Jump to content

Geocheck.org was hacked


Ma & Pa

Recommended Posts

I am not insisting that every CO provide an automatic checker. I just think that those that do are making an extra effort to help potential finders of their caches and I can't imagine any potential finder would prefer that the CO didn't provide that extra help. No, the CO isn't obligated to do, but there are many things in life that we're not obligated to do but we do anyway as an act of kindness or courtesy and expect nothing in return.

 

No, not insisting, just putting that "kindness" and "courtesy" silliness into it. Your sense of "courtesy" is based on your personal preferences.

 

There are, in fact, cachers who think that a checker diminishes a tricky mystery cache by making it easier. In order to be "courteous" to you, I must be "discourteous" to them.

 

Since I have to be "discourteous" to someone, I might as well trust my own feelings on the issue. It is, after all, my cache. I am not losing out if some people choose not to find it because it doesn't meet their needs.

 

Here we go again...

 

courtesy

n.

favor, help, or generosity

Link to comment

I am not insisting that every CO provide an automatic checker. I just think that those that do are making an extra effort to help potential finders of their caches and I can't imagine any potential finder would prefer that the CO didn't provide that extra help. No, the CO isn't obligated to do, but there are many things in life that we're not obligated to do but we do anyway as an act of kindness or courtesy and expect nothing in return.

 

No, not insisting, just putting that "kindness" and "courtesy" silliness into it. Your sense of "courtesy" is based on your personal preferences.

 

There are, in fact, cachers who think that a checker diminishes a tricky mystery cache by making it easier. In order to be "courteous" to you, I must be "discourteous" to them.

 

Since I have to be "discourteous" to someone, I might as well trust my own feelings on the issue. It is, after all, my cache. I am not losing out if some people choose not to find it because it doesn't meet their needs.

 

Here we go again...

 

courtesy

n.

favor, help, or generosity

 

Yes, it is generous, or "courteous" to place a cache for others to find and enjoy.

Link to comment

I am not insisting that every CO provide an automatic checker. I just think that those that do are making an extra effort to help potential finders of their caches and I can't imagine any potential finder would prefer that the CO didn't provide that extra help. No, the CO isn't obligated to do, but there are many things in life that we're not obligated to do but we do anyway as an act of kindness or courtesy and expect nothing in return.

 

No, not insisting, just putting that "kindness" and "courtesy" silliness into it. Your sense of "courtesy" is based on your personal preferences.

 

And when someone writes "Placing a decent cache for people to find is courtesy enough, isn't it?" it leads me to believe that they don't understand the concept of courtesy.

 

 

There are, in fact, cachers who think that a checker diminishes a tricky mystery cache by making it easier. In order to be "courteous" to you, I must be "discourteous" to them.

 

Adding a checker to a cache page only provides an automated *option* to confirm the solution to a puzzle. Nobody is forcing the solver of the puzzle to use it. It does't make a puzzle easier if one does not choose not to use it. Sure, one could brute force the correct coordinates by trying every possible combination of lat/long coordinates but all decent coordinate checkers I've seen put a limit on how many guesses one can make during a specific time period, but the fact that one could eventually guess the solution won't make it any easier for those that don't try.

 

 

 

Link to comment

It does't make a puzzle easier if one does not choose not to use it.

 

But it makes obtaining the coordinates of a cache easier for some puzzles. I have come across many such cases and I could provide you with many examples where

obtaining a partial solution and doing the rest with the geochecker is the fastest approach. I would not want that someone who is using such a short cut celebrates pompously a first to find on a mystery cache (I'm not into FTF hunts personally).

 

Very often checkers are much more than automatic methods to check correctness.

 

I hardly happens that someone will write a mail to the cache owner and tell him A can have any value from 0 to 9 and I'm not motivated to determine A. Please tell me which value is the right one. This is however exactly how geocheckers are used (not exclusively of course).

 

 

Of course there are limits for the number of attempts, but sometimes one just needs to try out at most 10 cases (a few of them are however often already excludable

by distance checks when one has a private data base of all caches and stages in the area). By changing IP-addresses however many more attempts are possible,

All these checkers can be tricked out easily.

