
U.S. military revising its rules after fitness trackers exposed sensitive data - Nycto
https://www.washingtonpost.com/world/the-us-military-reviews-its-rules-as-new-details-of-us-soldiers-and-bases-emerge/2018/01/29/6310d518-050f-11e8-aa61-f3391373867e_story.html
======
mikestew
_One popular route on a base in Iraq has been nicknamed “Base Perimeter” by
the U.S. runners who regularly use it._

I'm truly gobsmacked that it never occurred to anyone that this might pose a
problem. Maybe not the 19 year old grunt who signed up because getting a
master's in CS wasn't in his future, but c'mon, there isn't _someone_
responsible for preventing data leakage? This is not some corner case, or some
side-channel attack; Strava's _whole business model_ rotates around "track
where you've been with extreme accuracy, and let the world know about it".
Otherwise I'd just keep the data locally, like I did in the old days.

But even if kept locally, what happened to the worry of radio leakage? Ten
years ago I worked on some stuff that might end up being used by the military,
and I distinctly remember a co-worker who used to be pretty high up in the
army (colonel, maybe?) pointing out that in the field things like Bluetooth,
et al., were generally frowned upon for what I _thought_ would be obvious
reasons. Perhaps with the subsequent advent of more and more devices emitting
radio signals, what used to be obvious isn't so obvious anymore, so now we let
military personnel run around with devices on their wrist that signal to
anyone within 30m that they're there.

~~~
meritt
> Maybe not the 19 year old grunt who signed up because getting a master's in
> CS wasn't in his future

Can we please drop the elitist attitude and explicit assertion that enlisted
military personnel are stupid and that CS students are intelligent.

~~~
mikestew
I never brought up intelligence, I brought up the fact that I don't expect a
Marine boot camp graduate with no specialized education to be the one thinking
about these hard questions. Just like you don't want me, someone who has only
fired an AR15 a few times, covering your ass on patrol. But despite your
protestations to the contrary, the underlying assumption in my statement was
that the military has _someone_ on board, intelligent or not, who has been
trained specifically to think around these very topics. That someone should
not be a 19 year old kid whose only training consists of handling a rifle and
whatever else combat troops are trained to do. There should be someone else
who tells that kid, "hey, take off that FitBit before you head out."

~~~
meritt
> who signed up because getting a master's in CS wasn't in his future

Why did you make this statement? How did that help reinforce your point?

I don't disagree with your broader point at all, but I am annoyed by the fact
that you made a causal connection between enlisting in the military because
"because getting a master's in CS wasn't in his future"

~~~
mikestew
_casual connection between enlisting in the military because "because getting
a master's in CS wasn't in his future"_

"Casual connection"? There was a direct connection with quite a few folks I
grew up with. Because college costs _money_ , which they didn't have. Argue
all you want, I've seen it with my own eyes. You're the only one implying
anything about intelligence.

------
atonse
What an interesting time to be in intelligence gathering.

Why even bother breaking into an air gapped DoD network to get classified data
when you can target all these third party cloud companies that have secondary
data that isn't air gapped in classified networks, and most won't have the
security resources to really lock things down.

This is somewhere in the awkward middle between what's called "open source
intelligence" and traditional intelligence.

I don't envy defensive cybersecurity staff and their jobs/responsibilities.

~~~
strictnein
One of the jokes going around Twitter last night was whether or not Strava
would be able to handle the server load from all the intelligence agencies
breaking in and dumping their data.

This isn't just heat maps they have, they have the movement and timestamped
location of millions of people around the world. Undoubtedly some of those
people are "interesting" to someone, especially since Strava just revealed
that a lot of them hang out in unique places.

edit: For example:
[https://twitter.com/thegrugq/status/957851350099832834](https://twitter.com/thegrugq/status/957851350099832834)

~~~
atonse
Geez yeah no kidding. And they'll have other account data like first and last
names. But then again, it's likely they've already been hacked (same with
FitBit) and don't even know it.

The data these companies have is too valuable, cleanly IoT collected, and
keyed by email, for nation states to not try to get.

------
Jhsto
I think that the idea of privacy is wishful thinking if the people in these
locations are allowed to have their own unvetted electronics. It would not
take more than one trojan smartphone application with a social media login
until you are able to identify the person (and maybe graph more out of that,
no GPS needed!).

And as an anecdote, back during my conscription, we were told to disable
location services altogether and not take photos during training sessions, but
I honestly think it had more to do with keeping in mind the best practices
rather than avoiding anything to get "leaked". The officers were sometimes
seen with phones of their own, meaning the government-issued tinfoil ones.

------
mathiasben
What activity would generate the tracks in the middle of the ocean? As I
understand Strava whenever I switch it on it tracks my activity at that moment
until I switch it off. Looking at the heat maps I get the impression that
there is always on data being tracked in addition to those that are intending
to track a specific activity. Do Fitbits worn 24/7 submit data constantly to
Strava?

~~~
msrpotus
Running on cruise ships, maybe?

~~~
mathiasben
There are tracks from what looks like the Bermuda-Newport yacht race.

------
jacquesm
I saw this unfolding bit by bit and thought: Wow, these people have not been
paying attention during the AOL 'anonymized' research database fiasco.

Let's wait to see how long it will take before someone figures out how to ID
the security detail jogging with a president somewhere.

~~~
mathiasben
Look at the White House lawn in the heat map, there's what looks like data from
someone walking the yard.

~~~
netsharc
Obama wears/wore a Fitbit. But the tracks on top of the WH look like
intermediate paths, e.g. someone jogs past the SE corner at e.g. 9:20, and the
GPS signal is lost, and then they are spotted again at 9:40 at the NW corner,
then the line would be drawn across the WH.

Like any other data breach, it speaks for the customers who want offline, non-
cloud solutions...

~~~
mathiasben
That makes sense.
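An added example, not part of the thread above and not Strava's or Fitbit's own code, illustrating the two mechanisms the thread touches on: netsharc's point that a rendering pipeline which joins consecutive GPS fixes with straight segments will draw a line across whatever lies between two fixes when the signal was lost in between, and strictnein's and jacquesm's point that aggregated location data still exposes individuals wherever only one person has been. The coordinates are a constructed local grid in metres (a 400 m by 400 m "grounds" with a public road along its south edge), the six users and their fixes are made up, and all function names and thresholds are this example's own assumptions. Two producer-side mitigations are shown: splitting a track wherever the time gap between fixes exceeds a threshold instead of interpolating across it, and suppressing heat-map cells visited by fewer than k distinct users before publication.

```python
"""Toy GPS heat-map builder: gap splitting and low-count suppression.

Added example (not from the thread or any vendor). Coordinates are a
constructed local plane in metres, not lat/lon; all data below is made up.
"""
import math
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Fix = Tuple[str, int, float, float]   # (user_id, t_seconds, x_m, y_m)
Cell = Tuple[int, int]                 # grid cell index (ix, iy)


def cell_of(x: float, y: float, cell_m: float) -> Cell:
    """Grid cell containing the point (x, y)."""
    return (math.floor(x / cell_m), math.floor(y / cell_m))


def split_at_gaps(track: List[Fix], max_gap_s: int) -> List[List[Fix]]:
    """Break one user's track wherever consecutive fixes are more than max_gap_s apart.

    A gap usually means the receiver lost signal; drawing a straight line across it
    asserts a path the device never actually observed.
    """
    segments: List[List[Fix]] = []
    current: List[Fix] = []
    for fix in sorted(track, key=lambda f: f[1]):
        if current and fix[1] - current[-1][1] > max_gap_s:
            segments.append(current)
            current = []
        current.append(fix)
    if current:
        segments.append(current)
    return segments


def cells_on_segment(p: Fix, q: Fix, cell_m: float) -> Set[Cell]:
    """Cells touched by the straight line p -> q, sampled every half cell."""
    dx, dy = q[2] - p[2], q[3] - p[3]
    steps = max(1, int(math.hypot(dx, dy) / (cell_m / 2)))
    return {cell_of(p[2] + i / steps * dx, p[3] + i / steps * dy, cell_m)
            for i in range(steps + 1)}


def build_heatmap(fixes: List[Fix], cell_m: float,
                  max_gap_s: Optional[int] = None) -> Dict[Cell, Set[str]]:
    """Map each cell to the set of distinct users whose rendered track crossed it.

    With max_gap_s=None every consecutive pair of fixes is joined (the naive
    rendering); with a threshold, tracks are split first and gaps are not drawn.
    """
    by_user: Dict[str, List[Fix]] = defaultdict(list)
    for fix in fixes:
        by_user[fix[0]].append(fix)
    heat: Dict[Cell, Set[str]] = defaultdict(set)
    for user, track in by_user.items():
        segments = (split_at_gaps(track, max_gap_s) if max_gap_s is not None
                    else [sorted(track, key=lambda f: f[1])])
        for seg in segments:
            if len(seg) == 1:  # isolated fix: mark its own cell only
                heat[cell_of(seg[0][2], seg[0][3], cell_m)].add(user)
            for p, q in zip(seg, seg[1:]):
                for c in cells_on_segment(p, q, cell_m):
                    heat[c].add(user)
    return dict(heat)


def suppress_low_count(heat: Dict[Cell, Set[str]], k: int) -> Dict[Cell, int]:
    """Keep only cells seen by at least k distinct users (k-anonymity-style threshold)."""
    return {c: len(users) for c, users in heat.items() if len(users) >= k}


def interior_cells(heat: Dict[Cell, Set[str]], cell_m: float,
                   xmin: float, ymin: float, xmax: float, ymax: float) -> Set[Cell]:
    """Cells of the heat map lying entirely inside the given rectangle."""
    return {(ix, iy) for (ix, iy) in heat
            if ix * cell_m >= xmin and (ix + 1) * cell_m <= xmax
            and iy * cell_m >= ymin and (iy + 1) * cell_m <= ymax}


def make_sample_fixes() -> List[Fix]:
    """Constructed data: five runners on the public south road (y = -25 m) and one
    lone user whose receiver lost signal between the SE and NW corners of the grounds."""
    fixes: List[Fix] = []
    for n in range(1, 6):
        fixes += [(f"runner{n}", 60 * i, 100.0 * i, -25.0) for i in range(5)]
    fixes += [("lone", 0, 425.0, -25.0), ("lone", 1200, -25.0, 425.0)]
    return fixes


SAMPLE_FIXES = make_sample_fixes()
GROUNDS = (0.0, 0.0, 400.0, 400.0)   # constructed restricted rectangle, metres

if __name__ == "__main__":
    naive = build_heatmap(SAMPLE_FIXES, 50.0)
    split = build_heatmap(SAMPLE_FIXES, 50.0, max_gap_s=300)
    print("interior cells, naive rendering :", sorted(interior_cells(naive, 50.0, *GROUNDS)))
    print("interior cells, gap splitting   :", sorted(interior_cells(split, 50.0, *GROUNDS)))
    print("published cells (k=3)           :", sorted(suppress_low_count(split, 3).items()))
```

In the naive rendering the lone user's two fixes, 20 minutes apart, are joined by a segment that runs diagonally through the grounds, so interior cells light up even though nobody recorded a fix there; splitting at the gap leaves only the two corner cells. Suppression then drops those corner cells (one user each) and publishes only the south-road cells, which five or six runners share. The thresholds (300 s, 50 m cells, k=3) are illustrative, not values any vendor is known to use.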

