Zwift Chat

In my industry of cyber security, people who take this approach of exploring security problems and then disclosing them responsibly are rewarded. Often financially, almost always with a public thanks and recognition of their contribution. They never get kicked out. I am a strong advocate of it, and think it is really positive for cyber security and in this case anti-cheating.

But the actions of this researcher don't quite pass as "responsible disclosure". He cheated in a race. He's been banned for cheating in a race. He tried to mitigate it by entering a TT, but he still crossed a red line of cheating in a race. Zwift have to maintain that red line and must be seen to ban anyone who cheats in a race.

I do have sympathy for him and I hope Zwift overturn the ban, but he could (and should) have demonstrated this weakness in a meet-up or in a free-ride session.

The problem is that responsible disclosure relies on a contract between vendor and researcher where the researcher agrees not to cross certain red lines (e.g. cheating in a race, even as a test) and gives the vendor reasonable time to fix issues. In return, the vendor typically agrees to resolve issues promptly (usually with a published timeline) and allows the researcher to share their findings publicly once the issue is fixed. It works well, but it relies on the terms being publicly available and an acknowledgement of the "rules" in advance.

Zwift don't have a security disclosure policy - it would help both the community and Zwift themselves if they published one!

Blimey - is this the first time I've actually been in support of a Zwift policy decision?! :laugh:
 

Peter Salt
Bittersweet
Location: Yorkshire, UK
Don't entirely agree. I've been working in the IT sector for some time now and also have experience of it.

Used to work for a telecoms company who also happened to be a reseller of server solutions. As part of our standard operations we did some penetration testing and whenever a vulnerability was discovered we informed the supplier. If the issue wasn't addressed in a timely manner, as a responsible reseller - we had to inform the clients.

Similar situation here, articles suggest the problem was flagged to Zwift many times and they had ample time to resolve it but didn't. Taking that into account, I believe that the whistleblower's actions are fully justifiable and shouldn't result in any negative consequences. Heck, they should ask him if he knows other exploits.
 

<Tommy>
Illegitimi non carborundum
Location: Camden, London
The only thing I'm slightly "surprised " about is the rather aggressive response towards the whistle blower from Zwift HQ.

People highlighting potential "cheats", bugs or loopholes isn't "promoting" them, it's usually the opposite. We've done this many times on here with Zwift, and with Bkool before that. Not because we want to cheat, but because until the platform fixes it, it's better to have it out in the open so that maybe the community can find a workaround at least. It's better everyone knows, rather than just a small number of cheats getting away with it while everyone else is oblivious.


I think I’m somewhere in the middle ground here.

I do find zwift’s response somewhat aggressive. I think their approach would be slightly more valid if they followed through and took a more robust position in shoring up the system against cheating.

Ok, so they've banned this guy. Does that mean they'll also fix what is a completely obvious flaw?
 

mjd1988

Guru
Turns out this issue was highlighted in a blog post by someone who became aware of it, was aware that Zwift had known about it for 2 years and done nothing about it, so tested it himself and published the results here: https://zweight241477032.wordpress....table-weight-cheat-to-win-all-races-on-zwift/ - not to "market" it as WTRL said, but to highlight it to the community in the hope Zwift would finally sort it out.

Zwift's response is to suspend his account for 30 days - a terrible reaction from them in my view - see the discussion on the forum here for more context: https://forums.zwift.com/t/exploit-found-which-can-lead-cheating/578665

I can't believe it's been around for two years and isn't better known about; sticky watts etc. seem fairly well known. As others have said, the issue could be fixed immediately and there's no real reason why not to. Do feel bad for the guy, hardly a mastermind to use it and then blog about it being cheating.
 
But the crucial thing is that there will be a signed agreement between the parties defining the scope of that testing. Zwift's mistake here is in not having a published policy in the legal section of their website, not in banning the guy. He should have been banned (and I think the ban should be overturned).

Your ex-employer will have negotiated their "right to test" into the contract with that service provider. The service provider will have included a scope of the permitted testing, with red-lines such as no destructive testing, probably no denial of service attempts, and more. If Zwift ever publish a policy, I think they'd be advised to red-line the ZADA violations so that the ZADA team can continue to immediately ban anyone who is found to be in violation (even if it is overturned at a later date).
 

bobinski
Legendary Member
Location: Tulse Hill


Nick,
Sounds like you should contact them directly and offer your services.

I hear what you say. Perhaps the user has not behaved perfectly, but given Zwift appear to have ignored him when he contacted them directly, bringing it into the open really is not worthy of a ban.

I hate FB - stuff I read earlier appears to have gone
 
Okay, looks like Zwift might be doubling down rather than removing the ban?! :ohmy:

 

Milkfloat
An Peanut
Location: Midlands
My view, for what it is worth, is that Zwift as usual are behaving shoddily. Whilst they are right to clamp down on cheating, in reality pretty much every race has some kind of cheating occurring which they do very little about - a couple of races to gather data to prove to Zwift about a major exploit should not warrant a ban, even if the culprit did technically break the terms and conditions. As usual the problem is Zwift's abysmal attitude to bugs and features, because quite frankly they don't really care about their users. They would rather keep spending money on 3D artists for yet another expansion than fix the fundamental flaws in the system, plus work on things they announce yet never deliver.

The fact that Zwift have shoddy processes and did not fix a pretty major flaw in the years they have known about it is not a big surprise; the cack-handed way they are dealing with it is more of a surprise to me.
 