Strava, a smartphone app that tracks "athletic activity" using GPS, published an interactive heatmap of user activity around the world. That heatmap included some U.S. military bases:
Military personnel around the world have been publicly sharing their exercise routes online - including those inside or near military bases.
Online fitness tracker Strava has published a "heatmap" showing the paths its users log as they run or cycle. It appears to show the structure of foreign military bases in countries like Syria and Afghanistan, as soldiers move around inside.
The US military is examining the heatmap, a spokesman said. Air Force Colonel John Thomas, a spokesman for US Central Command, told the Washington Post that the US military was reviewing the implications.
Strava said it had excluded activities marked as private from the map. Users who record their exercise data on Strava have the option of making their movements public or private. Private data, the company said, has never been included.
The "private" option is for people who like to track their step count during sexual activity, not protecting the operational security of the military base you're stationed at.
Also at The Guardian, which contains more examples than the BBC for those who don't want to enable JavaScript to view the interactive one linked to above.
(Score: 2) by tangomargarine on Monday January 29 2018, @04:07PM (3 children)
I think my definition of either "sexual activity" or "step" doesn't align with the way these people are using it.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Monday January 29 2018, @05:04PM (1 child)
Obligatory: Adam Sandler - Sex or Weight Lifting [youtube.com] (audio only, NSFW)
(Score: -1, Spam) by Anonymous Coward on Monday January 29 2018, @05:30PM
Flesh slapping against flesh. Punching. These things could be heard from within the building. Eventually, a man exited the establishment; he looked refreshed, as if he was a new man. And what a great man he was; a man who utilized others so that they could reach their full potential; a man who gave others opportunities; a man who gave others hope. Later, someone would stumble upon the corpse of a naked woman in that very same building.
(Score: 3, Insightful) by bob_super on Monday January 29 2018, @05:14PM
> Strava said it had excluded activities marked as private from the map.
Which confirms that they have it.
"Next, from Strava : The sex rating app ! Know how good your show-off guy really is before you're disappointed !
People may elect to be excluded from our app, or our Tinder/grindr partnership, when they subscribe to our $200/mo membership!
Subscribe to our $1000/mo plan for access to our DataOptimizer services!"
(Score: 4, Interesting) by VLM on Monday January 29 2018, @04:40PM (12 children)
I suspect this is example #153116 of the general societal problem of everyone in every country in both the government and corporate ecosystem has free access to data one thousand times more detailed, but because your next door neighbor, who ironically doesn't care at all, has no access, we as a culture use that to pretend no one has the data and have to act all shocked and dismayed that my neighbor, who as I already stated, doesn't even care, could obtain access to the data.
I was in the army a quarter century ago, got out before 9/11. It sounds very much like stories about modern high schools, where today there's armed guards to shoot anyone entering or leaving, but in the old days the doors were open and people freely wandered around. Back in the old days there were of course guarded buildings surrounded by barbed wire and cameras and guards where you needed a pass to get in; however no armed guards to prevent access to the bowling alley, library, or PX (essentially a socialized government on-base department store). I would imagine life on base would be very weird, almost an entirely different lifestyle for people in the army in 1990 vs 2018.
(Score: 2) by tangomargarine on Monday January 29 2018, @05:19PM (8 children)
Even just in the last 5 or 6 years. When I went down to my alma mater last Halloween, I found that the replacement cafeteria on campus, you can apparently only get into by swiping your campus ID. The old cafeteria, you could just walk in and pay with cash if you were some random person on the street. *Why* exactly does a cafeteria need to be secured?!
One could argue it had something to do with the same building also being a dorm, but I think the doors to the dorm wing were keycarded as well anyway.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by DannyB on Monday January 29 2018, @05:33PM (7 children)
You cannot be allowed access to the dorms, because you might be a cereal killer or rapist.
