u/JohnDisinformation

New theory. When I posted before, there were loads of tankers just sat there waiting. It looked like a holding pattern. Now a lot of that visible queue has gone.

I do not think that automatically means the situation has eased off. My read now is that the waiting phase may have ended and the movement phase has started. Ships were likely sitting on standby for instructions, pricing, insurance clarity, routing decisions, or cargo allocation. Once that signal came through, the obvious backlog disappeared.

What makes it more interesting is that since I posted that before, there seems to be a lot more AIS weirdness in the area as well. That is the bit that changes the feel of it.

A quiet map does not always mean a quiet situation. Sometimes it means the opposite. The easy-to-see waiting traffic vanishes, and what replaces it is patchier, stranger, less transparent movement. Gaps. Odd tracks. Less clean visibility. So my new theory is this: those tankers did not just disappear because nothing is happening. They may have got their orders, dispersed, and whatever comes next is showing up with a lot more AIS noise and a lot less clarity.

The visible queue may have been the pause. This may be the part where things actually start moving.

So this is not really a “look at my project” post. It is me putting the current version in front of people who might actually use something like this and asking a simple question: does it help your workflow, or is it just interesting to poke around?

It is called Phantom Tide. The aim is to make it easier to inspect aircraft activity, vessel movement, warnings, weather, and map context together instead of bouncing between separate tools and trying to stitch it all together manually.

A lot of the recent work has been on the engineering side rather than just adding more things to click: better history views, calmer refresh behaviour, more honest source state, render and performance fixes, backend hardening, and generally trying to make it feel more like a usable working surface than a pile of layers.

There is a public link in the repo, and here is an evaluation key if you want to test it properly:

Tier: Eval key
Expires: 2026-04-12T09:25:42.967839Z
Key: pt_live_02653df6b243.HLNGdjNZhogQgDpSkxocOxZai0QJe6w7

Repo:
https://github.com/tg12/phantomtide

What I care about most is blunt feedback from people who would genuinely use something like this:

• does it help you get to an answer faster
• what feels useful versus decorative
• what feels confusing, noisy, or overbuilt

Where I want to take it next is beyond passive tracking and more toward workflow-driven alerting: aircraft entering restricted airspace, repeat boundary loitering, AIS gaps or spoof-like behaviour around critical infrastructure, thermal hits with no obvious traffic explanation, and cross-domain signals that only become interesting when multiple weak indicators start agreeing.

After that comes the user layer: logins, saved watchlists, persistent analyst state, sharable links, and collaborative handoff, so it stops being just a live map and becomes something you can actually work from over time.

So this is not really a “look at my project” post. It is me putting the current version in front of people who might actually use something like this and asking a simple question: does it help your workflow, or is it just interesting to poke around?

It is called Phantom Tide. The aim is to make it easier to inspect aircraft activity, vessel movement, warnings, weather, and map context together instead of bouncing between separate tools and trying to stitch it all together manually.

A lot of the recent work has been on the engineering side rather than just adding more things to click: better history views, calmer refresh behaviour, more honest source state, render and performance fixes, backend hardening, and generally trying to make it feel more like a usable working surface than a pile of layers.

There is a public link in the repo, and here is an evaluation key if you want to test it properly:

Tier: Eval key
Expires: 2026-04-12T09:25:42.967839Z
Key: pt_live_02653df6b243.HLNGdjNZhogQgDpSkxocOxZai0QJe6w7

Repo:
https://github.com/tg12/phantomtide

What I care about most is blunt feedback from people who would genuinely use something like this:

• does it help you get to an answer faster
• what feels useful versus decorative
• what feels confusing, noisy, or overbuilt

Where I want to take it next is beyond passive tracking and more toward workflow-driven alerting: aircraft entering restricted airspace, repeat boundary loitering, AIS gaps or spoof-like behaviour around critical infrastructure, thermal hits with no obvious traffic explanation, and cross-domain signals that only become interesting when multiple weak indicators start agreeing.

After that comes the user layer: logins, saved watchlists, persistent analyst state, sharable links, and collaborative handoff, so it stops being just a live map and becomes something you can actually work from over time.

Random OSINT thought: would it be worth building a hashing pipeline for repeated spam/copypasta posts like this, then tracking how often the same or near-identical message hash appears across accounts in a short time window?

My thinking is that if the same text, or lightly modified variants, suddenly spike across multiple accounts, that is a decent signal for coordinated amplification or low-grade misinformation/seeding. You could probably combine exact hashes with fuzzy hashes / similarity scoring so it still catches small edits like country names, emojis, punctuation changes, or reordered phrasing.

Feels like there is maybe a useful detection model here: not “is this false” but “is this being pushed in an obviously synthetic way?” That alone would already be valuable.

So this is not really a “look at my project” post. It is me putting the current version in front of people who might actually use something like this and asking a simple question: does it help your workflow, or is it just interesting to poke around?

It is called Phantom Tide. The aim is to make it easier to inspect aircraft activity, vessel movement, warnings, weather, and map context together instead of bouncing between separate tools and trying to stitch it all together manually.

A lot of the recent work has been on the engineering side rather than just adding more things to click: better history views, calmer refresh behaviour, more honest source state, render and performance fixes, backend hardening, and generally trying to make it feel more like a usable working surface than a pile of layers.

There is a public link in the repo, and here is an evaluation key if you want to test it properly:

Tier: Eval key
Expires: 2026-04-12T09:25:42.967839Z
Key: pt_live_02653df6b243.HLNGdjNZhogQgDpSkxocOxZai0QJe6w7

Repo:
https://github.com/tg12/phantomtide

What I care about most is blunt feedback from people who would genuinely use something like this:

• does it help you get to an answer faster
• what feels useful versus decorative
• what feels confusing, noisy, or overbuilt

Where I want to take it next is beyond passive tracking and more toward workflow-driven alerting: aircraft entering restricted airspace, repeat boundary loitering, AIS gaps or spoof-like behaviour around critical infrastructure, thermal hits with no obvious traffic explanation, and cross-domain signals that only become interesting when multiple weak indicators start agreeing.

After that comes the user layer: logins, saved watchlists, persistent analyst state, sharable links, and collaborative handoff, so it stops being just a live map and becomes something you can actually work from over time.

Got an attribution edge case that feels more OSINT than pure sysadmin.

I run a niche public-facing app and noticed a very repetitive pattern hitting one endpoint over and over. The source IP attributes publicly to ASN6966 / U.S. Department of State infrastructure, and the request pattern is heavily concentrated on a single auth/session path. I am not claiming this means a person at State was manually hitting the site, and I am not calling it an attack from this alone. It could be egress, automated validation, a scanner, shared proxy infrastructure, or something much more boring.

What I am interested in is the analytical ceiling here. Once you have a public ASN attribution, a suggestive hostname, and a repetitive request pattern, where do you stop? To me this looks like one of those cases where infrastructure attribution is real, but actor and intent are completely unresolved.

How would people here write this up without drifting into narrative inflation?

Edit, The BIMC portion is the strongest clue. In State Department documentation, BIMC refers to the Beltsville Information Management Center, which is part of the Department’s telecommunications and core infrastructure environment. The Foreign Affairs Manual describes BIMC as part of the DTS network and related enterprise operations.