The "Eldritch Portents" Edition

Released Thursday, 11th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:18

What was the totality situation

0:20

in Minnesota, Alan? It

0:23

was super lame. I mean, we weren't in the

0:25

path of the totality and it was super overcast.

0:27

So like, you couldn't... Oh no. We basically got...

0:30

It was zero. There was nothing. Bubkus,

0:33

which was unfortunate, though it meant that my wife

0:35

and I could take mid-afternoon naps without feeling

0:37

too bad that we were missing out on anything.

0:41

What about you guys? I think here it was

0:44

like 87% coverage maximum at 3:20 PM. Yeah.

0:50

What does that mean? Like, I

0:52

mean, presumably the effect is not

0:54

linear, right? So actually

0:56

I found a very cool

0:58

graph that basically

1:01

shows brightness against

1:03

time toward totality,

1:05

which is not linear. It

1:09

looks kind of like a log

1:11

graph, actually. Yeah, I assume. But

1:13

especially because your eyes adjust to

1:15

the change in brightness initially,

1:18

like as it gets slightly darker, and

1:21

then as it approaches totality, it gets

1:24

rapidly dark very, very quickly. So not

1:26

only is it like really dark, but

1:28

your eyes haven't, your pupils haven't adjusted.

1:30

So it's those like last couple of percentages that are really,

1:32

oh my God, the world is ending. Apparently,

1:35

yeah, basically I had family

1:38

up in Vermont for totality

1:40

and apparently it was pretty

1:42

cool. If you had

1:44

asked me before the eclipse, like how

1:47

many people do you know who are

1:49

going to travel to be in the path of totality? I

1:52

don't know what I would have told you, but it

1:54

almost certainly, I would have said

1:56

zero because like, it turns out I

1:58

knew many people who made

2:01

this choice. Most

2:03

of them, I think including our

2:06

fine Lawfare colleague, Haman, and

2:09

our other colleague, Ohania, yes. But

2:12

like Haman went to where

2:14

she had grown up, which happened to be

2:17

in the path of totality. But

2:19

I know other people who were just

2:22

so committed to this experience that they

2:24

traveled to places like

2:26

Indianapolis. I just think the word

2:28

totality is so cool in the

2:30

path of totality. It's a very it's

2:33

a cool it's a cool word. You

2:35

can definitely see why people were

2:38

freaked out by it. Right. I

2:40

mean, if you had no understanding of what the hell was

2:42

going on and you just looked up

2:44

and the sun was gone, I would be freaked out.

2:46

I would think the world was ending. Animals are freaking

2:48

out at the same time. Definitely

2:51

would be, you know, world ending,

2:53

fear, stuff. Especially

2:55

when this obviously is not

2:57

a joke original to me, but when coupled

3:00

with, say, an earthquake in a part of

3:02

the country, does that usually get earthquakes just

3:04

a few days prior? See these things, these

3:06

things come in threes, you know,

3:08

to make it like maximally spooky.

3:10

We should be expecting another disaster. I

3:13

blame the Jewish space lasers. Hello,

3:22

everyone, and welcome to Rational Security.

3:24

This is the Eldritch Portents edition

3:26

in honor of the eclipse. I

3:30

am Quinta Jurecic and that

3:32

spooky noise you just heard was my

3:35

co-host, Alan Rozenshtein. Hello.

3:38

And we are joined by none other

3:41

than our Brookings and Lawfare colleague, Molly

3:43

Reynolds, who will explain Congress to us

3:45

once again. Hello, Molly. The Congress whisperer.

3:50

I actually prefer Congress

3:52

whisperer to congressional guru, which

3:54

is what Ben was calling me for

3:56

quite some time. Well, I'll take Congress

3:59

whisperer. Yeah. Well, as

4:01

that suggests, listeners, we have many

4:03

Congress topics for you today, two out of

4:05

three, in fact. So

4:08

our three topics, the first one will be

4:10

the 702nd time's the charm.

4:14

Section 702 of the Foreign Intelligence Surveillance Act

4:16

was originally set to expire on December 31st,

4:19

2023, but somehow Congress has

4:21

managed to keep kicking the can down the road

4:23

and we're once again in the middle of an

4:25

argument about whether and to what extent the

4:27

legislature should reform the bulk surveillance authority. How

4:30

did we end up here? And is there

4:33

any indication that Congress will manage to pass

4:35

a lasting reauthorization in some form this time

4:37

around? Second

4:39

topic, Magic Mike. Speaker

4:42

of the House Mike Johnson's troubles do not

4:44

stop with FISA. He's also tangled up

4:46

in a prolonged dispute with his caucus over

4:48

U.S. aid to Ukraine, which is becoming

4:50

a matter of rapidly increasing urgency with

4:52

Ukrainian President Volodymyr Zelensky, warning that his

4:54

country will lose the war if the

4:56

aid is not approved. Johnson

4:59

now says he'll put his own aid package on the

5:01

table, still tying that to another tranche of aid

5:03

to Israel. But will the House

5:05

actually vote this time or is this just another

5:07

head fake? And

5:10

last but not least, Alan's

5:12

prayers have been answered and we can finally talk

5:14

about Linux. Hell yeah.

5:17

A few, Alan actually is responsible for what

5:19

I'm about to describe. He engineered the whole

5:21

thing just to talk about Linux. A

5:25

few weeks ago, a single software engineer

5:27

alerted the world to an alarming discovery,

5:30

malicious code inside a key piece of

5:32

Linux software that, had it gone undetected,

5:34

could have caused a catastrophic cyber

5:36

attack worldwide. What actually

5:38

happened here? Is it related to the

5:40

eclipse? It's not, but I just wanted to say that. And

5:43

what could stop it from happening again? So

5:47

for our first topic, I will

5:49

kick things off. I

5:51

don't actually know whether this

5:53

is the 702nd time that we've talked

5:56

about renewing Section 702

5:58

this time around, but it certainly feels like it,

6:00

listeners. Here we are

6:02

once again. On Tuesday

6:05

the Rules Committee moved

6:07

forward with some legislation that has

6:10

been put on the table as

6:12

kind of the base structure with

6:14

which the House can itself move

6:17

forward with a vote on reauthorizing

6:20

Section 702. We've been

6:22

kind of tangled in

6:24

a long-running dispute between

6:26

sort of let's call

6:28

them in a very high altitude sort of

6:31

reformers who want some

6:33

additional restrictions on the bulk

6:35

surveillance authority and another

6:38

camp that would rather

6:42

reauthorize things in

6:45

a form that more closely aligns with the

6:47

way that the statute and the authorities are

6:49

currently set up. Those were terrible names for

6:51

the two camps so if you can come

6:53

up with anything better we'll go with that.