 

Moreover, there are puzzles which by construction cannot lead to precise coordinates

like this one

http://www.geocaching.com/geocache/GC5711E_grazer-kopfe

as it contains an offset.

While some checkers allow checks for inprecise coordinates, it is well known that these are quite vulnerable against attacks (in particular in cache dense areas). The mystery cache above is a prime example where it would ruin the cache to offer an automatic geochecker and a good example that manual checks by the cache owner work fine. The cache is not manageable for tourists anyway - too challenging.

 

Cezanne

Edited by cezanne
Link to comment

Well I use GeoChecker.com. That is a different site altogether right?

 

Yes, and how about that??? Appears to be owned by Geocaching.com. Who knew? I'll have to look at some of your cache pages, I don't know that I've ever seen it used!

 

EDIT: Nope, never seen anyone use it. Until today, that is.

Edited by Mr.Yuck
Link to comment

Well I use GeoChecker.com. That is a different site altogether right?

 

Yes, and how about that??? Appears to be owned by Geocaching.com. Who knew? I'll have to look at some of your cache pages, I don't know that I've ever seen it used!

 

EDIT: Nope, never seen anyone use it. Until today, that is.

I've used it a few times - usually for older puzzles. Owner (according to the "contact" page) is Goldenhawk. Not sure what relationship he has with Groundspeak, why Groundspeak is the owner of the domain, etc.

Link to comment

You need not repeat yourself.

Apparently I do because it seems some people still don't understand the definition of the word courtesy.

 

Also, apparently it's ok for you and others to constantly repeat yourselves.... Whatever...

The point is what is a favour to some, could cause a discomfort to others.

Rubbish. There is no way someone offering something that you can choose whether or not to use can cause you discomfort.

Edited by funkymunkyzone
Link to comment

You need not repeat yourself.

Apparently I do because it seems some people still don't understand the definition of the word courtesy.

 

Also, apparently it's ok for you and others to constantly repeat yourselves.... Whatever...

 

I did not say that you are not allowed to repeat yourself, just that there is no need to do so.

The point I tried to make is that I both narcissa and myself have well understood what courtesy means.

 

The point is what is a favour to some, could cause a discomfort to others.

Rubbish. There is no way someone offering something that you can choose whether or not to use can cause you discomfort.

 

Rubbish is not a very polite reply. Anyway, apparently either I did not manage to explain my point in a foreign language or you do not want/cannot understand the point.

 

Certain puzzles get considerably easier by adding a geochecker as this allows for incomplete and alternative solution approaches. It is not the same feeling for those who solve the puzzle to be 10 among 150 who solved it in an alternative way or to be a member of a smaller exclusive group. The same effect applies with regard to favourite points and logs.

 

There is a reason why cache like this series

https://www.geocaching.com/seek/nearest.aspx?key=jagdkommando&submit4=Go

are popular among a certain group. If you have a look at the cache descriptions you will come across the explicit mention of "being happy about having accomplished something not everyone can accomplish". While this cache series focuses more on the physical aspect, the same kind of reasoning of course also applies to the intellectual aspect within geocaching. Making challenging caches easier so that more people manage them changes the level of enjoyment of a considerable group of those who manage the original challenge.

 

It is a completely different feeling to reach a mountain summit that can only be reached by difficult climbing than to climb up a mountain just to meet 1000 people who came there by cable car.

So of course building a cable car and making the mountain more accessible to a large public affects and spoils the experience of those who could go there without the cable car.

 

Those puzzle caches for which there exist alternative approaches or those for which the solutions are shared on a large scale typically have a much lower percentage of FPs and nice logs than those for which this is not the case. Personally I do not care much about FPs, but FPs and in particular the percentages are used by many cachers to select caches they potentially will enjoy. A cache owner who does not make it easier to log a puzzle cache without fully solving the underlying puzzle which can include not offering a geochecker will do a favour to the target audience of such a challenging puzzle cache while at the same time not offering a favour to the group of cachers who would like to profit from a geochecker. Is this so hard to understand?

