07
you know, the Ukraine will quote unquote, lose
36:09
again, whatever that means. I'm sort of curious
36:12
what you think about that. I mean, do
36:14
you think this really is kind of an
36:16
existential moment in the Russia-Ukraine war? Let
36:18
me start with you, you, Quinta. My impression is
36:20
honestly, yeah, that it is. I think that,
36:22
I mean, Molly, I'm curious for your perspective
36:25
as well, because I know you've been in
36:27
a number of podcasts discussing this with
36:30
people who are far more expert than I am. But
36:32
my strong impression is that it
36:35
is not an exaggeration to say
36:37
that if the House
36:39
cannot get it together and approve aid
36:42
and Ukraine loses the war, it will
36:45
be the House Republicans' fault. That
36:48
sounds extreme and
36:50
like I'm exaggerating. I really
36:52
don't think that I am. And I
36:54
actually don't know to what
36:57
extent it has sunk in
36:59
among House Republicans and
37:02
among sort of centrist
37:04
policy types in D.C. the
37:06
extent to which that is
37:08
the case. Like the Ukraine
37:11
is really on a razor's edge right
37:13
now. They have been, I don't know
37:16
whether outright retreating or just saying that they're
37:19
going to need to start retreating. But like
37:21
the situation is not good. And
37:23
they have been able to hold on
37:25
for this long precisely because of these
37:27
shipments of aid from the U.S. and
37:29
from Europe. That's
37:31
really key. And the bottleneck here
37:33
is the House Republican
37:36
Caucus, which honestly
37:38
raises separate from
37:41
the fate of Ukraine, which I think is
37:43
the real consideration here, I think also raises
37:45
kind of a domestic political question for me,
37:47
which is do they
37:49
realize that? And
37:52
if they do or if they don't, do
37:55
they have a sense of
37:57
what the fallout for them will be
38:00
if this happens and people are able to
38:02
point to them and say, you know, this
38:04
was you, you did this.
38:07
I actually don't have a sense of that particularly,
38:09
or if they care, frankly, or if it's really
38:11
just posturing. I don't know, Molly, do you? Yeah,
38:13
so I don't- It's sort of, am I exaggerating?
38:17
Not as I understand it. Again,
38:19
most of what I know here
38:21
comes from listening to colleagues of
38:23
ours at Lawfare, at
38:26
Brookings, in sort of the Washington think
38:28
tank establishment. So I think the
38:30
one thing- The blob. One thing is the
38:32
blob, yeah. One thing that's really unclear to
38:34
me is, so to kind
38:37
of situate this within broader
38:39
dynamics within the House, sort
38:42
of the Republican Party more generally, but
38:44
specifically the House Republican Conference, is that
38:47
sometimes when
38:49
there is division within, again,
38:52
especially the Republican Party on
38:55
some major issue, there
38:57
are, within the sort
39:00
of people who are saying
39:02
no, some of those people
39:04
are true no's, and some of
39:06
those people are what we often refer
39:08
to as the vote no, hope yes
39:11
process. And what I don't have,
39:13
this goes to sort of your last point,
39:15
Quinta, what I don't have a great sense
39:18
of is among the, I'm
39:20
going to wildly shorthand this,
39:22
kind of 100-ish House Republicans
39:24
who have been no
39:26
votes on additional assistance to Ukraine
39:29
in some form. How many
39:31
of them are true
39:33
no's and how many of them are
39:35
this sort of vote no, but
39:37
hope this actually gets done and
39:40
are taking the no position
39:44
because they feel pressured to
39:46
do so by President Trump, any
39:49
number of things. The other
39:51
thing that I'll note on kind
39:54
of like thinking about the
39:56
issue of assistance to Ukraine as
39:59
related to assistance to Israel,
40:01
and I think it's important
40:03
to remember that when we
40:05
started down this particular version
40:08
of the assistance to Ukraine
40:10
path, it was before Hamas
40:12
attacked Israel on October 7th.
