Jump to content

Unknown which leads to a web page


fotimyr

Recommended Posts

I recently got a mystery cache (Unknown cache) with an online puzzle published. The D/T difficulty was set to 4.5/1.5. The (aparently quite challenging) puzzle eventually led the cacher to a URL which presented him/her with a username and password dialogue box. After guessing the (easy) username/password combo, the cacher was then presented with web page and the coordinates encrypted in a very simple way. This is all hosted on my own, private web server which is physically located in the attic of my house.

 

At no point is the cacher required to leave any personal information behind, nothing needs to be downloaded and no web site registration needs to be done.

 

This has sent a cabal of the more seasoned geocachers in the area up in arms. They wondered - in the now edited logs - if this is actually within Groundspeak's guidelines and that the whole thing was rather "unsympathetic" and cruel. They also didn't like the fact that the web page visits were logged. The latter is in my opinion a by-effect of serving web content in the first place, but that seems to have fallen on deaf ears. I disabled the cache until the matter could be resolved, since I have no intention of getting into an argument with the ... uhh ... Tribal Elders.

 

So, is an unknown of this type within the guidelines or not? What do you think?

Link to comment

who would know the guidelines better than the reviewers? so if it was published it is within the guidelines but then again i've seen situations where they go back on their original decision

 

personally i say it is within the guidelines, we have a few similar ones here

people concerned with web pages logging their visits should not use the internet at all, they should perhaps educate themselves that every page they go to logs their visit :lol:

 

are they even aware that PM caches only has an audit log? :anibad:

Edited by t4e
Link to comment

Thanks for the feedback. I haven't been geocaching regularly for for more than a few months, so I was unsure what to make of all the fuss.

I have nevertheless archived the cache in question since the puzzle's been compromised by asking publicly about it. Or specifically: I also posted a similar question on our local geocaching forum.

Link to comment

I certainly find a LOT of caches that are actually outside of the caching guidelines, but it has to be really egregious before it is worth making a fuss over. Some time you just have to be callous and say "if you don't like it, let me know and I'll talk you through how the ignore button works." There will be some days when you wish you had a secret button that adds your cache to their ignore list!

 

I should add this though... When they go to the website that you provide, it needs to be very obvious, perhaps even explicitly stated, that they shouldn't enter their geocaching.com username and password. If people are entering in their gc.com password and you are logging those attempts (and thus have their username/password) then I agree, that is totally inappropriate, and in many countries may even be illegal.

Edited by Sky King 36
Link to comment

You say you have to guess the username/password? If this were me and I came to a webpage where I had to enter information without any knowlege of what it was I'd be upset too. I wouldn't know that they did't want personal info. With all the problems of identity theft and malware designed to infiltrate your computer and steal info guess I'd have to wonder about using the website too. Maybe you just need to take the info on the webpage ( the final encryption for the cache) and put it into a physical cache somewhere (multi).

 

I recently got a mystery cache (Unknown cache) with an online puzzle published. The D/T difficulty was set to 4.5/1.5. The (aparently quite challenging) puzzle eventually led the cacher to a URL which presented him/her with a username and password dialogue box. After guessing the (easy) username/password combo, the cacher was then presented with web page and the coordinates encrypted in a very simple way. This is all hosted on my own, private web server which is physically located in the attic of my house.

 

At no point is the cacher required to leave any personal information behind, nothing needs to be downloaded and no web site registration needs to be done.

 

This has sent a cabal of the more seasoned geocachers in the area up in arms. They wondered - in the now edited logs - if this is actually within Groundspeak's guidelines and that the whole thing was rather "unsympathetic" and cruel. They also didn't like the fact that the web page visits were logged. The latter is in my opinion a by-effect of serving web content in the first place, but that seems to have fallen on deaf ears. I disabled the cache until the matter could be resolved, since I have no intention of getting into an argument with the ... uhh ... Tribal Elders.