 

Suppose A, B and C work in a team. C, the head of the team can do A a favour by organizing all team meetings at 8:00 a.m. while B who prefers to sleep until 8:30 will be very unhappy. Of course this example does not fit exactly to the geocaching context. It should just demonstrate that what is a favour to one, can be the opposite to someone else.

 

A lot of what is written about puzzle caches, sharing coordinates etc relies on the wrong general assumption that people are not affected by how others are caching.

 

 

Cezanne

Edited by cezanne
Link to comment

 

And when someone writes "Placing a decent cache for people to find is courtesy enough, isn't it?" it leads me to believe that they don't understand the concept of courtesy.

 

 

What is the point of placing a cache, if not as a courtesy to other cachers?

 

Why must we all make sure our caches adhere to a narrow set of tastes?

Link to comment

The point I tried to make is that I both narcissa and myself have well understood what courtesy means.

Apparently not.

 

Offering a geochecker is by definition a courtesy (a favour, help). It does *not* mean that not offering a geochecker is discourteous as those too meanings of courteous/courtesy are not the same. Continuing to feign offence from the use of the word courtesy in this way is not really positively contributing to the discussion.

 

In fact if one wanted, one could be very discourteous about offering the courtesy of a geochecker. For example, one could write on the page "If you're really stupid, here's a geochecker for you". :)

Link to comment

You need not repeat yourself.

Apparently I do because it seems some people still don't understand the definition of the word courtesy.

 

Also, apparently it's ok for you and others to constantly repeat yourselves.... Whatever...

The point is what is a favour to some, could cause a discomfort to others.

Rubbish. There is no way someone offering something that you can choose whether or not to use can cause you discomfort.

 

People are funny and take issue with all sorts of things. Some people take issue with the lack of a third-party website link on a cache, some people take issue with its presence.

 

Placing a cache for others to find is, in and of itself, a courtesy to other cachers. It is unreasonable to expect cache owners to place caches for your specific tastes and abilities, and silly to whine about lack of "courtesy" because a cache isn't for you.

Link to comment

Well I use GeoChecker.com. That is a different site altogether right?

 

Yes, and how about that??? Appears to be owned by Geocaching.com. Who knew? I'll have to look at some of your cache pages, I don't know that I've ever seen it used!

 

EDIT: Nope, never seen anyone use it. Until today, that is.

I've used it a few times - usually for older puzzles. Owner (according to the "contact" page) is Goldenhawk. Not sure what relationship he has with Groundspeak, why Groundspeak is the owner of the domain, etc.

 

OK, they must have "acquired" his website, not unlike they "acquired" itsnotaboutthenumbers.com (not to be confused with the New Zealand based blog). Makes sense, it's a pretty basic website, design wise. No offense to Mr. Goldenhawk, but I'd expect Geocaching.com would come up with something much more snazzy if they got into the Geochecker business. :)

 

EDIT: almost forgot. Here's a WHOIS lookup to prove I'm not crazy.

Edited by Mr.Yuck
Link to comment

You need not repeat yourself.

Apparently I do because it seems some people still don't understand the definition of the word courtesy.

 

Also, apparently it's ok for you and others to constantly repeat yourselves.... Whatever...

The point is what is a favour to some, could cause a discomfort to others.

Rubbish. There is no way someone offering something that you can choose whether or not to use can cause you discomfort.

 

People are funny and take issue with all sorts of things. Some people take issue with the lack of a third-party website link on a cache, some people take issue with its presence.

 

Placing a cache for others to find is, in and of itself, a courtesy to other cachers. It is unreasonable to expect cache owners to place caches for your specific tastes and abilities, and silly to whine about lack of "courtesy" because a cache isn't for you.

 

As a courtesy to others I will hold the door open for those trying to enter a building right behind me. I don't do it because others expect or demand me to do so, but because it's polite, courteous action that makes it easier for someone walking behind me to enter the building. But I'll only hold the door open for 2.3 seconds because holding the door open for 2.3 is enough courtesy. If they can't get through the door in 2.3 seconds maybe they should find another building to enter.