6:56

These two camps have kind of been going

6:58

back and forth. I think they broadly, though

7:00

not entirely, align with the House Judiciary Committee

7:02

on the reform side, bipartisan,

7:06

and the House Intelligence Committee on the keep

7:08

it as it is side. And

7:10

Speaker Johnson has been unsuccessfully, I

7:12

think it's fair to say, trying

7:15

to kind of square the circle between

7:18

these two camps. So Molly,

7:20

we're going to take it over to you. As

7:22

always, what is happening and

7:25

will Mike Johnson have any luck

7:27

in actually resolving this issue this time around? So

7:30

I think to understand what's happening

7:32

there are a couple of ways

7:35

that it's helpful to zoom out

7:37

a little bit from where we

7:39

are right now. So the first

7:41

gets at this question of camps

7:43

as Quinta was describing them. And

7:46

so I'm channeling Ben a little

7:48

bit here because he likes to

7:50

make this point often that historically

7:54

in the House and Senate the

7:57

FISA, Foreign Surveillance,

8:00

has been a little bit

8:03

of a strange bedfellows enterprise

8:05

in that in terms of folks who

8:08

would like to see the authorities

8:10

of the law limited or

8:12

reformed in significant ways historically

8:14

that's been kind of a

8:17

coalition of

8:19

civil liberties minded Democrats

8:22

and a handful of kind of true

8:25

civil libertarians so when for

8:27

instance, Justin Amash

8:30

from Michigan was still in the House, he was sort

8:32

of the archetype of

8:34

this this Republican group and

8:38

so the idea that we

8:40

have some alliance between some

8:42

Democrats and some Republicans in

8:45

advocating for pretty aggressive changes

8:47

to FISA. So that's not

8:49

a totally new issue what

8:51

is new this go-round is

8:53

this notion that that group

8:57

some Democrats a couple of

8:59

Republicans have been joined by

9:01

a larger number of Republicans

9:03

who are kind of I don't

9:05

know anti-deep state might

9:08

be the way to describe them folks

9:11

who see the issue of 702

9:13

and surveillance as

9:17

prototypical of an overreach by the

9:20

FBI and this idea that the

9:22

deep state is spying

9:24

on Americans and having Trump's wires

9:26

it's a little bit of a

9:28

caricature here but this is it's

9:30

a sort of this dynamic is

9:32

new to this go-round of the

9:35

FISA debate. And Quinta is right that

9:38

in the house we have

9:40

two or for several months now

9:42

we've had sort of two competing approaches

9:45

to reauthorizing FISA 702

9:47

one of them has been

9:49

coming from the House Judiciary

9:51

Committee which has

9:53

both the civil libertarian

9:56

minded Democrats and

9:58

a bunch of these concerned

10:01

about the FBI-minded Republicans. So

10:03

you can kind of, when

10:06

the last time we

10:09

went down this road, if

10:11

you watched, and really no

10:13

one needs to do this, but if you watched

10:15

the House Rules Committee the last time this was

10:17

going to come up, debate

10:20

the rule for consideration, you saw

10:22

of all people Jim Jordan

10:24

and Jerry Nadler appear together

10:27

to advocate for the House

10:29

Judiciary Committee. Extremely odd couple.

10:31

And what is, I think, probably, I'm

10:34

not an expert on this,

10:36

but probably most central to what that

10:38

faction wants is a requirement

10:41

that, a warrant requirement

10:44

under section 702 that doesn't

10:46

currently exist. The other kind

10:48

of faction in the House

10:50

is being led by

10:53

the folks

10:55

from both parties on the House Intelligence

10:57

Committee. They would have you,

10:59

they would want you to believe, Mike

11:01

Johnson would want you to believe that their

11:03

proposal does make some changes to FISA. Again,

11:07

I'm not an expert to the point that

11:09

I can sort of adjudicate that claim, but

11:12

you know Mike Johnson, in trying to sell

11:15

the idea of action that is

11:17

closer to the

11:19

intelligence committee's proposal to his conference,

11:21

has gone around saying things like,

11:24

there are 50 reforms to FISA

11:26

702 in this proposal

11:30

that's come out of the Intelligence Committee. So

11:33

that's sort of one thing to know

11:35

and just give you kind of a

11:37

lay of the land on where the

11:39

two kind of principal factions

11:42

are. Next thing I'll talk

11:44

about is, Quinta mentioned the Rules Committee, which met

11:46

yesterday, and in some

11:48

ways this is actually, it's a

11:51

notable development and it's like a

11:53

remarkably notable development in that it

11:55

shouldn't be remarkable. So over

11:57

the past six to nine months, Mike

11:59

Johnson, and Kevin McCarthy before Mike

12:02

Johnson, and then Mike Johnson,

12:04

have really lost control

12:06

of the ability to bring the

12:08

things to the floor of the

12:10

House of Representatives via the rules

12:13

committee. So super brief overview of

12:15

how this generally works: the House

12:17

Rules Committee, when the House is

12:19

going to debate a subset piece

12:21

of legislation, will meet, will talk

12:24

about what are the terms under

12:26

which that bill is going to

12:28

come to the floor, are

12:30

there amendments to be offered, that sort of thing. And then

12:32

they do what we call report

12:34

out a rule. That rule goes to

12:37

the floor. There's a vote on the

12:39

rule, where historically everyone in the majority

12:41

party votes for it, and everyone in

12:43

the minority party votes against it. And

12:46

you as a member of the majority

12:48

party are supposed to vote for these

12:50

things. This is what allows your party

12:52

to have procedural control over what happens

12:54

on the floor. And if you stop

12:57

voting for rules, then it makes it,

12:59

particularly if your party has a very

13:01

slim majority, see the current House Republicans,

13:03

it makes it very hard for

13:05

your party leader, the Speaker, to

13:07

manage what's happening on the floor.

13:09

And so over the past six

13:11

to nine months, basically all of

13:14

the major things that Congress has done

13:16

around, say, keeping the government open

13:18

and funding the government for the

13:20

balance of the fiscal year have not

13:22

only required Democratic votes to pass, but

13:24

have had to come to the floor

13:27

in a way that doesn't go through

13:29

the Rules Committee, either because Republicans

13:31

don't have the votes on the committee

13:34

itself and because they put several

13:36

i'm sitting pakistan same text aligned face

13:38

and neck committee as benefit concessions that

13:41

McCarthy made when he was trying to

13:43

get elected Speaker, and/or they don't

13:45

have the votes in the Republican Conference

13:48

to, say, adopt these rules. On

13:50

this one, why did Mike

13:52

Johnson have to go through the Rules

13:54

Committee here? It's because if you

13:56

bring something to the floor in that

13:58

other manner that he's been doing

14:00

with spending bills, you can't amend

14:02

those bills on the floor. And so it became

14:05

very clear that if there

14:07

is a path forward for

14:09

702, it's going to have to involve

14:11

the two factions, the

14:14

HPSCI faction and the judiciary faction to kind

14:16

of shorthand them. Each

14:19

faction's gonna have to get some amendment

14:21

votes. They're gonna have to get the opportunity to

14:23

offer some amendments on the floor and

14:25

then see what happens. So that's kind of

14:27

where we are. It is

14:30

the middle of the day, Wednesday. I

14:32

believe the vote on the rule

14:35

is supposed to happen today. So maybe by the time

14:37

you're listening to this, this will all have blown up

14:39

again. But, and then

14:42

if the rule passes, the

14:44

vote on the bill itself, I believe is scheduled to

14:46

happen tomorrow. We can

14:48

talk a little bit about the sort of key

14:50

issues that are in these amendments that the House

14:53

might consider. There are three from kind

14:55

of the intel factions, three from the

14:58

judiciary faction, I think we should

15:00

think about them as issues that Johnson

15:02

is trying to separate from the

15:04

out of the core bill, either

15:07

because there's a possibility that they're vote

15:10

losers if they're definitely in the bill

15:12

itself, or because they are

15:14

things on which people who

15:17

oppose the form that

15:19

the bill is taking are

15:21

insisting on getting votes on if they're going to

15:24

go along with the plan for

15:26

considering the bill. The last thing

15:28

that I will say is

15:30

that you might be asking yourself,

15:32

well, there are a lot of

15:34

Democrats who would like to see this FISA

15:37

reauthorized, some of them are on the Intel

15:39

committee, others are just folks who agree with

15:41

the idea that the government should be able

15:43

to keep doing what it's doing. Why

15:45

would they not help Mike Johnson bring

15:48

this bill to the floor? Why would they not vote

15:50

for the rule? Because that's really what the crux of

15:52

the issue is right now is

15:54

do Republicans have the votes to bring the

15:57

votes before it's off? In

16:00

addition to this strong norm that

16:02

Republicans have thrown out the window

16:05

around if you're in the majority

16:07

party, you vote for the rule. And if you're in the minority

16:09

party, you vote against the rule. Republicans

16:11

have also made it harder on

16:14

themselves to get Democrats to potentially

16:16

vote with them on the rule

16:18

to consider FISA reauthorization by putting

16:20

two other, putting the terms

16:22

for debate for two other unrelated

16:24

resolutions into the same rule. One

16:27

of them is a resolution that denounces

16:29

the Biden administration's immigration policy. Another

16:32

is one, and here I'm quoting, opposing efforts

16:35

to place one-sided pressure on Israel with

16:37

respect to Gaza. So sure.

