U.S. military revising its rules after fitness trackers exposed sensitive data
washingtonpost.com
One popular route on a base in Iraq has been nicknamed “Base Perimeter” by the U.S. runners who regularly use it.
I'm truly gobsmacked that it never occurred to anyone that this might pose a problem. Maybe not the 19 year old grunt who signed up because getting a master's in CS wasn't in his future, but c'mon, there isn't someone responsible for preventing data leakage? This is not some corner case, or some side-channel attack; Strava's whole business model rotates around "track where you've been with extreme accuracy, and let the world know about it". Otherwise I'd just keep the data locally, like I did in the old days.
But even if kept locally, what happened to the worry of radio leakage? Ten years ago I worked on some stuff that might end up being used by the military, and I distinctly remember a co-worker who used to be pretty high up in the army (colonel, maybe?) pointing out that in the field things like Bluetooth, et al., were generally frowned upon for what I thought would be obvious reasons. Perhaps with the subsequent advent of more and more devices emitting radio signals, what used to be obvious isn't so obvious anymore, so now we let military personnel run around with devices on their wrist that signal to anyone within 30m that they're there.
Tech evolves at least a magnitude faster than our thinking and even faster than our institutions.
Institutions tend to optimize so they run close to the redline, busy with a lot of stuff as it is. Adding more tasks, making them important, making everyone get educated and compliant is a huge undertaking.
Noticing and discerning what needs to be prioritized, in areas presenting such volatility and new possibilities as smartphones, apps, and data security could be daunting to do selectively.
They could ban cell phones / bt devices altogether but that will likely not go well.
As for our relationship with security, I find Richard Feynman’s experiences delightfully relevant:
http://calteches.library.caltech.edu/34/3/FeynmanLosAlamos.h...
Edit: typo
> Maybe not the 19 year old grunt who signed up because getting a master's in CS wasn't in his future
Can we please drop the elitist attitude and explicit assertion that enlisted military personnel are stupid and that CS students are intelligent.
I never brought up intelligence, I brought up the fact that I don't expect a Marine boot camp graduate with no specialized education to be the one thinking about these hard questions. Just like you don't want me, someone who has only fired an AR15 a few times, covering your ass on patrol. But despite your protestations to the contrary, the underlying assumption in my statement was that the military has someone on board, intelligent or not, who has been trained specifically to think around these very topics. That someone should not be a 19 year old kid whose only training consists of handling a rifle and whatever else combat troops are trained to do. There should be someone else who tells that kid, "hey, take off that FitBit before you head out."
> who signed up because getting a master's in CS wasn't in his future
Why did you make this statement? How did that help reinforce your point?
I don't disagree with your broader point at all, but I am annoyed by the fact that you made a causal connection between enlisting in the military because "because getting a master's in CS wasn't in his future"
> casual connection between enlisting in the military because "because getting a master's in CS wasn't in his future"
"Casual connection"? There was a direct connection with quite a few folks I grew up with. Because college costs money, which they didn't have. Argue all you want, I've seen it with my own eyes. You're the only one implying anything about intelligence.
This is getting down-voted but it's fair criticism of the parent comment. As a former Army grunt-turned-dev, I can personally verify that there are many very smart military personnel. They do deserve some blame for failing to imagine how their data could be used by our adversaries. It's a major OPSEC issue, no doubt, and a great learning opportunity for the military. Troops on the ground are adopting consumer tech too quickly for the DoD to keep up. In my experience in wartime operations overseas, this is often a failure to see the forest for the trees; that is, you're too involved in operations on the ground to see the danger of the (seemingly) innocent technology you're using to make your life easier, better, etc.
What an interesting time to be in intelligence gathering.
Why even bother breaking into an air gapped DoD network to get classified data when you can target all these third party cloud companies that have secondary data that isn't air gapped in classified networks, and most won't have the security resources to really lock things down.
This is somewhere in the awkward middle between what's called "open source intelligence" and traditional intelligence.
I don't envy defensive cybersecurity staff and their jobs/responsibilities.
One of the jokes going around Twitter last night was whether or not Strava would be able to handle the server load from all the intelligence agencies breaking in and dumping their data.
This isn't just heat maps they have, they have the movement and timestamped location of millions of people around the world. Undoubtedly some of those people are "interesting" to someone, especially since Strava just revealed that a lot of them hang out in unique places.
edit: For example: https://twitter.com/thegrugq/status/957851350099832834
Geez yeah no kidding. And they'll have other account data like first and last names. But then again, it's likely they've already been hacked (same with FitBit) and don't even know it.
The data these companies have is too valuable, cleanly IoT collected, and keyed by email, for nation states to not try to get.
I think that the idea of privacy is wishful thinking if the people in these locations are allowed to have their own unvetted electronics. It would not take more than one trojan smartphone application with a social media login until you are able to identify the person (and maybe graph more out of that, no GPS needed!).
And as an anecdote, back during my conscription, we were told to disable location services altogether and not take photos during training sessions, but I honestly think it had more to do with keeping in mind the best practices rather than avoiding anything to get "leaked". The officers were sometimes seen with phones of their own, meaning the government issued tinfoil ones.
What activity would generate the tracks in the middle of the ocean? As I understand Strava, whenever I switch it on it tracks my activity at that moment until I switch it off. Looking at the heat maps I get the impression that there is always-on data being tracked in addition to those that are intending to track a specific activity. Do Fitbits worn 24/7 submit data constantly to Strava?
Running on cruise ships, maybe?
there's tracks from what looks like the Bermuda-Newport yacht race.
the more I look over the heat map the more I think that there's always on data being tracked out here. there's NO WAY this is just running and cycling routes.
There's a button with waves which I assumed at first was swimming but seems to also trace boat routes.
I don't know how to explain that still.
Nor I. Let's just have some popcorn and enjoy the fall out I guess.
I saw this unfolding bit by bit and thought: Wow, these people have not been paying attention during the AOL 'anonymized' research database fiasco.
Let's wait to see how long it will take before someone figures out how to ID the security detail jogging with a president somewhere.
look at the White House lawn in the heat map, there's what looks like data from someone walking the yard.
Obama wears/wore a Fitbit. But the tracks on top of the WH look like intermediate paths, e.g. someone jogs past the SE corner at e.g. 9:20, and the GPS signal is lost, and then they are spotted again at 9:40 at the NW corner, then the line would be drawn across the WH.
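The straight-line-across-a-gap effect described in the comment above is an artifact of naive track rendering: when consecutive fixes are joined without regard to how much time passed between them, a GPS dropout produces a phantom segment through whatever lies between the two real positions. The following is an added example (not code from the thread, from Strava or from any fitness app) showing how a publisher or analyst can detect that artifact before rendering: split a track into segments wherever the time gap or implied speed is implausible, then count how many drawn segments would cross a sensitive polygon. All coordinates and the "restricted" rectangle are constructed placeholders, not real sites.

```python
import math
from dataclasses import dataclass


@dataclass
class Fix:
    t: float    # seconds since start of activity
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    r = 6371000.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def split_track(fixes, max_gap_s=120.0, max_speed_mps=7.0):
    """Break a track into segments at GPS dropouts (long time gaps) or
    implausible implied speeds. Consecutive fixes within a segment may be
    joined by a line; fixes in different segments must not be."""
    segments = [[fixes[0]]]
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        dist = haversine_m(prev, cur)
        if dt > max_gap_s or (dt > 0 and dist / dt > max_speed_mps):
            segments.append([cur])   # start a new segment; do not bridge the gap
        else:
            segments[-1].append(cur)
    return segments


def point_in_polygon(lat, lon, poly) -> bool:
    """Ray-casting test; poly is a list of (lat, lon) vertices."""
    inside = False
    n = len(poly)
    for i in range(n):
        y1, x1 = poly[i]
        y2, x2 = poly[(i + 1) % n]
        if (y1 > lat) != (y2 > lat):
            xint = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < xint:
                inside = not inside
    return inside


def line_crosses(a: Fix, b: Fix, poly, steps=50) -> bool:
    """Does the straight line a rendering would draw between a and b pass
    through poly? Sampled along the line; adequate for short segments."""
    for k in range(steps + 1):
        f = k / steps
        if point_in_polygon(a.lat + f * (b.lat - a.lat), a.lon + f * (b.lon - a.lon), poly):
            return True
    return False


def count_crossings(segments, poly) -> int:
    """Number of drawn line segments that would cross poly."""
    return sum(line_crosses(p, q, poly)
               for seg in segments for p, q in zip(seg, seg[1:]))


# Constructed placeholder: a rectangle standing in for a sensitive area.
RESTRICTED = [(38.8970, -77.0380), (38.8970, -77.0350),
              (38.8990, -77.0350), (38.8990, -77.0380)]

# Constructed track: a jog along the south side, a 20-minute GPS dropout,
# then fixes resuming on the north side. Neither leg enters the rectangle.
TRACK = (
    [Fix(60 * i, 38.8960, -77.0390 + 0.0012 * i) for i in range(5)]        # t = 0..240
    + [Fix(1440 + 60 * i, 38.9000, -77.0390 + 0.0012 * i) for i in range(5)]  # t = 1440..1680
)


def phantom_crossings(fixes=TRACK, poly=RESTRICTED) -> int:
    """Crossings a naive renderer draws (joins every consecutive pair)."""
    return count_crossings([fixes], poly)


def real_crossings(fixes=TRACK, poly=RESTRICTED) -> int:
    """Crossings after splitting the track at gaps."""
    return count_crossings(split_track(fixes), poly)


if __name__ == "__main__":
    print("segments after gap split:", len(split_track(TRACK)))
    print("naive crossings:", phantom_crossings())
    print("gap-aware crossings:", real_crossings())
```

The dropout here is 1200 seconds over roughly 600 metres, so the implied speed is a perfectly plausible 0.5 m/s; only the time-gap rule catches it, which is why both checks are needed. A heat-map pipeline that splits on gaps before rasterising would not draw the phantom line, and the same crossing count is a cheap audit metric for tracks that touch a known-sensitive polygon.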
Like any other data breach, it speaks for the customers who want offline, non-cloud solutions...
that makes sense.
I looked this up on the map and the only activity I see is in The Ellipse and Lafayette Square. I see no activity at all around the White House itself or the South Lawn. Has the data since been scrubbed?
The Pentagon is also entirely dark.
this is what I see when I look at the south lawn https://imgur.com/DslRELO
it's faint, indicating it may only be one or two users who tracked their activity there, but it's there.
I switched to another color and set to only foot traffic and I see some faint activity but it appears to run along the fence, I don't see anything inside what I think is the secure perimeter of the White House grounds. I admit to not being familiar with the perimeter there though.
there's tracks on the runways at Andrews air force base.