Lock up your apps, say police — thieves use ride-tracking sites to target bikes

All good. Naming bikes especially: you'll know what MuddyFox87 is, even if looks retro to most. Stick up photos of your first MTB if you really want discretion.

Some more

* Don't use your real name. Strava lets you use "!" as a surname, hence, "Contender !", "Thighmeister !", or "Faceplant !" or any other nickname you want.
* keep any joined up instagram account anonymous too.
* get some distance from your house before starting/stopping recording. If you go via a friends house, start after you leave it. Else correlating "rode with" routes can find the second house on the road.
* If you end up having to return home, stop and restart, or make it private.
* be selective about which Strava clubs you join. They leak information.

As an example, take this leader board from bristol. Too many names are real; in a smaller town easier to track down. Then there's facebook, linkedin... What's worse, you can click on any of the rides that placed and get the full ride, including start/finish points even if they start or stop in a privacy zone. Real name + nearby/actual starting points is too much data to publish.

Be paranoid: you know it makes sense.

contender wrote:

All good. Naming bikes especially: you'll know what MuddyFox87 is, even if looks retro to most. Stick up photos of your first MTB if you really want discretion.

Some more

* Don't use your real name. Strava lets you use "!" as a surname, hence, "Contender !", "Thighmeister !", or "Faceplant !" or any other nickname you want.
* keep any joined up instagram account anonymous too.
* get some distance from your house before starting/stopping recording. If you go via a friends house, start after you leave it. Else correlating "rode with" routes can find the second house on the road.
* If you end up having to return home, stop and restart, or make it private.
* be selective about which Strava clubs you join. They leak information.

As an example, take this leader board from bristol. Too many names are real; in a smaller town easier to track down. Then there's facebook, linkedin... What's worse, you can click on any of the rides that placed and get the full ride, including start/finish points even if they start or stop in a privacy zone. Real name + nearby/actual starting points is too much data to publish.

Be paranoid: you know it makes sense.

And wear a tin foil hat as well so they can't read your mind as well?

I for one have my real name on Strava.
My Instagram account is joined to it and not anonymous.
I start Strava on my doorstep, and regulary ride with mates, resulting in a lot of 'rode with' rides.

I've never had anyone come and try nick my bike, because people just don't use strava for it.
You may as well just not ride outdoors if you're going to be so paranoid.
Do you ride a different route every day?
After all someone could easily see you ride past one day and then just wait around.

glynr36 wrote:

And wear a tin foil hat as well so they can't read your mind as well?

I for one have my real name on Strava.
My Instagram account is joined to it and not anonymous.
I start Strava on my doorstep, and regulary ride with mates, resulting in a lot of 'rode with' rides.

I've never had anyone come and try nick my bike, because people just don't use strava for it.
You may as well just not ride outdoors if you're going to be so paranoid.
Do you ride a different route every day?
After all someone could easily see you ride past one day and then just wait around.

That's like saying "I've never had a car stolen, therefore people don't nick cars".

Out of interest, if you have never had a car stolen, or a house burgled, do you leave your car/house unlocked?

Surely if the police think that it might be a tool that criminals are using, it is worth taking a few sensible precautions.

PaulBox wrote:

glynr36 wrote:

And wear a tin foil hat as well so they can't read your mind as well?

I for one have my real name on Strava.
My Instagram account is joined to it and not anonymous.
I start Strava on my doorstep, and regulary ride with mates, resulting in a lot of 'rode with' rides.

I've never had anyone come and try nick my bike, because people just don't use strava for it.
You may as well just not ride outdoors if you're going to be so paranoid.
Do you ride a different route every day?
After all someone could easily see you ride past one day and then just wait around.

That's like saying "I've never had a car stolen, therefore people don't nick cars".

Out of interest, if you have never had a car stolen, or a house burgled, do you leave your car/house unlocked?

Surely if the police think that it might be a tool that criminals are using, it is worth taking a few sensible precautions.

Leaving a car/house open is not analogous to Strava though.
Bikes always have and always will get stolen.
I just don't think Strava is a factor in bike theft at all.
People could just watch you come in and out your house and decide they'll break in for your bike/ambush you on the bike.
What 'sensible' precautions do you take against that then?
Ride the first 5k with a blanket over your bike?

glynr36 wrote:

Leaving a car/house open is not analogous to Strava though.