16:39

Yeah. So it's not, I'm

16:41

not saying that if they had left those

16:43

things out of the rule, that this would

16:46

be smooth sailing and that you would get

16:48

Democrats to vote

16:51

with Republicans on a vote that, again,

16:54

historically they wouldn't do

16:56

for kind of party unity reasons.

16:59

But Republicans, again, and

17:01

I'm assuming there's a good, like,

17:03

intra-Republican reason for putting those things in

17:05

the rule. I don't know. But it's

17:07

all, it all comes down to there are

17:09

these just huge divisions within the Republican

17:11

conference that are very

17:14

difficult for Mike Johnson to manage. So

17:17

Alan, what substantively is the fight here?

17:20

I think the term warrant requirement has

17:22

been thrown around a lot in recent

17:24

months as this debate has been ongoing.

17:28

What is on the table? And also

17:30

why is the sort of cohort of

17:32

Congress that's more closely aligned with the

17:34

intelligence community and this so opposed to

17:36

the idea? Sure. So

17:39

I apologize to the listener, but in order to do

17:41

this, I have to explain a little bit of what

17:43

FISA is and particularly 702. And

17:46

I'm scared to do it because it's so complicated. I'm

17:48

always terrified of getting something wrong here. But

17:50

the general idea is that 702,

17:52

and the reason it's often sometimes

17:54

called a bulk collection program, is

17:56

that it allows the government

17:59

to collect large amounts of data about

18:02

foreign persons abroad, but to collect that

18:04

data inside the United States. And the

18:06

reason for this is that when

18:08

702 was created and still to a large

18:10

extent today, a huge amount of internet

18:13

traffic goes through the United States because we're

18:15

the leading producer

18:17

of internet technologies and companies and Google

18:19

and Microsoft and all these companies are

18:21

in the United States. So

18:23

even if the government is trying to

18:25

collect on foreigners outside the United States, individuals

18:28

who don't generally have constitutional rights or

18:30

Fourth Amendment rights, the fact

18:32

that the government wants to do it in

18:34

the United, the actual collection in the United

18:36

States creates some legal, potential legal issues. And

18:39

so 702 was created to provide

18:41

a kind of statutory framework by

18:43

which rather than getting a warrant every time

18:46

the government wanted to do a search in the United

18:48

States, it would rather go to

18:50

the special court, the Foreign Intelligence Surveillance Court,

18:52

the FISC, and say, hey, here's this program

18:55

that we're going to do. Here are the

18:57

general guidelines. Here's how we're going to do targeting. Here's how we're going

18:59

to do minimization. Here's going to do all this

19:01

sort of stuff. Sign off on

19:03

that program and then

19:05

we will then do that thing. And

19:09

that's meant to provide more

19:11

privacy safeguards than just letting the government do what it

19:13

wants to do, but it's less than a warrant, right?

19:15

Because a warrant, and this is literally in the Constitution

19:17

in the Fourth Amendment, has to have

19:19

probable cause and in particular has to specify with

19:22

particularity what the government is seeking to

19:24

find evidence of a crime or something like

19:26

that. And of course, if you're doing bulk collection, by definition, you

19:29

can't specify in advance the specific thing you're

19:31

looking for. That's bulk collection. Okay.

19:34

Fine. So now you have all this

19:37

data and the problem is that although it's

19:39

going to contain, hopefully, mostly stuff about

19:41

foreign individuals, because that was the whole

19:43

point of the targeting procedures that the

19:45

FISC signed off on. Basically

19:48

it's going to contain a huge amount of US person

19:50

information. And this is because foreign individuals are often talking

19:52

to US persons and so just this information gets swept

19:54

up. Okay. So what do

19:56

you do with that US person information? If

19:58

it's not relevant to foreign intelligence, you're

20:01

supposed to minimize it. Okay. But what if it might

20:03

be relevant to a foreign intelligence investigation? You have this

20:06

data. So what is the government going to do? Well,

20:08

the government wants to query it. And

20:10

right now the government is allowed to query

20:12

this massive data with

20:15

what are called US person identifiers. So these things

20:18

are like, you know, Molly Reynolds's name, Quinta

20:20

Jurecic's phone number, Alan Rozenshtein's

20:22

address. If the

20:24

government can articulate that there's

20:27

a reasonable chance, reasonable expectation

20:29

that using this US

20:31

person query will create useful foreign intelligence

20:34

information. But again, this is all on

20:36

the government's say so. Now, there

20:38

are civil libertarians who generally don't like this. They

20:40

don't like the government being able to do frankly

20:42

anything without a lot of court oversight. But

20:44

even folks that are more sympathetic to this,

20:47

there have been some concerns around agencies,

20:51

in particular, the FBI just doing a very bad

20:53

job in actually abiding by these

20:55

requirements. And so, so there's a great piece we'll

20:57

link to by Ben Wittes and Preston Marquis, sort

20:59

of going through sort of examples of the FBI

21:01

screwing up, not maliciously, but just

21:03

kind of sloppily, that is

21:06

an example of why this has become such a

21:08

controversial issue. So this

21:10

now finally brings us to the warrant requirement

21:13

issue that we've talked about. So

21:15

the intelligence community and its allies in

21:17

Congress accept that this is a problem.

21:19

No one's defending sloppiness. But they think

21:21

that the way to fix that is

21:23

just to have even more oversight, even

21:25

more procedures, give the National Security

21:27

Division at DOJ where I used to work, even

21:30

more money and resources to go and

21:32

sit on top of the FBI and

21:34

audit their stuff. But

21:36

there's another group, and I would

21:38

associate this with the sort of, not so

21:40

much the Republicans who are opposed to FISA because

21:42

their complaints are kind of weird and a

21:44

little more paranoid. But let's call it sort of usually the

21:47

Democrats or the sort of civil libertarians in Congress who say,

21:49

no, this is just, there's

21:51

no internal oversight that's going to be sufficient.

21:53

The government should have to go to the

21:55

FISC and get a warrant, like an actual

21:58

real live, you know, probable cause, a

22:00

particular specified warrant before it

22:02

can put Molly Reynolds' name

22:05

in that database for a query.

22:08

And the government doesn't like this.

22:12

The arguments that are made are sometimes kind of conceptual,

22:14

like, well, we have this data already lawfully collected. Why

22:16

should we need a warrant to access data where you

22:18

have lawfully collected? Yeah, I mean,

22:20

I'm not sure that argument makes a lot of

22:22

sense. You can

22:25

have any warrant system you want. I think the better

22:27

argument is just more practical, which is it's going to

22:29

really make it much harder for us to do our

22:31

jobs if we have to go get a warrant every

22:33

time we want to look at this data. To which

22:35

the civil libertarians say, yup, that's exactly the point. And

22:38

because this is classified, all of this,

22:40

it's very hard to do the kind

22:43

of bloodless cost-benefit analysis that you would

22:45

otherwise do in any other regulatory domain.