40:15
So the kind of first several
40:18
rounds of this fight were
40:20
about a proposal that would have had
40:22
assistance to Ukraine with additional money for
40:24
the border and then some assistance or
40:28
some additional funds for U.S. operations
40:31
in the Asia Pacific, sort of short-handed
40:33
as money for Taiwan. And
40:35
so when the
40:38
war in Gaza erupted in
40:41
early October, the
40:43
initial idea was that, oh,
40:46
we will add assistance
40:48
to Israel to this
40:50
proposal because it might
40:53
be a vote-getter. It
40:55
might help build a coalition
40:57
that will also—it might sway
41:00
some people who had been no's
41:02
on assistance to Ukraine and turn
41:05
them into yeses on a combined
41:07
assistance proposal. For Mike Johnson. And
41:12
the politics of that in
41:14
the intervening six months have
41:16
just changed wildly. And
41:19
so I don't—and this gets sort of back to
41:21
this question of like, what might
41:23
the House do? And
41:26
I think it's a real possibility that
41:28
now they need to take
41:30
these two things that were connected
41:32
under the idea that doing
41:35
the two of them together would help
41:37
get votes for the thing and cleave
41:39
them apart because of
41:43
the evolving politics of
41:45
providing additional assistance to
41:47
Israel. So
41:50
kind of where—just to wrap up the
41:52
segment maybe—kind of where we are at
41:54
the moment is
41:57
that there are, quote-unquote,
42:00
plans for the House to
42:02
consider some sort of measure
42:04
providing additional assistance to Ukraine
42:07
next week. I think plans was doing a lot
42:09
of the work in that sentence. And
42:12
there's a lot of debate over the form that
42:14
that would take. But a
42:16
big open question for many
42:19
folks is if Johnson does
42:21
bring a Ukraine
42:23
assistance package to the floor, whether it
42:25
has additional assistance for Israel, whether it's
42:27
separate from that, who knows, is
42:31
that a thing that would trigger
42:33
the kind of most
42:37
hardline element in the
42:39
conference to try and get rid
42:41
of him in the same way that they
42:44
got rid of McCarthy last fall? I
42:46
will say that I
42:48
am skeptical of that. I certainly could be
42:50
wrong. I think that
42:53
many, many Republicans do not
42:55
have an interest
42:57
in going through that experience
42:59
again. And I
43:01
also think that the chances
43:03
for the calculations
43:05
for Democrats of sort
43:08
of potentially backstopping
43:10
Johnson in a way
43:12
that they were unwilling to backstop McCarthy,
43:15
I think those calculations are different in
43:18
part because while Johnson is
43:20
very conservative and is not
43:23
liked for policy reasons by
43:25
many Democrats, he
43:27
does not have the same track record
43:29
of doing things that make each and
43:31
every element of the Democratic caucus angry
43:33
in the way that McCarthy did in
43:35
the run up to what happened in
43:38
late September. So you can have me
43:40
back on in a couple of weeks when
43:42
I may have to eat
43:44
these words, but I am
43:47
somewhat skeptical that we'd actually
43:49
see Johnson get deposed over
43:51
bringing something to the floor in
43:53
Ukraine. And maybe the answer to that is he
43:55
just ultimately doesn't do it, but that's
43:58
kind of where I see that piece
44:00
of the puzzle. And
44:02
now the second we've all been waiting for. Yes,
44:05
the second we've all been waiting for. So
44:11
late last month, Microsoft
44:14
developer uncovered a backdoor planted
44:16
in a widely deployed Linux
44:18
utility called XZ Utils. I
44:21
just want to say that I spent a lot
44:23
of time trying to think about whether I could
44:26
make a joke about utils from Econ
44:28
101. Oh, that literally just
44:30
occurred to me. I came up with nothing. What's
44:35
your XZ utility function?
44:37
I just thought about
44:39
it for a long
44:42
time. The Pareto optimality.
44:45
So this backdoor was detected
44:47
before it was included in
44:49
any like production releases for
44:52
big Linux distributions. But if it hadn't
44:54
been discovered when it was, the consequences
44:56
would have been quite large. So,
44:59
Alan, mostly I want to talk
45:01
about the national security implications here.
45:04
But I think it'd be helpful
45:06
to start briefly with just like
45:08
a basic overview of
45:11
the underlying environment computing wise that
45:13
like creates this possibility. So
45:15
we spent a lot of time saying, Oh, like X is
45:18
a national security issue, what we're at, whatever
45:21
X is. But can you
45:23
briefly help us understand why, like, as I
45:26
understand it, there's a widely
45:28
accepted set of programming practices that like
45:30
creates the opportunity for what would
45:33
have been a huge cybersecurity crisis? Yeah.
