At the very least it lowered the barriers for agents without satellite or maritime intelligence. Another piece of information extracted from the Strava episode is that the carrier is not going through a GPS-jammed location, or jamming it itself.
An intelligence satellite - which is not a super common utility nations have - will locate where the aircraft _was_ X hours ago, or at least many minutes ago.
A constantly updated missile with a rather simple GPS tracker would benefit A LOT from a live location of its target.
IIRC USA had similar issues with soldiers using Strava exposing secret bases[0]. I wonder wat kind of connectivity they had, was it Satellite internet for the carrier or did it sync once they got close to the shore? For the first one maybe they should switch to whitelist and not whitelist Strava.
This is a common problem across militaries. It is difficult to stop soldiers from leaking their location if they have access to mobile phones and the Internet. Individual cases are usually a combination of naïveté, ignorance, and an unwillingness to be inconvenienced.
It still happens in Ukraine, where immediate risk to life and limb is much more severe than this case.
Even if you could fix egregious cases like directly sharing location, I'm pretty sure any access to the internet could be compromised via clever use of data brokers.
Surely this is a disciplinary problem? Why is it difficult to stop? What reason is there for having a personal device linked to a public network and publishing data to a public forum when on military duty?
More than accurate enough to put an ASM in the right ballpark.
Modern militaries face some interesting challenges.
Possibly mobile apps should be designed to be somewhat secure for military use by defaul, backed by law.
Alternately, phones should have a military safe OS with vetted app store. Something like F-droid, or more on toto phone ubuntu, but tailored.
Obviously, you still need to be security conscious. But a system that is easy to reason about for mortals would not be a bad idea.
Rules like secure by default, and no telemetry or data exfiltration, (and no popups etc), wouldn't be the worst. Add in that you then have a market for people to actually engage with to make more secure apps, and
A) Military can then at least have something like a phone on them, sometimes. Which can be good for morale.
B) it improves civilian infrastructure reliability and resiliance as well.
Especially aircraft carriers deliberately let their position public in order to cause the fear and alignment that are destined to. It's that they don't publish their accurate position but only the approximate.
An aircraft carrier can be seen with the naked eye from 10 meters above the shore for about 28 miles.
So the entire Spanish coast, Moroccan coast, Algerian coast, mallorca, sardegna, Sicily, tunesia, the Greek isles, and who knows how many cruise ships, fishing vessels, and commercial aircraft all saw this ship.
Think about it: suddenly, in the middle of the desert in Afghanistan/Iraq/Syria/Niger/Djibouti a bunch of people start using a fitness tracker every morning (and the clusters show up in Strava). Did some village suddenly jump on the "get fit" bandwagon? Or could it be a bunch of US Marines/SpecOps/etc people trying to keep fit.
Seems we need a new digital category for Darwin Awards.
This is the modern way to die of stupidity — use your fitness watch app to log your miles on an online app instead of locally — so reveal your operational location.
The US had one of its secret bases in Afghanistan fully mapped for anyone to see by its residents logging their on-base runs.
Now, the French aircraft carrier is pinpointed en route to a war zone.
Yes OPSEC is hard, and they should be trained to not do this, but it seems to be getting ridiculous. If I were in command of such units, I'd certainly be calling for packet inspection and a large blacklist restriction of apps like that (and the research to back it up).
Local first is not just a cute quirk of geeks, it is a serious requirement.
What's funny is I can imagine the sailor not understanding how the code works and properly setting up a "privacy zone" while at port to mask his location and verifying it was working while there
then of course while at sea, it's the same ship but different location
not like your home or workplace typically relocates itself
imagine being a coder at Strava trying to figure out how to deal with that, it's techically not possible
However it's a great marketing opportunity for Stryd footpod which can track distance without GPS
I wonder what a moving deck at even 10mph would do to a Stryd though
The GPS must have added 10mph? But it's all relative to the deck vs the sea, hmm
Along with the Strava secret base location leak, another interesting one was the ship with a contraband Starlink:
As the Independence class Littoral Combat Ship USS Manchester plied the
waters of the West Pacific in 2023, it had a totally unauthorized Starlink
satellite internet antenna secretly installed on top of the ship by its gold
crew’s chiefs. That antenna and associated WiFi network were set up without
the knowledge of the ship’s captain, according to a fantastic Navy Times
story about this absolutely bizarre scheme. It presented such a huge security
risk, violating the basic tenets of operational security and cyber hygiene,
that it is hard to believe.
The chief who set up the WiFi network, dubbed “STINKY,” definitely knew
better. Then-Command Senior Chief Grisel Marrero’s “background is in Navy
intelligence, and she earned a master’s degree in business administration
with a concentration in information security and digital management,
according to her biography,” Navy Times noted. She was later convicted at
court-martial earlier this year on charges related to the scheme.
