back to article US Pentagon scrambles after Strava base leaks. Here's a summary of the new rules: 'Secure that s***, Hudson!'

The American military has ordered a review of its grunts' personal electronics – after the Strava fitness app used by soldiers revealed base locations and other operational security gaffes. In November, the exercise-tracking software maker released a "heatmap" to show where in the world people were using the application to …

  1. Sgt_Oddball
    Mushroom

    never let it be said

    Uncle Sam doesn't know how to lock a stable door.... irrespective how long ago the horse got bored and wandered off to far reaching places. Though I really hope it stays away from the 1.5 kilotons of tnt off the Thames estuary. Unless it's July 4th natch.

    I wonder if we'll hear the boom up north?

    1. Prst. V.Jeltz Silver badge

      Re: never let it be said

      Uncle Sam seems first on the ball here. Zero mention of UK military doing anything, yet anyone can wear a strava gizmo right?

      Seems to me Strava is at fault for collecting a load of (apparently maybe almost ) anonymised data and then publishing it to the entire world (+dog)

    2. G2
      Pint

      Re: never let it be said

      it's anonymized and don't worry - it's just metadata.

      quoted from various 3-letter-agencies.

      https://www.theguardian.com/technology/2013/jun/21/nsa-surveillance-metadata-content-obama

  2. Anonymous Coward
    Anonymous Coward

    Yeah, right!

    "In response, the Pentagon has urged servicemen and women to lock down the privacy settings on their apps"

    The average user has no clue how to adjust any so-called "privacy" settings and older devices have hardly any privacy settings whatsoever.

    Some custom Android OS's have at least some privacy settings in the form of AppOps.

    (Lineage for example), but to block internet access to apps requires ROOT in order to alter Iptables rules.

    This is the problem with governments wanting or allowing massive slurp but expecting security at the same time.

    About 2 months ago I made a comment on another forum and I suggested that many of our military troops locations were already known to shady app developers/phone manufacturers and I got downvoted into oblivion.

    1. Phil O'Sophical Silver badge

      Re: Yeah, right!

      The average user has no clue how to adjust any so-called "privacy" settings

      Suitable instructions for most IoT devices can be found here: http://www.willitblend.com/

    2. iron Silver badge

      Re: Yeah, right!

      OS versions and privacy controls don't matter in this case, just don't sign up to a third-party "share my training routine" website. Simple enough for even jar heads to handle.

      1. Prst. V.Jeltz Silver badge

        Re: Yeah, right!

        Its not just the strava gizmo , and not just uncle sam

        What has happened here is that people have used an application that links to the internet. Thats not uncommon. Not sure why US army is singled out , I'm sure people from all walks of life who might not want their location known are using these things - and other things.

        Every app on your phone want to know where you are and wants to tell everyone it can.

        Are soldiers allowed phones on bases? In fact are base locations secret?

        What about all the soldiers running around hunting pokemons?

        The only way to prevent this kind of data breach would be to remove all IOT things from soldiers.

        and its not IOT btw , its "I" , because this could just as easily happen using a phone or a laptop or a tablet.

      2. David Nash Silver badge

        Re: Yeah, right!

        Many people probably think they are signing up to a "log my training routine" rather than "share my training routine".

  3. Anonymous Coward
    Anonymous Coward

    Just the beginning, expect lots more 'IoT' Clusterfucks...

    From the foot solders to the commanding officers, talk about naive. Especially as the Chinese army banned these things immediately! I blame the corp behind the app too. Showing off without thinking about the consequences. CES was full of this shit again this year. Journalists reported a total lack of awareness of IoT and privacy related issues in general.

    1. Brewster's Angle Grinder Silver badge

      "Showing off without thinking about the consequences."

      More like showing what's possible. Any app that's popular with squaddies would reveal the same information to its authors. It's because the brass have had their noses rubbed in it (after the information has been floating around for a couple of months) that policies are being draft and training given.

  4. YourNameHere

    This is normal operating procedure...

    This gives you an idea of how this data can and is used. If that company collecting the data is forced to or just gives this data to a foreign government(Enter government name here) and a normal business practice, then it can be used for all sorts of interesting data collection and mischief(Enter your type here).

    1. Jared Vanderbilt

      Re: This is normal operating procedure...

      Agreed, it's actually a very efficient business model. Tech companies are very good at building innovative products that consumers want. They're also very good at slurping data that governments, businesses, miscreants, ... are willing to pay for. Privacy was always an illusion anyway.