 

Sorry (not really), but I just got get how the inclusion or exclusion of a coordinate checker has anything whatsover to do with specific tastes and abilities, and the tired old "you don't have to find every cache" meme. The use of a coordinate checker can ensure that someone that has chosen your puzzle cache to solve isn't wasting their time searching in a location because you haven't created a puzzle which has an ambiguous solution. It can help someone that has no physical or mental impairments that would make your cache inaccessible, if, in fact there were actually searching where the cache was located. It can help prevent confrontations with land owners and LEOs when the person that solved your cache is search in an area where you have not obtained permission. It can improved the overall experience for those that just want to confirm with a click of a button and typing in the coordinates they derived from the puzzle. It's available 24 hours a day and provides an almost immediate response, and perhaps best of all, if there is a coordinate checker on a web site it's completely optional for those that solve a puzzle whether or not to use it.

 

 

 

Link to comment

As a courtesy to others I will hold the door open for those trying to enter a building right behind me. I don't do it because others expect or demand me to do so, but because it's polite, courteous action that makes it easier for someone walking behind me to enter the building. But I'll only hold the door open for 2.3 seconds because holding the door open for 2.3 is enough courtesy. If they can't get through the door in 2.3 seconds maybe they should find another building to enter.

 

Sorry (not really), but I just got get how the inclusion or exclusion of a coordinate checker has anything whatsover to do with specific tastes and abilities, and the tired old "you don't have to find every cache" meme. The use of a coordinate checker can ensure that someone that has chosen your puzzle cache to solve isn't wasting their time searching in a location because you haven't created a puzzle which has an ambiguous solution. It can help someone that has no physical or mental impairments that would make your cache inaccessible, if, in fact there were actually searching where the cache was located. It can help prevent confrontations with land owners and LEOs when the person that solved your cache is search in an area where you have not obtained permission. It can improved the overall experience for those that just want to confirm with a click of a button and typing in the coordinates they derived from the puzzle. It's available 24 hours a day and provides an almost immediate response, and perhaps best of all, if there is a coordinate checker on a web site it's completely optional for those that solve a puzzle whether or not to use it.

 

Oh boy, nothing like a door-holding analogy!

 

To be clear, I am not asking others to remove these third-party links from their own caches. It's a personal choice on the part of the cache owner. If you are uncomfortable looking for mystery caches that don't use them, that's totally understandable. Happily, there are many caches out there that do meet your needs.

 

I honestly just can't fathom the attitude that cache placement isn't good enough - that a cache owner who puts thought and time into devising, placing, and maintaining a cache must be subject to criticism and complaint because he or she chooses not to add a third-party link that isn't connected to Geocaching.com or required for publication.

Link to comment
I honestly just can't fathom the attitude that cache placement isn't good enough - that a cache owner who puts thought and time into devising, placing, and maintaining a cache must be subject to criticism and complaint because he or she chooses not to add a third-party link that isn't connected to Geocaching.com or required for publication.

 

Amen. It's part of the whole "I'm entitled to every conceivable convenience" theme that presently dominates geocaching. Sorry, folks, but in this one case I agree with Narcissa.

 

BTW, the very fact that geocheck.org's database of cache coordinates could be hacked is indicative of very poor design. Geochecker does not have a database, but encodes the answer in a hash in the URL, so even if the key were hacked it would still require a fair amount of effort to get the coords. Those checkers that store the final coordinates, such as geocheck and Certitude, are just asking for trouble. I don't know about geocheck, but the fact that Certitude was hosted on a free website hosting service for many years (it still may be; I don't know any more) is representative of the lack of care given to protection of your puzzle solutions.

Link to comment

BTW, the very fact that geocheck.org's database of cache coordinates could be hacked is indicative of very poor design.

 

I agree with you to some extent. However, the features the community wishes to use and what they asked for also plays a role.

geocheck.org has become that popular in German speaking countries due to its features. Geochecker.com was the first geochecker I've seen and many cachers are not satisfied with what it offers.

 

It's not only about offering approximate coordinate checks (which are less safe e.g. on evince too), but also about e.g. offering gpx files with the waypoints etc. Of course this cannot be done without storing coordinates. IN some cases the geochecker tells the correct coordinates of the cache -

it could be that the correct coordinates for the geochecker are say in Vienna and the cache final is somewhere in another city (of course within the 2 miles rule around the header coordinates).

