Jump to content

Cheat prevention


GeoGern

Recommended Posts

I wasn't originally going to post this or respond to any of the comments made by others about preventing users from cheating on cartridges, but after much consideration I decided that maybe I could offer an alternative view point for cartridge authors to consider.

 

But first, please note that I am not responding to any one person or attempting to "attack" anyone else's opinions or posts on this forum. In fact, I am posting this in a new thread so that hopefully no one will think I am singling them out. Also, my purpose in these forums is not to get in to ideological debates or to justify technical or procedural decisions made in the Wherigo platform. I am hoping that by posting this I will provide food for thought and maybe some help with understanding why the Wherigo platform is what it is today.

 

To start with, Wherigo is more than just geocaching. It is more than just gaming. Wherigo is a platform for enabling all sorts of location-based activities, whether those activities be education, tourism, vertical market applications, or, yes, even gaming. With such a broad range of applicability, not all desired features will necessarily be "baked in" to the core platform. And some features, like cheat prevention, could even conflict with the goals of another activity. Also, please be aware that Wherigo (like location-based activities as a whole) is in it's infancy and has much room for growth and improvement. Of course, I recognise that gaming is the crazysexycool and exciting thing right now and something that the core geocaching audience is going to think of first and relate to best.

 

Another thing to keep in mind is that "openness" is an important concept that we tried to keep in mind while designing Wherigo. We _want_ to see what the creative community (you!) can do with Wherigo and we _want_ to encourage discovery and learning with Wherigo. But "openness" also comes with a cost, and preventing some forms of cheating can be one of those costs. That doesn't mean that it can't be done and that there aren't creative solutions to combating the enterprising "cracker." But, it might take a bit more effort, or it might even require some non-technical solutions.

 

I say all this merely as an alternative viewpoint. I am guessing that some of you will disagree with me, and that's okay. But healthy disagreement is good for the platform and the community, as it will promote dialog and "out-of-the-box" thinking. Perhaps by leaving cheat prevention as "an exercise for the reader" someone will come up with an unexpected solution that will be light-years better than anything we could have dreamed up within our insulated little cubicles here in the Lily Pad. That'd be wonderful! And who knows, maybe that solution will even be incorporated into future versions of Wherigo! (Author-permitting, of course.)

 

On to some specific comments that I'd like to address:

 

The GWC file format is easily decompiled.

Well, I suppose that depends on who is making that claim. Certainly clever programmers and hackers are going to discover that there is no "Digital Restrictions Management" (DRM) or encryption used to protect the contents of the GWC file. Yes, someone is going to figure out where things like the "completion code" and other important bits of data are stored in the file and post instructions on how to decompile the cartridge. (Well, partially. As far as I have been able to find, there is currently no decompiler for Lua 5.1, so the actual script code will be difficult to decompile. Right now. Until someone writes a Lua 5.1 decompiler, etc.) So, yeah, someone who wants to can come along and grab the cartridge completion code for your cart and "unlock" it on the website and claim to have completed the cart when they didn't really. Actually, we should *be* so lucky. If Wherigo becomes so popular that this becomes a serious problem then I'll personally be glad to be faced with it. But Wherigo unfortunately does not have that problem at this time. Of course, future versions of Wherigo may make strides to address this issue by protecting carts in some way, but please remember that we, the Wherigo developers, only have so much time and resources and getting into an "arms race" with the world-wide cracker community isn't something that does anyone (other than the crackers) any good. Wouldn't you like to see bugs addressed and new features added?

 

The answers to questions asked of the user are easily found by opening the GWC file in a text editor.

Well, again, I think this depends on who's making that claim. Sure, anyone can open a GWC file in a text (or hex) editor, or dump the strings to a file, or decompile the cart, etc. But not everyone is going to be sophisticated enough to determine whether "ZCartridge" or "zitemSecretCode" or "42 + 23 = l33t sekret" is important to solving the game or just random script code. There are, of course, technical solutions to this available to you, the cartridge author, right now. You could include a bunch of strings and words and phrases in your cart. How is the "cheater" to know which one is the correct one? (See above about my thoughts on decompiling the script code.) Use rot13 or some other encryption scheme to "protect" the answers. Better yet, hash the answers so that they cannot even be decrypted! Sure, most of these suggestions are not easily done by the beginner cart author, but proper protection of secret information isn't an easy concept. Not if you are serious about keeping determined crackers at bay. Of course, you could enhance (or even replace) your technical protections altogether by using social- or community-based methods. Is someone completing a lot of carts all over the country (or world) within days (or hours) of the cart being released? "Expose" them to the community (or confront them directly). Or maybe take some cues from people that have dealt with this issue for a lot longer: virtual cache owners. Ask the user to provide some sort of evidence apart from the completion code; maybe a photo of them playing the cart; or a word or phrase emailed (or posted) separately; or the log file from the device when the cart was played. There are so many ways that I won't even try to list more here. And some helpful early adopters have already posted there own (excellent) suggestions on this forum. Please remember that sometimes solutions can be more than just technically solved.