  5. Gene Cash Silver badge

    Blue on blue

    This is self-inflicted. The US Army actually issued FitBits to quite a few people. No concern about opsec at all.

    https://www.military.com/daily-news/2013/10/22/army-issues-fitbit-bands-in-test-fitness-program.html

  6. Michael H.F. Wilkinson Silver badge
    Facepalm

    Sigh

    And then my missus wonders why I did not install a weight and fitness tracking app that came with the new scales she bought me. I am quite capable of tracking my progress, even without pen and paper, let alone an app. It's called remembering things! Besides, why on earth does the app only work if it has internet access? Oh, wait! It wants to store my weight and fitness data in the cloud! The 64GB of storage is clearly not sufficient for the deluge of data generated by this app, I suppose.

    Thanks, but no thanks. I will store these data in my personal wetware, which I can carry without inconvenience, even in the gym, and which won't leak data (especially when wearing a tinfoil hat), unless I choose to tell someone.

    1. Rich 11

      Re: Sigh

      It's called remembering things!

      This ancient technology has the additional advantage of being highly editable if circumstances should so require.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sigh

        I read that as "highly edible" and am now hungry... where did I put those snacks?

        1. onefang

          Re: Sigh

          Highly edible memories? So you are a zombie then?

    2. Prst. V.Jeltz Silver badge

      Re: Sigh

      "And then my missus wonders why I did not install a weight and fitness tracking app that came with the new scales she bought me. "

      Well , unless you are James bond or Jason Bourne , does it matter if the fitbit co know that you ran down to the beach and back this morning?

      You could tell them but then youd have to kill them?

      Are you sure those scales arnt giving your weight away to the CIA? or isis?

  7. smudge
    Facepalm

    A new variant on an old theme

    I was reminded of this. Not directly related, but it is about giving away secret locations.

    Many years ago, the UK, France and Germany were going to co-operate on a military communications satellite programme called TRIMILSATCOM. Until someone pointed out that whenever one nation pointed a satellite's spot beams at their special forces on the ground, the other two nations, with access to the telemetry, would know roughly where these forces were.

    End of co-operation. UK developed the next generation of Skynet - don't know what the others did.

  8. Anonymous South African Coward Bronze badge

    Dabbsy article in El Reg this Friday? Should be a real hoot :)

  9. Anonymous Coward
    Anonymous Coward

    IOT Hysteria

    Can't help thinking that there's just a wee bit of 'sky is falling' hysteria going on here. Beeb had some pundit talking about 'unprecedented detail shown up by tracking' alongside a google earth image that was half a pixel off reading the date on the copy of the Sun on a dashboard.

    It's a sort of security by obscurity theatre - let's turn off Strava and then our brave boys will be safe, because without Strava the only way the baddies will find us is to follow the red and white signs until they find a big group with short hair and designer khaki.

    and actually.... why not bundle up a box of fitbits, drive them round in circles in a dinghy on the Solent, to make everyone think your aircraft carrier is parked there, while actually it is sneaking through the Dardanelles....

    1. Rich 11

      Re: IOT Hysteria

      I don't think aircraft carriers can do sneak, and I'm pretty sure that nothing larger than a canoe can get through the Dardanelles without being noticed. The strait is so narrow that Xerxes had two pontoon bridges built across it so his army could invade Greece.

      1. Anonymous Coward
        Anonymous Coward

        Re: IOT Hysteria

        Ha - the Turkish navy will look out and see a big ship passing through. 'Is that the Brit's aircraft carrier?' - 'No - can't be it hasn't got any planes, must just be another drunk Italian showing off to his mistress'

        1. hplasm
          Devil

          Re: IOT Hysteria

          ITYM

          "'Is that the Brit's aircraft carrier?' - 'Yep - must be -it hasn't got any planes,"

    2. Inspector71

      Re: IOT Hysteria

      I say we take all IOT devices, put them in a pile, then take off and nuke them all from orbit.

      It's the only way to be sure.

      1. Prst. V.Jeltz Silver badge

        Re: IOT Hysteria

        well you best put your phone in the pile too , or you're wasting your time.

        Its the only way to be sure.

  10. disgruntled yank

    Don't see it.

    Somebody or other had a Strava map showing very neatly the location of a base in Afghanistan. It was amusing, but I can hardly imagine that anyone in the province, whether friendly or hostile, or simply concerned not to get blown up by land mines or sentries, didn't already know this.

