Jump to content

Confirm Puzzle Solutions Online

CoyoteRed

By CoyoteRed
in General geocaching topics

Followers 1

Recommended Posts

CoyoteRed

CoyoteRed

Posted
Posted (edited)

There was a thread recently about confirming coordinates before heading to field. I created this page for the our caches.

 

I've had an idea rolling around my head for a more generic page that anyone could use to create a link on their cache page so other cachers could check their solutions before heading to the field. Of course, some folks like the personal contact of phoning or emailing for confirmation, but many times there is a delay. Thus the idea of this page.

 

Moderators: This script is still beta stage and this post, being posted here in the General forums, is to gauge the interest in using this as an aid. Additionally, this is a solution for some discussions here and I feel this is the best place to get the attention of those interested. If there is enough interest then it will be fleshed out and further discussion can happen in the software forums. Once ready for release it will be free to use. The idea being it will be put on other servers so there are alternative sources. This is kind of like Clayjar's Cache Rating system in this respect. It's simply another way for me give back to the hobby and the community.

 

The script's location is here. There should be enough instructions to get you going. Don't use this script on the live cache as it will not work later, I'll be changing the "site key" after peer review. (Security reasons.)

 

How I envision it to work is you are presented with a link: Example link. You click the link to be taken to a page. You enter your coordinates and then the resultant page let's you know if you are right or not. Pretty simple.

 

The above link has information embedded for "CR's Puzzle Cache" wappoint GCGG3G. Pretend you think you solved the puzzle and you came up the coordinates N 32° 12.345 W 80° 12.345.

 

If you go to the page without the extra information in the URL, you are presented with intructions for the cache owner to create their own code.

 

Technical issues that I know I have to fix include slowing down the number of tries a person can attempt in a certain amount of time. I've done this on the person page I linked to before. The reason you want to slow folks down is to reduce the chances of someone attempting to figure it out via brute force.

 

Feedback is appreciated. Recently usability has become a big issue with me. Let me know how intuitive you think it is. How easy is it to use, etc.

 

Thanks.

Edited by CoyoteRed
Link to comment
cache_test_dummies

+cache_test_dummies

Posted
Posted

Great idea, CR.

 

I'd make use of such a thing if I ever put out a puzzle cache.

 

Question: have you given any thought to how to deal with the possibility of someone who is NOT the cache owner posting an entry for a cache, providing either real or bogus coordinates? In other words, what could be done to verify that it is the actual cache owner who is providing the coordinates?

Link to comment
CoyoteRed

CoyoteRed

Posted
  • Author
Posted

Here's some ideas for improvement...

1) limit the number of characters allowed in each field to what you would expect

2) automagically jump to the next field when all allowed digits are entered in a field

3) allow for S latitude and E longitude

Yes, I'm thinking the same thing.

 

Now my question - do I have to own a web site/page to get this to work?

No. The idea is for some folks to host it and let others use it. Many cache owners can use the same script on the same host. Once it's up there should be no need for any host intervention. There is no data that has to be stored on the host, the data is in the URL. You just need someone reliable to host it. I envision local and regional organizations hosting the script. That doesn't preclude a cache owner hosting it privately for his own caches.

 

Question: have you given any thought to how to deal with the possibility of someone who is NOT the cache owner posting an entry for a cache, providing either real or bogus coordinates? In other words, what could be done to verify that it is the actual cache owner who is providing the coordinates?

The link will be on the cache page. It will be assumed that only the owner will have access to the cache page and would, hopefully, not post a bogus link. It would only be assumed safe to follow the links on the cache page.

Link to comment
CoyoteRed

CoyoteRed

Posted
  • Author
Posted

Also, it might help to know the coordinates are not stored in the URL. That code is a mixture of the waypoint, the coordinates, and a secret key. The coordinates are then thrown away.

 

On the other end, you will have the code and the waypoint. The script will know the secret key. The puzzle solver will provide the coordinates. The provided coordinates will again be mixed with the waypoint and the secret key. The result of this will be compared to the code in the URL. If the two codes match, then the coordinates were correct.

