> "elected officials, candidates, political campaigns, [and] political parties"
not to the general public. The potential threat is someone at Candidate_1's campaign taking selfies with the app, which then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.
It feels like a boy scout camp rather than government then. The same for a bunch of emails that ‘interfered’ with true democratic elections. If your organization is so fragile that revealing a tip of your pants makes everyone wonder if they are clean, then maybe that is what needs to be fixed, not someone who posts pictures of it to the internets (in this case provides a REST API for you to do that). However evil my country’s govt will ever be, the level of this nonsense is pushing the heliopause.
(1) Or any human for that matter
(2) I am an American
It's not against the rules at all, so thank you for the encouragement! I will go read the article.
What the guidelines warn against is something different: Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."
For example, I already have a database of high-value targets' faces built from political sources like house.gov. Now I do facial recognition between that set of faces and the FaceApp faces. That allows me to identify the specific devices used by government officials. That would seem to be super valuable for more targeted attacks and/or pairing with other apps for potential kompromat.
I knew someone volunteering for a senate campaign. They noted their personal email suddenly had what looked like a lot of spear phishing type emails.
But that is NOT what it says at all.
I can't emphasise how misleading this summary is! The exact quote is:
> If the FBI assesses that elected officials, candidates, political campaigns, political parties are targets of foreign influence operations involving FaceApp [then the FBI would investigate].
Note that "IF"? That puts a pretty different spin on it to your interpretation!
Separately, it says:
> The FBI considers any application or similar product developed in Russia, such as FaceApp, to be a potential counter-intelligence threat.
@dang - I think that the current headline "FBI designates FaceApp as counterintelligence threat" is misleading. "Designates" implies something like being added to an official list (like a sanctions list or something). A better headline would be "FBI responds to congressional query on FaceApp" or "FBI considers all Russian-built apps counterintelligence threats".
Not misleading at all. I don't know why so many people are reading this so wrong, it's not a long letter. The Senate asked the FBI if this app was a threat to US politicians, the FBI said it could be but they don't see it being exploited at this time. If that changes, the FBI will intervene. Pretty simple to understand as long as you read the words that were written.
In the letter it speaks separately about FaceApp specifically (~"no known campaigns") and general potential threats (~"anything developed in Russia"). Your summary combines a quote from the "no known campaign" and the "anything developed in Russia" bit to say something they never said.
Specifically the letter says the FBI will investigate any foreign influence operations involving FaceApp aimed at officials.
Your version turns that into a claim that the FBI says FaceApp is only a potential threat to those officials. The letter doesn't say that at all.
Additionally, you make up a bunch of stuff around the threat model that you claim the FBI sees. ("The potential threat is someone at Candidate_1's campaign taking selfies with the app, which then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.")
Again, this letter doesn't say or imply that. In fact, the "foreign influence operations" wording may imply that the FBI is more concerned about foreign adversaries using the politician's likeness (e.g. for "Fake News" style videos or something).
The good old days, just less than 20 years ago back at Sun, when we were strictly instructed that the computer monitors must be off when photos were taken. How times and basic norms of opsec have changed: these days you just tweet a straight photo of the classified monitor screen https://www.npr.org/2019/08/30/755994591/president-trump-twe...
There was also a photo from the Iranian nuclear agency; they had photos of their systems and software on their website or something, and it was scraped for info prior to Stuxnet.
McAfee let some "Wired" photog take a digital photo without ensuring geotagging was disabled or removed from the metadata when he was prancing over Belize as he was escaping some plot to frame him.
Those lapses happen.
Hosting in Russia is expensive and does not provide any advantages, such as the dynamic routing that is crucial for a worldwide app. Most developers use it to comply with Russian standards: you only need to store information about Russian users on Russian servers.
In addition, currently in Russia there are no good alternatives for reliable cloud neural network inference.
But I can’t understand the negative media about the application, based on the founder’s country of origin. I argue that this is discrimination because there is as yet no evidence of breach of confidentiality.
> Hosting in Russia is expensive and does not provide any advantages
Hosting in top .ru DCs like Selectel is vastly cheaper than on any AWS-likes. These are extremely different products though.
It’s beyond dispute.
The Russian government has breached confidentiality.
The country intervening in most foreign elections is the United States with 81 interventions, followed by Russia (including the former Soviet Union) with 36 interventions from 1946 to 2000—an average of once in every nine competitive elections.
Yes, definitely, again another thing beyond dispute. Not sure what the point is you're trying to make though.
But from a counterintelligence standpoint, that's finger painting bar
Australian government metadata requests were well over 300,000 last year, nearly 1,000 requests a day, all warrantless, and they can come from tiny local councils or horse racing orgs. Trust us, they say, there's oversight in hidden tribunals, they say.