    Perhaps Twitter will add a geolocation feature, and shock all the tourists who didn't know where the White House is.

    1. John Brown (no body) Silver badge

      Re: Don't see it.

      "Somebody or other had a Strava map showing very neatly the location of a base in Afghanistan. It was amusing, but I can hardly imagine that anyone in the province, whether friendly or hostile, or simply concerned not to get blown up by land mines or sentries, didn't already know this."

      The heat map shows the most used routes and therefore the better places for IEDs without someone having to hang around to gather that intel.

  11. Rich 2 Silver badge

    I'll be watching you

    Of course, we need to get away from the apparently obsessive need to "share" everything we do. And we need laws to stop the obsessive collection of such data (though I fear it's WAY too late for that now).

    Nobody seems to give a shit about their own privacy these days. In fact, we actively go out of our way to tell anyone who'll listen everything about ourselves.

    And even when the consequences are pointed out, most people will just shrug and carry on regardless

    It's as well we're destroying the planet we live on - we really are too stupid to live.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'll be watching you

      Why? Surely privacy is a transient 20th century phenomenon? For about 99.9% of human's existence on the planet we lived in small family and tribal groups where everyone and their aunt knew exactly what you were up to pretty much all the time. And if they didn't know you were probably some kind of weirdo and they threw rocks at you.

      We get social affirmation from sharing our lives with others, and I'm fairly sure we always have. We are social animals, it's are equivalent of picking lice from the troupe's fur.

      I find it motivates me to go running knowing a) my friends have been out and b) they'll notice if I'm a slob. What are the consequences? Decathlon might try and flog me some trainers? A burglar might notice that I've run 2kms from home and deduce that it's a great time to rob my house, cos even if I get home i'll be knackered wheezy mess? The CIA might choose the moment to swoop in and pluck me from the park in a black helicopter?

  12. anothercynic Silver badge

    There's a difference...

    We're all human, squaddies, journos, techno geeks, all of us.

    So someone had a privacy zone set up for their home location when they signed up to Strava. Four months later, they sign up to the US Marines. They've forgotten about this privacy zone thing. They end up at Camp Pendleton. Given they (and everyone in Oceanside, California) know where Camp Pendleton is, and how... tightly controlled and 'safe' it is, it's not a Strava issue. So six months after that, they get deployed to Kandahar. Now we're getting into more... *ahem* problematic territory, but, again, they've forgotten that now they're deployed actively, they should update their privacy zones (and/or enable group activities that makes things 'safer'). So their Strava account continues to broadcast their locations.

    So who is at fault here? The squaddie? Or perhaps should the Department of Defence work with people like Strava to define privacy zones inside Strava, and then auto-filter any routes that start/terminate or spend the majority inside that zone to be visible only to users that start/terminate spend the majority inside that zone etc? Ultimately, the data is Strada's USP, and if that's their business case, they could be a little bit more sensible with using it. This is again the classic 'just because you have the data doesn't mean you should use it' scenario.

    Would options like 'Are you in the military' be useful (i.e. you select it and verify you *are* in the military), which automatically blanks you for bases? Granted, that doesn't resolve the 'I work as deep cover operator for the <insert alphabet trifecta here>' situation, but it just may lessen the impact this has. It does require someone like Strada to work more with different organisations, but would also place a big responsibility on them (like which organisations would trust someone like Strada with the locations of their most secret bases, especially when their enemies do the same)!

    1. Anonymous Coward
      Anonymous Coward

      Re: There's a difference...

      Why do we want the government to have the ability to hide their activities?

    2. Anonymous Coward
      Anonymous Coward

      Re: There's a difference...

      New fool proof find the secret place system - log in to strava, look for the white space on the map.....

      Surely we can get cleverer. Have a 'sneaky' mode. Your runs are still logged and shared, but randomly shifted to a bit of Antarctica - so you still get to track your run, challenge buddies etc, but the baddies get really really cold chasing phantoms around an icy desert?

  13. Nimby
    Facepalm

    It's a fitness TRACKER.

    Imagine that! Wearing a DEVICE that describes itself as a TRACKER can actually be used as a TRACKING DEVICE! Huh. Whodathunkit.

    Camouflage uniform? Check.

    Black facepaint? Check.

    Suppressor? Check.

    Night vision goggles? Check.

    Fitbit? Absolutely dude! No way am I losing out on the miles from this hike!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like