45:36
And so here, I want to reference a
45:38
great piece that we just published, I think
45:40
yesterday or Tuesday by Bruce Schneier on this
45:42
specific backdoor. And then we've published some great
45:45
stuff also by Chinmayi Sharma on kind of
45:47
open source software generally. And I
45:49
think this really is a story. I mean, there's
45:51
obviously a very specific technical point here about XZ
45:53
Utils and the SSH utility and
45:55
the backdoor and all that sort of stuff, which,
45:58
you know, even I, computer dork that I am, only
46:00
sort of understand. I mean the open
46:19
source software is so important and so vital
46:21
and also screwed up all at the same
46:23
time. So there's a great, I
46:25
think it's an XKCD cartoon, which we will also
46:27
link to the show notes, where it's like a
46:31
giant tower of building
46:34
blocks and the
46:37
image label is something like civilization or
46:40
something. And then at the very bottom, there's a tiny little
46:43
Jenga piece everything's balancing on and
46:45
it's labeled like some tiny utility
46:47
that some dude has been maintaining
46:50
in his free time for the last eight
46:52
years. And this is how open source works,
46:54
right? So increasingly as
46:57
computer systems have gotten more and more complicated, the
47:00
job of a programmer developing the system is less
47:02
to sort of start from scratch, but to take
47:04
existing modules and
47:06
kind of Lego blocks basically and build on
47:08
top of them. And you want to do
47:10
that. Like that's clearly the way to do
47:12
it because that makes programmers
47:15
much, much more productive. And there
47:17
also can create a lot
47:19
more security if everyone's relying on
47:21
a relatively narrow set,
47:23
narrow here being a few thousand
47:25
or a few tens of thousands,
47:27
which again doesn't seem that
47:30
narrow, but in the context of our digital
47:32
world is pretty small, a relatively
47:34
narrow set of really well-developed
47:36
and well-vetted modules. The
47:39
problem is that the
47:42
way that these modules are run is they tend to
47:44
be open source, which is to say they
47:46
are run basically by volunteers.
47:50
They're not generally maintained by companies and
47:52
these volunteers are just basically doing this
47:55
in their free time. Now,
47:57
again, that's really good because that's created this incredible
47:59
generation of the
48:01
modern open source ecosystem. GitHub,
48:04
which is one of these open source repositories where
48:06
a ton of stuff is hosted, has been incredible
48:09
because it's allowed people from all around the
48:11
world to contribute, right? Some
48:14
people doing so as core maintainers, some
48:16
people like even me who have contributed tiny little
48:19
bits based on my own tiny expertise, right, such
48:22
as it is in little projects, and it's really, really fun.
48:25
But the problem is that these maintainers are
48:28
doing this on a volunteer basis, and
48:30
they only have a certain amount of bandwidth. And there's no
48:33
real oversight of them. Basically,
48:36
the way it works is, you know, someone
48:38
initially uploads something to GitHub, it's their repository,
48:40
they have what are called commit privileges, which
48:43
is basically they're the ones that can authorize the
48:46
changes that other users submit. And
48:49
then if the community of
48:51
programmers decides that that's a good repository,
48:54
people just use that
48:56
code. But there's no control
48:58
over that person's code except
49:01
that person. There's no mechanism. In
49:03
addition, those individuals who own the repository of commit privileges,
49:06
they can, they're the ones who decide who
49:09
else gets commit privileges. And this
49:11
is what happened in this case, where the maintainer
49:13
of this very widely used utility who
49:15
was really busy and had some sort of personal issues he
49:17
was working through, he was
49:20
approached by another user, a user
49:22
we now realize was likely the
49:24
front of, you know, an invented
49:26
persona by some probably nation
49:29
state actor, given the sophistication, you know, almost
49:31
certainly either the Russians or the
49:34
Chinese, who over a period
49:36
of, you know, months, I think maybe
49:38
even years, convinced this
49:40
individual to give him commit
49:42
privileges by being a useful member of
49:44
that community. Now, once that person
49:46
then got commit privileges, then over the next few
49:49
years, he gave commit privileges to some other people,
49:51
also probably front individuals for this
49:53
nation state actor. And then over time,
49:55
they managed to insert this
49:57
back door. And so this shows a real,
50:00
real vulnerability in the open source system, right?
50:02
Where you have our
50:04
entire digital infrastructure relying on these tiny
50:06
little components that are controlled
50:09
by volunteers, where
50:12
there's no real oversight. And
50:14
so that's, on the one hand, a big problem, which is a
50:17
huge vulnerability. On the other
50:19
hand, the way that this vulnerability was itself
50:21
discovered shows the upside of open source, which
50:23
is that because all the code
50:25
is open, that is literally
50:27
what open source means, or that's one of the
50:29
key features of open source software. You can go
50:31
and read the actual source code. It's not just
50:33
a kind of machine executable binary that you have
50:35
to accept on face that someone gives you. Anyone
50:37
can look at that. And because it's such a
50:39
broad community, people can look, and if they think
50:41
there's a problem, they can go and dig around.