You cannot even be allowed access to the students in the cafeteria because you might promote unacceptable ideas to the kiddies. And it might poison their young minds and affect how they vote.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by tangomargarine on Monday January 29 2018, @05:38PM (3 children)
I mean, if that were their reasoning they should lock up the academic buildings, library, and student center, too.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by VLM on Monday January 29 2018, @06:17PM (2 children)
Yeah funny you should mention that...
Where I live this is mostly an anti-homeless thing. So state-U suburban expensive suburb branch campus about three blocks from where I live, no lockdown. The state-U branch in the old "big city" has guards to keep the homeless out. Take a non-credit night class by home, you don't even need a parking permit and no door is ever locked, take a non-credit night class by work and the guards make it feel like you're going thru an airport checkpoint. "papers please" checking your ID and all that.
An army base would be an interesting place for a homeless person to live. Wasn't an issue back when I was in, back when bases were pretty much wide open.
(Score: 1) by starvingboy on Monday January 29 2018, @08:15PM (1 child)
? Having spent some time on military bases in my youth, you had to have a base ID in order to actually do anything. Sometimes they'd check just going into the BX, and you definitely needed one in order to buy anything, from candy to movie tickets.
Carrying your ID was a rite of passage as a base kid.
(Score: 2) by VLM on Wednesday January 31 2018, @12:25PM
Yeah, maybe both true. In retrospect looking like a 19 year old enlisted I might have been waved thru everything to save time, I don't remember ever showing a ID.
Seriously though, like they check ID at the on-base Burger King or the post library or post museum or the bowling alley? I guess if they did, they did, but ...
(Score: 2) by frojack on Monday January 29 2018, @07:19PM (1 child)
Cereal killers would be trying to get into the cafeteria.
They probably came from the dorm. Who knows what goes on in those dorms.
No, you are mistaken. I've always had this sig.
(Score: 2) by DannyB on Monday January 29 2018, @07:23PM
I know what goes on in the dorms. That is the rappists I mention along with the cereal killers.
Imagine rappists unable to get their rap music to rhyme, in the dorms! Poisoning the minds of the kids.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 1, Funny) by Anonymous Coward on Monday January 29 2018, @07:37PM
Like this guy!
https://mashable.com/category/cookie-monster/ [mashable.com]
(Score: 0) by Anonymous Coward on Monday January 29 2018, @06:57PM (2 children)
In seventh grade, we were allowed to wear knives on our belts.
Typically a Bowie knife.
The times they are a changing.
(Score: 2) by DutchUncle on Monday January 29 2018, @07:21PM
Where were you living? Where I was we had to conceal things better. :-)
(Score: 3, Funny) by DannyB on Monday January 29 2018, @07:26PM
Early 1970's. About 4th grade, can't remember precisely. Not allowed to have fingernail clippers. Because it's a weapon!
Reminds me of TSA today. On an airplane: Look! I've got nail clippers! I'm going to take over the plane! You better stay back or I'll use these nail clippers! Nobody will be able to overpower me with my trusty nail clippers!
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 3, Interesting) by DannyB on Monday January 29 2018, @05:30PM (9 children)
A single data point doesn't matter. Google, for example, doesn't care about me personally. My information is a drop in the ocean. Lost in the noise. Google simply wants to put better ads in front of my eyes. Facebook simply wants to reprogram my brain, manipulate society, create a programmable zombie army of living people for Zuck's personal amusement, and harvest people's organs when they are no longer convenient sources of data.
So it seems like there is no real harm done by corporations having your unimportant data.
Who could possibly care about your exercise data. What is it useful for except testosterone induced bragging rights.
Once you aggregate that data, we now see what can happen with seemingly harmless data.
I suppose this means the military needs to educate people that even the most harmless data can leak classified secrets. And this is an excellent example of how.
I imagine that once upon a time the military strictly controlled personal communications between deployed personnel and back home. Reading and censoring letters. Potentially monitoring phone calls. If not in practice, then at least in principle if needed.
