More Spying on Spies

Strava’s heat map has made a lot of people step back and realize, “wow, there are side-channels to data.” Most of us in the computer security world have known that for a long time; some of us have spent our lives trying to stop such channels from happening; it’s a frustrating way to spend your life but, as Townes says, “it beats sitting around waiting to die.”

The Strava heat-map really does make it ridiculously easy to find American activity in dark parts of the world. [strava]

Back in May, 2017, I went searching for the alleged secret US base near At Tanf in Syria [stderr] – at that time, the basic tool was google satellite map: you zoom in and out looking for the characteristic elongated rectangle that represents an airfield surrounded by a security fence.

We amateurs have only basic tools: coffee and patience; if we were really trying to do this properly, we’d be using differential time like the NRO guys did – what you do is you render the map from last year for the left eye, and the map from this year for the right eye, look through a stereoscopic viewer, and all the changes literally jump right off the screen at you. That sort of technique used to be classified – but now I believe it’s used in molecule-mapping and protein design, so it’s probably obvious for satellite data as well. Dino Brugioni appears to tease that they were using such techniques with Corona satellite images in the 60s. In those days you had the problem of correctly orienting and scaling a print from film that was recorded on separate pre-GPS satellite passes; I would very much like to see how that was done! Nowadays I imagine it’s a matter of correctly operating Google’s map API to get the data across time; I suppose you could color-map the parts of the scene that changed, based on change rate (pixel count?) and it’d literally leap off the screen.

The state of the art commercial stuff takes advantage of depth-cues collected from LIDAR – you can map a building’s growth over time assuming that is significant activity. [Harris Geospatial] This stuff is only for people with a government-level budget.

Source: Harris Geospatial

I believe that map is a heat-map based on change of depth; note how the car (which changed more than the buildings) is colored. As you’d expect, there is an unbelievably gigantic tsunami of data, and a limited number of analysts: the natural go-to answer for everything is to use AI. It’s probably something AI will be pretty good for, which is why I am concerned that ubiquitous facial recognition is just the tip of an iceberg that, at the bottom, includes group-identification and clustering, group membership analysis, and group formation detection. In other words “warn us if people who appear to have been in the black bloc at this particular protest ever appear to be collecting in the same zone in the future.” [national defense]

If you recall, I searched around At Tanf, Syria, looking for the base where Russians supposedly bombed CIA-sponsored insurgents, and where some special forces operators had been hanging out.

That is what I found, back then, by just google map-whacking around. Strava shows a different view at the same coordinates – there’s activity right down at the other end of that road:

I have no idea what’s going on there, but google maps offers a pretty good view:

Fort Zinderneuf

I wonder what Dino Brugioni would pick out from that image. Sadly, I lack the skills. I don’t see signs of bomb damage, but what do I know?

More interesting, I went looking for the base I couldn’t find with mere google – the airfield being used for various purposes in “Kobane, near Majbij” which is a pretty vague description. Back before I had Strava data, I just scrolled around looking at lots of pixels. Add the Strava data and it gets kind of interesting: there’s something going on where there is nothing:

If you turn Strava’s satellite map on, it appears that there is a building surrounded by empty fields, and people are engaging in some structured movements around in these empty fields.

Let’s look at it with Google maps: [google maps]

Oh, look! It’s people walking around in a cloud-bank! And the scale of the clouds is absurdly wrong.

At Alec Muffett’s suggestion, I paid $25 from Microsoft’s Terraserver to get a map that didn’t have fake clouds rendered in all over it:

Air Base Zinderneuf!

There has been some debate about whether the Strava data potentially discloses anything really secret, or whether it’s mostly “that place we expected activity around, there’s activity around it.” In this case, I located and mapped a secret base that I had not been able to find with just eyeballing satellite maps, and I did it very quickly. Making the screenshots, writing this, and paying Terraserver by credit card took longer than finding the base did.

------ divider ------

Operation Crossbow – how 3D glasses helped defeat Hitler (depth cues used in surveillance photographic analysis) [bbc]

Here is some interesting stuff about “Earth View” which was the CIA-built (via In-Q-Tel) satellite mapping application that was the first generation visual intelligence search engine. [bi]