50:43
And that's exactly what this Microsoft researcher did. And
50:46
so it's
50:48
tricky to know exactly what the lesson
50:50
here is because
50:54
you can sort of spin it either way. Yeah,
50:57
which is that this was obviously a crisis
51:00
averted, but
51:02
what should we take away from the fact that
51:04
it almost happened? And it's clear
51:06
the consequences would have been quite
51:09
serious. But given
51:11
everything that you just really helpfully explained
51:13
to me as a nerd
51:15
about many things, but not at all about this,
51:18
what are the possible structural responses?
51:20
Or are we just gonna
51:23
keep operating on the hope
51:25
that some solitary
51:27
Microsoft engineer or what
51:29
have you finds these
51:31
sorts of efforts in
51:34
this open source code? Yeah, I mean,
51:36
so there's a kind of a range of options. I'm
51:38
gonna sort of put them in
51:40
three rough buckets. Sort of one bucket
51:42
is business as usual. So the first option is
51:45
saying, no, this worked. This is
51:47
exactly how it's supposed to work. I mean, it's bad
51:49
that this person was able to get commit access and
51:51
inject a backdoor, but the system worked, right? And
51:54
we should just keep doing what we're doing and
51:56
we should make open source even more open, right? We
51:58
should have even more people involved and everything should be
52:00
more open source because again, the more eyeballs you
52:02
have on the problem, the better it is. And
52:04
again, there's some precedent for this. This is in
52:07
fact how modern cryptography works. It used to be
52:09
that cryptographic systems were developed in-house
52:11
and their details were secret. And the idea being
52:13
that because they were secret, they'd be harder to
52:15
crack. And starting in the 1990s
52:18
and through today, it's become clear that
52:20
actually a much better system is to
52:22
have cryptographic systems where the details are
52:24
completely public. But
52:26
because they're public, people can stress test
52:28
them. And you could design systems that are
52:30
so good that even though the details are public,
52:32
like even though to use a metaphor here, the
52:35
schematics of the lock are public, it's just so
52:37
complicated and so well designed, you can't pick the
52:39
lock, right? So that's kind of one option. Another
52:42
possibility, this goes all the way to the other end of
52:44
the spectrum is to say this is not feasible, right? Like
52:46
you cannot have a system in which stuff
52:49
is built on this group
52:52
of random utilities designed and
52:55
maintained by random people and that this could have been
52:57
a disaster and so we have to lock it down.
52:59
And so companies need to move away
53:01
from open source, move to closed source. Maybe
53:04
you have to go back to sort of what's
53:06
called security by obscurity. I haven't seen a lot
53:08
of suggestions on that because it would be
53:10
such a tectonic shift, but that is kind of conceptually one
53:12
possibility. And the third, and I
53:14
think this is where there's been some interesting work and honestly
53:17
including interesting work by Lawfare. I'm going to use this
53:19
to plug our ongoing security by
53:21
design project in which we're trying to
53:23
think through, white papers and
53:25
blog posts, kind of what security in software
53:27
and hardware should look like. It's
53:30
to see if we can take sort of the core of
53:32
open source, but maybe beef it
53:34
up a little bit. So maybe there
53:36
are various set of liability mechanisms that we
53:38
can add to open source. The
53:41
most dramatic of which is to make open source
53:43
developers themselves liable for software. That has huge downsides
53:45
and most people don't really advocate
53:47
for that because that would basically ruin the open source
53:49
ecosystem. But maybe you have a situation in which
53:52
companies that use open source software have to
53:54
do more work from a
53:56
liability perspective to vet that software. Or maybe companies move
53:59
to a particular company. to instead of a
54:02
blacklist model where you use all the open
54:04
source software you can get your hands on,
54:06
except that which is known to be bad,
54:08
maybe more companies move to a
54:11
whitelist model where you don't
54:13
– you only use
54:15
pre-vetted open source software. Maybe
54:19
there's also a way to incentivize companies to invest
54:22
more in maintaining the open source
54:24
itself, right? If this person who
54:27
had the thankless job of maintaining
54:29
this incredibly important but kind of
54:31
esoteric utility had more
54:33
support, right, had a team behind him
54:35
or had other maintainers that were not
54:37
just randos on the internet that turned
54:40
out to be the front for the
54:42
Russian government but were rather Microsoft and
54:44
Google researchers who get 10% free
54:46
time to do open source stuff, maybe that would
54:48
have solved that problem. The question there is how
54:51
do you align those incentives because, of course, open
54:53
source is just a classic example of a public
54:55
good where you have a tragedy of the commons
54:57
problem and sort of how do you get companies
54:59
to – We're just hitting one on one. Yeah,
55:02
exactly. Exactly. I
55:04
mean, in a sense, right, I mean, this is
55:06
– there's the technical piece of this which is
55:10
interesting but I think not super relevant to
55:12
our discussion. But then there's what I think
55:14
of as literally the economics of open source.