22:48

So that's the warrant requirement. Now the

22:50

last thing I want to say is the warrant requirement, it's

22:52

not a yes or no thing. There are different versions

22:55

of the warrant requirements that are being

22:57

bandied about. So the PCLOB, the President's

22:59

Civil Liberties Oversight Board, released

23:02

a report at some point in

23:04

the past, I don't remember, in which the

23:07

three-member majority suggested a kind of

23:09

compromise whereby the agencies

23:12

would be able to enter

23:14

the US person, to make the

23:16

US person query without a warrant. But

23:18

then if the database returned actual results, they

23:21

said, yes, there is actually something about Molly

23:23

Reynolds or Quinta Jurecic or Alan Rozenshtein that's

23:25

responsive to your query. Here are

23:27

seven results. The agency would then have to

23:29

go to the FISC to get a warrant

23:31

to look at those results. And

23:33

so the idea here, the reason for compromise

23:35

is because since the vast majority of queries

23:37

don't actually result in

23:39

positive flags, it would

23:41

cut down on a lot of unnecessary going to the

23:43

FISC and wasting of everyone's time. Now I haven't kind

23:46

of gone totally into details of what this compromise would look

23:49

like. So I mean, I am assuming that the

23:51

mere fact that a query produced responsive

23:53

result could not itself be used

23:56

to bootstrap the probable cause for the warrant, otherwise it's

23:58

not really a warrant requirement anymore. It's a rubber stamp.

24:00

So presumably it would have to be not just

24:02

that, you know, Alan Rozenshtein came back as there's

24:05

stuff about him in this database but and also

24:07

there's other information that makes us think that this

24:10

data that's in the database would be relevant to a

24:12

foreign intelligence investigation and so on and so forth. So

24:16

that's the kind of compromise position that, well,

24:19

we'll see what happens to it. That was

24:21

really helpful Alan. Couple things that I'll note from just

24:23

kind of a congressional politics

24:26

perspective around this. One

24:29

is that the

24:31

version of the

24:34

warrant requirement that is so

24:38

should we get past the rule

24:40

vote and there's an actual debate on the floor

24:42

of the House with votes on amendments. The

24:44

version of the warrant requirement that's teed

24:47

up by the House Rules Committee to

24:49

be considered is one that

24:51

has it's in the form

24:53

of an amendment with six co-sponsors. Three

24:56

of them are Republicans, Andy

24:58

Biggs, Warren Davidson and Jim Jordan and

25:01

three of them are Democrats. Pramila Jayapal

25:03

who's the Chairwoman of the House Progressive

25:05

Caucus, Jerry Nadler who's the

25:07

ranking member on the Judiciary Committee and

25:09

Zoe Lofgren who's also sort

25:11

of very much one of these civil libertarian

25:14

minded Democrats.

25:16

So that I

25:18

think should tell us something about like where that

25:20

the House is on this. The

25:23

fact that that is being offered

25:25

as an amendment I think is

25:27

a sign probably that the

25:30

kind of Intel Committee faction thinks that

25:32

that amendment will fail on the floor.

25:34

That you know the people who really

25:37

want to see it will get their

25:39

vote but they won't make it

25:41

into the bill. It won't be in

25:43

the version of the bill that would

25:46

potentially ultimately pass the House and

25:48

go over to the Senate. We can talk about the

25:51

Senate in a second. One other

25:54

thing that something you said made me

25:56

remember that I wanted to note is

25:58

another kind of general dynamic here

26:00

that it appears Speaker Johnson has

26:03

kind of maneuvered or tried to

26:05

maneuver his way out of is

26:07

that there is a there's a

26:10

proposal that's been kind of wrapped

26:12

up in this reauthorization debate that

26:14

is generally referred to

26:16

as the, quote, Fourth Amendment Is Not

26:19

For Sale Act, which is a set

26:21

of provisions that

26:24

involve the ability to in

26:27

conjunction with surveillance purchase commercial

26:30

data that the surveillance itself

26:32

cannot capture that notably that

26:35

was sort of in the

26:37

potential mix for being considered

26:39

as part of FISA

26:42

reauthorization with the House. What Johnson

26:44

has sort of indicated that the House

26:46

may do instead is have a

26:49

separate vote on that proposal later this

26:51

week, but at that higher two thirds

26:53

threshold so not take that proposal through

26:55

the rules committee just bring it to

26:57

the floor directly I think under the

26:59

assumption that it would not get two

27:01

thirds as a standalone measure such as

27:04

I got another example of

27:06

what's going on here. But

27:09

Quinta back over to you. Well,

27:11

I'm gonna kick it right back to you by

27:13

asking what the situation is in the Senate and how

27:15

that plays into our understanding of what's happening. Yeah,

27:17

so I think the two things that I

27:19

would note about the Senate. One

27:22

is that we've just been talking about

27:25

quote-unquote warrant requirement in some form. I think

27:27

it is expected that that's

27:30

probably a non-starter in the Senate. So

27:33

if sort of Johnson and

27:35

folks who want to see

27:37

this reauthorized and I say

27:39

that Johnson has attempted

27:43

to maintain

27:45

some posture of

27:48

neutrality between the warring factions

27:50

of his conference on this.

27:53

I think there are a series of

27:55

things that have happened that suggests that

27:57

he is more

27:59

aligned with the kind of intel

28:01

faction, but he has tried very

28:04

hard not to anger the other faction

28:08

too much. The

28:11

other faction are Republicans

28:13

who are also, in many cases, mad at

28:15

Johnson about other things, which we'll get to

28:17

in a little bit. But

28:20

I think the notion is that if

28:22

the House were to adopt a warrant

28:25

requirement, that would make it very hard

28:27

for that version to pass the Senate.

28:30

Though I think I'm not sure that that's true.

28:33

The other thing that Johnson and

28:35

House Republican leadership have been trying

28:37

to impress upon their conference is

28:40

that if they cannot get their act together,

28:42

if they cannot in

28:44

the House pass something that reauthorizes

28:46

FISA, the Senate is prepared probably

28:49

to do something that looks much

28:51

more like a clean extension that

28:53

does not make any of the

28:56

changes that are even in the

28:58

House intel committee's version. Again, I

29:01

think different people have

29:03

different perspectives on how

29:06

much change is actually in the intel

29:08

committee's version and how much is it

29:10

the intel committee trying to sell

29:14

things as changes that aren't really changes.

29:17

But there is this sense that, or

29:19

Johnson at least is trying to convince

29:22

House Republicans that if

29:24

they can't do this themselves, this

29:26

will be yet another situation where

29:29

their inability to act and

29:31

their intra-party divisions are just going to end

29:33

up with them getting jammed by the Senate.

30:31

So

30:37

moving on to another situation in which the House's

30:39

inability to get its act together will

30:41

cause them to get jammed by the Senate.

30:43

Let's talk about our other... That's really all

30:45

I spend my time talking about because so

30:48

happy to take up the next round. Yeah,

30:50

look Molly, when you're on... when we

30:53

have the privilege of getting you on RadSec, we try to shut up and

30:55

let you talk. And I'd just like to

30:57

say for all the listeners who are... don't

31:00

get to see the visual, Molly just very... she

31:02

said her thing and then just took a very elegant

31:05

sip from... I think it was a C-SPAN mug. Is

31:07

that correct? Am I saying that correctly? Okay. It

31:09

is the reward you get if you go

31:11

on C-SPAN in the mornings and

31:13

take live C-SPAN callers, which is an

31:15

experience unlike any other I have had

31:18

in my life. They should

31:20

give you like a hundred mugs for that. Just

31:22

a small digression. I feel like in our world, there's

31:24

like famous and there's nerd famous, which is what like

31:26

people like us actually care about. Right?

31:29

So there's like, you know, like local

31:31

affiliate NPR. Then there's like, I was

31:33

on national NPR. I think taking C-SPAN

31:35

calls is... You're done.

