I don't understand why that youtuber was acting like spy satellites going over was such a big deal, they are going over the entire planet, all the time.
dont give these OSINT quality signals away ... that's one of the indicators that allow you on first scan to id (potentially) low quality content. Ie: fully llm gen; the author doesnt look over the docs or doesnt care for 'details'.
“The first Matrix I designed was quite naturally perfect, it was a work of art, flawless, sublime; a triumph equaled only by its monumental failure. The inevitability of its doom is apparent to me now as a consequence of the imperfection inherent in every human being. Thus I redesigned it, based on your history, to more accurately reflect the varying grotesqueries of your nature. However, I was again frustrated by failure. ”
They are definitely on the horizon! I am a HUGE fan of both of those projects and they are definitely on the roadmap for the architecture...
Right now, ShadowBroker is really optimized for 'blinking blip' real-time radar tracking (streaming the raw GeoJSON payload from the FastAPI backend directly to MapLibre every 60s), so we get as close to as smooth 60fps entity animations across the map.
Moving to something like Martin would be incredible for handling EVEN MORE entities if we start archiving historical flight and AIS data into a proper PostGIS database, but the trade-off of having to invalidate the vector tile cache every few seconds for live-moving targets makes it a bit overkill right now....
Protomaps is really cool also when you just want maps for a country and to serve them without too much of a hassle, their CLI has pretty much everything you need: https://docs.protomaps.com/pmtiles/cli
I set that up for an agricultural project a while back.
It's pretty interesting to see. My very first real software job was working on ground processing algorithms for the US Navy's Maritime Domain Awareness system, which is the "real" version of something like this that actually gives centimeter scale live activity detections of basically the entire world. The engineering effort that goes into something like that is immense. Bush announced in like 2004 or something and we didn't go into full operational capability until 2015. Thousands of developers across intel, military, commercial contractors, for over a decade, inventing and launching new sensor platforms, along with build outs of the data centers to collect, process, store, and make sense of all this.
I wish these weekend warriors would work on a project like that someday, to see what capabilities truly take. You want to know what's happening in the world, you need to place physical sensors out there, deal with the fact that your own signals are being jammed and blocked, the things you're trying to see are also trying to hide and disguise themselves.
The attention to detail is something I've never seen replicated outside. Every time we changed or put out a new algorithm, we had to process old data with it and explain to analysts and scientists every single pixel that changed in the end product and why.
Ah, that's my fault for not making the error handling clearer in the UI. If the map is blank, it usually means the backend is missing the .env file with the free API keys (AISSTREAM_API_KEY and N2YO_API_KEY), so it's silently failing to fetch the streams.
Did the terminal throw any Python FastAPI errors, or did it just serve the Next.js frontend? I'm going to push an update later today to show a prominent "Backend Disconnected / Missing API Keys" warning on the UI so it doesn't just look dead. Thanks for testing it!
This is fun, Playwright is a python wrapper for a node lib. So we have Next.js (full stack js/ts), with a Python backend (???), that uses a wrapper for a js/ts lib, all we need now is to shell out to node from inside that script and we have peak inception lol.
Let me ask a dumb question. Can this be run on a public server (I use dreamhost) with a web interface for others to see? Or is this strictly something that gets run on a local computer?
Well, I have to make some modifications, but that isn't recommended right now because I have a settings option with the API key right there for the free world to see, lol. I will work on making a version for hosting it, though.
You can throw it on a server and run it for you to see (or anyone else if you trust people or dont care about losing your free API keys) It's just a standard Next.js and FastAPI stack, and there are Dockerfiles in the repo so it should be pretty straightforward to spin up on a cheap VPS (like a DigitalOcean droplet or Hetzner).
Honestly, if you just want to show it off to a few people, running it locally and exposing it with a Cloudflare Tunnel or Ngrok is probably the path of least resistance.
I WILL work on having a version to host it where users have to bring their own keys to see it in the future though
Cloudflare Tunnel is solid for quick demos. One thing though — if you're planning the "bring your own keys" version, don't just throw them in a settings page. I went down that road and ended up with keys sitting in localStorage where any XSS could grab them. What worked better for me was having the backend hold the keys and issuing short-lived session tokens to the frontend. More moving parts but way less surface area if something goes wrong.