I was using an analogy. You said that you use Strava, you haven't had your bike stolen, therefore bike thieves don't use Strava to target bikes.
I said therefore, if you had never had a car stolen would you leave your car unlocked, or do you believe that to do so would make your car more susceptible to being stolen?

glynr36 wrote:

Bikes always have and always will get stolen.

Absolutely.

glynr36 wrote:

I just don't think Strava is a factor in bike theft at all.

But just because you think something, doesn't mean it is correct. If I was going to nick bikes, I think I might use the Strava to help me. So why wouldn't an actual bike thief? (And I do agree, that I might be wrong).

glynr36 wrote:

People could just watch you come in and out your house and decide they'll break in for your bike/ambush you on the bike.
What 'sensible' precautions do you take against that then?
Ride the first 5k with a blanket over your bike?

You seem to be struggling with with the meaning of the word sensible.

Sensible is to turn on your privacy zone, not list details of your bikes, just name them Road Bike 1 or MTB 1 / 2 etc.

And wear a tin foil hat as well so they can't read your mind as well?

I wouldn't wear a tin foil hat as they show up well on CCTVs and that would mark you down as suspicious to The Man.

I actually work in "google-scale" datamining infrastructure, which is why I get to go to google for coffee, LinkedIn for lunch and Facebook for an early evening tequila. I'm not being over-paranoid, simply planning ahead.

If you look at the coverage of the issue in Bristol Traffic you can see that (a) I know what is possible, and (b) I pre-empted some of the Snowden revelations, not because I was involved in that work, but because I know what people like Facebook get up to.

I am happy that the usual bike-thieves around Bristol aren't up to using this data —yet. I'm making recommendations about what information security policy (fancy work: INFOSEC) you'd need to stop someone like me doing it. Because I do know about things like "Deanonymization", data aggregation etc. The main reason there isn't a Bristol Traffic article naming and shaming the top 5 sprinters on the railway path the topic is that I don't want the basic tactics to become known.

What you have to consider though is how secure that data is two years from now, once someone does work out how to do bulk grabs of the rides (notice how even "private" rides have a URL which you can share?), how you can automate getting the entire list of people who have completed some black-run MTB trail then look for their names on linked in? Once your data is out there, it's not going to go back.

This was an article on INFOSEC, so that's what I covered.

Like you noted, operational security, OPSEC, matters more today. Which, in Bristol, means making sure nobody follows you from the Ashton Court MTB trails, the Suspension Bridge after a road ride or back from Wales with your MTBs on the roof.

1. Once you've crossed the bridge into Clifton, hit the back lanes at speed and see if some teenagers are tracking you. If you suspect, take some evasive action involving hill climbs
2. Don't leave bikes you care about in a garage. Bring them in, with the good ones away from the front door and out of sight. Ideally: locked
3. If you do keep it in a garage, have an alarm and let the neighbours have your contact details for when the alarm goes off.
4. Ride a beater around town. If you have a nice bike, cable tied inner tube and electrical tape work wonders.
5. If you have a driveway, don't park a car then, especially an expensive one, with a bike rack on top
6. When heading back with bikes on a car, do some rat-running rather than come straight off the motorway and back to your house via main roads

The only time I've had a bike stolen so far was when some kids grabbed it while loading it in my driveway, pushing over my son in the process, while my wife was just inside the front door. I wasn't paranoid enough then.

More recently
-someone hit the shed of a friend, a friend whose BMW in the driveway had a visible roof rack.
-someone grabbed two bikes from a friend's garage. The police were called by a neighbour, but not the owners. It's now believed the thieves were still in the garage at the time, something the owners could have checked better than the police.
-A school-parent on a good road bike got tracked home by some teenagers, and even though he went past his house when he noticed them, he was still robbed within the week.

Most worrying recently was someone got mugged in Leigh Woods Bristol, at knife point, at the same time of I day I'd to a mid-morning ride. I don't see a good defence there except ride a busier periods or with friends. A helmet cam could get some photos of the thieves, but wouldn't stop it happening.