31:37

You've peaked. How does it feel to

31:39

have peaked, Molly? My personal

31:42

favorite version of this, and again, I

31:44

apologize for the digression, is

31:47

one that comes from a friend of

31:49

mine who sort of occupies a similar

31:52

space to me, who told me once

31:54

that there are two and

31:56

only two public engagements that

31:59

bring his old high school girlfriends

32:01

out of the woodwork to send him

32:03

emails. One of them is appearing

32:05

in the New York Times and the other one

32:07

is appearing on National NPR. So

32:09

that's like the benchmark that I tend to think about.

32:12

I love it. He clearly had good

32:14

taste in nerdy girlfriends in high school, I

32:16

approve. Okay, so we've

32:18

talked about one source of headaches for Mike Johnson.

32:20

Let's talk about another source of headaches for Mike

32:22

Johnson, which is these

32:25

aid bills for Israel and Ukraine. Let

32:28

me actually start with what's been happening in the Senate.

32:30

Here it seems a little more straightforward, right? So the

32:32

Senate has in fact voted on a kind of a

32:34

bipartisan Israel-Ukraine bill.

32:37

So you just talk about what's happening there and

32:39

we can then segue from that into what Magic

32:43

Mike is trying to deal with. So

32:45

on one level, I think in the Senate,

32:47

there's just a fair amount of frustration about

32:49

the fact that they did this. There

32:52

was a lot of frustration about how they

32:54

got to the point of having something that

32:56

they could pass. There's

32:58

a whole torturous episode around

33:01

were there border-related

33:04

provisions that the Senate could

33:06

negotiate and get Senate approval

33:09

for that then potentially could

33:11

go over to the House

33:13

and that went terribly

33:15

for Jim Lankford

33:18

and Chris Murphy and Kyrsten Sinema, who

33:20

spent a lot of time working only

33:22

to have Republicans throw Jim

33:24

Lankford under the bus in mere

33:26

hours from when they announced what

33:29

they had agreed to. And so on

33:31

one level, I think there's a lot of, there's

33:33

for the folks in the Senate who would

33:35

like to see additional assistance to Ukraine approved.

33:37

There's a lot of frustration. There

33:40

is a faction in the House,

33:42

excuse me, in the Senate Republican

33:44

Conference that is not interested in

33:47

approving additional assistance to Ukraine

33:49

without sort of significant changes to the

33:51

structure of that assistance. So we can

33:53

talk about what that

33:55

might look like, but it

33:58

seems the... is a

34:00

little bit of an overstatement, but

34:02

it seems like if you ask

34:04

Mitch McConnell about anything right now,

34:07

he will pivot the answer to

34:09

just telling you that the Senate

34:11

and the House need to approve

34:13

additional assistance to Ukraine. Like, it

34:15

continues to be the biggest

34:17

thing that he appears to care

34:19

about in the now

34:22

waning days of his leadership of

34:24

the Senate Republican Conference. And

34:26

so I think that that's kind of where the

34:29

Senate is. And I

34:31

think there is a sense among

34:33

some Democrats in the House that

34:35

the most likely scenario that we

34:37

still get is that the

34:39

House takes up what the Senate has passed

34:41

already. That is, we can

34:43

talk about why I think

34:46

I'm a little skeptical of that. But it actually,

34:48

at this point, the reason I'm

34:50

skeptical of that has as much to do with the

34:53

evolving congressional politics of assistance to

34:55

Israel as it does with the,

34:57

actually, I would say, sort of static

34:59

congressional politics of assistance to Ukraine. OK.

35:02

So before we then get to the House, I actually do

35:04

want to pause and talk actually about the substance of

35:07

these bills, right? In particular, just the substance of providing

35:09

aid to Ukraine and aid to Israel. So my sense

35:11

is that aid to Israel, while

35:13

Israel would appreciate it, it's

35:15

hardly existential for Israel. Israel is a rich country.

35:18

It is not facing, you know, it is

35:21

the Goliath here, right? Not the David. Although,

35:23

obviously, it's a complicated situation. And

35:26

so funding from the United

35:28

States to Israel would be nice for Israel. It'd

35:30

be like a good signal.

35:32

It'd be a nice gesture. But

35:34

it's hardly existential for Israel. But

35:36

that's not the case for Ukraine.

35:38

And Quinta, you mentioned in

35:40

the intro, Ukrainian

35:43

President Zelensky has basically, well, not basically, he's

35:45

just very explicitly said, if we do not

35:47

get this funding, we will lose

35:49

the war in Russia. Yeah, saying that more

35:51

and more directly as time goes on. And

35:54

I'm curious, actually, what you think about that. Obviously,

35:56

it's pretty clear that that aid would be

35:58

much more useful to Ukraine in a way

36:00

that, you know, again, it's not existential for Israel. But

36:03

of course, it is an interest to say very

36:05

strongly that he needs that aid, or,

36:07

you know, the Ukraine will quote unquote, lose

36:09

again, whatever that means. I'm sort of curious

36:12

what you think about that. I mean, do

36:14

you think this really is kind of an

36:16

existential moment in the Russia-Ukraine war? Let

36:18

me start with you, you, Quinta. My impression is

36:20

honestly, yeah, that it is. I think that,

36:22

I mean, Molly, I'm curious for your perspective

36:25

as well, because I know you've been in

36:27

a number of podcasts discussing this with

36:30

people who are far more expert than I am. But

36:32

my strong impression is that it

36:35

is not an exaggeration to say

36:37

that if the House

36:39

cannot get it together and approve aid

36:42

and Ukraine loses the war, it will

36:45

be the House Republicans' fault. That

36:48

sounds extreme and

36:50

like I'm exaggerating. I really

36:52

don't think that I am. And I

36:54

actually don't know to what

36:57

extent it has sunk in

36:59

among House Republicans and

37:02

among sort of centrist

37:04

policy types in D.C. the

37:06

extent to which that is

37:08

the case. Like the Ukraine

37:11

is really on a razor's edge right

37:13

now. They have been, I don't know

37:16

whether outright retreating or just saying that they're

37:19

going to need to start retreating. But like

37:21

the situation is not good. And

37:23

they have been able to hold on

37:25

for this long precisely because of these

37:27

shipments of aid from the U.S. and

37:29

from Europe. That's

37:31

really key. And the bottleneck here

37:33

is the House Republican

37:36

Caucus, which honestly

37:38

raises separate from

37:41

the fate of Ukraine, which I think is

37:43

the real consideration here, I think also raises

37:45

kind of a domestic political question for me,

37:47

which is do they

37:49

realize that? And

37:52

if they do or if they don't, do

37:55

they have a sense of

37:57

what the fallout for them will be?

38:00

if this happens and people are able to

38:02

point to them and say, you know, this

38:04

was you, you did this.

38:07

I actually don't have a sense of that particularly,

38:09

or if they care, frankly, or if it's really

38:11

just posturing. I don't know, Molly, do you? Yeah,

38:13

so I don't- It's sort of, am I exaggerating?

38:17

Not as I understand it. Again,

38:19

most of what I know here

38:21

comes from listening to colleagues of

38:23

ours at Lawfare, at

38:26

Brookings, in sort of the Washington Think

38:28

Tank establishment. So I think the

38:30

one thing- The blob. One thing is the

38:32

blob, yeah. One thing that's really unclear to

38:34

me is, so to kind

38:37

of situate this within broader

38:39

dynamics within the House, sort

38:42

of the Republican Party more generally, but

38:44

specifically the House Republican Conference, is that

38:47

sometimes when

38:49

there is division within, again,

38:52

especially the Republican Party on

38:55

some major issue, there

38:57

are, within the sort

39:00

of people who are saying

39:02

no, some of those people

39:04

are true no's, and some of

39:06

those people are what we often refer

39:08

to as the vote no, hope yes

39:11

process. And what I don't have,

39:13

this goes to sort of your last point,

39:15

Quinta, what I don't have a great sense

39:18

of is among the, I'm

39:20

going to wildly shorthand this,

39:22

kind of 100-ish House Republicans

39:24

who have been no

39:26

votes on additional assistance to Ukraine

39:29

in some form. How many

39:31

of them are true

39:33

no's and how many of them are

39:35

this sort of vote no, but

39:37

hope this actually gets done and

39:40

are taking the no position

39:44

because they feel pressured to

39:46

do so by President Trump, any

39:49

number of things. The other

39:51

thing that I'll note on kind

39:54

of like thinking about the

39:56

issue of assistance to Ukraine as

39:59

related to- assistance to Israel,

40:01

and I think it's important

40:03

to remember that when we

40:05

started down this particular version

40:08

of the assistance to Ukraine

40:10

path, it was before Hamas

40:12

attacked Israel on October 7th.