55:17
This is much more of an economics problem
55:19
in a sense of how to align incentives
55:21
than it is even a technical
55:23
problem if you're thinking about open source. But
55:27
man, it's so much fun to talk about Linux on this. And
55:30
so do we have any sense of
55:32
who was behind this? Reading about the
55:35
sort of scheme in Bruce Schneier's
55:37
post, it's like it's pretty involved.
55:39
Oh, it's super sophisticated. It's super
55:41
sophisticated both at the – it's
55:43
sophisticated on two levels, right?
55:45
So the technical level is sophisticated, right? It's
55:47
like a backdoor that talks to another backdoor that talks
55:50
to another backdoor that talks to another backdoor, right? So
55:52
in that sense, it's just a very complicated technical
55:54
exploit. But it's also sophisticated
55:56
in the degree of social engineering
55:58
that it involved. You need someone
56:01
who understands how open source works, who can
56:03
ingratiate themselves into community, who can use the
56:05
right lingo, who can use English in an
56:07
appropriate way, which might not be native fluency
56:09
because there are lots of open source developers
56:11
from all around the world. But
56:14
there's a way that crappy intelligence agencies
56:16
talk when they're trying to do these
56:18
operations versus good intelligence agencies. Greetings, friend.
56:20
Yeah, exactly. Exactly, yes. Hello,
56:23
young people. And
56:26
so, no, we don't know who this is. And
56:29
attribution in cyber security
56:31
is always difficult. But
56:34
it seems like this is a level of
56:36
sophistication that only a well-resourced, probably nation-state adversary
56:38
could pull off. And there's going
56:40
to be a lot of forensics ongoing in
56:43
the next weeks and months that we'll
56:45
see. And I suspect this is
56:47
something that it's not only computer researchers that are
56:49
interested in, but I certainly hope the NSA and
56:51
CIA are trying to figure this out too, though
56:53
presumably they won't necessarily tell us based
56:56
on what they know. All
56:58
right, time for object lessons. Alan, let me
57:00
start with you. Sure.
57:03
So, I have two kids. And
57:06
as they grow older, it's very fun to mark
57:09
off their heights. And
57:11
often that's done just in like a doorway, which is
57:13
a totally reasonable way to do it. But we want
57:15
to do it with a little more pizzazz. So
57:18
we got for our older child
57:20
a giraffe growth
57:23
chart. It is just
57:25
a big, beautiful, cute wooden giraffe that
57:27
is on his wall. But it
57:29
has a ruler on like one side
57:31
of the giraffe. And so as he gets
57:33
older, you can sort of mark off the heights.
57:38
And it is really sweet. I'm going to leave a link
57:40
to the Etsy store for this individual
57:42
who makes these. And obviously, they come in many animals.
57:45
So once our younger child
57:47
gets old enough that we can start tracking,
57:49
we'll have to get him his own animal.
57:53
Happy to take suggestions from our
57:55
followers as to should it be a zebra or an elephant
57:57
or whatnot. But it's just really nice, fun
58:00
thing. It makes a really fun thing
58:02
in a little kid's room and I like to
58:05
support good Etsy artisans. And
58:08
it's good for adults too, you know? I
58:10
mean, we've all stopped growing. Maybe
58:13
like a weight, maybe like a giraffe, like a hippo weight
58:15
chart, but that'd be depressing. Yeah.
58:17
I mean, we all as millennials that we
58:19
are, I don't think have approached the part
58:21
where we start getting shorter. Although, I went
58:23
to the doctor, she told me that she
58:27
did recently have to tell people, two people who
58:30
thought they were six feet tall, but they were
58:32
in fact not six feet tall. So that's brutal.
