Marines Tasked with Firing Howitzers in Syria Are Just “Advisers,” Says Sean Spicer

The Pentagon has deployed several hundred marines to Northern Syria, the Washington Post and CNN reported this week. Their mission: firing long-range artillery to help recapture Raqqa, ISIS’s self-proclaimed capital city.

The marines are equipped with M777 howitzers, which can fire GPS-guided explosives up to 25 miles.

That’s a big change from the “train, advise and assist” role U.S. forces have been playing so far — although as with many previous troop deployments to Iraq and Syria, it was not debated, let alone authorized, by Congress.

But White House Press Secretary Sean Spicer brushed off a question about the move, saying that sending “several hundred advisers” did not amount to “hostile action.”

Right-wing radio host John Fredericks asked Spicer on Thursday whether Trump was committed to seeking Congressional authorization for new deployments.

“I think there’s a big difference between an authorization of war than [sic] sending a few hundred advisors,” Spicer replied. “And I think most in Congress would probably agree with that as well.  I think that’s a big difference between a hostile action and going in to address some certain concerns, whether it’s certain countries in the Middle East or elsewhere.”

Spicer referred the question to the Department of Defense. But when reached by the Intercept, a Pentagon spokesman disputed Spicer’s characterization.

“This is fire support,” said Maj. Adrian Rankine-Galloway, a public affairs officer for the Marine Corps, explaining that the new deployment would fire long-range artillery in an assault on Raqqa. “They will be providing partner support for the Syrian Democratic Forces.”

The U.S. has long tried to downplay its military footprint in Syria. When President Obama deployed 250 special forces to Syria in April 2016, despite repeatedly promising not to put U.S. “boots on the ground” in Syria, State Department Spokesman John Kirby tried to parse the meaning of “boots on the ground” to exclude special forces.

The Pentagon has maintained that the fight against ISIS is authorized by a 2001 Congressional resolution, which authorizes the President to use “necessary and appropriate force” against the “nations, organizations, or persons” involved in the 9/11 attacks.

Multiple members of Congress have criticized the resolution, because it has been stretched to cover numerous terror groups, like ISIS, that did not exist at the time of the 9/11 attacks. But the Obama administration long insisted that it did not need independent authorization to fight ISIS.

Top photo: Soldiers from the Syrian army fire a rocket at Islamic State group positions in the province of Raqqa, Syria on Feb. 17, 2016.

The post Marines Tasked with Firing Howitzers in Syria Are Just “Advisers,” Says Sean Spicer appeared first on The Intercept.

Trump did not know Flynn would have to register as ‘foreign agent’, Spicer says

White House official says team told before inauguration that Flynn might need to register with justice department over lobbying linked to Turkish government

Donald Trump did not know that his now-dismissed national security adviser Michael Flynn had lobbied on behalf of the Turkish government and potentially needed to register as a “foreign agent”, Sean Spicer insisted on Friday.

The White House press secretary told his daily media briefing that Flynn’s decision to register with the justice department was a personal one and not something for Trump’s lawyers to determine.


US interest rate rise almost certain after bumper jobs growth

President Trump quickly claims credit for 235,000 jobs created last month as pressure on Federal Reserve grows to order first of three predicted rises

The US Federal Reserve is poised to raise interest rates next week for only the third time since the financial crisis after the latest job numbers for the world’s largest economy beat expectations.

The closely watched Labor department data for February showed that the number of new jobs soared to 235,000, the best month for job growth since July last year, adding to pressure on the central bank to agree the first of three predicted rises this year.


Volkswagen pleads guilty to all criminal charges in emissions cheating scandal

The German automaker admits scheme to skirt pollution rules justifies felony conspiracy and obstruction of justice, in what attorney calls ‘calculated offense’

Volkswagen pleaded guilty on Friday to conspiracy and obstruction of justice charges in a brazen scheme to get around US pollution rules on nearly 600,000 diesel vehicles by using software to suppress emissions of nitrogen oxide during tests.

The German automaker has already agreed to pay $4.3bn in civil and criminal penalties – the largest ever levied by the US government against an automaker – although VW’s total cost of the scandal has been pegged at about $21bn, including a pledge to repair or buy back vehicles.


NFL hits back at ‘meritless’ claims it broke the law on prescription drugs

  • Ex-players say NFL routinely ignored laws governing drug regulation
  • League insists ‘the clubs put the health and safety of our players first’

The NFL has rejected accusations that its teams routinely ignored federal laws regulating the use and distribution of addictive prescription painkillers.



Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates

A new report from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.

The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.

Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.

Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.

Chart: RAND (distribution of zero-day exploit lifespans)

Rand’s researchers found that there was no pattern around which exploits lived a long or short life — severe vulnerabilities were not more likely to be fixed quickly than minor ones, nor were vulnerabilities in programs that were more widely available.

“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,” write lead researchers Lillian Ablon and Andy Bogart in their paper “Zero Days, Thousands of Nights.”

Rand, a nonprofit research group, is the first to study in this manner a database of exploits that are in the wild and being actively used in hacking operations. Previous studies of zero days have used manufactured data or the vulnerabilities and exploits that get submitted to vendor bug bounty programs — programs in which software makers or website owners pay researchers for security holes found in their software or websites.

The database used in the study belongs to an anonymous company referred to in the report as “Busby,” which amassed the exploits over 14 years, going back to 2002. Busby’s full database actually has around 230 exploits in it, about 100 of which are still considered active, meaning they are unknown to the software vendors and therefore no patches are available to fix them. The Rand researchers only had access to information on 207 zero days — the rest are recently discovered exploits the company withheld from Rand’s set “due to operational sensitivity.”

While it’s not known how many of these exploits are in the U.S. government’s arsenal, Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, believes the U.S. government’s zero-day stockpile is comparable in size to Busby’s.

For many years, critics of the government’s use of zero days suspected the arsenal numbered in the thousands. But a report Healey published with his students last year, based in part on statistical analysis of the number of zero days that get discovered and disclosed each year to bug bounty programs, estimated that the government’s trove likely contained between two dozen and 225 zero-day exploits.

This would seem to jibe with statements made by government officials. Michael Daniel, former special adviser to President Obama on cybersecurity issues and a member of Obama’s National Security Council, has said in the past that “there’s often this image that the government has spent a lot of time and effort to discover vulnerabilities that we’ve stockpiled in huge numbers and similarly that we would be purchasing very, very large numbers of vulnerabilities on the open market, the gray market, the black market, whatever you want to call it. [But] the numbers are just not anywhere near what people believe they are.”

Shining a Light on the Government’s Zero-Day Policy

The government has long insisted that it discloses more than 90 percent of the vulnerabilities it finds or purchases, and that those it doesn’t disclose initially get reviewed on a regular basis to re-evaluate if they should be disclosed.

The problem with this is that the public doesn’t know how long the government is exploiting these security holes before they’re shared publicly — and therefore how long ordinary citizens are left exposed to Russian or Chinese nation-state hackers or cybercriminals who may discover the same vulnerabilities and exploit them.

One factor that can affect how quickly the government discloses vulnerabilities is their collision rate or rediscovery rate. This refers to how often the same vulnerabilities get discovered independently by two or more parties.

It’s a metric that is particularly important in the policy debate around the government’s use of zero-day exploits; if the U.S. knows about a vulnerability, there’s a good chance others do too and are quietly exploiting it. If the data shows there is high probability that criminal hackers or nation-state hackers from Russia or China could discover a vulnerability and create an exploit for it, this can be an argument for disclosing the vulnerability sooner rather than later to get it patched. But if that probability is low, the government can use it to justify nondisclosure and keeping people at risk longer.

The Rand researchers found that the collision rate for the exploits in the Busby database was indeed low. In a typical one-year period, only about 6 percent of the vulnerabilities got discovered by others. That figure jumped to 40 percent, however, when viewed across the entire 14 years of the database.
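As an added illustration (not code from the Rand report or from The Intercept), the following Python computes the two statistics discussed above, exploit lifespan and windowed collision rate, over a small constructed set of exploit records. The record fields and the precise collision definition (share of exploits alive during a window that became public inside it) are assumptions; the Rand figures differ because the data here is invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class Exploit:
    """One gray-market exploit record (constructed; not Busby/Rand data)."""
    name: str
    acquired: date                    # assumed: when the seller obtained it
    disclosed: Optional[date] = None  # vendor patch or public disclosure; None = still alive


# Constructed sample records, chosen to cover short, long and still-active cases.
SAMPLE: List[Exploit] = [
    Exploit("e01", date(2002, 1, 1), date(2004, 6, 30)),
    Exploit("e02", date(2003, 3, 1)),                       # still active
    Exploit("e03", date(2005, 5, 15), date(2006, 1, 10)),
    Exploit("e04", date(2006, 9, 1), date(2016, 9, 1)),     # a decade-long exploit
    Exploit("e05", date(2008, 2, 1), date(2009, 5, 1)),
    Exploit("e06", date(2010, 7, 1)),                       # still active
    Exploit("e07", date(2011, 11, 1), date(2012, 2, 1)),
    Exploit("e08", date(2013, 4, 1), date(2015, 4, 1)),
    Exploit("e09", date(2014, 1, 1), date(2016, 12, 31)),
    Exploit("e10", date(2015, 6, 1)),                       # still active
]


def lifespan_years(e: Exploit, as_of: date) -> float:
    """Years from acquisition to disclosure, or to `as_of` if still alive (censored)."""
    end = e.disclosed or as_of
    return (end - e.acquired).days / DAYS_PER_YEAR


def lifespan_stats(entries: List[Exploit], as_of: date) -> dict:
    """Mean lifespan plus the share that lived 10+ years and the share patched inside 18 months."""
    spans = [lifespan_years(e, as_of) for e in entries]
    n = len(entries)
    return {
        "mean_years": sum(spans) / n,
        "active": sum(1 for e in entries if e.disclosed is None),
        "decade_or_longer": sum(1 for s in spans if s >= 10) / n,
        # only exploits that were actually disclosed count as short-lived; alive ones are censored
        "under_18_months": sum(1 for e in entries if e.disclosed and lifespan_years(e, as_of) < 1.5) / n,
    }


def collision_rate(entries: List[Exploit], start: date, end: date) -> float:
    """Share of exploits alive at any point in (start, end] that were disclosed inside that window."""
    exposed = [e for e in entries if e.acquired <= end and (e.disclosed is None or e.disclosed > start)]
    collided = [e for e in exposed if e.disclosed is not None and start < e.disclosed <= end]
    return len(collided) / len(exposed) if exposed else 0.0
```

Running `collision_rate` over a single year and then over the whole 2002 to 2016 span on the same records shows why the window length alone moves the rate up, the same effect behind Rand's 6 percent versus 40 percent figures.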

But there’s a slight problem with this analysis, says Columbia University’s Healey. The Rand researchers determined the collision rate based on publicly disclosed vulnerabilities — those discovered and reported by researchers as part of a vendor bug bounty program or made public in some other way, such as at conferences or in news articles. But this isn’t the collision that concerns critics of zero-day arsenals. They’re concerned about collisions with zero days that remain secret, such as those developed by other nation-state actors and criminal hackers and aren’t publicly disclosed.

“The collision rate is absolutely fascinating, but this is the wrong way to talk about it,” says Healey.

Healey says Rand should be looking for collisions with the zero days found in other gray market databases held by other exploit sellers. He says the kinds of researchers who participate in bug bounty programs tend to be looking for different kinds of vulnerabilities than researchers who are looking for vulnerabilities for offensive hacking. The latter will have different needs and also better resources to look for vulnerabilities.

It’s worth noting that another study released this week by cryptographer Bruce Schneier and Trey Herr of the Harvard Kennedy School found a higher collision rate when looking at vulnerabilities found in browser software and mobile phones.

“Between 15 percent and 20 percent of all vulnerabilities in browsers have at least one duplicate,” they wrote. “For data available on Android between 2015 and 2016, 22 percent of vulnerabilities are rediscovered at least once an average of 2 months after their original disclosure. There are reasons to believe that the actual rate is even higher for certain types of software.”

But this study also involved vulnerabilities disclosed to bug bounty programs. Dan Guido, CEO of Trail of Bits, whose company does extensive consulting on iOS security, says, “I don’t think studying bug bounty collisions is representative of exploit use in the wild.”

Regardless of this limitation, Guido says the collision test conducted by Rand is still illuminating for the very fact that it involved at least one set of data consisting of live, in-the-wild exploits.

“Even with the caveats around the collision rate, using the best available data we have now [with those live exploits], is significantly lower than we expected,” he said.

Which begs the question — is it low enough that the government would be justified in holding on to exploits for years and not disclosing the vulnerabilities they attack?

Ari Schwartz, former senior director of cybersecurity in Obama’s White House who participated in the so-called Vulnerabilities Equities process where the government makes these assessments, says even a low collision rate is a problem.

“Let’s say it’s just 10 percent; is it worth doing disclosure for 10 percent? I think it is,” he says. “That’s still pretty high if you think about it — 1 in 10.”

Healey says the Rand study is an incredible asset to other researchers because of its use of live exploits that are in the wild. It makes the data and analysis more realistic than studies that only simulate scenarios and guess at conclusions, such as what the consequences of not disclosing a vulnerability might be.

“We can theorize all we want about what’s good and what’s bad [in terms of disclosure], but this is going to shake things up, because now we can roll up our sleeves and actually come up with some real answers.”

They hope it may also encourage the owners of other exploit databases to share their collections with researchers.

The post Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates appeared first on The Intercept.