
I know it's against the rules to tell people to read the article, but I would encourage everyone to read the article. It specifically says this is a potential threat to

>"elected officials, candidates, political campaigns, [and] political parties"

not to the general public. The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases [1]) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.

[1] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...






>Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location

It feels like a boy scout camp rather than government then. The same for a bunch of emails that ‘interfered’ with true democratic elections. If your organization is so fragile that revealing a tip of your pants makes everyone wonder if they are clean, then maybe that is what needs to be fixed, not someone who posts pictures of it to the internets (in this case provides a REST API for you to do that). However evil my country’s govt will ever be, the level of this nonsense is pushing the heliopause.


Never underestimate the ability of the US government to lay blame elsewhere! (1) (2)

(1) Or any human for that matter

(2) I am an American


> I know it's against the rules to tell people to read the article, but I would encourage everyone to read the article.

It's not against the rules at all, so thank you for the encouragement! I will go read the article.

What the guidelines warn against is something different: Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."


Can apps still get information that identifies the specific device? If so, another possible threat model could be more about identifying who uses what device rather than anything specifically in the photos themselves.

For example, I already have a database of high-value targets' faces built from political sources like house.gov. Now I do facial recognition between that set of faces and the FaceApp faces. That allows me to identify the specific devices used by government officials. That would seem to be super valuable for more targeted attacks and/or pairing with other apps for potential kompromat.


I was thinking more along the lines of hacking because now you have a face and can identify who they work for and that they may have valuable info being a part of X person’s political campaign. Potentially you’d then install some silent update or use some new exploit to gain access to the rest of their phone. Anyone know if that is possible?

Current-gen devices provide an advertising id. It's unique to the device but can be reset to a new random value by the owner in the OS settings.

I think they're talking about just what device they have and OS version (but that's available in the user-agent anyways[0]), since that tells an adversary what exploits to purchase or put resources into developing. Who knows, maybe 30% of congress people haven't yet upgraded to an iPhone with the A12/A13 chip (which can't be exploited via the checkm8 exploit).

0: https://developers.whatismybrowser.com/useragents/explore/so...


I wonder how long that will be the only threat.

I knew someone volunteering for a senate campaign. They noted their personal email suddenly had what looked like a lot of spear-phishing-type emails.


> It specifically says this is a potential threat to "elected officials, candidates, political campaigns, [and] political parties"

But that is NOT what it says at all.

I can't emphasise how misleading this summary is! The exact quote is:

> If the FBI assesses that elected officials, candidates, political campaigns, political parties are targets of foreign influence operations involving FaceApp [then the FBI would investigate].

Note that "IF"? That puts a pretty different spin on it to your interpretation!

Separately, it says:

> The FBI considers any application or similar product developed in Russia, such as FaceApp, to be a potential counter-intelligence threat.

@dang - I think that the current headline "FBI designates FaceApp as counterintelligence threat" is misleading. "Designates" implies something like being added to an official list (like a sanctions list or something). A better headline would be "FBI responds to congressional query on FaceApp" or "FBI considers all Russian-built apps counterintelligence threats".


Not at all. There's plenty of people in this thread wondering what "potential" means in "potential threat". This is what that potential means. The FBI has assessed that this app is a potential threat but they haven't found any evidence that Russia's government is actually using it in this way. If the FBI finds out that it's being used as an attack vector, then they will jump in to assist.

Not misleading at all. I don't know why so many people are reading this so wrong, it's not a long letter. The Senate asked the FBI if this app was a threat to US politicians, the FBI said it could be but they don't see it being exploited at this time. If that changes, the FBI will intervene. Pretty simple to understand as long as you read the words that were written.


Your version, "It specifically says this is a potential threat to 'elected officials, candidates, political campaigns, [and] political parties'", makes it sound like the FBI said that.

In the letter it speaks separately about FaceApp specifically (~"no known campaigns") and general potential threats (~"anything developed in Russia"). Your summary combines a quote from the "no known campaign" and the "anything developed in Russia" bit to say something they never said.

Specifically the letter says the FBI will investigate any foreign influence operations involving FaceApp aimed at officials.

Your version turns that into a claim that the FBI says FaceApp is only a potential threat to those officials. The letter doesn't say that at all.

Additionally you make up a bunch of stuff around the threat model that you claim the FBI sees. ("The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?) or see geo-location from the app (like how Strava was leaking the coordinates at military bases [1]) or any number of things a hostile foreign government who has already hacked American elections once and is planning to do it again might want to do with pictures that interns/staffers might think are private.")

Again, this letter doesn't say or imply that. In fact, the foreign influence operations may imply that the FBI is more concerned about foreign adversaries using the politician's likeness (eg for "Fake News" style videos or something).


>The potential threat is for someone at Candidate_1's campaign taking selfies with the app, that then uploads them to Russian servers where the Russian government can see them and can also see what's in the background (sensitive documents?)

Good old days, just less than 20 years ago back at Sun, when we were strictly instructed that the computer monitors must be off when the photos would be taken. How times and basic norms of opsec have changed - these days you just tweet the straight photo of the classified monitor screen https://www.npr.org/2019/08/30/755994591/president-trump-twe...


I remember when the Sony-DPRK thing happened there was a photo of Cybercommand and it showed a wall of monitors and people were examining the tools they had open on the monitors.

There was also a photo from the Iranian Nuclear agency and it had photos of their systems and software on their website or something and it was scraped for info prior to Stuxnet.

McAfee let some "Wired" photog take a digital photo without ensuring geotagging was disabled or removed from the metadata when he was prancing over Belize as he was escaping some plot to frame him.

Those lapses happen.
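The geotag lapse above (and the geolocation concern raised at the top of the thread) is easy to check for before a photo leaves a device. What follows is an added example, not code from this thread or from any of the organizations it mentions: it walks a JPEG's marker segments with only the Python standard library, reads the EXIF GPS IFD to report latitude/longitude, and strips the Exif APP1 segment. The sample JPEG is constructed inline as a minimal skeleton (SOI, Exif APP1, EOI, no pixel data) with assumed coordinates, and `build_sample_jpeg` exists only to produce that test input.

```python
"""Find and strip EXIF GPS coordinates in a JPEG, standard library only."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                     # IFD0 entry that points at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types


def _segments(jpeg):
    """Yield (marker, raw_segment) for each header segment; SOS/EOI ends the walk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield 0xD8, jpeg[:2]
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: scan data follows, copy as-is
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length includes itself
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at `offset`."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _value_bytes(tiff, entry, e):
    """Values of 4 bytes or less are stored inline; larger ones behind an offset."""
    typ, count, field = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return field[:size]
    (off,) = struct.unpack(e + "I", field)
    return tiff[off:off + size]


def _dms_to_degrees(raw, e):
    """Three RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    n = struct.unpack(e + "IIIIII", raw)
    deg, minutes, sec = (n[i] / n[i + 1] for i in (0, 2, 4))
    return deg + minutes / 60 + sec / 3600


def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees if EXIF GPS tags are present, else None."""
    for marker, seg in _segments(jpeg):
        if marker != 0xE1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]                                   # TIFF block; offsets are relative to it
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])        # byte order of the TIFF block
        if e is None:
            continue
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        gps_ptr = _read_ifd(tiff, ifd0, e).get(TAG_GPS_IFD)
        if gps_ptr is None:
            continue
        (gps_off,) = struct.unpack(e + "I", _value_bytes(tiff, gps_ptr, e))
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            continue
        lat = _dms_to_degrees(_value_bytes(tiff, gps[TAG_LAT], e), e)
        lon = _dms_to_degrees(_value_bytes(tiff, gps[TAG_LON], e), e)
        if _value_bytes(tiff, gps[TAG_LAT_REF], e).startswith(b"S"):
            lat = -lat
        if _value_bytes(tiff, gps[TAG_LON_REF], e).startswith(b"W"):
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Drop every Exif APP1 segment (GPS IFD included); all other segments are kept."""
    out = bytearray()
    for marker, seg in _segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


def _rationals(d, m, s):
    return struct.pack("<IIIIII", d, 1, m, 1, s, 1)


def build_sample_jpeg(lat_dms=(38, 53, 23), lon_dms=(77, 0, 32), lat_ref=b"N", lon_ref=b"W"):
    """Constructed test input: SOI + Exif APP1 carrying only a GPS IFD + EOI, no pixels.
    TIFF layout (little endian): 0 header, 8 IFD0, 26 GPS IFD, 80 lat rationals, 104 lon."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", TAG_LAT_REF, 2, 2) + lat_ref + b"\x00\x00\x00"
    gps += struct.pack("<HHII", TAG_LAT, 5, 3, 80)
    gps += struct.pack("<HHI", TAG_LON_REF, 2, 2) + lon_ref + b"\x00\x00\x00"
    gps += struct.pack("<HHII", TAG_LON, 5, 3, 104)
    gps += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    assert len(tiff) == 80, "layout comment above no longer matches"
    tiff += _rationals(*lat_dms) + _rationals(*lon_dms)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", gps_coordinates(photo))
    print("after: ", gps_coordinates(strip_exif(photo)))
```

`strip_exif` removes the whole Exif block rather than editing the GPS IFD in place, because other tags in it (serial number, lens, software build, timestamps) are just as useful to the adversary in this thread's threat model as the coordinates are; on a real photo the scan data after SOS is copied through untouched, so the image itself still decodes.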


To be more precise, it seems to be a photo of what 'experts' say is 'almost certainly' an image from a 'classified' satellite or drone.

This really does not look like a photo of a monitor. Looks instead much more like the original photo?

The flash reflection and the head and shoulders shadow suggest monitor mounted at the eye level.

Is President Trump representative of modern opsec norms?

I think it is close to it. I mean, for example, that FBI guy - Peter Strzok - who led the investigation into Clinton's mishandling of emails was himself officially found in flagrant violation of classified information handling policies, in particular for storing classified documents on his personal unencrypted devices, etc. Somehow I don't think that Strzok is just an exception at the FBI - he spent 21 years there after all - no, he is just the one who got caught because he attracted attention (by his anti-Trump and pro-Clinton text messages on his FBI-issued phone while investigating Clinton's emails and Trump-Russia collusion - speaking about opsec again :)

No. He is representative of a self-aggrandizing moron.


