100% farce is wherigo !


UK Mega Event Committee

Up to this morning I was really excited about Wherigo and even published my first Wherigo around the stray in Harrogate, England

 

Then I found that anyone around the world can simply download the data straight into the emulator and sit at home in front of the computer and 'walk' around the course finding out all the locations and in my case the location of the physical geocache at the end of it !!!

 

this person can now jump in the car, drive directly to the finish point and sign the log book

 

So what is the point......

 

Unless this farcical problem is solved you have just wiped out 100's if not 1000's of geocachers who will just switch off to the Wherigo site and not use it...

 

I for one will not be writing or publishing or even doing other Wherigo's until this stupid situation is solved.

 

easy solution... only allow the emulator to run your own designed Wherigo..... Obviously downloading to the PDA does not need to be altered as until you arrive at the first location physically you can not proceed further..

 

Awaiting your response !!!

 

An unhappy geocacher who has just seemed to waste the last four days of time ! :anibad:

 

Whoops - sorry I have posted this as the UK Mega Event committee not as myself

 

I am Robin from Harrogate Hunters !!!

Edited by UK Mega Event Committee
Link to comment

 

Couldn't you use some kind of information in the "Real World" in conjunction with the Wherigo experience to prevent this sort of thing?

Link to comment

 

 

That would appear to make sense at first ... however ... as has been mentioned elsewhere in the forum it is possible to open cartridges in Notepad ( or any text editor ) and find the answer both to any questions asked and even final co-ords, all you need to do is look through a few lines of code such as this ..

 

zoneLocationofGeorgeGeo Visible ztaskFindGeocache zoneFinalLocation

zitemAPen MessageBox Text f Well done you have answered the question correctly !!!<BR>

<BR>

Now you can go and find the geocache. Media zmediaFaceofGeorge Callback cartHarrogatesfirst MsgBoxCBFuncs MsgBoxCB12 0 Wrong answer I am afraid....<BR>

<BR>

Try again

 

I have deliberately cut a portion of code which does not show the answer or co-ords but as you can see it does show the responses if you give the right or wrong answer !! :anibad:

 

I know HH spent an age building his first Wherigo and I really enjoyed doing it ( bugs n all ), I was even looking forward to creating my own but not if it is possible to solve as simply as this .....

 

PLEASE PLEASE ... sort this out !!!!!

Link to comment

There are plenty of ways around this and to make sure people don't do what you're saying.

 

First, let's start off with your concern that people can pop it in the emulator and play it. In your code, do a test for the following:

Player.ObjectLocation.altitude:GetValue("ft") == 0

If the player's altitude is zero, the person is playing with the emulator. When the player enters your starting zone, test this and refuse to show any more zones.

 

Second, about getting the answers to questions from the cartridge. I created a comprehensive post some time back. Thus far, no one has been able to break the encryption.

http://forums.Groundspeak.com/GC/index.php?showtopic=185059

 

Finally, about people getting the coordinates to your final cache. Just make the final another zone and let people use Wherigo to navigate to it.

 

======================================================

 

However, I would like to suggest the following.

 

Let people play through the cartridge. If people want to use the emulator, fine. However, when it comes time to mark the cartridge as complete or navigate to the log book, use the altitude test. This way people will be able to see what you created, but not get credit for it. And if people want to mark as many cartridges as they can complete, they won't be able to do so with yours because of this test.

Link to comment
The whole cartridge code should be encrypted.

I think it should be an option to encrypt the whole cartridge. Some folks might not mind their source codes being used as tutorials by others.

 

That's not what a non-encrypted cartridge means. You can't see the source code of a compiled cartridge; you can only look at the plain text and variable names the cartridge author uses. Encrypting the cartridge would encrypt this plain text. You already can't determine program flow by looking at a cartridge.

Link to comment

First, let's start off with your concern that people can pop it in the emulator and play it. In your code, do a test for the following:

Player.ObjectLocation.altitude:GetValue("ft") == 0

If the player's altitude is zero, the person is playing with the emulator. When the player enters your starting zone, test this and refuse to show any more zones.

 

Not around here. Everything around here is at sea - level ;)

Link to comment

Up to this morning I was really excited about Wherigo and even published my first Wherigo around the stray in Harrogate, England

 

Then I found that anyone around the world can simply download the data straight into the emulator and sit at home in front of the computer and 'walk' around the course finding out all the locations and in my case the location of the physical geocache at the end of it !!!

 

As the guilty party in this ;) , can I just point out I wasn't trying to cheat ! - I was just wanting to see what the Wherigo thing is about. Without my PDA, I thought I'd have a go with the emulator to see the kind of thing that happens, expecting to just see some kind of welcome screen and not being able to go further. There are 2 wherigos in the UK at the moment, one is somewhere I know quite well (Harrogate), so I thought I'd have a look. I stumbled on the correct answer which then gave me the cache location.

 

However, since then, I have noticed that you can find all the required details as plain text within the gwc file if you look hard enough.

 

I can understand Robin's annoyance, given that he's put in some work to set the Wherigo/cache - I don't 'get' the whole authoring just yet.

 

It looks like it's got huge potential for lots of fun, but 'cheating' the system needs to be designed out.

 

PS - is there a Mega-event happening somewhere in the UK? ;)

Link to comment

Save files contain information about the device playing it. We have a record of each completed cartridge (via save file) that contains this information. Though you *could* forge this information it would be difficult to do so.

 

In the future we will note which device was used to complete a cartridge so you can tell whether the user actively walked the route or used the Desktop application. If they use the unlock code embedded in the cartridge you'll know that too, and if you didn't reveal that information it would be a sure way of detecting cheats.

 

True, someone who wanted to cheat could, but there's no difference between cheating by opening a reader or having someone create a reader that cheats after breaking the encryption. The reality is no matter what kind of encryption we use it will eventually be broken by some clever engineer. Trying to beat the cheaters is a losing game as the movie and music business has already come to understand.

 

Frankly, and this is my own opinion, you should be honored to know that people from outside your area are looking at and testing your Wherigo cart. It's a new activity and people are still figuring out how this works. Be thankful people had an interest in your experience. As a new activity you should encourage anyone to try it out to increase the adoption rate.

Link to comment

 

First, let's start off with your concern that people can pop it in the emulator and play it. In your code, do a test for the following:

Player.ObjectLocation.altitude:GetValue("ft") == 0

If the player's altitude is zero, the person is playing with the emulator. When the player enters your starting zone, test this and refuse to show any more zones.

 

Let people play through the cartridge. If people want to use the emulator, fine. However, when it comes time to mark the cartridge as complete or navigate to the log book, use the altitude test. This way people will be able to see what you created, but not get credit for it. And if people want to mark as many cartridges as they can complete, they won't be able to do so with yours because of this test.

That sounds good.. if that's the answer... can you please provide full instructions on how to test for zero feet ! I have tried and can't seem to get this code implemented !

 

Secondly the idea of not letting them see the cartridge before they get on site is that there are a couple of surprises that if they are not 100% careful they fall into the trap and have to walk further...

 

By testing the cartridge on the emulator completely destroys this aspect..

 

Anyway if you can let me know how to include code in the cartridge to stop the emulator working that will be great....

Link to comment

True, someone who wanted to cheat could, but there's no difference between cheating by opening a reader or having someone create a reader that cheats after breaking the encryption. The reality is no matter what kind of encryption we use it will eventually be broken by some clever engineer. Trying to beat the cheaters is a losing game as the movie and music business has already come to understand.

 

Speaking as someone who wrote an online cache-adventure long before Wherigo existed and who has dealt with many people that played the game the way "they should have" and those that "cheated" to get the answers I'd like to say "you can't stop the cheating". I generally know, as the cache owner, those that cheated and those that didn't. I will say that the ones that didn't cheat were much more appreciative and happy when they finished the online (and the physical counterpart) of my adventure cache. I even put in a few "tricks" to make the cheating harder, but I know that it'll be impossible to make it impossible. So don't even try.

 

(the best you could do would be to use a decent form of encryption and let the encryption key exist as a code in the field. Making the document itself encrypted won't help; the device will have the ability to decrypt the file and it'd be trivial to extract the decryption key from the device and decrypt all the games. Decryption and vendor-only DRM-software decoders have never worked and never will.)

 

But is this new? No... it's always been possible to cheat at geocaches in the first place. You can always simply log a cache online without actually visiting the cache (since code-word proof-in-the-cache aren't legal (on GC.com at least)). Does that stop you from placing traditional caches? No...

Link to comment

That sounds good.. if that's the answer... can you please provide full instructions on how to test for zero feet ! I have tried and can't seem to get this code implemented !

 

You have to implement the code in the lua file manually. This is what I have done:

function zoneStageOne:OnEnter()
    -- #GroupDescription=EnterParking --
    -- #Comment=EnterParking Comment --
    if Player.ObjectLocation.altitude:GetValue("ft") == 0 then
        -- Altitude of exactly zero is treated as the emulator: show a message and unlock nothing
        Wherigo.MessageBox{Text=[[Sorry, but this cartridge cannot be played in the emulator.  Please play it in real life!]],}
    else
        -- Non-zero altitude: greet the player, then set up the timer and the next zone
        Wherigo.Dialog{{Text=[[Welcome to ... text removed for brevity.]],},}
        CountdownExpired = false
        ztimerTimer.Duration = 180
        CountdownSeconds = 185
        zoneStageTwo.Active = true
        zoneStageTwo.Visible = true
        zoneStageThree.Active = false
        zoneStageFour.Active = false
        zoneStageFive.Active = false
        zoneStageSix.Active = false
        ztimerStopwatchUpdate:OnTick()
    end
end

This is the only zone that is visible and active at the time the cartridge is run. If the altitude is zero, it'll display a message. If it's not zero, it'll show the dialog, then set the zones and timer to what I want.

Link to comment

That sounds good.. if that's the answer... can you please provide full instructions on how to test for zero feet ! I have tried and can't seem to get this code implemented !

 

Trying desperately to be helpful :(

 

Would it be better to test for changing altitude? Even stationary a GPS will vary the height a bit (mine can vary by hundreds of feet). Therefore if someone is unlucky and just happens to be at 'zero' feet when they get to that stage it won't stop them. I guess you'd need an Old_Alt variable (Player.ObjectLocation.altitude:GetValue("ft") from the previous timestep) to compare the current altitude. Whether that's possible I've no idea (should be). Only if they are not equal would the code continue.

Link to comment
Would it be better to test for changing altitude?

Kind of what I was thinking. A bit more elegant solution would be "Oops! Are you sure you're not running this on an emulator? I'm reading zero feet altitude." This would probably prompt a new type of "bumblebee dance" to get the unit to read something other than zero.

 

No... it's always been possible to cheat at geocaches in the first place. You can always simply log a cache online without actually visiting the cache (since code-word proof-in-the-cache aren't legal (on GC.com at least)). Does that stop you from placing traditional caches? No...
Yet we still guard against spoilers.

 

I think if someone is worried about players looking at files for hints and answers then the cartridge would be more like a puzzle cache. Yes, folks cheat at puzzles caches, but that doesn't mean it is condoned. Folks guard against cheaters, and even shortcuts, in various ways. While some measures are more effective than others, many folks take great pains to prevent reverse engineering the answer.

 

Right now one only needs to drop the appropriate Wherigo file into notepad and answers are revealed. I think this is unacceptable.

 

Speaking for myself, I'd probably be satisfied with just a decent protection scheme:

  • A publicly available encryption scheme that takes long keys.
  • Each cartridge uses a long unique key.
  • Encrypt all text, not just the answers. Questions are clues, too.
  • Desired, but optional: Key modified by user input. This would remove the actual key from the program making it much harder to decrypt.

Yes, I know the above is not solid. Someone with Lua programming skills can break it, but at least it is now not trivial for anyone to do so. Harder than someone simply telling everyone else where to find the final, anyway.

Link to comment

I used the altitude to check whether the cartridge is being played in the outside and used a value of greater than 5 (I dunno if the builder has changed, so zero can be used now). This works fine.

 

I also thought of using checking the device id but got no further as I didn't need it. I think that the cartridge returns a value of "builder" or the actual device ID. So if anyone wants to try that, I'd be interested to hear if it works.

 

usersDeviceID = Env.DeviceID

 

I think it would be useful to have a brief list of the various environment variables.

Link to comment

What about hashing the answer? It adds a little bit of complexity to the code, but would be impossible to decipher.

The whole cartridge code should be encrypted.. I like the idea of the Wherigo but cannot understand how the cache type was even launched without it being fully tested.. :laughing:

I deal with cryptography as part of my daily work and I can assure you that this will not work.

 

If cartridges were encrypted completely, they would have to think of a secure way to get the decryption key to the player software. Of course Groundspeak could put one key into the player application that is used to decrypt all cartridges, but then someone would soon debug or disassemble the player and get the key.

 

The inability to distribute individual keys for decryption was one of the problems of the DVD encryption scheme. The other error was that they tried to gain security by obscurity.

 

I believe they should seriously consider adding optional encryption at least to strings and all positional data in the cartridge. The player software does not need to know the coordinates and boundaries of zones until they become active. And strings do not need to be present in plain text until they are actually displayed to the user.

 

Imagine the builder would be able to encrypt this data at compilation time with keys supplied by the cartridge designer.

The player software could decrypt it in the field using keys provided by the user. That could be any kind of information the user finds on location (text or numbers on signs that are already present there or the good old piece of paper in a micro).

 

There will still be people trying to crack these keys but they would have to do that again and again for each individual key used in each cartridge. And, unlike cracking DVDs, there would be no money to save in doing so.

 

Unless, of course, Groundspeak starts to charge people for cartridge downloads - but then they will need encryption anyways.

Edited by Starglider
Link to comment

 

I believe they should seriously consider adding optional encryption at least to strings and all positional data in the cartridge. The player software does not need to know the coordinates and boundaries of zones until they become active. And strings do not need to be present in plain text until they are actually displayed to the user.

 

 

We've been discussing this in-house and mirror some of the feelings within this thread and others. Our belief is that any encryption scheme will ultimately have holes, but we will use encryption like a bike owner has a bike lock. The lock doesn't really prevent someone from stealing a bike - it just slows them down.

 

In other words we'll employ an encryption scheme that you can't defeat by simply opening up Notepad. However you could probably find some sophisticated (or not) way to decrypt the information if you wanted. DRM is not the direction we plan to go. We just want to make it a tad more difficult to figure out an experience.

 

We won't tell you how we encrypt the cartridges. You'll have to figure that out by yourself.

Link to comment

I've only just noticed this thread as I normally only read the Building Wherigo cartridges section.

 

I made our first Wherigo pretty open so people can see what it's like on the emulator. I used Ranger Fox's hex encryption for the answers to questions which slows people down but it's still easily crackable. To me it's much the same as PAFfing for the answer on a Puzzle cache... what's the point?

 

For our latest Wherigo, it will not be able to run in the emulator and I've done it so the player has to visit four different zones and input a numerical answer at each one. These answers will be substituted directly to create the final co-ordinates and the current (temporary) location of the final zone will move to these newly generated co-ords.

 

That way there will be no answers whatsoever 'hidden' inside the cartridge.

 

That's the plan anyway :o

 

 

Mark

Link to comment

I think what Delta68 proposed above is an excellent idea!

 

To put it more generally:

 

Instead of checking user input against a "right answer" which is somehow encrypted in the cartridge, use the user input as key to decrypt information.

 

If the key is correct, the decrypted information will make sense. If the key is wrong, the decrypted information will lead to random coordinates, or produce random text.

 

If the key is long enough, even brute force attacks to crack the code would not help, as computing power is limited.

 

Maybe it would be worthwhile to develop this idea a bit further... of course it would have to be supported in the builder

Edited by frigschneck
Link to comment
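The input-as-key idea from the posts above (keys found on location, answers substituted into the final coordinates, user input used to decrypt), as an added example that is not part of any post and is not Wherigo, Groundspeak or Urwigo code. It is written in Python rather than cartridge Lua; the PBKDF2-and-XOR construction, the iteration count, all function names and the sample answers and coordinates are assumptions made for illustration.

```python
import hashlib
import math
import os
import struct

ITERATIONS = 100_000  # assumed PBKDF2 work factor: every offline guess pays this cost


def _keystream(answers, salt, length):
    """Stretch the answers typed in the field into `length` keystream bytes."""
    # Normalise so " 1842" and "1842" derive the same key.
    secret = "|".join(str(a).strip().lower() for a in answers).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=length)


def seal_coords(lat, lon, answers, salt=None):
    """Builder side: returns (salt, ciphertext). The answers are never stored."""
    # Use a fresh salt for every sealed item; reusing one repeats the keystream.
    salt = os.urandom(16) if salt is None else salt
    plain = struct.pack(">ii", round(lat * 1_000_000), round(lon * 1_000_000))
    stream = _keystream(answers, salt, len(plain))
    return salt, bytes(p ^ k for p, k in zip(plain, stream))


def open_coords(salt, ciphertext, answers):
    """Player side: always yields a coordinate pair; wrong answers give noise."""
    stream = _keystream(answers, salt, len(ciphertext))
    plain = bytes(c ^ k for c, k in zip(ciphertext, stream))
    lat, lon = struct.unpack(">ii", plain)
    return lat / 1_000_000, lon / 1_000_000


def plausible(lat, lon):
    """Range check on a decrypted pair.

    Nothing in the cartridge says "correct", but most wrong keys decode to
    values outside these ranges, so the plaintext's own structure still lets
    an offline guesser recognise a hit. The size of the answer space and the
    KDF cost are therefore what protect the final location.
    """
    return -90 <= lat <= 90 and -180 <= lon <= 180


def answer_space_bits(choices_per_answer):
    """Entropy of the field answers, in bits, if each is chosen uniformly."""
    return sum(math.log2(n) for n in choices_per_answer)


if __name__ == "__main__":
    # Constructed sample: four numbers read off signs at four zones.
    answers = ["1842", "17", "306", "52"]
    salt, blob = seal_coords(53.99125, -1.5375, answers)  # constructed location
    print("stored in cartridge:", salt.hex(), blob.hex())
    print("right answers:", open_coords(salt, blob, answers))
    wrong = open_coords(salt, blob, ["1842", "17", "306", "53"])
    print("wrong answers:", wrong, "plausible:", plausible(*wrong))
    print("4 x four-digit answers: %.1f bits" % answer_space_bits([10_000] * 4))
    print("4 x two-digit answers:  %.1f bits" % answer_space_bits([100] * 4))
```

Four four-digit answers give about 53 bits of key material and four two-digit answers only about 27, so "long enough" in the posts above refers to what the player must collect on site, not to the length of the derived key.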

Just an update to the encryption of cartridges. We're waiting for an updated version to be deployed on the Garmin Colorado that has the code for decrypting cartridges and save files. Once this happens we'll deploy it in the Wherigo Player for Pocket PC and turn it on at the web site.

Link to comment

Just an update to the encryption of cartridges. We're waiting for an updated version to be deployed on the Garmin Colorado that has the code for decrypting cartridges and save files. Once this happens we'll deploy it in the Wherigo Player for Pocket PC and turn it on at the web site.

 

Jeremy - did that update occur yet? I try to pay attention to new updates but may have missed this one.

Link to comment

Well, I have tried to revoke this kind of easy caching by placing the final coordinates into a picture which is in an invisible zone. Once a cacher has archived that, he'll get the cache coordinates. But thanks to the idea of altitude, I was able to include this check to prevent evaluator gamers. Another possibility is invisible zones for further stages and a visible first zone.

Anyway there is a lot of work which has still to be done before Wherigo caches can be spotted out as fully tested.

biboleck30

Edited by biboleck30
Link to comment

There are plenty of ways around this and to make sure people don't do what you're saying.

 

First, let's start off with your concern that people can pop it in the emulator and play it. In your code, do a test for the following:

Player.ObjectLocation.altitude:GetValue("ft") == 0

If the player's altitude is zero, the person is playing with the emulator. When the player enters your starting zone, test this and refuse to show any more zones.

 

Second, about getting the answers to questions from the cartridge. I created a comprehensive post some time back. Thus far, no one has been able to break the encryption.

http://forums.Groundspeak.com/GC/index.php?showtopic=185059

 

Finally, about people getting the coordinates to your final cache. Just make the final another zone and let people use Wherigo to navigate to it.

 

======================================================

 

However, I would like to suggest the following.

 

Let people play through the cartridge. If people want to use the emulator, fine. However, when it comes time to mark the cartridge as complete or navigate to the log book, use the altitude test. This way people will be able to see what you created, but not get credit for it. And if people want to mark as many cartridges as they can complete, they won't be able to do so with yours because of this test.

 

What about those of us that have the GPS hooked up to the laptop, and use a conjunction of WIFI, nRoute, and the emulator to physically walk the route as intended? You are wanting to disable the ability to do this? I don't have the money to go out and get another 500$ unit.

 

I had no clue about the non-encryption of cartridge files... Hmm.

 

The Steaks

Link to comment

I don't know about the Garmin Wherigo Builder, but Urwigo makes it possible to 'hash' the code, except for the intro-page, which is, after all, useless information to solve the WIG.

 

I just tested it with my own Wherigo, and it's not readable in notepad or whatever ...

It should be pretty safe and secure if on top of that you'd have the inputs come from real-world issues.

 

Just my 5c ...

Link to comment

I don't know about the Garmin Wherigo Builder, but Urwigo makes it possible to 'hash' the code, except for the intro-page, which is, after all, useless information to solve the WIG.

 

I just tested it with my own Wherigo, and it's not readable in notepad or whatever ...

It should be pretty safe and secure if on top of that you'd have the inputs come from real-world issues.

 

It's quite easy to "decrypt" the strings scrambled by Urwigo if you know what you're doing...

Link to comment

I agree: Urwigo does make it more challenging to read the text in a cartridge, but it's not impossible (just a little more effort). It's also still possible to extract a cartridge's unlock code or even manipulate the save file so you can unlock a cartridge.

 

Nothing is completely secure. Even if it were, people could just share the cache's final coordinates and bypass all the protection you built into the cartridge. The best protection I know is to make a cartridge people want to play.

Link to comment

I just saw this thread and just had to reply. I have about 20 published Wherigo Geocaches and guess what...... I could care less if they do it at home even though I use the emulator blocking that Urwigo puts on it, but I have found that people seem to be having a really good time playing my Wherigos. They all work great. Just keep in mind that most cachers are not into taking the fun out of the hunt.

Keep On Wherigo'n

Link to comment