 

But what about the Emulator?!?

Yes, cartridges can currently be played in the Emulator. This is a Good Thing. Not only does it allow the cartridge author to design and test without having to constantly run outside to check their changes, but it gives people not in your area a chance to experience your creativity and design skills. It *is* a good suggestion to give you, the cart author, the ability to deny others to play your cart in the Emulator, and I am sure we'll look in to the possibility of adding that in a future version. (Although, honestly, you're more likely to do more harm than good to your cart by taking advantage of this potential feature. But, I respect your right to make that decision for your own creations.) And there are already some clever ideas floating around the forums to accomplish this right now. You can, of course, incorporate questions that can only be answered by being physically present at the location the cart is designed for. You could also check the user's altitude and block them from playing if it is 0 and remains 0, as the Emulator currently does not simulate altitude and always sets the player's altitude to 0. Again, search the forums for some other insightful thoughts on this issue.

 

Without feature/protection X, I won't make a cartridge.

I am sorry you feel that. Honestly, I am. Of course, I am biased, having invested a lot of my own energies in to this platform; but for someone to walk away because of a shortcoming that exists today is disappointing. As Jeremy has said, we want this platform on as many different devices as possible and we want to improve and grow Wherigo into something that can truly make an impact on a lot of people. But it's not going to happen instantaneously and it's not going to happen without feedback and participation from *you*. I personally believe it is better to get something out there now, than to wait until Wherigo is perfect and meets everyone's needs. (Like that is ever going to happen anyway!) So join us! Help us make it the platform that *you* want. Or sit back, walk away, or give up. But know that in doing so Wherigo may never become what you want, because we're unlikely to get to where *you* are going without you.

 

Cheers,

-peter

Link to comment

I like the idea that you want to keep it as open as possible. This does mean that the author of the cartridge must be aware that there are (currently) some easy way's to 'complete' the cartridge and therefore must be aware to add some extra questions.

I like the idea of hashing the answer :-), maybe you can add it to the builder that some question/answers are only in hashed form in the cartridge; making it very hard to deduct the answer from the cartridge.

Uploading a log as 'proof' is also not very secure; the log can be tampered with with easily.

 

Most effective against 'logging' when only emulated is to create a (slightly) different path through your questions when it is run inside the emulator, e.g. skipping a question, or asking one extra.

Link to comment

All of my Wherigo cartridges will be Wherigo caches. If the physical logbook isn't signed, the online logs for both the cartridge and the cache will be deleted. If that isn't enough, then I guess I'll put a logbook at each stop/zone. You must sign all logbooks to "prove"you completed the challenge.

 

I'd much rather the cartridges be more secure so I don't have to resort to doing this. Perhaps I'll wait and see if it becomes a problem first.

Link to comment

Thanks you for for your views, I agree with most of them and look forward to the way the game develops. Hope to launch my own very soon. Think I will do the 'add the final code to the log book' answer to the short cutting bit for now and make my first a simple one. Cheers MaxKim.

Link to comment

I can't possibly agree with GeoGern more. I've geocached for quite some time, but never what you would call 'hard core'. I've got just over 100 geocaches under my belt.

 

However, after thinking and writing about geocaching and georelevant content for almost two years now, I've always felt that Geocaching is just the first step in a very exciting phenomena that has yet to be built. Wherigo is the second step.

 

I love that Wherigo has tools built in to make geo puzzles/adventures, but I see many more applications for this software. And if we narrow the tool to be only tuned to puzzles/adventures, then we miss out on all sorts of innovative things that can be done.

 

There are still a lot of bugs to be worked out, but that is to be expected. I'm excited to see where we started (geocaching), I'm excited to see where we are (Wherigo), and I think we are heading for even more really cool innovations that stem from these ideas.

Link to comment

I think I've heard someone mention this, but I've got a "red herring" planned for my Wherigo and its "sister" cache. At the very end of my cartridge, one of the messages says "Look here by the trail, in the tall grass, for the cache." What cheaters won't realize is that I've hidden a message in one of my zones that says "Don't believe character (X) when he describes the location of the cache, use these coords..."

 

It should prevent some bogus logs. I'll keep a close eye on the log to catch any others.

Link to comment

I think I've heard someone mention this, but I've got a "red herring" planned for my Wherigo and its "sister" cache. At the very end of my cartridge, one of the messages says "Look here by the trail, in the tall grass, for the cache." What cheaters won't realize is that I've hidden a message in one of my zones that says "Don't believe character (X) when he describes the location of the cache, use these coords..."

 

It should prevent some bogus logs. I'll keep a close eye on the log to catch any others.

 

Sorry, but I don't see how that would prevent cheaters.

As far as my ital-english understood from your idea, is that if I play your cart in the emulator I would see the hidden message anyway.

Plus if the coords are in some text... it will be even easier to find the cache without playing the cartridge.