If you want to host for friends/trusted devices, you can put it on a Tailscale or Zerotier style network and just let trusted devices access the server wrt to the OP's point about open secrets. Or you could probably make a PR to load the settings from somewhere else.
I'm excited to see tooling of this nature and scope. Looking forward to seeing similar tooling oriented around all human needs so we can start tracking the meeting of needs to better meet needs, particularly in ways that don't require money.
As was already said in one of the reference videos, it's impressive what one person can do.
But the next step is to define an architecture where authors can defined/implement plug-ins with particular modular capabilities instead of one big monolith. For example, instead of front-end (GUI) and back-end (feeds), there ought to be a middle layer that models some of the domain logic (events: surces, filters, sinks; stories/time lines etc.).
What's with so many people creating new accounts to promote LLM generated projects? Are they people who don't care about HN and just trying to self promote? Existing users creating new accounts? Lurkers?
It's a bummer because sometimes the headline seems cool, but its always generated blah blah recently. I don't think I've seen a non-AI readme on here in months..
Everyone has their own hueristic, but if it took someone 6 hours or whatever to make some whole big app, my confidence that they will continue to maintain or care about it even next week is pretty much zero... How could they? They've already made three other apps in that time!
I don't care if the code is perfect, all this stuff just has the feel of plastic cutlery, if that makes sense.
Very cool! Although, the concept, the feeds, the design and everything reminds me of https://www.worldmonitor.app/ - also live and deployed btw, if you want to check out the interface.
Is this kind of Hyper-awareness of data you can't actually do anything about even a desirable thing, or just a pathway into a hole of hyper-alert stress and low Self-efficacy?
> ShadowBroker is a real-time, full-spectrum geospatial intelligence dashboard
You might consider changing this to a more accurate headline, like "Air and Space domain awareness."
"Full spectrum Geospatial intelligence" most commonly refers to full color satellite photos (sometimes including near infrared).
In the Geospatial world, "spectrum" almost always takes on its literal meaning - the spectrum of light. And "Geospatial intelligence" refers to intelligence gathered from Geospatial platforms, not intelligence about the locations of those platforms.
assessment = "ANALYSIS: "
if any(k in keywords for k in ["strike", "missile", "attack", "bomb", "drone"]):
assessment += f"{random.randint(75, 95)}% probability of kinetic escalation within 24 hours. Recommend immediate asset relocation from projected blast radius."
elif...
The multi-source aggregation approach is exactly right for this use case -- the value isn't any single feed, it's the correlation between them. Flight diversions, AIS gaps, and social spikes at the same coordinates at the same time tell a very different story than any one of those signals alone.
Curious whether you're doing any timestamp normalization across feeds. Marine AIS in particular can be spoofed or delayed, and correlated analysis gets messy fast if the time windows aren't aligned.
Here's my thorough analysis after reviewing the entire project:
---
## Verdict: Not malicious
This is an *OSINT (Open Source Intelligence) dashboard* called "ShadowBroker" that aggregates publicly available real-time data — flights, ships, satellites, CCTV, news, radio, weather, earthquakes, stock markets, and geopolitical events — onto a map. The name references the infamous hacking group but the code itself contains no malware.
---
## What `start.sh` does
1. Checks for Node.js and Python 3
2. Creates a Python venv and installs dependencies from `requirements.txt`
3. Installs npm packages from `frontend/package.json`
4. Runs `npm run dev` which starts both a Next.js frontend and a FastAPI (uvicorn) backend
*No obfuscated commands, encoded payloads, curl/wget to suspicious URLs, reverse shells, or hidden steps.*
---
## What the full codebase does
It fetches data from these *legitimate public sources*:
- No data exfiltration — nothing sends your personal data anywhere
- No reverse shells or backdoors
- No cryptominer code
- No encoded/obfuscated payloads
- No filesystem scanning or credential harvesting
- No network scanning or port scanning
- The `subprocess.run` call in `network_utils.py` uses argument lists (not `shell=True`), preventing command injection
---
## Noteworthy concerns (not malicious, but worth awareness)
1. *`cloudscraper` + Playwright stealth* — Used to bypass Cloudflare/Turnstile protections on Liveuamap and OpenMHz. Legally gray (may violate those sites' ToS).