40:15

So the kind of first several

40:18

rounds of this fight were

40:20

about a proposal that would have had

40:22

assistance to Ukraine with additional money for

40:24

the border and then some assistance or

40:28

some additional funds for U.S. operations

40:31

in the Asia Pacific, sort of short-handed

40:33

as money for Taiwan. And

40:35

so when the

40:38

war in Gaza erupted in

40:41

early October, the

40:43

initial idea was that, oh,

40:46

we will add assistance

40:48

to Israel to this

40:50

proposal because it might

40:53

be a vote-getter. It

40:55

might help build a coalition

40:57

that will also—it might sway

41:00

some people who had been no's

41:02

on assistance to Ukraine and turn

41:05

them into yeses on a combined

41:07

assistance proposal. For Mike Johnson. And

41:12

the politics of that in

41:14

the intervening six months have

41:16

just changed wildly. And

41:19

so I don't—and this gets sort of back to

41:21

this question of like, what might

41:23

the House do? And

41:26

I think it's a real possibility that

41:28

now they need to take

41:30

these two things that were connected

41:32

under the idea that doing

41:35

the two of them together would help

41:37

get votes for the thing and cleave

41:39

them apart because of

41:43

the evolving politics of

41:45

providing additional assistance to

41:47

Israel. So

41:50

kind of where—just to wrap up the

41:52

segment maybe—kind of where we are at

41:54

the moment is

41:57

that there are, quote-unquote,

42:00

plans for the House to

42:02

consider some sort of measure

42:04

providing additional assistance to Ukraine

42:07

next week. I think plans was doing a lot

42:09

of the work in that sentence. And

42:12

there's a lot of debate over the form that

42:14

that would take. But a

42:16

big open question for many

42:19

folks is if Johnson does

42:21

bring a Ukraine

42:23

assistance package to the floor, whether it

42:25

has additional assistance for Israel, whether it's

42:27

separate from that, who knows, is

42:31

that a thing that would trigger

42:33

the kind of most

42:37

hardline element in the

42:39

conference to try and get rid

42:41

of him in the same way that they

42:44

got rid of McCarthy last fall? I

42:46

will say that I

42:48

am skeptical of that. I certainly could be

42:50

wrong. I think that

42:53

many, many Republicans do not

42:55

have an interest

42:57

in going through that experience

42:59

again. And I

43:01

also think that the chances

43:03

for the calculations

43:05

for Democrats of sort

43:08

of potentially backstopping

43:10

Johnson in a way

43:12

that they were unwilling to backstop McCarthy,

43:15

I think those calculations are different in

43:18

part because while Johnson is

43:20

very conservative and is not

43:23

liked for policy reasons by

43:25

many Democrats, he

43:27

does not have the same track record

43:29

of doing things that make each and

43:31

every element of the Democratic caucus angry

43:33

in the way that McCarthy did in

43:35

the run up to what happened in

43:38

late September. So you can have me

43:40

back on in a couple of weeks when

43:42

I may have to eat

43:44

these words, but I am

43:47

somewhat skeptical that we'd actually

43:49

see Johnson get deposed over

43:51

bringing something to the floor in

43:53

Ukraine. And maybe the answer to that is he

43:55

just ultimately doesn't do it, but that's

43:58

kind of where I see that piece

44:00

of the puzzle. And

44:02

now the second we've all been waiting for. Yes,

44:05

the second we've all been waiting for. So

44:11

late last month, a Microsoft

44:14

developer uncovered a backdoor planted

44:16

in a widely deployed Linux

44:18

utility called XZ Utils. I

44:21

just want to say that I spent a lot

44:23

of time trying to think about whether I could

44:26

make a joke about utils from Econ

44:28

101. Oh, that literally just

44:30

occurred to me. I came up with nothing. What's

44:35

your XZ utility function?

44:37

I just thought about

44:39

it for a long

44:42

time. The Pareto optimality.

44:45

So this backdoor was detected

44:47

before it was included in

44:49

any like production releases for

44:52

big Linux distributions. But if it hadn't

44:54

been discovered when it was, the consequences

44:56

would have been quite large. So,

44:59

Alan, mostly I want to talk

45:01

about the national security implications here.

45:04

But I think it'd be helpful

45:06

to start briefly with just like

45:08

a basic overview of

45:11

the underlying environment computing wise that

45:13

like creates this possibility. So

45:15

we spent a lot of time saying, Oh, like X is

45:18

a national security issue, what we're at, whatever

45:21

X is. But can you

45:23

briefly help us understand why, like, as I

45:26

understand it, there's a widely

45:28

accepted set of programming practices that like

45:30

creates the opportunity for what would

45:33

have been a huge cybersecurity crisis? Yeah.

45:36

And so here, I want to reference a

45:38

great piece that we just published, I think

45:40

yesterday or Tuesday by Bruce Schneier on this

45:42

specific backdoor. And then we've published some great

45:45

stuff also by Chinmayi Sharma on kind of

45:47

open source software generally. And I

45:49

think this really is a story. I mean, there's

45:51

obviously a very specific technical point here about XZ

45:53

Utils and the SSH utility and

45:55

the backdoor and all that sort of stuff, which which,

45:58

you know, even I computer dork that I am only

46:00

sort of understand. I mean the open

46:19

source software is so important and so vital

46:21

and also screwed up all at the same

46:23

time. So there's a great, I

46:25

think it's an XKCD cartoon, which we will also

46:27

link to the show notes, where it's like a

46:31

giant tower of building

46:34

blocks and the

46:37

image label is something like civilization or

46:40

something. And then at the very bottom, there's a tiny little

46:43

jenga piece everything's balancing on and

46:45

it's labeled like some tiny utility

46:47

that some dude has been maintaining

46:50

in his free time for the last eight

46:52

years. And this is how open source works,

46:54

right? So increasingly as

46:57

computer systems have gotten more and more complicated, the

47:00

job of a programmer developing the system is less

47:02

to sort of start from scratch, but to take

47:04

existing modules and

47:06

kind of Lego blocks basically and build on

47:08

top of them. And you want to do

47:10

that. Like that's clearly the way to do

47:12

it because that makes programmers

47:15

much, much more productive. And there

47:17

also can create a lot

47:19

more security if everyone's relying on

47:21

a relatively narrow set,

47:23

narrow here being a few thousand

47:25

or a few tens of thousands,

47:27

which again doesn't seem that

47:30

narrow, but in the context of our digital

47:32

world is pretty small, a relatively

47:34

narrow set of really well-developed

47:36

and well-vetted modules. The

47:39

problem is that the

47:42

way that these modules are run is they tend to

47:44

be open source, which is to say they

47:46

are run basically by volunteers.

47:50

They're not generally maintained by companies and

47:52

these volunteers are just basically doing this

47:55

in their free time. Now,

47:57

again, that's really good because that's created this incredible

47:59

generation of the

48:01

modern open source ecosystem. GitHub,

48:04

which is one of these open source repositories where

48:06

a ton of stuff is hosted, has been incredible

48:09

because it's allowed people from all around the

48:11

world to contribute, right? Some

48:14

people doing so as core maintainers, some

48:16

people like even me who have contributed tiny little

48:19

bits based on my own tiny expertise, right, such

48:22

as it is in little projects, and it's really, really fun.

