Seeing as I am a cyclist, I use Strava to keep track of my rides and also to help me improve. The same is true for millions of other cyclists, runners, and other weekend warriors. Which is why, when I saw this news over the weekend, I was kind of floored:
Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company. The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others. The map, released in November 2017, shows every single activity ever uploaded to Strava — more than 3 trillion individual GPS data points, according to the company. The app can be used on various devices including smartphones and fitness trackers like Fitbit to see popular running routes in major cities, or spot individuals in more remote areas who have unusual exercise patterns.
However, over the weekend military analysts noticed that the map is also detailed enough that it potentially gives away extremely sensitive information about a subset of Strava users: military personnel on active service… In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.
Well, Strava is in a whole lot of trouble. But it does illustrate that when companies like Strava, or Map My Run, which is owned by Under Armour, or Runtastic collect the data on millions of users, that data can have all sorts of unintended consequences. For example, I had a brief look at this and these maps (which for the record I have used previously to design cycling routes for myself) clearly outline what I assume are patrol and supply routes. Thus if you’re a bad guy who wants to kidnap or kill people, this would be a great way to figure out where to set up shop so that you could do just that. I am guessing that all these app companies are going to have to get together with the US military to get this sorted for that reason alone. I’m also going to guess that the US military is going to have to crack down on the usage of these sorts of apps to avoid this problem going forward.
VMware Patches Spectre Vulnerability In VMware Fusion…. So, What About Parallels Desktop For Mac?
Posted in Commentary with tags Parallels Desktop, VMWare on January 29, 2018 by itnerd
If you run virtual machines on your Mac, you have two choices. You can run VMware Fusion or Parallels Desktop. In both cases, you have to worry about the fallout from the Spectre and Meltdown CPU issues. And in the case of VMware Fusion, they’ve addressed Spectre in their latest update. Specifically, they’ve addressed an attack vector that only appears on virtual machines. Plus VMware has provided specific instructions on how their users can secure themselves.
So, that leaves Parallels Desktop For Mac. What are they doing to protect their users? Well, the closest thing to advice that I have seen is these Tweets:
And:
The problem with this response is that patching macOS and whatever operating systems you’re using in your virtual machines isn’t enough, as pointed out by VMware. Thus there has to be a patch for the virtual machine software. Now I tried to find any further communication from Parallels and I could not. Thus you have to wonder if Parallels is working on something, or if they are ignoring this. I say that because in the absence of any info, people will wonder if the company actually cares. Thus if I were Parallels, I’d be putting out some sort of statement on Spectre and Meltdown ASAP, because VMware has beaten them to the punch and is drawing a pretty stark comparison between the two products that has VMware in control of the message on this issue.
UPDATE: Parallels released an update to Parallels Desktop For Mac. The release notes make no mention of Spectre and Meltdown fixes. So I pinged Parallels over Twitter. Here’s what I got back:
The release notes that are referenced in the Tweet are the same ones that I looked at prior to pinging them on Twitter. Thus it doesn’t appear that they’ve done anything to mitigate Spectre and Meltdown despite the fact that their nemesis VMware Fusion has.