2. *CORS wide open* (`allow_origins=[""]`) in `main.py` — acceptable for a local-only tool, but means any website you visit could make requests to your local backend on port 8000 while it's running.
3. *API key management* — The `/api/settings/api-keys` PUT endpoint writes to `.env` on disk. It does validate against a whitelist of known keys and rejects newlines, but it's exposed without authentication on localhost.
4. *Resource consumption* — The scheduler makes hundreds of outbound API calls per hour from your IP to public services (ADSB, OpenSky, CelesTrak, USGS, RSS feeds, etc.).
5. *UAV data is fake* — `fetch_uavs()` generates simulated drone positions in conflict zones. It's not real tracking data.
6. *Dependencies are all legitimate* — `fastapi`, `yfinance`, `feedparser`, `playwright`, `beautifulsoup4`, `requests`, `sgp4`, etc. are all well-known Python packages. Frontend deps (Next.js, React, MapLibre, Tailwind) are standard.
---
*Bottom line*: Safe to run. It's a hobbyist OSINT dashboard with an edgy name. No malicious behavior detected anywhere in the codebase.
Neat aggregation. One thing worth adding to the feed pipeline: a staleness signal. Several of these sources (threat feeds especially) have update cadences measured in hours, not seconds. Displaying last-updated timestamps per source would help users weight freshness vs. noise when triaging.
hbarka | a month ago
operatingthetan | a month ago
edit: no idea why they deleted the comment but they linked to this video https://www.youtube.com/watch?v=0p8o7AeHDzg
kjs3 | a month ago
whattheheckheck | a month ago
And add chronological feeds of govtrack.us along with all politicians social media feeds
btbuildem | a month ago
[OP] vancecookcobxin | a month ago
erichocean | a month ago
mentalgear | a month ago
totetsu | a month ago
afatparakeet | a month ago
Have you seen these projects?
https://github.com/protomaps/PMTiles
https://github.com/maplibre/martin
[OP] vancecookcobxin | a month ago
Right now, ShadowBroker is really optimized for 'blinking blip' real-time radar tracking (streaming the raw GeoJSON payload from the FastAPI backend directly to MapLibre every 60s), so we get as close to as smooth 60fps entity animations across the map.
Moving to something like Martin would be incredible for handling EVEN MORE entities if we start archiving historical flight and AIS data into a proper PostGIS database, but the trade-off of having to invalidate the vector tile cache every few seconds for live-moving targets makes it a bit overkill right now....
afatparakeet | a month ago
Great project, will be contributing!
[OP] vancecookcobxin | a month ago
KronisLV | a month ago
I set that up for an agricultural project a while back.
laborcontract | a month ago
I need a realtime OSINT dashboard for OSINT dashboards.
operatingthetan | a month ago
laborcontract | a month ago
skinnymuch | a month ago
nonameiguess | a month ago
I wish these weekend warriors would work on a project like that someday, to see what capabilities truly take. You want to know what's happening in the world, you need to place physical sensors out there, deal with the fact that your own signals are being jammed and blocked, the things you're trying to see are also trying to hide and disguise themselves.
The attention to detail is something I've never seen replicated outside. Every time we changed or put out a new algorithm, we had to process old data with it and explain to analysts and scientists every single pixel that changed in the end product and why.
[OP] vancecookcobxin | a month ago
the_real_cher | a month ago
apples and oranges
rustyhancock | a month ago
No planes etc.
No helpful output in the command window.