 

Kazuma, geocaching-italia

Link to comment

Perhaps, Kasuma, he meant the message about not believing a character was to be found in a physical container? I'm not sure, but that's the only possibility that would make sense.

 

From all this talk, I think I will still favor my way. A Wherigo cache will require the player to upload a completed cartridge. All I need to do is insert whatever check I want at the very end of my cartridge. If the player is playing it in the field, mark the cartridge as complete; if not, don't set it as complete. Therefore, people can use the emulator to play the cartridge, but can't get that important completion sign, which means s/he can't claim the cache as found.

 

This will deter those who wish to play for numbers while still letting the curious enjoy the experience. It's an easy, workable approach.

Link to comment

A Wherigo cache will require the player to upload a completed cartridge. All I need to do is insert whatever check I want at the very end of my cartridge. If the player is playing it in the field, mark the cartridge as complete; if not, don't set it as complete. Therefore, people can use the emulator to play the cartridge, but can't get that important completion sign, which means s/he can't claim the cache as found.

 

This will deter those who wish to play for numbers while still letting the curious enjoy the experience. It's an easy, workable approach.

 

Please excuse me if this has been discussed before.

 

I'm not seeing where it is a requirement of logging a find on a Wherigo cache to have to upload a completed cartridge.

 

This would appear to be an ALR (additional logging requirement) that would bump it to the mystery/puzzle cache category.

 

From the Cache Listing Requirements/Guidelines.

 

WherigoTM Caches

 

A Wherigo geocache uses your Wherigo cartridge to lead you ultimately to the physical geocache location. The cartridges must reside at Wherigo.com. If a cartridge is used as a requirement to find a geocache, it is considered a Wherigo cache, regardless of whether it may also have a puzzle or multi-cache component.

 

Cache saturation applies only to physical containers, and not virtual elements. Standard geocaching guidelines apply.

 

A device that can play Wherigo is not considered special equipment.

 

and on ALRs:

 

Mystery or Puzzle Caches

 

Caches with mandatory requirements in addition to signing the logbook should be listed as mystery caches. Examples include sending the cache owner a verification codeword found inside the logbook, performing some task at the cache location and taking a photograph, or writing the online log in a format or with content that satisfies the cache requirements. The mystery cache designation assists finders in identifying that something extra is required in order to log a find.

 

----------------

 

Now I'm sure TPTB could change this if they thought it was a good idea.

 

Personally, I think everyone is way to stressed out about armchair caching a find or hacking the code. Wherigo is in its infancy. Give it a chance to grow up and mature. Enjoy the fact that you are given the chance to be part of it. And that cachers want the smiley and the icon so bad they will do anything to get it.

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

Link to comment

You're right; it doesn't explicitly state that. My mistake for inferring from something I did in fact read. However, I would beg to differ that requiring a completed cartridge would move it to a mystery cache. Completing the cartridge would be seen as part of the Wherigo experience and as much a check as the signature on the log book.

Link to comment

You're right; it doesn't explicitly state that. My mistake for inferring from something I did in fact read. However, I would beg to differ that requiring a completed cartridge would move it to a mystery cache. Completing the cartridge would be seen as part of the Wherigo experience and as much a check as the signature on the log book.

 

That's correct. As a reviewer I would see that as a Mistery cache.

 

What you have said before, anyway, is good. To reach the final point of my Wherigo cache you must answer a question whose response can be located in the final zone of the Wherigo tour. If you don't answer the cache the cartridge is not set. The answer is indeed encrypted with your code. maybe in the next release I'll add the Emulator check on the deviceID that appears to be the best solution on that issue.

 

I don't personally like the option of inserting the unlocking answer in the cache because that would give some sort of hint on the location of the cache.

 

Then if a geocacher is good enough to unlock the cartridge or find the cache without finishing the cartridge... well, he has been good, so why deleting the log?

 

 

Kazuma, geocaching-italia

Link to comment

I think I've heard someone mention this, but I've got a "red herring" planned for my Wherigo and its "sister" cache. At the very end of my cartridge, one of the messages says "Look here by the trail, in the tall grass, for the cache." What cheaters won't realize is that I've hidden a message in one of my zones that says "Don't believe character (X) when he describes the location of the cache, use these coords..."

 

It should prevent some bogus logs. I'll keep a close eye on the log to catch any others.

 

Sorry, but I don't see how that would prevent cheaters.

As far as my ital-english understood from your idea, is that if I play your cart in the emulator I would see the hidden message anyway.

Plus if the coords are in some text... it will be even easier to find the cache without playing the cartridge.

 

Kazuma, geocaching-italia

 

Yep, I've placed a note in the physical container that alters the instructions for finding the geocache. You need to read that note, figure out that one of my characters is lying, and then find the cache using an "adjustment." And I'd agree, worrying about cheaters doesn't make sense. Truth be told, I really didn't consider that fact when building my cartridge. This was intentional, not an oversight. I'd rather design something with real players in mind. :drama::anicute::huh:

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...