Hacker News

About 3 years ago, a former russian submarine commander accused of a missile attack in Ukraine that killed 23 civilians, was shot and killed, apparently after his route was tracked via Strava

https://edition.cnn.com/2023/07/11/europe/russian-submarine-...

https://gijn.org/stories/investigations-using-strava-fitness...

This is a common problem across militaries. It is difficult to stop soldiers from leaking their location if they have access to mobile phones and the Internet. Individual cases are usually a combination of naïveté, ignorance, and an unwillingness to be inconvenienced.

It still happens in Ukraine, where immediate risk to life and limb is much more severe than this case.

Is an aircraft carrier's location supposed to be secret? Pretty hard to hide from a satellite I'd imagine.

What's interesting here isn't that nation-states can track aircraft carriers - they've always been able to. It's that Le Monde did it with what's essentially a consumer API. The 2018 Strava heatmap incident showed this data leaks passively; now we're seeing it used for active, targeted tracking by journalists with a story idea and some scripting. That gap closing is the actual news.

I seriously doubt there is a country on earth which lacks the capability to detect an aircraft carrier's presence in the Mediterranean sea.

We are not talking about stealth vehicles.

IIRC USA had similar issues with soldiers using Strava exposing secret bases[0]. I wonder wat kind of connectivity they had, was it Satellite internet for the carrier or did it sync once they got close to the shore? For the first one maybe they should switch to whitelist and not whitelist Strava.

[0] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...

An aircraft carrier can be seen with the naked eye from 10 meters above the shore for about 28 miles.

So the entire Spanish coast, Moroccan coast, Algerian coast, mallorca, sardegna, Sicily, tunesia, the Greek isles, and who knows how many cruise ships, fishing vessels, and commercial aircraft all saw this ship.

Cruising speed of Charles de Gaulle is 27knots which would give the runner a pace of around 1:10mins/km depending on direction. That would really screw up your Strava stats

How does the smart watch have any service out in the middle of the Med? Must be getting it from the ship, are they not firewalling outbound traffic?

This is a repeating phenomenon, and probably worse on land. Fitness and run tracking apps also reveal troop locations and concentrations on land (location clusters reported by apps targeted at non-local-language audiences stick out like a sore thumb).

President Xi - my country yearns for freedom.

Some people here say an aircraft carrier can be seen from satellites so it's not a big deal. They miss a point (as I did too): this means you can identify individuals present on the carrier, so they become vulnerable to investigation and blackmail. Another country could threaten this individual's family to give some important information or worse (sabotage).

It's been a problem for nearly 2 decades.

Think about it: suddenly, in the middle of the desert in Afghanistan/Iraq/Syria/Niger/Djibouti a bunch of people start using a fitness tracker every morning (and the clusters show up in Strava). Did some village suddenly jump on the "get fit" bandwagon? Or could it be a bunch of US Marines/SpecOps/etc people trying to keep fit.

It would be cool if they actually wer just altering the GPS location data before uploading, so the location reported was false. GPX/TCX files are trivial to edit. "All warfare is based on deception"

More than accurate enough to put an ASM in the right ballpark.

Modern militaries face some interesting challenges.

Possibly mobile apps should be designed to be somewhat secure for military use by defaul, backed by law.

Alternately, phones should have a military safe OS with vetted app store. Something like F-droid, or more on toto phone ubuntu, but tailored.

Obviously, you still need to be security conscious. But a system that is easy to reason about for mortals would not be a bad idea.

Rules like secure by default, and no telemetry or data exfiltration, (and no popups etc), wouldn't be the worst. Add in that you then have a market for people to actually engage with to make more secure apps, and

A) Military can then at least have something like a phone on them, sometimes. Which can be good for morale.

B) it improves civilian infrastructure reliability and resiliance as well.

Along with the Strava secret base location leak, another interesting one was the ship with a contraband Starlink:

  As the Independence class Littoral Combat Ship USS Manchester plied the 
  waters of the West Pacific in 2023, it had a totally unauthorized Starlink 
  satellite internet antenna secretly installed on top of the ship by its gold 
  crew’s chiefs. That antenna and associated WiFi network were set up without 
  the knowledge of the ship’s captain, according to a fantastic Navy Times 
  story about this absolutely bizarre scheme. It presented such a huge security 
  risk, violating the basic tenets of operational security and cyber hygiene, 
  that it is hard to believe. 
  

https://www.twz.com/sea/the-story-of-sailors-secretly-instal...

Merde!

All through this whole ghost fleet thing I've had this question as to how a large ship in the sea can possibly keep its movements secret. Large media organisations seem to be unable to say where large tankers have been if they turn their transponders off.

Don't we have constellations of satellites constantly imaging the entire earth, both with visual and synthetic aperture radar, with many offering their data freely to the public? Wouldn't a large ship on the ocean stick out somewhat? And yet journalists seem lost without vesselfinder. Is this harder than I'm imagining, or are they just not paying the right orgs for the info?

If I were china I would buy strata and offer all features free of charge

Those LeMonde guys are pretty sharp, it was on Twitcher only yesterday ... https://x.com/MyLordBebo/status/2034734061613129740

That's nothing, we also have this: https://github.com/BigBodyCobain/Shadowbroker

What's funny is I can imagine the sailor not understanding how the code works and properly setting up a "privacy zone" while at port to mask his location and verifying it was working while there

then of course while at sea, it's the same ship but different location

not like your home or workplace typically relocates itself

imagine being a coder at Strava trying to figure out how to deal with that, it's techically not possible

However it's a great marketing opportunity for Stryd footpod which can track distance without GPS

I wonder what a moving deck at even 10mph would do to a Stryd though

The GPS must have added 10mph? But it's all relative to the deck vs the sea, hmm

Seems we need a new digital category for Darwin Awards.

This is the modern way to die of stupidity — use your fitness watch app to log your miles on an online app instead of locally — so reveal your operational location.

The US had one of its secret bases in Afghanistan fully mapped for anyone to see by its residents logging their on-base runs.

Now, the French aircraft carrier is pinpointed en route to a war zone.

Yes OPSEC is hard, and they should be trained to not do this, but it seems to be getting ridiculous. If I were in command of such units, I'd certainly be calling for packet inspection and a large blacklist restriction of apps like that (and the research to back it up).

Local first is not just a cute quirk of geeks, it is a serious requirement.

I recall something similar happened on US ships last year because of the Applewatch.

[dead]

[dead]

[dead]

[dead]

[dead]

[dead]

[flagged]

Maybe it was just an old stupid treason? Someone against the war and… hard to believe there are no rules about location.

Many questions:

I can assume Strava is GDPR compliant and would not publish this information without the sailors concent?

Does the French military not stress in their training the dangers of these data disclosures?

Why does the carriers network not have adequate measures against this sort of data exfiltration?

Why is Le Monde tracking a french sailors location data?