Seems fun but doesn't seem to be working.
spzb | a month ago
DetroitThrow | a month ago
[OP] vancecookcobxin | a month ago
[OP] vancecookcobxin | a month ago
Did the terminal throw any Python FastAPI errors, or did it just serve the Next.js frontend? I'm going to push an update later today to show a prominent "Backend Disconnected / Missing API Keys" warning on the UI so it doesn't just look dead. Thanks for testing it!
rustyhancock | a month ago
AH4oFVbPT4f8 | a month ago
porridgeraisin | a month ago
AH4oFVbPT4f8 | a month ago
fastapi==0.103.1
uvicorn==0.23.2
yfinance>=0.2.40
feedparser==6.0.10
legacy-cgi==2.6.1
requests==2.31.0
apscheduler==3.10.3
pydantic==2.11.0
pydantic-settings==2.8.0
playwright>=1.58.0
beautifulsoup4>=4.12.0
sgp4>=2.22
cachetools>=5.3.0
cloudscraper>=1.2.71
reverse_geocoder>=1.5.1
lxml>=5.0
python-dotenv>=1.0
and be on python 3.13 and it should get you up and running
edwcross | a month ago
trick-or-treat | a month ago
ionwake | a month ago
[OP] vancecookcobxin | a month ago
serf | a month ago
first llm to stop using those damn colors for every single transparent modal in existence is going to be a big step forward.
vavkamil | a month ago
DetroitThrow | a month ago
tfghhjh | a month ago
everything is open source
porridgeraisin | a month ago
hettygreen | a month ago
Let me ask a dumb question. Can this be run on a public server (I use dreamhost) with a web interface for others to see? Or is this strictly something that gets run on a local computer?
[OP] vancecookcobxin | a month ago
You can throw it on a server and run it for you to see (or anyone else if you trust people or dont care about losing your free API keys) It's just a standard Next.js and FastAPI stack, and there are Dockerfiles in the repo so it should be pretty straightforward to spin up on a cheap VPS (like a DigitalOcean droplet or Hetzner).
Honestly, if you just want to show it off to a few people, running it locally and exposing it with a Cloudflare Tunnel or Ngrok is probably the path of least resistance.
I WILL work on having a version to host it where users have to bring their own keys to see it in the future though
silverstream | a month ago
[OP] vancecookcobxin | a month ago
Karrot_Kream | a month ago
garyfirestorm | a month ago
How long before we see this UI in some Iran related news story
[OP] vancecookcobxin | a month ago
blitzar | a month ago
https://www.yahoo.com/news/articles/why-f-ck-x-big-220249332...
@grok who should we boomb next?
CountGeek | a month ago
rationalist | a month ago
born-jre | a month ago
https://github.com/blue-monads/potato-apps/tree/master/cimpl...
i should finish but have not have time
efromvt | a month ago
coolius | a month ago
crawfordcomeaux | a month ago
jll29 | a month ago
As was already said in one of the reference videos, it's impressive what one person can do.
But the next step is to define an architecture where authors can defined/implement plug-ins with particular modular capabilities instead of one big monolith. For example, instead of front-end (GUI) and back-end (feeds), there ought to be a middle layer that models some of the domain logic (events: surces, filters, sinks; stories/time lines etc.).
I would like to see a plug-in for EMM (European Media Monitor) integrated, for instance ( https://emm.newsbrief.eu/NewsBrief/alertedition/en/ECnews.ht... ).
amelius | a month ago
driverdan | a month ago
alephnerd | a month ago
Of course it's commoditized and a dime-a-dozen today, but if this is what HN terms as "AI slop" then apparently human SWEs weren't that much better.
driverdan | a month ago
alephnerd | a month ago
beepbooptheory | a month ago
Everyone has their own hueristic, but if it took someone 6 hours or whatever to make some whole big app, my confidence that they will continue to maintain or care about it even next week is pretty much zero... How could they? They've already made three other apps in that time!
I don't care if the code is perfect, all this stuff just has the feel of plastic cutlery, if that makes sense.
polynomial | a month ago
gregjw | a month ago
chid | a month ago
pugworthy | a month ago
Archive version...
https://web.archive.org/web/20120112012912/http://henchmansh...
anigbrowl | a month ago
Nothing wrong with that. Beats a boring corporate dashboard any day. Video game and similar interfaces work for a reason.
david_shi | a month ago
blitzar | a month ago
raised_hand | a month ago
4mitkumar | a month ago
fittingopposite | a month ago
4mitkumar | a month ago
poemxo | a month ago
Then again they were named after a video game character so it's probably fair.
lloeki | a month ago
(spoiler alert if you ever intend to play ME)
https://masseffect.fandom.com/wiki/Shadow_Broker
totetsu | a month ago
cloudez | a month ago
ahannigan | a month ago
tylervigen | a month ago
You might consider changing this to a more accurate headline, like "Air and Space domain awareness."
