It's Just Data wrote:
Doomsday wrote: If a tool like this falls into the wrong hands it could be devastating to sites like Strava or mapmyrun. No one could be believed.
Please don't open source it and release it to the wild.
Eh, I disagree. No one should be believed right now, because Strava and similar systems aren't proof of anything. When a computer system is this insecure, the best thing to do is advertise that fact far and wide. Then everyone will realize that a posted Strava result is no more "believable" than a Facebook post. And maybe we'll see some progress towards more secure run logging systems, if there's demand for it.
By keeping this tool secret, it just plays into the hands of the few people who've already created similar tools, by making their fake results look believable in the public's eyes. With all due respect to Scam_Watcheroo, building a tool like this isn't that hard. Any programmer with some web services experience could probably do it in a couple of days. There's some lingering misunderstanding that it involves a hack or an exploit of a Strava flaw, but it's far simpler than that. There's no security in the first place.
I totally agree that any programmer with the ability to research & create algorithms could do what I did and build a Strava spoofing tool. From doing the research for this project, I've found lots of public spoofing tools but none that I would deem usable for a spoof of a transcon since they all lack cadence and heart rate. Most of them just output robotic GPS data that can easily be detected. But I am sure other people have done what I did and created a much more advanced spoofing tool that can't be detected in simplistic ways.