US interest rate rise almost certain after bumper jobs growth

President Trump quickly claims credit for 235,000 jobs created last month as pressure on Federal Reserve grows to order first of three predicted rises

The US Federal Reserve is poised to raise interest rates next week for only the third time since the financial crisis after the latest job numbers for the world’s largest economy beat expectations.

The closely watched Labor department data for February showed that the number of new jobs soared to 235,000, the best month for job growth since July last year, adding to pressure on the central bank to agree the first of three predicted rises this year.

Continue reading…

Volkswagen pleads guilty to all criminal charges in emissions cheating scandal

The German automaker admits scheme to skirt pollution rules justifies felony conspiracy and obstruction of justice, in what attorney calls ‘calculated offense’

Volkswagen pleaded guilty on Friday to conspiracy and obstruction of justice charges in a brazen scheme to get around US pollution rules on nearly 600,000 diesel vehicles by using software to suppress emissions of nitrogen oxide during tests.

The German automaker has already agreed to pay $4.3bn in civil and criminal penalties – the largest ever levied by the US government against an automaker – although VW’s total cost of the scandal has been pegged at about $21bn, including a pledge to repair or buy back vehicles.

Continue reading…

NFL hits back at ‘meritless’ claims it broke the law on prescription drugs

  • Ex-players say NFL routinely ignored laws governing drug regulation
  • League insists ‘the clubs put the health and safety of our players first’

The NFL has rejected accusations that its teams routinely ignored federal laws regulating the use and distribution of addictive prescription painkillers.

Related: Tony Romo might be a splash signing, but he won’t deliver a Super Bowl | Les Carpenter

Continue reading…

Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates

A new report from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.

The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.

Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.

Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.

Chart: RAND (life expectancy of the exploits in the database; image not reproduced here)

Rand’s researchers found that there was no pattern around which exploits lived a long or short life — severe vulnerabilities were not more likely to be fixed quickly than minor ones, nor were vulnerabilities in programs that were more widely available.

“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,” write lead researchers Lillian Ablon and Andy Bogart in their paper “Zero Days, Thousands of Nights.”

Rand, a nonprofit research group, is the first to study in this manner a database of exploits that are in the wild and being actively used in hacking operations. Previous studies of zero days have used manufactured data or the vulnerabilities and exploits that get submitted to vendor bug bounty programs — programs in which software makers or website owners pay researchers for security holes found in their software or websites.

The database used in the study belongs to an anonymous company referred to in the report as “Busby,” which amassed the exploits over 14 years, going back to 2002. Busby’s full database actually has around 230 exploits in it, about 100 of which are still considered active, meaning they are unknown to the software vendors and therefore no patches are available to fix them. The Rand researchers only had access to information on 207 zero days — the rest are recently discovered exploits the company withheld from Rand’s set “due to operational sensitivity.”

While it’s not known how many of these exploits are in the U.S. government’s arsenal, Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, believes the U.S. government’s zero-day stockpile is comparable in size to Busby’s.

For many years, critics of the government’s use of zero days suspected the arsenal numbered in the thousands. But a report Healey published with his students last year, based in part on statistical analysis of the number of zero days that get discovered and disclosed each year to bug bounty programs, estimated that the government’s trove likely contained between two dozen and 225 zero-day exploits.

This would seem to jibe with statements made by government officials. Michael Daniel, former special adviser to President Obama on cybersecurity issues and a member of Obama’s National Security Council, has said in the past that “there’s often this image that the government has spent a lot of time and effort to discover vulnerabilities that we’ve stockpiled in huge numbers and similarly that we would be purchasing very, very large numbers of vulnerabilities on the open market, the gray market, the black market, whatever you want to call it. [But] the numbers are just not anywhere near what people believe they are.”

Shining a Light on the Government’s Zero-Day Policy

The government has long insisted that it discloses more than 90 percent of the vulnerabilities it finds or purchases, and that those it doesn’t disclose initially get reviewed on a regular basis to re-evaluate if they should be disclosed.

The problem with this is that the public doesn’t know how long the government is exploiting these security holes before they’re shared publicly — and therefore how long ordinary citizens are left exposed to Russian or Chinese nation-state hackers or cybercriminals who may discover the same vulnerabilities and exploit them.

One factor that can affect how quickly the government discloses vulnerabilities is their collision rate or rediscovery rate. This refers to how often the same vulnerabilities get discovered independently by two or more parties.

It’s a metric that is particularly important in the policy debate around the government’s use of zero-day exploits; if the U.S. knows about a vulnerability, there’s a good chance others do too and are quietly exploiting it. If the data shows there is high probability that criminal hackers or nation-state hackers from Russia or China could discover a vulnerability and create an exploit for it, this can be an argument for disclosing the vulnerability sooner rather than later to get it patched. But if that probability is low, the government can use it to justify nondisclosure and keeping people at risk longer.

The Rand researchers found that the collision rate for the exploits in the Busby database was indeed low. In a typical one-year period, only about 6 percent of the vulnerabilities got discovered by others. That figure jumped to 40 percent, however, when viewed across the entire 14 years of the database.
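The two headline numbers in this article, the 6.9-year life expectancy and the per-year versus whole-window collision rate, both depend on how you handle exploits that are still alive when the data is cut: a naive average quietly treats an unpatched bug as if it died on the day of the snapshot. The script below is an added illustration, not code or data from the RAND report or from "Busby". The records, dates and snapshot are constructed; the Kaplan-Meier estimator is an assumption about the kind of survival analysis such a study needs, not a description of RAND's actual method; and the denominator used for the collision rate (exploits alive at the start of the window) is likewise a choice made here.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Added example. Records, dates and SNAPSHOT are constructed for illustration;
# they are not data from the RAND report or the "Busby" database. Kaplan-Meier
# is an assumption about the kind of estimator involved, not RAND's method.


@dataclass(frozen=True)
class Exploit:
    name: str
    acquired: date            # date the exploit entered the stockpile
    dead: Optional[date]      # date it stopped working; None = still alive
    cause: Optional[str]      # "disclosed" (someone else found the bug) or
                              # "code_change" (vendor refactored it away)


SNAPSHOT = date(2016, 12, 31)  # end of the observation window (constructed)

EXPLOITS: List[Exploit] = [
    Exploit("e01", date(2002, 1, 1), date(2004, 1, 1),  "disclosed"),
    Exploit("e02", date(2003, 1, 1), None,              None),
    Exploit("e03", date(2004, 1, 1), date(2015, 1, 1),  "code_change"),
    Exploit("e04", date(2005, 1, 1), date(2006, 7, 1),  "disclosed"),
    Exploit("e05", date(2006, 1, 1), date(2016, 7, 1),  "disclosed"),
    Exploit("e06", date(2007, 1, 1), None,              None),
    Exploit("e07", date(2008, 1, 1), date(2008, 12, 1), "disclosed"),
    Exploit("e08", date(2009, 1, 1), None,              None),
    Exploit("e09", date(2010, 1, 1), date(2012, 1, 1),  "code_change"),
    Exploit("e10", date(2012, 1, 1), None,              None),
]


def lifetime_days(e: Exploit, snapshot: date = SNAPSHOT) -> Tuple[int, bool]:
    """Days the exploit lived and whether its death was actually observed.
    A still-alive exploit is right-censored: it lived *at least* this long."""
    end = e.dead if e.dead is not None else snapshot
    return (end - e.acquired).days, e.dead is not None


def kaplan_meier(exploits: List[Exploit],
                 snapshot: date = SNAPSHOT) -> List[Tuple[int, float]]:
    """Survival curve S(t) as (days, S) steps, one per observed death time.
    Censored exploits stay in the at-risk set until their censor time but
    never count as deaths, so the curve is not dragged down by the snapshot."""
    obs = [lifetime_days(e, snapshot) for e in exploits]
    at_risk = len(obs)
    s = 1.0
    curve: List[Tuple[int, float]] = []
    for t in sorted({days for days, _ in obs}):
        deaths = sum(1 for days, seen in obs if days == t and seen)
        if deaths:
            s *= 1.0 - deaths / at_risk
            curve.append((t, s))
        at_risk -= sum(1 for days, _ in obs if days == t)
    return curve


def median_survival_days(exploits: List[Exploit],
                         snapshot: date = SNAPSHOT) -> Optional[int]:
    """First time at which S(t) drops to 0.5 or below; None if more than
    half the stockpile is still alive and the median has not been reached."""
    for t, s in kaplan_meier(exploits, snapshot):
        if s <= 0.5:
            return t
    return None


def naive_mean_days(exploits: List[Exploit], snapshot: date = SNAPSHOT) -> float:
    """Plain average that pretends every still-alive exploit died at the
    snapshot. Biased low, which is the reason to use a survival estimate."""
    return sum(lifetime_days(e, snapshot)[0] for e in exploits) / len(exploits)


def collision_rate(exploits: List[Exploit], start: date, end: date) -> float:
    """Share of exploits alive at `start` whose bug was publicly disclosed by
    someone else within [start, end). The denominator is an assumption."""
    alive = [e for e in exploits
             if e.acquired <= start and (e.dead is None or e.dead > start)]
    hit = [e for e in alive
           if e.cause == "disclosed" and e.dead is not None
           and start <= e.dead < end]
    return len(hit) / len(alive) if alive else 0.0


def ever_collided_fraction(exploits: List[Exploit]) -> float:
    """Share of everything ever stocked that was eventually found by others."""
    return sum(1 for e in exploits if e.cause == "disclosed") / len(exploits)


if __name__ == "__main__":
    print(f"naive mean life: {naive_mean_days(EXPLOITS) / 365.25:.1f} years")
    med = median_survival_days(EXPLOITS)
    print(f"Kaplan-Meier median life: {med / 365.25:.1f} years")
    y2008 = collision_rate(EXPLOITS, date(2008, 1, 1), date(2009, 1, 1))
    print(f"2008 collision rate: {y2008:.0%}")
    print(f"ever collided: {ever_collided_fraction(EXPLOITS):.0%}")
```

On the constructed sample the naive average comes out around 6.5 years while the censoring-aware median is about 10.5 years, which is the direction of error a snapshot always introduces. The per-year rate and the whole-window fraction also differ by design: the first asks how many of the exploits you held on a given day were taken from you within twelve months, the second asks how much of everything you ever held was eventually found by someone else, and a low annual figure is compatible with a high cumulative one once stockpiles are kept for many years.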

But there’s a slight problem with this analysis, says Columbia University’s Healey. The Rand researchers determined the collision rate based on publicly disclosed vulnerabilities — those discovered and reported by researchers as part of a vendor bug bounty program or made public in some other way, such as at conferences or in news articles. But this isn’t the collision that concerns critics of zero-day arsenals. They’re concerned about collisions with zero days that remain secret, such as those developed by other nation-state actors and criminal hackers and aren’t publicly disclosed.

“The collision rate is absolutely fascinating, but this is the wrong way to talk about it,” says Healey.

Healey says Rand should be looking for collisions with the zero days found in other gray market databases held by other exploit sellers. He says the kinds of researchers who participate in bug bounty programs tend to be looking for different kinds of vulnerabilities than researchers who are looking for vulnerabilities for offensive hacking. The latter will have different needs and also better resources to look for vulnerabilities.

It’s worth noting that another study released this week by cryptographer Bruce Schneier and Trey Herr of the Harvard Kennedy School found a higher collision rate when looking at vulnerabilities found in browser software and mobile phones.

“Between 15 percent and 20 percent of all vulnerabilities in browsers have at least one duplicate,” they wrote. “For data available on Android between 2015 and 2016, 22 percent of vulnerabilities are rediscovered at least once an average of 2 months after their original disclosure. There are reasons to believe that the actual rate is even higher for certain types of software.”

But this study also involved vulnerabilities disclosed to bug bounty programs. Dan Guido, CEO of Trail of Bits, whose company does extensive consulting on iOS security, says, “I don’t think studying bug bounty collisions is representative of exploit use in the wild.”

Regardless of this limitation, Guido says the collision test conducted by Rand is still illuminating for the very fact that it involved at least one set of data consisting of live, in-the-wild exploits.

“Even with the caveats around the collision rate, using the best available data we have now [with those live exploits], is significantly lower than we expected,” he said.

Which raises the question: is it low enough that the government would be justified in holding on to exploits for years and not disclosing the vulnerabilities they attack?

Ari Schwartz, former senior director of cybersecurity in Obama’s White House who participated in the so-called Vulnerabilities Equities Process, where the government makes these assessments, says even a low collision rate is a problem.

“Let’s say it’s just 10 percent; is it worth doing disclosure for 10 percent? I think it is,” he says. “That’s still pretty high if you think about it — 1 in 10.”

Healey says the Rand study is an incredible asset to other researchers because of its use of live exploits that are in the wild. It makes the data and analysis more realistic than studies that only simulate scenarios and guess at conclusions, such as what the consequences of not disclosing a vulnerability might be.

“We can theorize all we want about what’s good and what’s bad [in terms of disclosure], but this is going to shake things up, because now we can roll up our sleeves and actually come up with some real answers.”

They hope it may also encourage the owners of other exploit databases to share their collections with researchers.

The post Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates appeared first on The Intercept.

Ferrari gives up F1 stake in exchange for Liberty Media stock

Exclusive: The franchise’s new owner, Liberty Media, seeks to change old-boys Formula One management structure of the storied race series

Ferrari has traded its entire stake in Formula One for an interest in the racing franchise’s new owner, Liberty Media. The Italian luxury car company revealed in a regulatory filing that it sold its 0.25% stake in the top-ranked single-seat auto race series in exchange for $3.1m of stock in Liberty and a cash payout of $11.4m.

Related: Liberty Media purchase of F1 likely to result in even greater profits

Continue reading…

As Trump Neuters Regulatory Commissions, Chuck Schumer Needs to Decide If He Will Fight or Give In

A spate of vacancies will soon turn the federal regulatory commissions that police financial trades, telecommunications, energy, and consumer protection into key political battlegrounds, with Donald Trump on one side and Senate Minority Leader Chuck Schumer on the other.

Instead of a single director, the Federal Communications Commission, Federal Trade Commission, Commodity Futures Trading Commission, Securities and Exchange Commission, and Federal Energy Regulatory Commission each have five members, nominated by the president. But by statute, no more than three members can be from the president’s party. The Federal Election Commission’s six members are supposed to be evenly split. This is supposed to give some weight to diverse viewpoints.

As the Trump era begins, active members at the commissions have dwindled. Ann Ravel, a Democrat, just quit the FEC, leaving that agency one member short. The FCC has only three of its five seats filled; the FTC, SEC and CFTC have only two. The FERC’s two members do not constitute a quorum, meaning it cannot approve dozens of energy infrastructure projects or enforce several energy-related laws. The commissioners have had to delegate these operations to staff.

Trump has made a handful of nominations to fill Republican vacancies: longtime corporate lawyer Jay Clayton to chair the SEC, for example, and two picks, including a senior adviser to Mitch McConnell, for the FERC.

But Trump has not made any movement with regard to the positions that cannot go to Republicans — and there’s one such slot vacant on every one of these six commissions, with more coming down the pike.

In fact, the Trump administration has pulled several commission nominees left over from the Obama era, including one Democratic nominee to the CFTC.

That has led to concerns that Trump might choose conservative-leaning independents instead of Democrats, effectively silencing the opposition party on those commissions. It’s even possible that Trump will decline to fill minority party vacancies, along the lines of top adviser Steve Bannon’s vow to deconstruct the administrative state.

But there’s an arguably even grimmer scenario for progressives, and it involves Sen. Schumer.

Traditionally, the minority leader in the Senate — Schumer — has wide discretion to recommend minority-party commission members, who the president then nominates. In theory, the Democratic Senate caucus needs to agree on Schumer’s choices, but typically, the choice falls to the leader.

Those nominations matter — because while minority party panel members routinely get outvoted, they can create a record of opposition and carry the banner for the party’s ideas and principles. They also matter tremendously when the presidency changes. For example, Ajit Pai, a Republican FCC commissioner under Obama, routinely agitated against Democratic-favored positions for an open internet and expanded broadband access. Under the Trump administration, Pai became chair, and he has acted aggressively in the first two months, blocking a cap on prison phone rates and limiting a program for low-income families to purchase affordable broadband. Trump just re-nominated Pai to another five-year term.

And if it does come down to Schumer, will he select ideologically progressive nominees who would fight Trump’s deregulatory initiatives tooth and nail? Or will he select business-friendly nominees who will be willing collaborators?

“Schumer can lay out a Democratic governing agenda,” said Matt Stoller, a fellow at the Open Markets program at the New America Foundation (and Intercept contributor). “This is how you can tell whether the Democrats are serious.”

Early signs have not been encouraging. Schumer is reportedly interested in elevating his former Chief of Staff David Hantman — who currently lobbies for Silicon Valley firms — to a Democratic seat on the Federal Trade Commission.

The Capitol Forum, a subscription-based news service for policymakers and investors, first reported on the potential Hantman pick for the FTC, which regulates unfair business practices and antitrust violations. Hantman spent over a decade on Capitol Hill, working for Robert Torricelli, Dianne Feinstein, and finally Schumer.

But most recently, he’s represented Silicon Valley in its dealings with the government. And far from being a supporter of activist government and a counter-weight to Republican deregulatory impulses, Hantman is likely to be even more opposed to regulating the tech industry than his potential GOP colleagues.

Hantman served as vice president of global public policy for Yahoo — a top lobbyist position — from 2007 to 2012, then in a similar capacity for Airbnb from 2012 to 2015. He now runs Hantman Strategies, a lobby shop in D.C. for “independent political, public policy and communications advice to select companies.”

Hantman’s private-sector work suggests a belief that large Silicon Valley firms should be granted leeway from government regulations. At Airbnb, he explained his job in an internal memo as to “convince governments that allowing people to rent out their own homes or apartments should not be a problem,” seeking to toss out “antiquated laws.” Hantman represented the company at a 2015 New York City Council meeting. He refused to share data on Airbnb listings to determine which violated city statutes. Eventually, Airbnb lost the fight, as New York State passed legislation cracking down on illegal short-term rentals.

The tech sector will likely be a major FTC focus in the coming years. President Trump may choose as chair Utah Attorney General Sean Reyes, who has been vocal about needing to investigate Google over improperly using its market power to get its apps installed on mobile phones. Venture capitalist Peter Thiel, who has called Google a monopoly, has been active in screening potential antitrust enforcers.

Google’s parent company Alphabet has scrambled to hire former Republican staffers in a bid to ingratiate itself to the new regime in Washington. But Hantman’s perceived friendliness to tech firms would provide a critical beachhead for Silicon Valley at the FTC, from the Democratic side of the aisle.

“The FTC is the agency that regulates short-term rental websites, and David Hantman is somebody who would be against regulating, I assume, given his testimony at the City Council hearing,” said New York City Councilwoman Helen Rosenthal to the Capitol Forum.

Hantman’s wife, Jamie Brown Hantman, served as “Google’s first in-house lobbyist,” and before that, in George W. Bush’s White House, working on the Supreme Court confirmations of John Roberts and Samuel Alito. Brown Hantman now runs a lobbying firm called The JBH Group, and disclosure forms show that she has on more than one occasion received business from companies where her husband was employed. She was paid $25,000 a quarter from Airbnb from 2012-2016 to lobby for a vague portfolio of “programs and policies affecting the sharing economy.” She also lobbied for Yahoo when her husband worked there, specifically on antitrust issues involving partnerships between Yahoo and Google.

Brown Hantman’s ongoing lobbying, which often involves the tech sector, could lead to Hantman’s recusal on the FTC in cases involving those companies.

Schumer’s office declined to comment on whether Hantman would be chosen for the FTC position. Remarking on rumors that Trump would not grant Schumer the power to choose minority-party commission slots, a spokesman told The Huffington Post, “We intend to assert our prerogative on nominees as has always been done.”

The position of a minority party commissioner can be lonely but critical. Progressive fighters like Ravel at the FEC, Julie Brill at the FTC and Kara Stein at the SEC, worked to hold violators of the law accountable regardless of their wealth or privilege. Of the three, the only one currently serving is Stein, whose term is up in June.

In the face of a Republican onslaught on the regulatory state, they can serve as a last line of resistance, raising public awareness of the stakes of failing to act against an insider trading scheme or of allowing pharmaceutical giants to merge and jack up prices.

Historically, Democrats have not taken full advantage of this opportunity. During the Obama administration, Republicans routinely chose ideologues to serve as minority members of regulatory commissions. But Democrats often picked commissioners with ties to Senate leaders, regardless of their more corporate-friendly tendencies.

For example, Mark Wetjen, a former Harry Reid staffer who became a Democratic member of the Commodity Futures Trading Commission, repeatedly undermined Democratic initiatives by siding with derivatives trading firms. Pamela Jones Harbour, a Democratic selection for the FTC under George W. Bush, was actually a political independent. She was later appointed as a senior vice president to sketchy multilevel marketing firm Herbalife.

Top photo: The seal of the Federal Communications Commission hangs behind an empty seat at FCC headquarters.

The post As Trump Neuters Regulatory Commissions, Chuck Schumer Needs to Decide If He Will Fight or Give In appeared first on The Intercept.