In other cases the geochecker provides further information on how to proceed for multi stage puzzle caches etc

 

It also has become popular to offer hints and spoiler photos via the geochecker sites which provides those with even more information and power.

 

I also wonder how safe some of the options project-gc offers for paying members are (including getting a file with solved puzzle coordinates which waits at the site for download for some time).

Edited by cezanne
Link to comment

The point I tried to make is that I both narcissa and myself have well understood what courtesy means.

Apparently not.

 

Offering a geochecker is by definition a courtesy (a favour, help).

 

Yes, it helps those who want to check their solution.

It also helps however in some cases those who do not wish to solve the puzzle, but obtain the coordinates.

In those cases it is an annoyance to those who solve the puzzle and are proud of it and do not appreciate that

the cache owner's design allows for the easy way.

 

It does *not* mean that not offering a geochecker is discourteous as those too meanings of courteous/courtesy are not the same.

 

I fully understood this from the very beginning.

My point was that by offering a geochecker for certain caches you do a favour to some cachers, while you do the opposite to other cachers.

 

By holding open the door for Mr X, I do not at the same throw the door upon Mr Y. That's the difference.

Of course I was not talking about the option to hold open the door to Mr X and telling him at the same time what an awful person he is.

Link to comment

You need not repeat yourself.

Apparently I do because it seems some people still don't understand the definition of the word courtesy.

I thought it was very kind of you to repeat the definition of courtesy. Thank you very much. You didn't have to do that.

 

courtesy

n.

favor, help, or generosity

 

With anything else, when the majority tend to do something, it's often taken for granted, and the minority are sometimes frowned upon, whether it's adding geocheckers, or logging a FTF within a few minutes. Once people get used to "everyone" doing something, then it no longer is a courtesy, but expected. Unfortunately.

Edited by 4wheelin_fool
Link to comment
I was writing about the mysteries with (almost) no outdoor experience. Sit 5 hours before screen and drive to find a micro under the stone near road.

 

And those are the typical mysteries where you need a checker.

I agree that you never need a solution checker, but in my experience, the times I appreciate having a solution checker have little to do with whether there is an "outdoor experience" or how long it takes me to solve the puzzle sitting at the computer. The times I appreciate having a solution checker are times when the puzzle itself is cryptic and ambiguous, especially if there are a lot of red herrings, or a lot of "noise" hiding the "signal". Those are situations where it's easy for puzzle solvers to come up with their own "solutions" that weren't intended or anticipated by the CO, where a solution checker would be useful.

 

But I've found plenty of puzzle caches with little "outdoor experience", where most of the experience is sitting at the computer, but where a solution checker would be redundant and pointless.

Link to comment

But I've found plenty of puzzle caches with little "outdoor experience", where most of the experience is sitting at the computer, but where a solution checker would be redundant and pointless.

 

Not redundant and pointless for those who want to get the coordinates by hacking the checker.

 

The point the poster you replied to made was rather that for puzzle caches which involve a lot of work at home and then do not offer a great outdoor experience, the owners of the caches are to be blamed if coordinates are shared.

Link to comment

But I've found plenty of puzzle caches with little "outdoor experience", where most of the experience is sitting at the computer, but where a solution checker would be redundant and pointless.

 

Not redundant and pointless for those who want to get the coordinates by hacking the checker.

 

 

Or just contacting a previous finder and ask for the solution, which is probably more likely going to happen if the CO hasn't provided a coordinate checker.

 

Geocheckers have been around for a long time. Do you know of any other case where one was hacked other than the most recent incident?

 

The point that niraD is making is that for caches which have an unambiguous solution, a geocacher is unecessary because if you've solved the puzzle there is no doubt that you have to correct coordinates. Where a geochecker is helpful is when it may appear that you've solved the puzzle, but the coordinates you've obtained are not where the cache is located. This could easily happen or puzzles that require obtaining information from some web page. I have on more than one occasion answered a question using a web site which produced digit that was used in the coordinates only to discover that had I looked at a different web site I would have seen a different answer.

Edited by NYPaddleCacher
Link to comment

Geocheckers have been around for a long time. Do you know of any other case where one was hacked other than the most recent incident?