48:25

But the problem is that these maintainers are

48:28

doing this on a volunteer basis, and

48:30

they only have a certain amount of bandwidth. And there's no

48:33

real oversight of them. Basically,

48:36

the way it works is, you know, someone

48:38

initially uploads something to GitHub, it's their repository,

48:40

they have what are called commit privileges, which

48:43

is basically they're the ones that can authorize the

48:46

changes that other users submit. And

48:49

then if the community of

48:51

programmers decides that that's a good repository,

48:54

people just use that

48:56

code. But there's no control

48:58

over that person's code except

49:01

that person. There's no mechanism. In

49:03

addition, those individuals who own the repository of commit privileges,

49:06

they can, they're the ones who decide who

49:09

else gets commit privileges. And this

49:11

is what happened in this case, where the maintainer

49:13

of this very widely used utility who

49:15

was really busy and had some sort of personal issues he

49:17

was working through, he was

49:20

approached by another user, a user

49:22

we now realize was likely the

49:24

front of, you know, an invented

49:26

persona by some probably nation

49:29

state actor, given the sophistication, you know, almost

49:31

certainly either the Russians or the

49:34

Chinese, who over a period

49:36

of, you know, months, I think maybe

49:38

even years, convinced this

49:40

individual to give him commit

49:42

privileges by being a useful member of

49:44

that community. Now, once that person

49:46

then got commit privileges, then over the next few

49:49

years, he gave commit privileges to some other people,

49:51

also probably front individuals for this

49:53

nation state actor. And then over time,

49:55

they managed to insert this

49:57

back door. And so this shows a real,

50:00

real vulnerability in the open source system, right?

50:02

Where you have our

50:04

entire digital infrastructure relying on these tiny

50:06

little components that are controlled

50:09

by volunteers, where

50:12

there's no real oversight. And

50:14

so that's, on the one hand, a big problem, which is a

50:17

huge vulnerability. On the other

50:19

hand, the way that this vulnerability was itself

50:21

discovered shows the upside of open source, which

50:23

is that because all the code

50:25

is open, that is literally

50:27

what open source means, or that's one of the

50:29

key features of open source software. You can go

50:31

and read the actual source code. It's not just

50:33

a kind of machine executable binary that you have

50:35

to accept on face that someone gives you. Anyone

50:37

can look at that. And because it's such a

50:39

broad community, people can look, and if they think

50:41

there's a problem, they can go and dig around.

50:43

And that's exactly what this Microsoft researcher did. And

50:46

so it's

50:48

tricky to know exactly what the lesson

50:50

here is because

50:54

you can sort of spin it either way. Yeah,

50:57

which is that this was obviously a crisis

51:00

averted, but

51:02

what should we take away from the fact that

51:04

it almost happened? And it's clear

51:06

the consequences would have been quite

51:09

serious. But given

51:11

everything that you just really helpfully explained

51:13

to me as a nerd

51:15

about many things, but not at all about this,

51:18

what are the possible structural responses?

51:20

Or are we just gonna

51:23

keep operating on the hope

51:25

that some solitary

51:27

Microsoft engineer or what

51:29

have you finds these

51:31

sorts of efforts in

51:34

this open source code? Yeah, I mean,

51:36

so there's a kind of a range of options. I'm

51:38

gonna sort of put them in

51:40

three rough buckets. Sort of one bucket

51:42

is business as usual. So the first option is

51:45

saying, no, this worked. This is

51:47

exactly how it's supposed to work. I mean, it's bad

51:49

that this person was able to get commit access and

51:51

inject a backdoor, but the system worked, right? And

51:54

we should just keep doing what we're doing and

51:56

we should make open source even more open, right? We

51:58

should have even more people involved and everything should be

52:00

more open source because again, the more eyeballs you

52:02

have on the problem, the better it is. And

52:04

again, there's some precedent for this. This is in

52:07

fact how modern cryptography works. It used to be

52:09

that cryptographic systems were developed in-house

52:11

and their details were secret. And the idea being

52:13

that because they were secret, they'd be harder to

52:15

crack. And starting in the 1990s

52:18

and through today, it's become clear that

52:20

actually a much better system is to

52:22

have cryptographic systems where the details are

52:24

completely public. But

52:26

because they're public, people can stress test

52:28

them. And you could design systems that are

52:30

so good that even though the details are public,

52:32

like even though to use a metaphor here, the

52:35

schematics of the lock are public, it's just so

52:37

complicated and so well designed, you can't pick the

52:39

lock, right? So that's kind of one option. Another

52:42

possibility, this goes all the way to the other end of

52:44

the spectrum is to say this is not feasible, right? Like

52:46

you cannot have a system in which stuff

52:49

is built on this group

52:52

of random utilities designed and

52:55

maintained by random people and that this could have been

52:57

a disaster and so we have to lock it down.

52:59

And so companies need to move away

53:01

from open source, move to closed source. Maybe

53:04

you have to go back to sort of what's

53:06

called security by obscurity. I haven't seen a lot

53:08

of suggestions on that because it would be

53:10

such a tectonic shift, but that is kind of conceptually one

53:12

possibility. And the third, and I

53:14

think this is where there's been some interesting work and honestly

53:17

including interesting work by Lawfare. I'm going to use this

53:19

to plug our ongoing security by

53:21

design project in which we're trying to

53:23

think through, white papers and

53:25

blog posts, kind of what security in software

53:27

and hardware should look like. It's

53:30

to see if we can take sort of the core of

53:32

open source, but maybe beef it

53:34

up a little bit. So maybe there

53:36

are various set of liability mechanisms that we

53:38

can add to open source. The

53:41

most dramatic of which is to make open source

53:43

developers themselves liable for software. That has huge downsides

53:45

and most people don't really advocate

53:47

for that because that would basically ruin the open source

53:49

ecosystem. But maybe you have a situation in which

53:52

companies that use open source software have to

53:54

do more work from a

53:56

liability perspective to vet that software. Or maybe companies move

53:59

to a particular company to instead of a

54:02

blacklist model where you use all the open

54:04

source software you can get your hands on,

54:06

except that which is known to be bad,

54:08

maybe more companies move to a

54:11

whitelist model where you don't

54:13

– you only use

54:15

pre-vetted open source software. Maybe

54:19

there's also a way to incentivize companies to invest

54:22

more in maintaining the open source

54:24

itself, right? If this person who

54:27

had the thankless job of maintaining

54:29

this incredibly important but kind of

54:31

esoteric utility had more

54:33

support, right, had a team behind him

54:35

or had other maintainers that were not

54:37

just randos on the internet that turned

54:40

out to be the front for the

54:42

Russian government but were rather Microsoft and

54:44

Google researchers who get 10% free

54:46

time to do open source stuff, maybe that would

54:48

have solved that problem. The question there is how

54:51

do you align those incentives because, of course, open

54:53

source is just a classic example of a public

54:55

good where you have a tragedy of the commons

54:57

problem and sort of how do you get companies

54:59

to – We're just hitting one on one. Yeah,

55:02

exactly. Exactly. I

55:04

mean, in a sense, right, I mean, this is

55:06

– there's the technical piece of this which is

55:10

interesting but I think not super relevant to

55:12

our discussion. But then there's what I think

55:14

of as literally the economics of open source.

55:17

This is much more of an economics problem

55:19

in a sense of how to align incentives

55:21

than it is even a technical

55:23

problem if you're thinking about open source. But

55:27

man, it's so much fun to talk about Linux on this. And

55:30

so do we have any sense of

55:32

who was behind this? Reading about the

55:35

sort of scheme in Bruce Schneier's

55:37

post, it's like it's pretty involved.