58:35
Yeah. Yeah. No, it's one of my great regrets
58:37
in life that I am five foot 11 and
58:39
a half. And I am
58:41
not six feet tall. That's what you have
58:43
to be aware of. Honestly, I am currently probably six feet
58:45
tall, if you had the air. Molly,
58:48
what about you? Sure. So
58:51
we talked a lot about
58:53
Congress this week. But we
58:55
didn't talk about the pending consideration
58:57
by the Senate of the
58:59
impeachment articles of Secretary Mayorkas. But
59:02
in honor of that, I want
59:04
to commend to everyone
59:07
my single favorite story
59:09
from a Senate impeachment
59:11
trial, which comes
59:13
from the start of the
59:16
Clinton impeachment and is
59:18
detailed in Peter Baker's really excellent
59:20
book about the Clinton impeachment. It's called
59:22
The Breach. And there's
59:24
a story about how when
59:26
the Senate convenes for an
59:29
impeachment trial, one of
59:31
the initial things that happen is that all
59:33
of the senators have to sign this book,
59:35
attesting that they
59:38
have been sworn in as jurors
59:40
sitting in an impeachment trial. This
59:42
is as an aside, a really
59:44
great way to determine which senators
59:46
are left-handed. But in the
59:48
Clinton impeachment, all
59:50
the senators go to sign
59:52
this book, and they have these ceremonial pens that
59:55
they are to use for the task. And
59:58
the pens, it turns out, have
1:00:00
been misprinted. Instead of saying
1:00:03
the United States Senate, they
1:00:05
say the untied state Senate,
1:00:07
which really is just really
1:00:10
just very fitting. This story
1:00:14
is recounted in Baker's book. It
1:00:16
gets its own entry in the
1:00:18
index. There's an entry of the
1:00:20
index for misprinted pens. It really
1:00:22
is just a delight.
1:00:25
And so I offer the story to
1:00:27
you. The book is also
1:00:29
really excellent and I
1:00:31
think I learned a lot
1:00:33
from reading it. So we will link to
1:00:36
that as well. Quinta, what about you? So
1:00:39
in honor of Molly's return
1:00:41
to Rational Security, I'm recommending
1:00:43
a podcast series produced by
1:00:45
a regional NPR affiliate. If
1:00:48
there's nothing else that I've accomplished by
1:00:50
occasionally appearing on ROTC, I will take
1:00:53
converting more people to the cause of
1:00:56
listening to a recently produced NPR podcast.
1:00:58
Yes. So this one is from
1:01:00
KUOW and the Seattle Times.
1:01:03
It is called Lost Patients. That's
1:01:05
patients with a T and
1:01:08
is about the sort of absence
1:01:11
of a system, I guess is
1:01:13
the best way to describe it,
1:01:15
or multiple complicated, not really interlocking
1:01:17
systems for dealing with people, for
1:01:20
helping people with severe mental illness get
1:01:22
treatment. So far, I have
1:01:24
only listened to the first two and
1:01:26
a half episodes, but I'm enjoying
1:01:29
it a great deal. It's really thoughtfully
1:01:31
and compassionately done. And I
1:01:33
think it's kind of a
1:01:35
useful context to
1:01:37
a lot of the reporting that you
1:01:40
see right now about the crisis of
1:01:42
homelessness and other issues in
1:01:44
cities and across the country. It adds
1:01:46
really useful context to that and
1:01:48
includes some really heart-rending stories. So
1:01:51
highly recommended, although it will
1:01:53
not cheer you up. That
1:01:56
brings us to the end of this week's episode.
1:01:58
Rational Security is, of course, a production of
1:02:00
Lawfare. Be sure to visit
1:02:02
lawfaremedia.org for our show page with links and
1:02:05
past episodes, for our written work
1:02:07
and the written work of other Lawfare
1:02:09
contributors, and for information on Lawfare's other
1:02:11
podcast series, including The Aftermath. Be
1:02:14
sure to follow us as well on Twitter
1:02:16
@RatlSecurity and leave a rating or review,
1:02:19
and sign up to become a material supporter of
1:02:21
Lawfare on Patreon for an ad-free version of this
1:02:23
podcast and other special benefits. Our
1:02:26
audio engineer and producer this week was Noam
1:02:28
Osband of Goat Rodeo, and our
1:02:30
music as always was performed by Sophia Yan.
1:02:32
We are once again edited by Jen Patja.
1:02:35
On behalf of my co-host, Alan, and our special
1:02:38
guest Molly Reynolds, I'm Quinta Jurecic, and we'll talk
1:02:40
to you next week. Until then,
1:02:42
goodbye.