 

So, is an unknown of this type within the guidelines or not? What do you think?

Edited by Luckless
Link to comment

I know you have to submit the final coordinates of a puzzle cache but do you have to provide the method of solution. My perception is that this would violate the guidelines since it requires logging into a personal web server violates this guideline: Geocache listings that require additional website registration, installs or downloads are generally not publishable.

Link to comment

Generally if it has been approved by a reviewer it meets guidelines. Sometimes there are changes made after publication to take it out of compliance. Perhaps a note to the reviewer to take a look at it currently.

 

I was always told that logging on to a seperate server wasn't kosher but maybe he has met all the restrictions.

Link to comment

The web pages in question never logs the entered password (it's an Apache 1.3.x using BASIC AUTH), only the username, but I understand the concern. In addition, the dialogue box contains the exact geocache name as found in the cache listing, so there's no question where you've ended up. But in any case, they had no problem rushing out for an FTF and then later complain loudly in the online logs. Numbers guys will be numbers guys, I guess.

 

And as I stated above: the method involved in finding the final coordinates WAS in accordance with the guidelines: no downloads, no installs, no personal info needed, no website registrations.

Edited by fotimyr
Link to comment

Generally if it has been approved by a reviewer it meets guidelines. Sometimes there are changes made after publication to take it out of compliance. Perhaps a note to the reviewer to take a look at it currently.

 

I was always told that logging on to a seperate server wasn't kosher but maybe he has met all the restrictions.

 

A cache that has been approved by a reviewer might always meet the guidelines for several reasons. As you said, change made after publication and be one reason. There are also guidelines which are not verifiable and unless there is something in the description that the reviewer can see the reviewer might publish the simply because information has been withheld (for example, if the CO buried the cache).

 

Logging onto a separate server isn't really an issue unless the external site is commercial in nature. I've done a puzzle which had *several* web sites created specifically for the puzzle where one had to enter in a code or a user id/password to get past a "login screen". It's pretty obvious thought the it's part of the puzzle and one isn't expected to enter "real" credentials. It's also not as if the person do the puzzle is *guessing* the login/password, but rather that solving another part of the puzzle will tell you what you probably should enter. There was one that might look like you had to guess the username but if you put the website into the context of the theme of the puzzle it would be an educated guess.

Link to comment

According to the guidelines:

Geocache listings that require additional website registration, installs or downloads are generally not publishable. Geocache listings that require a geocacher to visit another website will not be published if the finder must create an account with, or provide personal information to, the other website.

 

Entering a username/password isn't a problem. Since the username/password are provided by the cache owner, the seeker is not required to register for or create an account on or provide personal information to the web site. This is essentially the same as a puzzle that uses a third-party site to verify a keyword, and then provides the final coordinates in response.

Link to comment

This is just another unintended consequence of guidelines written the way they are. Without the rationale for a guideline, people will take a literalistic view. The guidelines says "Geocache listings that require a geocacher to visit another website will not be published if the finder must create an account with, or provide personal information to, the other website". Without the rationale for this guideline a literalistic view might say that if there you need to enter a user ID and password then the cache is requiring an account. Beyond the issue of whether this is requiring you to provide personal information, however, is a reasonable fear that the page is a phishing scam, hoping that you enter a real username and password that can be used on another website. Perhaps a disclaimer on the cache page similar to the one the guidelines require for downloads in in order.

 

"Alert: You are about to download a file that contains further details needed to find this geocache. As the cache owner, I represent that this file is safe to download although it has not been checked by Groundspeak or by the reviewer for possible malicious content. Download this file at your own risk. [insert link here]"

 

I understand the need to keep the guidelines simple and easy to read. However, now that the guidelines are part of the Groundspeak Help Center and are several pages of hypertext, I don't see why a link to a page or two or rationale and clarifications can't bee provided. I could help clarify situations like this to someone who doesn't understand the difference between requiring someone to provide personal information to a third party and a puzzle that has you guess (or solve) a passkey to get the coordinates from a website.