 

To be fair this incident has not become known because the developper of the checker became aware of it, but only because one German cacher decided to take the iniative and made a link to the file with the >27000 caches (only the caches, not the solutions) available in public and then people started to investigate and found out some strange coincidences which then led then finally to the conjecture that geocheck.org must have been hacked which then got confirmed.

The hack must have have happened quite a while ago.

 

The list with the >27000 caches is only one of a large number of such lists and a lot is happening in the dark and most of what happens never becomes known in the public. To add to the story: I recently learnt that the file also contained solutions to a few not yet published caches for which however already a geochecker has set up and some caches which have not yet been found. So if someone decides to add a geochecker one idea might be to add it at a later time when the first finds have already happened. The first finders are typically not tourists who argue that they really need a very fast reply.

 

I'm pretty sure e.g. that quite some strange things happen in the Czech republic, but it's harder to find out about it due to the language barrier and the closed circles there. (Edit: Somewhere I read about a file >100000 final coordinates, among others containing apparently all mystery caches in the Czech republic. Rumours talk about other such gigantically large files too.)

 

The point that niraD is making is that for caches which have an unambiguous solution, a geocacher is unecessary because if you've solved the puzzle there is no doubt that you have to correct coordinates.

 

I fully understood niraD's post and I agree with him. I do not agree however at all with Geolog81.

 

The type of caches that are particularly vulnerable against being attacked by geocheckers as solution methods are however of a different type.

 

Where a geochecker is helpful is when it may appear that you've solved the puzzle, but the coordinates you've obtained are not where the cache is located. This could easily happen or puzzles that require obtaining information from some web page. I have on more than one occasion answered a question using a web site which produced digit that was used in the coordinates only to discover that had I looked at a different web site I would have seen a different answer.

 

Yes, of course that can happen, but this is nothing which cannot be handled by asking the cache owner for confirmation. Those who cannot wait, can choose other caches.

Edited by cezanne
Link to comment

Please stay on topic, and treat each other with courtesy.

Now back to your discussion.

 

Could you please be so kind and explain briefly what is regarded on-topic in this thread. Thank you.

 

My intent is not to argue about what is off-topic (that's the moderators' decision) - it is a sincere question as the background

behind what happened is something that troubles me a lot.

 

The thread could be either meant just to inform people in this forum that geocheck.org has been hacked. Then there is

not much that can be discussed at all without going off-topic and it would make sense to open up a new thread (which however probably is dangerous as long as this thread exists and one might be blamed with opening duplicate threads).

 

If the story behind the hack and the connection with how and why the hack became known and the implied issues of whether

geocheck.org and other checkers should be used in view of what happened is regarded off topic in this thread, then the thread is dead I guess.

Edited by cezanne
Link to comment

If the story behind the hack and the connection with how and why the hack became known and the implied issues of whether

geocheck.org and other checkers should be used in view of what happened is regarded off topic in this thread, then the thread is dead I guess.

I appreciate the information on how this list was compiled, how the developer became aware his server was compromised and don't think it's off topic.

Link to comment

If the story behind the hack and the connection with how and why the hack became known and the implied issues of whether

geocheck.org and other checkers should be used in view of what happened is regarded off topic in this thread, then the thread is dead I guess.

I appreciate the information on how this list was compiled, how the developer became aware his server was compromised and don't think it's off topic.

 

I think the off topic warning was about the ongoing side discussion about courtesy, and whether COs should use checkers.

 

Another option which a local cacher uses instead is a checksum, so for example he will say "the co-ords are Nab cd.efg, Whijk lm.nop, all the digits add up to 52"; of course that makes it fairly easy to guess the result if you have most of the numbers, but his puzzles tend to be of the kind that once you know the theme it would be unlikely for you to get most but not all of them.

Link to comment

I think the off topic warning was about the ongoing side discussion about courtesy, and whether COs should use checkers.

 

Probably, but when a popular geochecker gets hacked and (multiple) lists with thousands of final coordinates become known, the topic of whether checkers should be used is ultimately linked to the hack topic. I see now way to separate these threads of discussions from each other. The same by the way applies also to the topic of final lists for cheaters too. All these things (and many others) are interrelated.