By allowing people to use their personal devices to connect to the net, even using military provided WiFI or cell sites, this is an example of how harmless data can spill important secrets.
One way to fix is to educate. If it is not believed that the low level personnel are capable of understanding, not tech savvy enough, to grasp what is and isn't a risk, then maybe simply forbid internet access.
Imagine this. A web site that you visit, or other innocent app that you use. It gathers your physical location. But no other important personal information about you other than an anonymous identifier. So all the provider can gather is pairs of anonymous IDs and geolocations. Now analyzing this simple two column table, you can observe that at certain class of IDs seem to move to various "at home" locations in the US (especially if "at home" is a military base),. and then at other times, some of those anonymous table rows then move to clusters of similar IDs which might be a secret base.
One fix might be to somehow eliminate any possible way your device could send any type of geolocation information. But how? Use GPS spoofers in personnel quarters and common areas? What about if you simply take a photo and Google is able to recognize that this photo is taken in Elbonia even though the photo tag says Ohio. Modern Android phones also have barometers. What about clusters of harmless barometer readings and associated anonmyous IDs. Could that reveal secret bases?
It's a tough problem to solve. Other than simply not allowing use of any type of internet connected personal devices. Or any type of geolocation devices. It could be that the military could come up with a smallish range of smartphones and apps that are government approved -- and are issued to deployed personnel as the only mobile phones they are allowed to use deployed to classified locations.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @05:39PM (7 children)
One major data point for IDing you is MAC addresses. Spoof them, browser imprint info, etc., and you'll fuzz up the databases.
(Score: 2) by DannyB on Monday January 29 2018, @06:13PM (6 children)
Unless there is some monkey business I am not aware of, the MAC address shouldn't leave the local network you are on. It is lost at the first router.
There are way better things to I-Ding you such as browser cookies, and various forms of stealth cookies. Even combinations of "harmless" info such as your exact user agent string, OS, type of processor, screen resolution, time zone. If JavaScript is enabled, then it is probably possible to identify which JS engine is in use. If JS engine conflicts with your user agent string, this provides a significantly more unique part of the overall identifier of who you are.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by VLM on Monday January 29 2018, @06:46PM (1 child)
Feature not a bug.
Its a remake of the old Hollywood movie plot about RF-ID passports where all you need is a sniffer to smell if someone's worth kidnapping, don't even need a decode/decrypt.
The modern hyper over complicated solution is you get a wifi or bluetooth sniffer on base or coffee house or whatever and sniff up a long list of american soldier's addresses, then the IED triggers when a known american soldier address walks within five feet. As with most hyper over complicated Hollywood movie plots its a hell of a lot simpler and faster to have a lookout attach a wire to a battery or at most do some foolishness with a modified RC car toy.
In Hollywood they'd IED blow them up, but in the real world its probably more logistically useful to have a live real time map of where "they" are vs where your caches of stuff and VIPs are located, and then use the live map data to keep your good stuff away from "them". Might not be able to fly a paper airplane without ADA radar detecting (and launching?) on it, but it would be pretty easy to sniff the hell out of soldiers phones or other electronics. US owns the air technical monitoring, opfor owns the ground technical monitoring.
(Score: 3, Interesting) by DannyB on Monday January 29 2018, @07:00PM
You seem to assume an enemy who already knows where the base is. Where it's coffee house is. Etc.
The point of TFA was that a secret, formerly unknown base, becomes discovered because of clusters of fitness tracking devices with unusually good scores.
I was speculating about other ways to discover such bases. Such as a number of known IDs that seem to move from the vicinity of military bases (known locations) to foreign locations in tight clusters in unknown, unpublished, and possibly behind enemy lines locations.
I was also speculating about possible measures to prevent discovery of secret unknown bases. If the enemy doesn't know where the base is, they can't plant an IED. If the base is a small secret base, its security might be largely based on its secrecy. It may not be heavily defended. Once the enemy discovers the location of a secret rebel base from fitness trackers, the imperial stormtroopers can storm right in.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @06:49PM (3 children)
On first guess, is there's a DOM call in the browser to exfiltrate your MAC addresses?
