About 3 years ago, a former Russian submarine commander accused of a missile attack in Ukraine that killed 23 civilians was shot and killed, apparently after his route was tracked via Strava.
This provides a great cover for intelligence agencies to avoid disclosing their actual data source. Just point to Strava and hand-wave a little. Nobody will suspect that you actually had an in via a close associate of the target.
It’s called parallel construction in many related circles and is used on a daily basis even in communities like yours.
For example, do you have information obtained from illegal surveillance technology to know of an illegal activity happening in a house? Well, why not just ask very forcefully of someone facing inflated jail time, whether they happen to remember… after thinking really hard about it… having seen that illegal activity in that particular house they definitely have been in, to get the warrant approved by a judge.
Crazy to die because you used a jogging app. Really goes to show the value of privacy. And, you know, not committing war crimes that would make people want to hunt you down and kill you. Either or.
Location data is arguably more important than financial or medical data. At least in a context where someone is after you. Thanks to bribery and data brokers, it doesn't have to be anyone in Govt or LE tracking you. Collect certain identifiers from a device or account and you can track almost anyone. Financial and medical data access is certainly bad, but your location data can be used to orchestrate a stalking campaign or a murder in a deniable way.
It is why after the U.S. kills or captures some foreign leader, they brag about figuring out their routes and daily habits. It is not a stretch to say that it could also be done, and probably has before, in the U.S.
Extreme penalties should be put in place for any location data access without a court order... And your location should never be allowed to be sold or shared with any non court approved third party. It really is that serious and if the public had the bandwidth to be concerned over another issue, maybe something would change.
Who knows, maybe all the public needs to take it seriously are some real life examples of location data being used illegally...
Some countries make a citizen's residential address public under certain circumstances, i.e. business ownership. There's nothing you can do to erase it once it is registered. It really sucks because you may have a business that involves having a public product that is used by thousands of people. Any disgruntled user can look up where you live.
Hmm yeah but then I'm one of 80 million choices in my country. Committing war crimes tends to single one out.
I do really value my privacy but the problem is one doesn't control this very much.
Recently in Holland one of the major ISPs got breached and 6 million customers got their data leaked. This is something you can't take control of as a customer, and you're not going to move every time this happens.
Also, not too long ago we had this big book that contained everyone's address unless they opted out, just saying. Was even delivered for free yearly.
>Hmm yeah but then I'm one of 80 million choices in my country.
If we are talking about some random terrorist or something like that, yes.
But sometimes it's more personal despite the fact that you did nothing wrong objectively.
Jealousy (you got a girl and her ex took it too close to heart), envy, disputes in an altered state (drunk fight). Etc.
My uncle (mother's side) has schizophrenia and constantly threatens to find someone to kill me and my entire family (including his sister of course).
Yes? Why do you think I am American or do not find that utterly reprehensible? Downthread I even already said that it's obviously fair game for Iranians to hunt down any American officer they could kill.
I have to call out this disingenuous mob-like language which is basically saying "because this person served in the military of a UN Security Council member, it is justifiable to murder them in the street years into their retirement".
how is a submarine commander committing war crimes?
By the same way of thinking, it would be completely justified for people from many countries to show up at random US service members' houses and shoot them in the street, or perhaps attack their embassies, commit suicide bombings...
This is a common problem across militaries. It is difficult to stop soldiers from leaking their location if they have access to mobile phones and the Internet. Individual cases are usually a combination of naïveté, ignorance, and an unwillingness to be inconvenienced.
It still happens in Ukraine, where immediate risk to life and limb is much more severe than this case.
Along with the Strava secret base location leak, another interesting one was the ship with a contraband Starlink:
> As the Independence class Littoral Combat Ship USS Manchester plied the waters of the West Pacific in 2023, it had a totally unauthorized Starlink satellite internet antenna secretly installed on top of the ship by its gold crew's chiefs. That antenna and associated WiFi network were set up without the knowledge of the ship's captain, according to a fantastic Navy Times story about this absolutely bizarre scheme. It presented such a huge security risk, violating the basic tenets of operational security and cyber hygiene, that it is hard to believe.
I disagree with the characterization that this is a security flaw unaddressed by Strava. Does anyone (the French military in this case) really want Strava to be responsible for deciding if the data is from a sailor on a military ship vs. a tourist on a cruise ship? It's operational security, and the French military alone is responsible for the policies and processes that maintain its security.
The idea that the public profile is the problem is ludicrous. The French military should have a problem with any geolocation data about its deployed sailors ever leaving its own networks.
IIRC the USA had similar issues with soldiers using Strava exposing secret bases[0]. I wonder what kind of connectivity they had: was it satellite internet for the carrier, or did it sync once they got close to the shore? For the first one maybe they should switch to a whitelist and not whitelist Strava.
I am more surprised at the concept of something the size of an aircraft carrier being expected to have some level of location privacy. I would think the general area of the world it's operating in could be deduced easily from its last port of call and other things; a cheap amateur home-made radar can have a general idea within a few sq-km resolution by pinging from any littoral up to a few hundred km. I would also have thought that anyone who would care about targeting an aircraft carrier at a greater distance from a coast would also have access to satellite imagery and high-altitude UAVs.
I have seen more concerning things being revealed, like locations of secret bases, and even internal building maps by looking at troops' WiFi, but those are secret places.
This is always Strava, isn't it? Was it the Finnish security services that leaked the exact location of the president because some of them wanted to share their runs? Why don't militaries and security services just ban it?
Cruising speed of Charles de Gaulle is 27 knots, which would give the runner a pace of around 1:10 min/km depending on direction. That would really screw up your Strava stats.
An aircraft carrier can be seen with the naked eye from 10 meters above the shore for about 28 miles.
So the entire Spanish coast, Moroccan coast, Algerian coast, Mallorca, Sardegna, Sicily, Tunisia, the Greek isles, and who knows how many cruise ships, fishing vessels, and commercial aircraft all saw this ship.
This is a repeating phenomenon, and probably worse on land. Fitness and run tracking apps also reveal troop locations and concentrations on land (location clusters reported by apps targeted at non-local-language audiences stick out like a sore thumb).
What's funny is I can imagine the sailor not understanding how the code works and properly setting up a "privacy zone" while at port to mask his location and verifying it was working while there
Then of course while at sea, it's the same ship but a different location.
Not like your home or workplace typically relocates itself.
Imagine being a coder at Strava trying to figure out how to deal with that; it's technically not possible.
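To illustrate the point above about a fixed privacy zone doing nothing once the ship sails, here is an added example (not Strava's code; the pier and at-sea coordinates are constructed placeholders) that applies a home-style privacy zone to a constructed deck-run track at the pier and to the same loop at sea, and then shows that anchoring the zone to the run's own start hides the entire activity instead.

```python
import math

# Constructed example: a Strava-style "privacy zone" is a circle around a
# FIXED point (home, workplace, pier). Points inside it are not published.
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def loop_track(center, radius_m=150.0, points=24):
    """Constructed deck-run track: `points` GPS fixes on a circle of radius_m
    around `center`, roughly the size of laps around a flight deck."""
    lat0, lon0 = center
    m_per_deg_lat = 111_320.0
    m_per_deg_lon = m_per_deg_lat * math.cos(math.radians(lat0))
    return [(lat0 + radius_m * math.sin(t) / m_per_deg_lat,
             lon0 + radius_m * math.cos(t) / m_per_deg_lon)
            for t in (2 * math.pi * i / points for i in range(points))]


def apply_privacy_zone(track, zone_center, radius_m):
    """Return only the points that would still be published: everything
    farther than radius_m from the fixed zone centre."""
    lat0, lon0 = zone_center
    return [(lat, lon) for lat, lon in track
            if haversine_m(lat, lon, lat0, lon0) > radius_m]


def exposure_ratio(track, zone_center, radius_m):
    """Fraction of the track published despite the zone (0.0 = fully hidden)."""
    return len(apply_privacy_zone(track, zone_center, radius_m)) / len(track)


# Placeholder coordinates (constructed, not a real berth or position).
PIER = (43.10, 5.90)
AT_SEA = (36.00, 14.00)
DOCKED_TRACK = loop_track(PIER)
AT_SEA_TRACK = loop_track(AT_SEA)

if __name__ == "__main__":
    zone_r = 1000.0  # 1 km zone set up while docked, "verified" in port
    print("docked, zone at pier :", exposure_ratio(DOCKED_TRACK, PIER, zone_r))
    print("at sea, zone at pier :", exposure_ratio(AT_SEA_TRACK, PIER, zone_r))
    # The only zone that follows the ship is one anchored to the run itself,
    # which hides every point, i.e. there is nothing left worth uploading.
    print("at sea, zone at start:", exposure_ratio(AT_SEA_TRACK, AT_SEA_TRACK[0], zone_r))
```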
However it's a great marketing opportunity for Stryd footpod which can track distance without GPS
I wonder what a moving deck at even 10mph would do to a Stryd though
The GPS must have added 10mph? But it's all relative to the deck vs the sea, hmm
Sarah Adams (ex-CIA, The Watchfloor podcast) literally discussed this possibility yesterday in a podcast titled "Your Phone Isn't Safe Right Now"
Most people here are tech savvy and understand VPNs, location sharing in apps, privacy agreements, metadata in shared/posted JPEG files, etc., but the episode I mentioned is like 20 minutes & provides maybe 100 different things you can do to reduce your footprint & increase your security while traveling abroad.
According to her, the biggest threats were fitness apps & dating apps (both of which are mentioned heavily here in the comments)
Think about it: suddenly, in the middle of the desert in Afghanistan/Iraq/Syria/Niger/Djibouti a bunch of people start using a fitness tracker every morning (and the clusters show up in Strava). Did some village suddenly jump on the "get fit" bandwagon? Or could it be a bunch of US Marines/SpecOps/etc people trying to keep fit.
More than accurate enough to put an ASM in the right ballpark.
Modern militaries face some interesting challenges.
Possibly mobile apps should be designed to be somewhat secure for military use by default, backed by law.
Alternately, phones should have a military-safe OS with a vetted app store. Something like F-Droid, or more on toto phone ubuntu, but tailored.
Obviously, you still need to be security conscious. But a system that is easy to reason about for mortals would not be a bad idea.
Rules like secure by default, and no telemetry or data exfiltration, (and no popups etc), wouldn't be the worst. Add in that you then have a market for people to actually engage with to make more secure apps, and
A) Military can then at least have something like a phone on them, sometimes. Which can be good for morale.
B) It improves civilian infrastructure reliability and resilience as well.
Seems we need a new digital category for Darwin Awards.
This is the modern way to die of stupidity — use your fitness watch app to log your miles on an online app instead of locally — so reveal your operational location.
The US had one of its secret bases in Afghanistan fully mapped for anyone to see by its residents logging their on-base runs.
Now, the French aircraft carrier is pinpointed en route to a war zone.
Yes OPSEC is hard, and they should be trained to not do this, but it seems to be getting ridiculous. If I were in command of such units, I'd certainly be calling for packet inspection and a large blacklist restriction of apps like that (and the research to back it up).
Local first is not just a cute quirk of geeks, it is a serious requirement.
https://edition.cnn.com/2023/07/11/europe/russian-submarine-...
https://gijn.org/stories/investigations-using-strava-fitness...
> not committing war crimes that would make people want to hunt you down and kill you
People may want to kill you for different reasons though. No need to commit any crimes.
> People may want to kill you for different reasons though. No need to commit any crimes.
Or "crimes". (Stay away from windows.)
https://en.wikipedia.org/wiki/Mariupol_theatre_airstrike
https://en.wikipedia.org/wiki/3_March_2022_Chernihiv_bombing
https://en.wikipedia.org/wiki/16_March_2022_Chernihiv_breadl...
https://en.wikipedia.org/wiki/August_2023_Chernihiv_missile_...
https://en.wikipedia.org/wiki/Russian_strikes_against_Ukrain...
https://en.wikipedia.org/wiki/2023_Dnipro_residential_buildi...
https://en.wikipedia.org/wiki/8_July_2024_Russian_strikes_on...
https://en.wikipedia.org/wiki/Chaplyne_railway_station_attac...
https://en.wikipedia.org/wiki/Lyman_cluster_bombing
https://en.wikipedia.org/wiki/Kramatorsk_railway_station_att...
https://en.wikipedia.org/wiki/2023_Kramatorsk_restaurant_mis...
https://en.wikipedia.org/wiki/July_2022_Chasiv_Yar_missile_s...
https://en.wikipedia.org/wiki/April_2023_Sloviansk_airstrike
https://en.wikipedia.org/wiki/2024_Kostiantynivka_supermarke...
https://en.wikipedia.org/wiki/2025_Yarova_attack
And many more, the Russian armed forces being the consistent all-time barbarian horde of Europe.
[0] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
We are not talking about stealth vehicles.
Clearly we're not learning from our mistakes...
It would be another matter if that was tracking a nuclear submarine...