 

For example, it neither does come as a surprise to me from where the attack on geocheck.org apparently has been started nor that the Czech republic is an outlier on statistics like here http://project-gc.com/Statistics/Infographics (Germany has about 8 times as many inhabitants). Scoreboards of all kinds, merit badge systems, challenge caches with absurd number requirements they all have contributed much more to the present situation than cachers who have hidden mystery caches.

 

The hack of geocheck.org will certainly not be the last hack of a site which contains cache coordinates and I'm sure that it was not the first such hack. The issue is just that normally the preferred way to deal with such topics is to keep everything secret. Out there is a huge group of cachers who would do a lot to obtain their personal geocaching goals and to outperform others regardless of the means it takes to achioeve the goals.

Edited by cezanne
Link to comment

I think the off topic warning was about the ongoing side discussion about courtesy, and whether COs should use checkers.

 

Probably, but when a popular geochecker gets hacked and (multiple) lists with thousands of final coordinates become known, the topic of whether checkers should be used is ultimately linked to the hack topic. I see now way to separate these threads of discussions from each other. The same by the way applies also to the topic of final lists for cheaters too. All these things (and many others) are interrelated.

 

For example, it neither does come as a surprise to me from where the attack on geocheck.org apparently has been started nor that the Czech republic is an outlier on statistics like here http://project-gc.co...cs/Infographics (Germany has about 8 times as many inhabitants). Scoreboards of all kinds, merit badge systems, challenge caches with absurd number requirements they all have contributed much more to the present situation than cachers who have hidden mystery caches.

 

The hack of geocheck.org will certainly not be the last hack of a site which contains cache coordinates and I'm sure that it was not the first such hack. The issue is just that normally the preferred way to deal with such topics is to keep everything secret. Out there is a huge group of cachers who would do a lot to obtain their personal geocaching goals and to outperform others regardless of the means it takes to achioeve the goals.

 

It is my feeling that you are taking the hacking of a coordinate checker site a little too seriously. This isn't a case of identify theft or credit card numbers stolen. The compromised coordinates won't affect much, and as has been pointed out here already, in most areas, if you know the right people, a phone call is all that it will take to get the solution to any local puzzle cache anyway. This is a big yawn to me.

Link to comment

It is my feeling that you are taking the hacking of a coordinate checker site a little too seriously. This isn't a case of identify theft or credit card numbers stolen. The compromised coordinates won't affect much, and as has been pointed out here already, in most areas, if you know the right people, a phone call is all that it will take to get the solution to any local puzzle cache anyway. This is a big yawn to me.

 

If you know the right people, you will probably get the solutions of your local puzzle caches (or at least most - in my area you certainly would not get all of them as some cachers like myself and other would not give the solutions of some very challenging caches away which have not been found by cachers who are willing to give the solutions away).

 

With this method you will hardly get the coordinates of all puzzle caches of several countries.

 

The hack of geocheck.org is just a symptom of a much wider and larger problem.

 

In some areas there are increasingly large groups of cachers who think that whatever they do to obtain found it logs is justified.

 

It might be a big yawn to you, in countries largely affected by such lists each such list led to the archival of a considerable number of precious caches which means a loss to those honestly interested into the caches and due to an even higher rate of frustrated cachers. The thread in a German caching forum that deals with the list that showed up in a German facebook group has meanwhile grown to over 36 pages and what happened has certainly been the topic of the week within geocaching in the Germany and also some neighbouring countries.

 

It's not the individual value of a single solution for a cache (be it a puzzle cache, a multi cache, an EC etc), it's the attitude behind which is that caches are hidden just to allow cachers to reach their personal goals. I do think that at the point where there are lots of cachers who write logs which boil down to "Today we were on cache tour and visited 200 caches. We did not waste our time with doing this cache, but got the coordinates from somewhere else" the cache owners need to tolerate this and continue with maintaining their caches instead of giving up.