(Score: 2) by DannyB on Monday January 29 2018, @07:05PM (2 children)
Why would a browser offer the MAC address to JavaScript? I can't think of any good reason. The MAC is only useful for the first network hop to your local router. After that, it's gone.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @08:22PM (1 child)
It is useful as an identifier.
(Score: 2) by DannyB on Tuesday January 30 2018, @03:31PM
It's not useful to ME, the browser owner. The browser is supposed to be the User Agent. I already know my MAC address. Or can determine all of my MAC addresses (from all of my multiple net interface cards, transceivers and usb dongles) by other means than the web browser.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 3, Interesting) by VLM on Monday January 29 2018, @06:35PM
Not bad, but a more realistic real time analysis would be something like long term observation proves on average 10% of soldiers wake up two hours before duty, whenever that is, and go jogging. So at any given instant you can predict the number of soldiers going outside the wire on patrol two hours from now fairly accurately, 24x365. So a tenth of a platoon worth of jogging soldiers at two hours before local sunset indicates exactly one platoon sized patrol going outside the wire at sundown, prep a platoon's worth of IEDs etc.
A more insidious app would be Creech AFB is where all the UAV pilots live, so analysis of exercise patterns indicates shift changeover time is 4pm, so if you're going to F around and try to get away with something, plan it around end of shift when the previous shift is tired and/or right at shift changeover time. Of course in the real world no one could possibly be that stupid so I'm sure the shifts are all staggered... right?
Somewhat more sinister is direct action, this graph shows the number of people out on the base exercise track per hour, here's the GPS coordinates of that track and some mortars, I'm sure the bad guys can figure out when to fire for maximum effect.
A real Hollywood plot is DISA/NSA/redacted already knows and 99% of those plots are disinfo. There's only 50 navy seals in theater, not even at that base, but 500 seal accounts uploading fake data, the whole battalion is just a vmware cluster of hosts uploading fake data? Huh. You could really mess with the enemies mind, until they figure it out. Oh look all the known exercise jock accounts for an entire infantry company has evacuated from the supposedly now deserted village, what could possibly go wrong if we visit the supposedly now empty village LOL then boom like fifty claymore mines go off and the preplan arty barrage starts LOL scratch one opfor unit?
The meta issue is its a lot simpler and cheaper to buy an airline ticket if necessary and sit in the Starbucks near the base main exit for a couple hours and put little tally marks in a paper notebook, oh look almost no traffic out the gates except its super busy 4:05pm to 4:15pm, huh I wonder when shift change is, maybe 4pm? It doesn't require much thinking or training or CS degrees or data mining nosql databases.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @06:44PM (5 children)
Based on what this vulnerability actually reveals, I can say with authority that this is a massive problem.
I'm dead-certain that the FSB, ISIS, and the PLA are dying to know where every lard-ass supply sergeant or tinhorn 2nd Lieutenant goes jogging.
(Score: 2) by DutchUncle on Monday January 29 2018, @07:24PM (4 children)
Yes, especially if they're jogging at a forward operating base or advance airfield that isn't already on the map.
(Score: 0) by Anonymous Coward on Monday January 29 2018, @07:47PM
Awww, way to ruin a good knee-jerk reaction!
(Score: 0) by Anonymous Coward on Monday January 29 2018, @09:16PM (2 children)
Said bases and airfields are pretty obvious to satellites, recon drones, sigint, and some guy on a camel with binoculars.
(Score: 3, Funny) by Bobs on Monday January 29 2018, @09:27PM
True, but those camels tend to be really obnoxious, and often won't tell you what they see thru the binoculars. Might be easier to look it up online.
(Score: 2) by EvilSS on Monday January 29 2018, @10:16PM