"Full spectrum Geospatial intelligence" most commonly refers to full color satellite photos (sometimes including near infrared).
In the Geospatial world, "spectrum" almost always takes on its literal meaning - the spectrum of light. And "Geospatial intelligence" refers to intelligence gathered from Geospatial platforms, not intelligence about the locations of those platforms.
rakag | a month ago
hofrogs | a month ago
ryanholtdev | a month ago
Curious whether you're doing any timestamp normalization across feeds. Marine AIS in particular can be spoofed or delayed, and correlated analysis gets messy fast if the time windows aren't aligned.
touchchoice | a month ago
---
## Verdict: Not malicious
This is an *OSINT (Open Source Intelligence) dashboard* called "ShadowBroker" that aggregates publicly available real-time data — flights, ships, satellites, CCTV, news, radio, weather, earthquakes, stock markets, and geopolitical events — onto a map. The name references the infamous hacking group but the code itself contains no malware.
---
## What `start.sh` does
1. Checks for Node.js and Python 3 2. Creates a Python venv and installs dependencies from `requirements.txt` 3. Installs npm packages from `frontend/package.json` 4. Runs `npm run dev` which starts both a Next.js frontend and a FastAPI (uvicorn) backend
*No obfuscated commands, encoded payloads, curl/wget to suspicious URLs, reverse shells, or hidden steps.*
---
## What the full codebase does
It fetches data from these *legitimate public sources*:
| Category | Sources | |---|---| | Aviation | adsb.lol (open ADS-B), OpenSky Network (OAuth2) | | Maritime | aisstream.io (AIS vessel tracking) | | Satellites | CelesTrak (NORAD TLEs), SGP4 propagation | | CCTV | TfL London, Singapore LTA, Austin TX, NYC DOT, OpenStreetMap | | News | NPR, BBC, Al Jazeera, NYT, GDACS, NHK RSS feeds | | Radio | Broadcastify (scraping), OpenMHz API | | Weather | RainViewer | | Earthquakes | USGS GeoJSON feed | | Markets | Yahoo Finance (defense stocks, oil) | | Geopolitics | GDELT, Liveuamap (Playwright scraping) |
---
## Things that are NOT present (good signs)
- No data exfiltration — nothing sends your personal data anywhere - No reverse shells or backdoors - No cryptominer code - No encoded/obfuscated payloads - No filesystem scanning or credential harvesting - No network scanning or port scanning - The `subprocess.run` call in `network_utils.py` uses argument lists (not `shell=True`), preventing command injection
---
## Noteworthy concerns (not malicious, but worth awareness)
1. *`cloudscraper` + Playwright stealth* — Used to bypass Cloudflare/Turnstile protections on Liveuamap and OpenMHz. Legally gray (may violate those sites' ToS).
2. *CORS wide open* (`allow_origins=[""]`) in `main.py` — acceptable for a local-only tool, but means any website you visit could make requests to your local backend on port 8000 while it's running.
3. *API key management* — The `/api/settings/api-keys` PUT endpoint writes to `.env` on disk. It does validate against a whitelist of known keys and rejects newlines, but it's exposed without authentication on localhost.
4. *Resource consumption* — The scheduler makes hundreds of outbound API calls per hour from your IP to public services (ADSB, OpenSky, CelesTrak, USGS, RSS feeds, etc.).
5. *UAV data is fake* — `fetch_uavs()` generates simulated drone positions in conflict zones. It's not real tracking data.
6. *Dependencies are all legitimate* — `fastapi`, `yfinance`, `feedparser`, `playwright`, `beautifulsoup4`, `requests`, `sgp4`, etc. are all well-known Python packages. Frontend deps (Next.js, React, MapLibre, Tailwind) are standard.
---
*Bottom line*: Safe to run. It's a hobbyist OSINT dashboard with an edgy name. No malicious behavior detected anywhere in the codebase.
ryanholtdev | a month ago