Triangulating Strava Users
Last week the news was revealing details of guard patrols and the active use of secret military facilities; this week the news is about leaking user’s private locations they try to keep the service from revealing. Strava, the popular athletic activity-tracking app, allows users to establish “privacy zones” to hide their activity near certain locations, such as residences or workplaces. The idea is sound, for users deserve to control the visibility and sharing of their location information, especially to keep something like a home address private.
However, the implementation is too precise. While the location information within the privacy zone may not be shared, the paths that users exercise on are stopped at a precise distance from the center of the privacy zone. The home address may not directly be shared, but it can be precisely recovered by triangulating it using the starting/stopping points of only a few paths.
We may try to protect certain information from becoming public while we openly share other related information, but obviously properly keeping things private isn’t so easy. This all begs the question: can this kind of information sharing ever not be harmful?
Just Use HTTPS Already
Encrypting communication to a web server has long been easy to do, providing security and privacy gains at a continually decreasing cost. But even still, in 2018, there are services and sites that don’t use HTTPS by default. Based on Google’s analytics, anywhere from 68% to 78% of web traffic is protected with HTTPS, meaning there’s still an uncomfortably large portion - 22% to 32% - that isn’t.
Starting in June of this year, Google Chrome will be alerting users of non-HTTPS sites that the communication is not secure, putting pressure on site operators to just get a cert already and enable HTTPS, preferably by default. For many cases Let’s Encrypt should be more than enough for admins to freely and easily get the certificates they need. Just about every popular hosting provider/ one-stop-site-shop offers dead-simple SSL options for cheap (or free), including the likes of GoDaddy and Squarespace.
There’s still a few months left before the change takes effect, and certainly some extra time after that for users to upgrade their browser, but it’s better to migrate now and save last-minute change headaches later, especially for deployments that are relatively complicated.
John Perry Barlow Passes On
John Perry Barlow, co-founder of the Electronic Frontier Foundation and Freedom of the Press Foundation, and Grateful Dead lyricist, passed away on February 6th. While you may not know his name, he’s one of the many people who have played an important role in shaping the web and Internet as it grew, and continues to grow.
Maybe take a moment to peruse his work, such as the Declaration of the Independence of Cyberspace, or listen to one of the songs he co-wrote. Or read a more encompassing, better written epitaph than this paragraph ever could be.
About the Cylance Research and Intelligence Team
The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the fore front of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.