 

There is no way to extrapolate the coordinates from the code.

 

Also, each site should have it's own secret key. This would mean the URL for one site will not work on another. This is to reduce the chance of brute forcing the solution and it working everywhere. I've tried to reduce the chances of brute forcing (trying every combination until a solution is reached) as much as possible without letting it get too complicated. The script will be distributed to whomever wants it and a secret key is useless if everyone knows it.

Link to comment
cache_test_dummies

+cache_test_dummies

Posted
Posted

Question: have you given any thought to how to deal with the possibility of someone who is NOT the cache owner posting an entry for a cache, providing either real or bogus coordinates? In other words, what could be done to verify that it is the actual cache owner who is providing the coordinates?

The link will be on the cache page. It will be assumed that only the owner will have access to the cache page and would, hopefully, not post a bogus link. It would only be assumed safe to follow the links on the cache page.

Oh, right.

 

I guess one of the problems I was thinking of was the possibility that somebody could enter a set of coordinates in for a cache which they don't own before the owner gets a chance to enter the real coordinates, effectively tying up the solution for that particular GC number. But I see now that in your example it appears that a combination of a code number (code=df8af4f5c5572e3f1fb64c5acdd30c86) and the GC number is used in the link which retrieves the solution page. Assuming that the system of setting up a solution page allows for the possibility of multiple entries of the same GC number, then there is no opportunity for someone to tie up a solution slot for someone else's cache.

 

Using a code number and GC number combination also allows a cache owner to change the solution if the cache coordinates ever need to be updated. You wouldn't have to give a cache owner an 'edit' option on the exiting coordinates, you'd just allow them to create a whole new code number / GC number combination to include in their link on their cache page.

Link to comment
BillsBayou

+BillsBayou

Posted
Posted

My puzzle caches all have links to my Answer Validation Tool. I wrote it so people wouldn't need to email me to confirm the solutions to my puzzles.

 

It's not as useful as yours for multiple caches, however. All of my answers are hard coded into the PHP script. However, for multi-stage caches, users could enter any of the stages and still get a validation response. I'm not sure how your script would handle multi-stages.

 

My solution to a brute force attack is to email answers to the cacher. If they want to check millions of answers, they'll have to deal with millions of responses in their "In" box.

 

If I were to distribute this tool, I'd probably change it to utilize a MySQL database. The cache owner would have a secret front-end (with password perhaps) they'd use to enter the answers. The cache owner could also use this tool management script to check hit statistics on each of the caches.

Link to comment
BigWhiteTruck

+BigWhiteTruck

Posted
Posted

My puzzle caches all have links to my Answer Validation Tool. I wrote it so people wouldn't need to email me to confirm the solutions to my puzzles.

 

It's not as useful as yours for multiple caches, however. All of my answers are hard coded into the PHP script. However, for multi-stage caches, users could enter any of the stages and still get a validation response. I'm not sure how your script would handle multi-stages.

 

My solution to a brute force attack is to email answers to the cacher. If they want to check millions of answers, they'll have to deal with millions of responses in their "In" box.

 

If I were to distribute this tool, I'd probably change it to utilize a MySQL database. The cache owner would have a secret front-end (with password perhaps) they'd use to enter the answers. The cache owner could also use this tool management script to check hit statistics on each of the caches.

 

Yeah, but he doesn't need a database or anything to store the answers, he is one-way hashing the coordinates and then including the hash in the link to the validator as a get request. Then someone writes in the coordinates in the validator, it hashes their input and sees if it matches. It's quite ingenious really. Very similar to password validation on a unix system. This script could sit on any php-enabled site as a single file with no supporting files or databases.

Link to comment
BillsBayou

+BillsBayou

Posted
Posted

This script could sit on any php-enabled site as a single file with no supporting files or databases.