The FBI isn't saying "normal people are at risk from FaceApp" but "US intelligence is at risk from the use of FaceApp". In the (very short) linked letter, it specifically calls out "elected officials, candidates, political campaigns, [and] political parties".
Considering all US intelligence agencies unanimously agree that Russia already attacked US candidates and political parties in the past, saying "yeah but everyone does it" is about as off-topic of a remark as you can get. To my knowledge the FBI has never publicly disclosed Australia's efforts to meddle in US elections.
Australians legally do metadata and spying better than everyone else on many metrics and then share it with the multiple eyes. Something to remember when the media is whipping up a threat frenzy.
Given Australia's treatment of whistleblowers and slow descent into authoritarianism, I very much envy the few protections Americans take for granted.
I've seen this sort of "argument" a lot lately. Not sure why people think it communicates anything other than lazy cynicism.
That everyone (to a rounding error) has sex does not mean that everyone has sex with everyone.
Aren't all threats potential threats, until they are actual? I dunno, maybe the FBI has a formal delineation between potential threat, threat, and . . . whatever is after that. But I doubt it.
It seems fishy that the Apple-provided Files app didn't recognize my SD card.
Facebook is an industrial-scale stalking operation. I doubt FaceApp (or frankly any government actor) could pull off something like that even if they wanted to.
This is political grandstanding at best, and would be a non-issue if you replaced the geographic location of the dev team with any other country.
I get it, Russia is the Big Bad Boogeyman right now. But if you think for a second that a real attempt at counterintelligence would publicly come from such an obvious point of interest, then I have a bridge to sell you.
However, 2) I would imagine the probability that FaceApp does not have a vulnerability in it somewhere is extremely low, as in my experience essentially every single app has security flaws in it; the problem in your mental model is that you think someone would "find" a "component" that would be a smoking gun of some form, whereas only an idiot would make a back door something other than a security vulnerability (as essentially every single app has security vulnerabilities). Were any placed there on purpose? No one would ever know.
This is a legitimate threat model. I'm not sure why you think it wouldn't be. Spies and others do use fake identities. The threat model is that there is a way to determine who is faking their identities.
A picture is a username... Are you trying to say that your face isn't personally identifiable information (PII)? I'm not sure what your argument is here, because it can't be that. That argument would be absurd, so I'm sure I am misunderstanding.
The funny thing to me is it nitpicks about the terms of service. Will a TOS prevent a foreign intelligence agency from using the data for nefarious purposes? That sounds silly.
It's a tit-for-tat response, showing that if they want to make this a trade war, their companies will get hurt too. So yes, national grandstanding.
Edit: Wups, dates are wrong. This FBI release is from November 25, so the Russian law is likely in response to it, not vice versa. Still national grandstanding, but the idiot party isn't necessarily the Russians.
Edit: Obligatory “why are you booing me, I’m right?”
We have seen lots of examples of ad analytics SDKs that push the iPhone beyond its intended sandbox. Most of them have been banned, but some operated for years before getting banned. It would be a disservice to brush away those concerns as fearmongering.
Why don’t we have the ability to restrict at the OS level which domains an app can send information to? Then we can finally host backend software locally on servers of OUR choice.
I would love to see more OPEN SOURCE apps running on servers of our choice, and communication over mesh networks. In fact I’d love for most functionality to be client-side and an option for ALL data sent to servers to be end-to-end encrypted at the OS level. I don't want to have to trust the APP manufacturer to pinky swear it’s all end-to-end encrypted. The OS should have a little badge saying none of the data sent by the app is being sent in a way the server can decrypt, because the OS intercepts and encrypts it with keys the app can’t get. That may still leave side channels such as timing-based information to tunnel through. But if we restrict what domains the app can talk to, we can close that loophole too.
That’s what I would love to see ... finally put an end to server side landlords owning your data just cuz they own the infrastructure!
Seems like a "pot" should have more knowledge than average on which kettles to call "black".
Seems like the word "potential" is conspicuously missing from the title of the submission.
Especially useful for capturing younger users who are more likely to be anti-Putin.
Inb4 Cambridge Analytica, FB didn't just hand off the data to them, users had to use a special third-party app within FB and explicitly give it permission to access the user data. And those APIs aren't available anymore after the backlash either way.
Then there's LinkedIn's public profiles, Github's public profiles, Twitter's profiles. This is just privacy theatre.
You could easily profile pictures of high ranking American officials, their parents, their children, etc.
In other words, data like this can increase your attack surface.
We detached this subthread from https://news.ycombinator.com/item?id=21689071 and marked it off-topic.
Which is horrible, because you judge by what is said or done, not by accusing people of wrongthink/motive. It’s akin to self-censorship, the suppression of viewpoints in the name of ‘protecting freedom/democracy’.
There will be hostile forces and actors, but we cannot lower ourselves to their level to fight them because it’s convenient, while sacrificing our own values in doing so. In which case, we would have lost before we even began.