Link to comment

You say you have to guess the username/password? If this were me and I came to a webpage where I had to enter information without any knowlege of what it was I'd be upset too. I wouldn't know that they did't want personal info. With all the problems of identity theft and malware designed to infiltrate your computer and steal info guess I'd have to wonder about using the website too. Maybe you just need to take the info on the webpage ( the final encryption for the cache) and put it into a physical cache somewhere (multi).

 

 

seriously? :unsure:

Link to comment

As a reviewer, this sounds like it meets the guidelines perfectly. niraD summed it up very well.

 

They also didn't like the fact that the web page visits were logged.

So you have their IP address in your server logs. So what? Not like you can determine anything about anybody with just an IP address.

 

Do these people also realize that many cachers include pictures on their cache pages that are hosted on other websites. Viewing these cache pages, and hence the pictures, also log a visit from their IP address. I've never heard anybody get up in arms about that.

Link to comment

You say you have to guess the username/password? If this were me and I came to a webpage where I had to enter information without any knowlege of what it was I'd be upset too. I wouldn't know that they did't want personal info. With all the problems of identity theft and malware designed to infiltrate your computer and steal info guess I'd have to wonder about using the website too. Maybe you just need to take the info on the webpage ( the final encryption for the cache) and put it into a physical cache somewhere (multi).

How could you possibly you set up a puzzle cache where those trying to solve it would have to enter personal information to arrive at the final coordinates? Would the cache owner not have to already know that personal information in order to make it work? Sorry... doesn't compute.

Link to comment

So what if the user has to locate a particular type of webpage or application that already exists to solve a puzzle. Is that allowed?

 

Sure. For example I've seen quite a few puzzles which use some sort stenography to embed information in an image. There are several commercial and open source image editors that will be able to detect and display that information (Photoshop, for example). That's different from encrypting a set of coordinates in such a way that a specific application has to be downloaded and used to extract the information.

 

I agree with toz that most of the problem here is how the guideline are written. Technically, whenever one access a web page they're requesting and downloading data, using a browser, which may have been downloaded from another site. That data may often include executable code (i.e. javascript) that runs in a browser (that includes the Groundspeak sitse). Although there are all sorts of virus/malware checkers that can be used, the best tool is common sense. If a site is asking for any kind of information when one chooses to provide it, and what information your providing, essentially boils down to a trust issue. If I get an email message from, say, Bank of America asking me contact them through some link because my account is overdrawn, I'm not going to do it because I don't *have* an account at BofA. Those that are attempting to steal your identity are getting a lot more clever with their phishing scams but a reasonable amount of common sense will got a long way to protecting your personal information without resorting to going off the grid entirely.

Link to comment

You say you have to guess the username/password? If this were me and I came to a webpage where I had to enter information without any knowlege of what it was I'd be upset too. I wouldn't know that they did't want personal info. With all the problems of identity theft and malware designed to infiltrate your computer and steal info guess I'd have to wonder about using the website too. Maybe you just need to take the info on the webpage ( the final encryption for the cache) and put it into a physical cache somewhere (multi).

How could you possibly you set up a puzzle cache where those trying to solve it would have to enter personal information to arrive at the final coordinates? Would the cache owner not have to already know that personal information in order to make it work? Sorry... doesn't compute.

 

The only way I see that as a problem would be if the webpage user/password request is logged (as mentioned earlier I think), and then if someone enters a private username/password, that would be logged and viewable by the person who hid the cache.

 

It still doesn't compute for me, because I don't enter usernames and passwords unless I know I set them up for that site myself. And if its a puzzle cache I'm working on, I quite naturally assume the username/password is something I am meant to solve as part of the puzzle.

 

I've done several caches that used this method and enjoyed them very much, although those were caches with a heavy storyline which left absolutely no doubt that you were meant to figure out the required username and password, not enter in something personal of your own.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...