 

Oh, it's nice alright. I think my father passed down some of his accounting genes (I'm sure he registered the debit). I like my programs to leave accounting trails when they run. As of now it's all quiet from my ISP, so nobody's doing anything strange with the tool. Then again, that's ALL I know about the tool. I'd like to know how often it's hit, which caches get hit the most, how wrong people are...

 

I just realized something significant about who I am and where I came from. My father's an accountant, and my mother's in real estate. Is it any wonder I'm a Data Miner? :mellow:

Link to comment
KKTH3

+KKTH3

Posted
Posted

I wonder if there is any leniency to let someone know if they are close or not - like "within 50 feet of correct coordinates" or "within 12 miles of correct coordinates." I have a cache that requires some estimating and the point is that if you guess closely you should find the cache without being bang on correct. It would kind of suck to be off by only 0.001 degrees and only get a "Sorry, that is not correct" response when the coordinates are actually good enough.

 

Granted, this would definately make brute force a much more likely solution route, but maybe there are ways to still prevent that - within 50 feet response is actually within 30 feet and within a half mile is 31 feet to a quarter mile, so on.... so that people dont trianglulate proper coordinates. Then again - that might be more difficult to do than to just solve for the proper coordinates in the first place!

Link to comment
CoyoteRed

CoyoteRed

Posted
  • Author
Posted (edited)

Okay, I think I got it fleshed out.

 

Live Demo: Demo

Example Link: Check Solution (Coords: N 32° 12.345 W 80° 12.345)

 

I added automatic tabbing for the code generation input boxes only. I feel sometimes automatic tabbing is confusing when you don't know it's going to happen. I don't want confusion when folks are trying to check their solution. Feel free to copy and paste the code from the other section to check section if you want.

 

I added a simple Turing test to prevent (slow down) scripts POSTing directly to brute force the solution. This makes the package two files. Still pretty light weight though.

 

I added a simple timer to the submit button to delay a human from manually brute forcing the solution. Remember, the site key is secret. An attacker will need to use your script to find the solution. Anything that you put in the way will slow them down. This is not industrial strength stuff, just enough so a n00b programer can't trivially write something to will expose the solution.

 

Yes, this means javascript must be turned on to use. A host can easily remove the JS for a wider audience, but it removes a throttling mechanism.

 

Added support for the whole globe of coordinates, i.e. North, South, East, and West coordinates.

 

File can be downloaded HERE. Requires PHP and GD library. Should work on any PHP4 installation and above, though.

Edited by CoyoteRed
Link to comment
CoyoteRed

CoyoteRed

Posted
  • Author
Posted

I wonder if there is any leniency to let someone know if they are close...

 

No, the script does not know the coords. It only checks to see if the codes match. Therefore, there is no way to determine if it is close.

 

In order to do what you are asking and have it open to the public it would greatly increase the complexity. You have to start will a user system and keep track of them. That in itself is much more complex than this script.

 

Now, there are numerous caching sites out there that rely on PHPnuke. It wouldn't be to hard to create a module to add in that does this. If someone wants to do that, then feel free. I just wanted to get this script off my "Let's see if I can do this" list.

Link to comment
CoyoteRed

CoyoteRed

Posted
  • Author
Posted

Oh wow, is this live?

 

Umm... It is now.

 

I changed the site key from the one in the download. I then had to get a new code and change my post above. (So, if it wasn't working for you in the past few minutes, that's why.)

 

So, yes, it is now live. Feel free to use this one or download host your own copy.

Link to comment
Right Wing Wacko

+Right Wing Wacko

Posted
Posted

We have something similar on the WSGA website.

 

It will not give the user the coordinates, but will tell them:

 

1. X people entered the same coordinates you did

2. Y People entered different coordinates than you did.

3. X people claim to have found it at the coordinates you entered.

4. Y People claim to have found it at different coordinates.

5. The coordinates you entered Match / Do Not Match the coordinates entered by someone claiming to be the cache owner.

 

I like the idea you have about allowing only a certain number of entries at a time... I will have ti implement that in ours.

 

WSGA Puzzle Verifier

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Followers 1
Go to topic listing
×
×
  • Create New...