55:39

Oh, it's super sophisticated. It's super

55:41

sophisticated both at the – it's

55:43

sophisticated on two levels, right?

55:45

So the technical level is sophisticated, right? It's

55:47

like a backdoor that talks to another backdoor that talks

55:50

to another backdoor that talks to another backdoor, right? So

55:52

in that sense, it's just a very complicated technical

55:54

exploit. But it's also sophisticated

55:56

in the degree of social engineering

55:58

that it involved. You need someone

56:01

who understands how open source works, who can

56:03

ingratiate themselves into community, who can use the

56:05

right lingo, who can use English in an

56:07

appropriate way, which might not be native fluency

56:09

because there are lots of open source developers

56:11

from all around the world. But

56:14

there's a way that crappy intelligence agencies

56:16

talk when they're trying to do these

56:18

operations versus good intelligence agencies. Greetings, friend.

56:20

Yeah, exactly. Exactly, yes. Hello,

56:23

young people. And

56:26

so, no, we don't know who this is. And

56:29

attribution in cyber security

56:31

is always difficult. But

56:34

it seems like this is a level of

56:36

sophistication that only a well-resourced, probably nation-state adversary

56:38

could pull off. And there's going

56:40

to be a lot of forensics ongoing in

56:43

the next weeks and months that we'll

56:45

see. And I suspect this is

56:47

something that it's not only computer researchers that are

56:49

interested in, but I certainly hope the NSA and

56:51

CIA are trying to figure this out too, though

56:53

presumably they won't necessarily tell us based

56:56

on what they know. All

56:58

right, time for object lessons. Alan, let me

57:00

start with you. Sure.

57:03

So, I have two kids. And

57:06

as they grow older, it's very fun to mark

57:09

off their heights. And

57:11

often that's done just in like a doorway, which is

57:13

a totally reasonable way to do it. But we want

57:15

to do it with a little more pizzazz. So

57:18

we got for our older child

57:20

a giraffe growth

57:23

chart. It is just

57:25

a big, beautiful, cute wooden giraffe that

57:27

is on his wall. But it

57:29

has a ruler on like one side

57:31

of the giraffe. And so as he gets

57:33

older, you can sort of mark off the heights.

57:38

And it is really sweet. I'm going to leave a link

57:40

to the Etsy store for this individual

57:42

who makes these. And obviously, they come in many animals.

57:45

So once our younger child

57:47

gets old enough that we can start tracking,

57:49

we'll have to get him his own animal.

57:53

Happy to take suggestions from our

57:55

followers as to should it be a zebra or an elephant

57:57

or whatnot. But it's just a really nice, fun

58:00

thing. It makes a really fun thing

58:02

in a little kid's room and I like to

58:05

support good Etsy artisans. And

58:08

it's good for adults too, you know? I

58:10

mean, we've all stopped growing. Maybe

58:13

like a weight, maybe like a giraffe, like a hippo weight

58:15

chart, but that'd be depressing. Yeah.

58:17

I mean, we all as millennials that we

58:19

are, I don't think have approached the part

58:21

where we start getting shorter. Although, I went

58:23

to the doctor, she told me that she

58:27

did recently have to tell people, two people who

58:30

thought they were six feet tall, but they were

58:32

in fact not six feet tall. So that's brutal.

58:35

Yeah. Yeah. No, it's one of my great regrets

58:37

in life that I am five foot 11 and

58:39

a half. And I am

58:41

not six feet tall. That's what you have

58:43

to be aware of. Honestly, I am currently probably six feet

58:45

tall, if you add the hair. Molly,

58:48

what about you? Sure. So

58:51

we talked a lot about

58:53

Congress this week. But we

58:55

didn't talk about the pending consideration

58:57

by the Senate of the

58:59

impeachment articles of Secretary Mayorkas. But

59:02

in honor of that, I want

59:04

to commend to everyone

59:07

my single favorite story

59:09

from a Senate impeachment

59:11

trial, which comes

59:13

from the start of the

59:16

Clinton impeachment and is

59:18

detailed in Peter Baker's really excellent

59:20

book about the Clinton impeachment. It's called

59:22

The Breach. And there's

59:24

a story about how when

59:26

the Senate convenes for an

59:29

impeachment trial, one of

59:31

the initial things that happen is that all

59:33

of the senators have to sign this book,

59:35

attesting that they

59:38

have been sworn in as jurors

59:40

sitting in an impeachment trial. This

59:42

is as an aside, a really

59:44

great way to determine which senators

59:46

are left handed. But in the

59:48

Clinton impeachment, all

59:50

the senators go to sign

59:52

this book, and they have these ceremonial pens that

59:55

they are to use for the task. And

59:58

the pens, it turns out, have

1:00:00

been misprinted. Instead of saying

1:00:03

the United States Senate, they

1:00:05

say the untied state Senate,

1:00:07

which really is just really

1:00:10

just very fitting. This story

1:00:14

is recounted in Baker's book. It

1:00:16

gets its own entry in the

1:00:18

index. There's an entry of the

1:00:20

index for misprinted pens. It really

1:00:22

is just a delight.

1:00:25

And so I offer the story to

1:00:27

you. The book is also

1:00:29

really excellent and I

1:00:31

think I learned a lot

1:00:33

from reading it. So we will link to

1:00:36

that as well. Quinta, what about you? So

1:00:39

in honor of Molly's return

1:00:41

to Rational Security, I'm recommending

1:00:43

a podcast series produced by

1:00:45

a regional NPR affiliate. If

1:00:48

there's nothing else that I've accomplished by

1:00:50

occasionally appearing on ROTC, I will take

1:00:53

converting more people to the cause of

1:00:56

listening to a recently produced NPR podcast.

1:00:58

Yes. So this one is from

1:01:00

KUOW and the Seattle Times.

1:01:03

It is called Lost Patients. That's

1:01:05

patients with a T and

1:01:08

is about the sort of absence

1:01:11

of a system, I guess is

1:01:13

the best way to describe it,

1:01:15

or multiple complicated, not really interlocking

1:01:17

systems for dealing with people, for

1:01:20

helping people with severe mental illness get

1:01:22

treatment. So far, I have

1:01:24

only listened to the first two and

1:01:26

a half episodes, but I'm enjoying

1:01:29

it a great deal. It's really thoughtfully

1:01:31

and compassionately done. And I

1:01:33

think it's kind of a

1:01:35

useful context to

1:01:37

a lot of the reporting that you

1:01:40

see right now about the crisis of

1:01:42

homelessness and other issues in

1:01:44

cities and across the country. It adds

1:01:46

really useful context to that and

1:01:48

includes some really heart-rending stories. So

1:01:51

highly recommended, although it will

1:01:53

not cheer you up. That

1:01:56

brings us to the end of this week's episode.

1:01:58

Rational Security is, of course, a production of

1:02:00

Lawfare. Be sure to visit

1:02:02

lawfaremedia.org for our show page with links and

1:02:05

past episodes, for our written work

1:02:07

and the written work of other Lawfare

1:02:09

contributors, and for information on Lawfare's other

1:02:11

podcast series, including The Aftermath. Be

1:02:14

sure to follow us as well on Twitter

1:02:16

at RatlSecurity and leave a rating or review,

1:02:19

and sign up to become a material supporter of

1:02:21

Lawfare on Patreon for an ad-free version of this

1:02:23

podcast and other special benefits. Our

1:02:26

audio engineer and producer this week was Noam

1:02:28

Osband of Goat Rodeo, and our

1:02:30

music as always was performed by Sophia Yan.

1:02:32

We are once again edited by Jen Patja.

1:02:35

On behalf of my co-host, Alan, and our special

1:02:38

guest Molly Reynolds, I'm Quinta Jurecic, and we'll talk

1:02:40

to you next week. Until then,

1:02:42

goodbye.