For people who are unaware, "STINKY" was the default wifi ssid for at least a time. [0] It is a very distinct ssid, which plays into the discovery of the illicit Starlink: [1]
Sailors on the ship then began finding the STINKY network and asking
questions about it. Some of these questions came to Marrero directly, but she
denied knowing anything about the network… and then privately changed its
Wi-Fi name to “another moniker that looked like a wireless printer—even
though no such general-use wireless printers were present on the ship, the
investigation found.”
Cruising speed of Charles de Gaulle is 27knots which would give the runner a pace of around 1:10mins/km depending on direction. That would really screw up your Strava stats
It would be cool if they actually wer just altering the GPS location data before uploading, so the location reported was false. GPX/TCX files are trivial to edit. "All warfare is based on deception"
All through this whole ghost fleet thing I've had this question as to how a large ship in the sea can possibly keep its movements secret. Large media organisations seem to be unable to say where large tankers have been if they turn their transponders off.
Don't we have constellations of satellites constantly imaging the entire earth, both with visual and synthetic aperture radar, with many offering their data freely to the public? Wouldn't a large ship on the ocean stick out somewhat? And yet journalists seem lost without vesselfinder. Is this harder than I'm imagining, or are they just not paying the right orgs for the info?
Some people here say an aircraft carrier can be seen from satellites so it's not a big deal. They miss a point (as I did too): this means you can identify individuals present on the carrier, so they become vulnerable to investigation and blackmail. Another country could threaten this individual's family to give some important information or worse (sabotage).
85 comments
[ 3.0 ms ] story [ 78.6 ms ] thread[0] https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
It still happens in Ukraine, where immediate risk to life and limb is much more severe than this case.
Modern militaries face some interesting challenges.
Possibly mobile apps should be designed to be somewhat secure for military use by defaul, backed by law.
Alternately, phones should have a military safe OS with vetted app store. Something like F-droid, or more on toto phone ubuntu, but tailored.
Obviously, you still need to be security conscious. But a system that is easy to reason about for mortals would not be a bad idea.
Rules like secure by default, and no telemetry or data exfiltration, (and no popups etc), wouldn't be the worst. Add in that you then have a market for people to actually engage with to make more secure apps, and
A) Military can then at least have something like a phone on them, sometimes. Which can be good for morale.
B) it improves civilian infrastructure reliability and resiliance as well.
We are not talking about stealth vehicles.
So the entire Spanish coast, Moroccan coast, Algerian coast, mallorca, sardegna, Sicily, tunesia, the Greek isles, and who knows how many cruise ships, fishing vessels, and commercial aircraft all saw this ship.
Think about it: suddenly, in the middle of the desert in Afghanistan/Iraq/Syria/Niger/Djibouti a bunch of people start using a fitness tracker every morning (and the clusters show up in Strava). Did some village suddenly jump on the "get fit" bandwagon? Or could it be a bunch of US Marines/SpecOps/etc people trying to keep fit.
This is the modern way to die of stupidity — use your fitness watch app to log your miles on an online app instead of locally — so reveal your operational location.
The US had one of its secret bases in Afghanistan fully mapped for anyone to see by its residents logging their on-base runs.
Now, the French aircraft carrier is pinpointed en route to a war zone.
Yes OPSEC is hard, and they should be trained to not do this, but it seems to be getting ridiculous. If I were in command of such units, I'd certainly be calling for packet inspection and a large blacklist restriction of apps like that (and the research to back it up).
Local first is not just a cute quirk of geeks, it is a serious requirement.
then of course while at sea, it's the same ship but different location
not like your home or workplace typically relocates itself
imagine being a coder at Strava trying to figure out how to deal with that, it's techically not possible
However it's a great marketing opportunity for Stryd footpod which can track distance without GPS
I wonder what a moving deck at even 10mph would do to a Stryd though
The GPS must have added 10mph? But it's all relative to the deck vs the sea, hmm
1. https://arstechnica.com/security/2024/09/sailors-hid-an-unau...
> master’s degree in business administration with a concentration in information security and digital management
Surely at a bare minimum the access point should not have been broadcasting its SSID.
I can assume Strava is GDPR compliant and would not publish this information without the sailors concent?
Does the French military not stress in their training the dangers of these data disclosures?
Why does the carriers network not have adequate measures against this sort of data exfiltration?
Why is Le Monde tracking a french sailors location data?
Don't we have constellations of satellites constantly imaging the entire earth, both with visual and synthetic aperture radar, with many offering their data freely to the public? Wouldn't a large ship on the ocean stick out somewhat? And yet journalists seem lost without vesselfinder. Is this harder than I'm imagining, or are they just not paying the right orgs for the info?