Strava is a fitness app. So, apparently, the security detachment of political figures tends to use the app, presumably because they're into fitness and keep in shape, and their location can be tracked through the app.
As the security detachment tends to travel with the people they protect, political leaders' locations can be inferred.
The article talks about bodyguards not being allowed to use social media/apps while on the job, but they allow for provisions on use when not on active duty. So, I guess, the guards get a day off, use the app, wherever they are, broadcasting their location.
Crazy stuff.
kkielhofner 3 hours ago [-]
Shouldn't be much of a surprise, this made news back in 2018 when the same was realized with soldiers and secret military bases:
https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
Yeah, the targeting isn't that difficult, I guess. If you know crown prince Akeem Joffer was in New York 5 days ago, and was in Paris 3 days ago, you can probably diligently query Strava users who weren't in New York for a long time but showed up 5 days ago, and see if they showed up in Paris 3 days ago, and boom, you've found a member of his entourage.
Even if they use the anonymizing feature that masks their start/end points, if you find a few other members, you might be able to triangulate a big hotel near them and guess that that's where the crown prince stayed... and the next time you hear he's coming to NY/Paris, you have this information.
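The co-travel query the comment above sketches, written out as an added example (editorial code, not something the commenter or Strava published). The athlete records, the cities, the dates and the "crown prince" itinerary are all constructed for the demonstration. The lookback window is the part worth studying: it is what separates a visiting entourage member from a local who happened to train in both cities, and setting it too short lets locals back into the candidate list.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data, not real Strava records: (athlete, city, activity date).
# "alice" and "erin" are locals who happened to be in New York that day;
# "bob" is the only athlete who appears at both stops without a local history.
ACTIVITIES = [
    ("alice", "New York", date(2024, 10, 20)),
    ("alice", "New York", date(2024, 10, 25)),
    ("alice", "Paris", date(2024, 10, 27)),
    ("bob", "Washington", date(2024, 10, 1)),
    ("bob", "New York", date(2024, 10, 25)),
    ("bob", "Paris", date(2024, 10, 27)),
    ("carol", "New York", date(2024, 10, 25)),
    ("carol", "New York", date(2024, 10, 28)),
    ("dave", "Paris", date(2024, 10, 27)),
    ("erin", "New York", date(2024, 10, 5)),
    ("erin", "New York", date(2024, 10, 25)),
    ("erin", "Paris", date(2024, 10, 27)),
]

# The hypothetical VIP's publicly known itinerary: (city, date).
ITINERARY = [("New York", date(2024, 10, 25)), ("Paris", date(2024, 10, 27))]


def co_travelers(activities, itinerary, tolerance_days=1, lookback_days=30):
    """Athletes present at every itinerary stop (within tolerance_days) who had
    no activity in that city during the lookback_days before the visit, i.e.
    who look like visitors travelling with the VIP rather than locals."""
    by_athlete = defaultdict(list)
    for athlete, city, day in activities:
        by_athlete[athlete].append((city, day))

    tol = timedelta(days=tolerance_days)
    look = timedelta(days=lookback_days)
    matches = []
    for athlete, acts in by_athlete.items():
        fits_every_stop = True
        for city, day in itinerary:
            present = any(c == city and abs(a - day) <= tol for c, a in acts)
            # Earlier activity in the same city (before the arrival window) suggests a local.
            local = any(c == city and day - look <= a < day - tol for c, a in acts)
            if not present or local:
                fits_every_stop = False
                break
        if fits_every_stop:
            matches.append(athlete)
    return sorted(matches)


if __name__ == "__main__":
    print(co_travelers(ACTIVITIES, ITINERARY))                   # ['bob']
    print(co_travelers(ACTIVITIES, ITINERARY, lookback_days=3))  # locals leak back in
```

Against real data the same query would run over activity start/end coordinates bucketed into cities, and the attacker would add a third stop as soon as one is known; each extra stop shrinks the candidate set far faster than the lookback filter does.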
mandevil 4 hours ago [-]
Cell phone tracking is better at surveillance than the best stuff the military has.
https://www.washingtonpost.com/national-security/2024/02/22/... has a fun story about a time at Fort Irwin (US Army laser tag in the desert) one side couldn't figure out how an attack helicopter got through their defenses, until they did some queries on a commercial cell phone tracking database and found the cellphone moving across the desert at 120mph. Hole identified, plugged for the next round.
And also talks about how the Ukrainians and Russians are having a great deal of trouble with cell phone OPSEC even after years of shooting war.
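The Fort Irwin anecdote above (a handset crossing the desert at 120 mph standing out in a commercial location database) reduces to a simple speed-between-pings check. The following is an added example, editorial code rather than anything from the comment or the Washington Post piece; the pings are constructed, placed roughly in the Fort Irwin area, and the 100 km/h threshold is an assumption chosen to separate aircraft from road traffic.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_fast_movers(pings, min_kmh=100.0):
    """pings: iterable of (device_id, unix_seconds, lat, lon).
    Returns {device_id: fastest_leg_kmh} for every device whose speed between
    two consecutive pings reached min_kmh."""
    by_device = defaultdict(list)
    for device, ts, lat, lon in pings:
        by_device[device].append((ts, lat, lon))

    flagged = {}
    for device, points in by_device.items():
        points.sort()  # chronological order
        fastest = 0.0
        for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
            hours = (t1 - t0) / 3600.0
            if hours <= 0:
                continue  # duplicate timestamp: no speed can be derived
            fastest = max(fastest, haversine_km(la0, lo0, la1, lo1) / hours)
        if fastest >= min_kmh:
            flagged[device] = round(fastest, 1)
    return flagged


# Constructed sample pings (not a real dataset), ten minutes apart, near the Fort Irwin area:
# a phone on foot, a phone in a truck, and a phone that covered about 33 km in ten minutes.
PINGS = [
    ("walker", 1_700_000_000, 35.2600, -116.6900),
    ("walker", 1_700_000_600, 35.2650, -116.6900),
    ("truck", 1_700_000_000, 35.2600, -116.6900),
    ("truck", 1_700_000_600, 35.3500, -116.6900),
    ("heli", 1_700_000_000, 35.2600, -116.6900),
    ("heli", 1_700_000_600, 35.2600, -117.0500),
]

if __name__ == "__main__":
    print(flag_fast_movers(PINGS))                # only "heli"
    print(flag_fast_movers(PINGS, min_kmh=50.0))  # "truck" as well
```

The defensive reading is the same as the offensive one: if a phone inside your formation can be singled out this easily by a vendor dataset, the phone should not have been switched on.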
wildzzz 3 hours ago [-]
An old coworker used to work on what is basically a Stingray for air platforms with some sort of direction-finding capability. Presumably, you'd strap it to a drone and fly it over villages where you suspect bad guys are. Do this every few days and in multiple locations and you'd establish patterns of movement and links between networks of people.
giraffe_lady 1 hours ago [-]
Or where journalists or doctors are. The technology is neutral, after all.
computerthings 6 minutes ago [-]
All too often "bad guys" are just a fig leaf for the absolute worst guys.
“Now the police dreams that one look at the gigantic map on the office wall should suffice at any given moment to establish who is related to whom and in what degree of intimacy; and, theoretically, this dream is not unrealizable although its technical execution is bound to be somewhat difficult. If this map really did exist, not even memory would stand in the way of the totalitarian claim to domination; such a map might make it possible to obliterate people without any traces, as if they had never existed at all.”
- Hannah Arendt
jklinger410 3 hours ago [-]
Cell phone tracking _is_ what the military has.
Seeing through walls with WiFi is better. Or slurping up the main pipes and decrypting it. Which they also have.
taeric 4 hours ago [-]
Probably not better than the best stuff the military has... Still really good, mind.
And, yeah, unintended uses are usually prime locations for security breaches. For a long time (maybe still?) metadata on pictures that people post would reveal far more than people meant. Thumbnails of cropped pictures, even.
FactKnower69 3 hours ago [-]
>Probably not better than the best stuff the military has...
Military tech is always a decade ahead of civilian, that's why the US has easily won every armed conflict they've entered into in the past 50 years
JohnMakin 2 hours ago [-]
I know for a fact that swaths of critical military infrastructure sit in AWS, so I personally doubt this is true.
chatmasta 2 hours ago [-]
I’m not sure this has been true since the advent of the internet. I don’t believe there’s an entire shadow sphere of academia that is decades ahead of what’s openly published.
For nuclear energy, this might be true. But for nearly any other topic I’m very skeptical.
paganel 2 hours ago [-]
> has easily won every armed conflict they've entered into in the past 50 years
That's just false. Ok, maybe you don't count Vietnam, because the US "entered" there in the '60s, but Afghanistan was a sure loss and I'd say the same for Iraq (seeing how it's now in Iran's sphere of influence, which it wasn't under Saddam). Yes, they might have won some tactical battles, most probably all of them, come to think of it, but the wars themselves were lost.
Read like sarcasm to me.
Strava heatmap can be used to locate military bases - https://news.ycombinator.com/item?id=16249955 - Jan 2018 (271 comments)
Turns out soldiers enjoy tracking their runs around the base!
OgsyedIE 3 hours ago [-]
The simplest solution to this is bureaucratic. Establish an app approval cybersecurity office within some agency and have the office make two lists: apps that have specific security configurations that need to be enabled and apps that are outright banned.
Then you just make compliance with the lists necessary for certain security clearances.
Muromec 1 hours ago [-]
Nononon, you make one list:
- apps that are allowed to be installed, pinned by version with a person responsible for monitoring them
r00fus 3 hours ago [-]
This is why I only use Strava to share with my followers.
Yes, it's an extra step after my workout to edit, add pics if any, choose my activity level if I was too lazy to put on my HR monitor, and then only post to my followers.
Yes, this means I get fewer likes and can't participate in challenges etc. But it's really about sharing with my colleagues and friends so they can motivate me for my next ride.
marcellus23 3 hours ago [-]
You can set your activities to be private by default, you don't need to change it for every activity individually after you upload it.
r00fus 3 hours ago [-]
Yes, mine are. I explicitly share some activities.
soco 2 hours ago [-]
It's not clear to me whether the location was made using the public, as in shared, information, or information set as private. So did they masquerade as followers, or hacked the system?
loeg 2 hours ago [-]
You're a bodyguard for a head of state? Probably no one cares about your location.
zardo 3 hours ago [-]
> This is why I only use Strava to share with my followers.
You travel with one of the most powerful people in the world?
tonymet 3 hours ago [-]
I wouldn’t trust their security restrictions. Their API and authentication is primitive. For a while I ran a basic bot to automate data extraction. Their security is 20+ years behind other social networks.
You likely have bot followers and API calls that can read your latest activity GPX data
loeg 2 hours ago [-]
Facebook is barely 20 years old. No active social network is "20+ years" advanced of any other, because it's longer than their entire history.
tonymet 53 minutes ago [-]
What takes one person a year takes another person 5
TrevorJ 3 hours ago [-]
Not sure if the format for this article is standard these days, but oh man do I hate it.
davidsawyer 2 hours ago [-]
Reads like a remix of how Axios articles are.
netsharc 3 hours ago [-]
In video form (the Guardian article talks about a Le Monde investigation):
- Pt 1: https://www.youtube.com/watch?v=4eQKnV0zsMc
- Pt 2: https://www.youtube.com/watch?v=KX7f1PwXEWg
The 2nd video focuses on the US Secret Service, finding 26 profiles of Biden's protection (and 100+ users who were geolocated inside the S.S. training facility). During the credits of that video, a journalist says, "Despite our warning about this issue to the US authorities, 14 of the 26 profiles are still public."
slibhb 4 hours ago [-]
Was there a breach with Strava or did people simply choose to publish their location publicly?
pndy 3 hours ago [-]
They recently introduced the "Athlete Intelligence" [1][2] feature, which wasn't received well by users, so I'd guess this is a PR stunt so people would forget about it.
[1] - https://www.forbes.com/sites/cyrusfarivar/2024/10/12/strava-...
[2] - https://communityhub.strava.com/t5/strava-features-chat/opt-...
Along these lines some cyclists have had their gear stolen by thieves who figured out where they live from Strava data.
They have a feature to block part of your route when near your home but some folks aren’t aware of it (or learn the hard way)
nickff 3 hours ago [-]
That feature is fairly recent, and I believe it is now enabled by default.
hondo77 3 hours ago [-]
If by "is fairly recent" you mean "has been around for over six years", yes.
aynyc 2 hours ago [-]
Strava deserves all the blame it gets, but don't you need some serious skills to find out who the agents guarding Biden/Harris/Trump are? I mean, if you can literally track down the names of Secret Service agents guarding VIPs, then you can probably easily track them with other means (phone, for example), no?
Speaking out of most likely ignorance of the Secret Service, I was in the US Marines. I dealt with Marine snipers a few times during training exercises, where we mainly served as security protection. I've seen them train, shoot and handle combat scenarios. If any of those Marine snipers wanted to take a shot at a VIP, I can't imagine the Secret Service would be able to do anything to stop it. Some of the snipers are putting rounds into a postage stamp at 1,000 yards / 900 meters.
loeg 2 hours ago [-]
> Strava deserves all the blame it gets
Not sure why Strava deserves any blame here. It's explicitly a social network for sharing your location and other training data. If you use it and share your location, that's it functioning exactly as designed.
MR_Bulldops 1 hours ago [-]
Strava has (rightfully) received no blame, so they were accidentally right!
loeg 1 hours ago [-]
It's pretty clear that at least some users in this thread blame Strava for some things.
sam_lowry_ 3 hours ago [-]
The problem with Strava is how invasive their location sharing is.
One has to actively search to disable it. And the integrations with Garmin Connect and the others are even worse.
notatoad 3 hours ago [-]
it's not "invasive", it's a location sharing app.
if you don't want to share your location, you probably should not use location-sharing apps.
RobRivera 2 hours ago [-]
A fitness app that features location-sharing features.
When I think of location sharing apps, I think of Garmin inReach for search and rescue.
tedunangst 1 hours ago [-]
Was the Biden Xi meeting supposed to be a secret? I think it's generally not difficult to locate the president.
TheRealPomax 2 hours ago [-]
I guess strava users didn't learn from the first time.
tonymet 3 hours ago [-]
Strava has suffered from this and had known attacks for 10+ years now. There was a famous case around Colorado of a mistaken doxxing attack driven by Reddit. Due to mistaken identity, attackers pursued an innocent victim using their Strava account. The Strava location was the cause of both the mistaken identity case and abused to find and dox the victim.
Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.
The company has never adequately responded to privacy concerns despite many abuse cases.
loeg 1 hours ago [-]
> Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.
That is not true. It picks a single random centroid near your privacy location and does the privacy feature based on that. Triangulation finds the random centroid, which is crucially not your hidden location.
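The disagreement in the two comments above (whether the start/end "bubble" can be triangulated back to the hidden location) can be checked with a simulation. The following is an added example, editorial code and not Strava's implementation, which is not documented on this page; it models both variants as an assumption: a naive privacy circle centred on the home, and the scheme loeg describes, a circle centred on a fixed random centroid near the home. The attacker collects the first published point of many activities (all of which sit on the circle's edge) and fits the circle with a least-squares (Kasa) fit. Coordinates are local metres around the home, and the activities are assumed to leave home in straight lines in random directions.

```python
import math
import random


def published_start(home, centroid, radius, heading):
    """First point an attacker sees of a straight-line activity that starts at
    `home` and is truncated where it leaves the privacy circle of `radius`
    metres around `centroid` (local planar coordinates in metres)."""
    dx, dy = math.cos(heading), math.sin(heading)
    fx, fy = home[0] - centroid[0], home[1] - centroid[1]
    # |home + s*d - centroid|^2 = radius^2  ->  s^2 + 2*b*s + c = 0
    b = fx * dx + fy * dy
    c = fx * fx + fy * fy - radius * radius
    if c >= 0:
        raise ValueError("home must lie inside the privacy circle")
    s = -b + math.sqrt(b * b - c)  # the positive root
    return (home[0] + s * dx, home[1] + s * dy)


def solve3(a, rhs):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    m = [row[:] + [r] for row, r in zip(a, rhs)]
    for col in range(3):
        pivot = max(range(col, 3), key=lambda i: abs(m[i][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for i in range(col + 1, 3):
            f = m[i][col] / m[col][col]
            for j in range(col, 4):
                m[i][j] -= f * m[col][j]
    x = [0.0] * 3
    for i in range(2, -1, -1):
        x[i] = (m[i][3] - sum(m[i][j] * x[j] for j in range(i + 1, 3))) / m[i][i]
    return x


def fit_circle(points):
    """Least-squares (Kasa) circle fit: returns (cx, cy, r).
    Minimises sum (x^2 + y^2 + a*x + b*y + c)^2 over the points."""
    sxx = sxy = syy = sx = sy = sxz = syz = sz = 0.0
    for x, y in points:
        z = x * x + y * y
        sxx += x * x; sxy += x * y; syy += y * y
        sx += x; sy += y; sxz += x * z; syz += y * z; sz += z
    n = float(len(points))
    a, b, c = solve3([[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, n]], [-sxz, -syz, -sz])
    cx, cy = -a / 2.0, -b / 2.0
    return cx, cy, math.sqrt(cx * cx + cy * cy - c)


def attacker_estimate(home, centroid, radius=200.0, n_activities=12, seed=7):
    """Simulate n_activities leaving home in random directions, collect the
    published start points, and fit the circle they lie on."""
    rng = random.Random(seed)
    starts = [published_start(home, centroid, radius, rng.uniform(0.0, 2.0 * math.pi))
              for _ in range(n_activities)]
    cx, cy, r = fit_circle(starts)
    return {
        "center": (cx, cy),
        "radius": r,
        "error_from_home": math.hypot(cx - home[0], cy - home[1]),
        "error_from_centroid": math.hypot(cx - centroid[0], cy - centroid[1]),
    }


if __name__ == "__main__":
    home = (350.0, -120.0)
    naive = attacker_estimate(home, centroid=home)              # circle centred on home
    offset = attacker_estimate(home, centroid=(440.0, -180.0))  # fixed random centroid
    print("naive  : off by %.1f m from home" % naive["error_from_home"])
    print("offset : off by %.1f m from home, %.1f m from centroid"
          % (offset["error_from_home"], offset["error_from_centroid"]))
```

With the circle centred on the home, a dozen activities are enough to recover the home to within a metre. With the random centroid, the same fit lands on the centroid instead, which supports loeg's point; the caveat is that the attacker still learns a disc of the privacy radius that contains the home, so the random centroid limits the leak to the size of the zone rather than removing it.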
paganel 2 hours ago [-]
People should just stop using Strava, or at least stop making their Strava data public to the world (not sure if that's an option cause I've never used that app). They should just run/cycle, whatever, forget about gps.
loeg 1 hours ago [-]
> not sure if that's an option cause I've never used that app
You can make your account private, or individual activities private (including by default).
blackeyeblitzar 3 hours ago [-]
What’s the point of Strava? Can’t people easily cheat on the results to outcompete others? Like what happens if I use an e-bike to beat the best times?
jerlam 3 hours ago [-]
There is no reward for getting the best time. Also, the people that you beat are extremely motivated to investigate and flag your activity; it will look pretty obvious that it was ridden on an e-bike due to incorrect / missing data like heart rate and wattage.
I have the record on a short inconsequential running course near me. I occasionally get a notification that someone beat my record and I am forced to look at it; it is always someone on a bike or car, and I flag it and it eventually goes away. Also, my own record activity has been flagged multiple times despite it only being slightly faster than the second place finisher - I no longer bother trying to contest it. The joke is on the flagger since I have run the exact same record time, several times, so I still have the course record.
https://www.forbes.com/sites/kashmirhill/2012/06/20/a-quanti...
It's even possible to do dumb stuff in pursuit of a personal best without using an app at all.
But it should be noted that the Strava user in question doesn't seem to have been cheating. For some reason, they were trying to set a legitimate score in an ill-advised way. There's no evidence here that cheating in Strava is a problem.
Is Strava promoting unsafe riding? Maybe. I don't really think so. But it's not connected to the cheating question.
mikeryan 3 hours ago [-]
The vast majority of Strava users are only competing with themselves or, at best, to be atop a daily leaderboard for a somewhat popular segment.
Beretta_Vexee 2 hours ago [-]
The cycling leaderboards around where I live are full of professional cyclists capable of overtaking an e-bike while remaining in zone 2.
People don't use Strava in the hope of getting a good place on the board but to compare themselves with their friends, club members and the pros. To follow their own development and that of their friends, to discover new paths, new events, and so on.
Above all, it's a social network based around sport. No baby photos, no politics, just people happily practising their sport - it's the anti-Tweeter and it's great.
r00fus 3 hours ago [-]
Strava is a social app with a gamification angle. I use the social to share my rides (only) with people who follow me and to view people I follow to get inspired.
I also use the gamification to compete - but really only against myself.
recursive 3 hours ago [-]
It's fun. Don't take the leaderboards too seriously. The kind of people that would care about high placement at any cost tend not to be the kind of people who care about strava. (mostly)
People that can legitimately get a KOM on a segment tend to be known in a local community. If someone new shows up at #1, it's pretty obvious looking at their workout if it's legit or not to someone familiar with the sport.
What's the point of Wikipedia? Can't people just easily publish fake information? Like what happens if I make an article about myself?
It's pretty much a solved problem.
Rastonbury 20 minutes ago [-]
I once jogged to my car and drove somewhere close, forgetting to turn Strava off, getting all the PBs and split records.
kjrfghslkdjfl 2 hours ago [-]
FitoTrack.
That's all I have to say about this.
harry8 2 hours ago [-]
I also endorse FitoTrack on droid as a user.
Along with Out-Run on iPhone.
Both work well and are pleasant to use. Record your exercise for yourself with no cloud.