 

 

 

Cezanne

Link to comment

It is my feeling that you are taking the hacking of a coordinate checker site a little too seriously. This isn't a case of identify theft or credit card numbers stolen. The compromised coordinates won't affect much, and as has been pointed out here already, in most areas, if you know the right people, a phone call is all that it will take to get the solution to any local puzzle cache anyway. This is a big yawn to me.

 

If you know the right people, you will probably get the solutions of your local puzzle caches (or at least most - in my area you certainly would not get all of them as some cachers like myself and other would not give the solutions of some very challenging caches away which have not been found by cachers who are willing to give the solutions away).

 

With this method you will hardly get the coordinates of all puzzle caches of several countries.

 

The hack of geocheck.org is just a symptom of a much wider and larger problem.

 

In some areas there are increasingly large groups of cachers who think that whatever they do to obtain found it logs is justified.

 

It might be a big yawn to you, in countries largely affected by such lists each such list led to the archival of a considerable number of precious caches which means a loss to those honestly interested into the caches and due to an even higher rate of frustrated cachers. The thread in a German caching forum that deals with the list that showed up in a German facebook group has meanwhile grown to over 36 pages and what happened has certainly been the topic of the week within geocaching in the Germany and also some neighbouring countries.

 

It's not the individual value of a single solution for a cache (be it a puzzle cache, a multi cache, an EC etc), it's the attitude behind which is that caches are hidden just to allow cachers to reach their personal goals. I do think that at the point where there are lots of cachers who write logs which boil down to "Today we were on cache tour and visited 200 caches. We did not waste our time with doing this cache, but got the coordinates from somewhere else" the cache owners need to tolerate this and continue with maintaining their caches instead of giving up.

 

 

 

Cezanne

Do we even know yet if it were a geocacher that hacked that site? Even if the person or people that did it are, or know, a geocacher, I'm guessing that their primary goal was to hack a website, not to get coordinates to puzzle caches.

 

That is contains the caches of several countries is also a fairly minor detail for most of us, since we tend to do caches that are in our little part of the world. That I can obtain the coordinates for a puzzle cache in Florida or Germany is a non-issue for me. *IF* (and that's a big if) I were to find that list and if I were to check that list, I would only be interested in those caches near me, and even then in only a small portion of those that might be in areas that I was going to go caching in anyway.

 

Are you saying that the list has surfaced (in a German geocaching Facebook page)?

Link to comment

I think the off topic warning was about the ongoing side discussion about courtesy, and whether COs should use checkers.

 

Probably, but when a popular geochecker gets hacked and (multiple) lists with thousands of final coordinates become known, the topic of whether checkers should be used is ultimately linked to the hack topic. I see now way to separate these threads of discussions from each other. The same by the way applies also to the topic of final lists for cheaters too. All these things (and many others) are interrelated.

 

I don't think I'm going off topic here but I think that the hacking of the geocheck.org site and a a discussion of the merits of providing an online geochecker on a cache page are intertwined, specifically because it has been argued that a valid reason for not putting a geochecker on a web page. In a previous post I asked, "Do you know of any other case where one was hacked other than the most recent incident?"

 

In response you post that a list containing the solutions for ~27K caches has been posted which, include a large number of caches from the geocheck.org database (according the note the owner of that site posting on the geocheck.org web page). Then you added a comment about a rumor of another list which includes over 100K puzzle solutions. That doesn't answer my question. I asked if any other coordinate checking sites have been hacked. The existence of a list of puzzle solutions isn't evidence that any other geochecker site has been hacked.

 

Here's something you can try. Pick out a few GC code for puzzle caches and enter the code in a search engine. The first hit will almost always be for the cache page on the geocaching.com page. One of the other sites in the results list will be a site (I'm not going to name it here as I'm sure that they're probably doing something that violates the GS TOS) that isn't a coordinate checker site. It's a puzzle solution sharing site. The way it works is that one can get "credits" for sharing the solution to a puzzle cache on the site, then use those credits to obtain the final coordinates for a different puzzle in their database. As I said, try the GC code for any unknown cache (it contains records for challenge caches as well) and you'll get that site in the results list. Isn't it conceivable that a list of 100K puzzle solutions might have come from hacking a puzzle sharing site (and the site I'm referring to is certainly not the only puzzle sharing site).

 

 

For example, it neither does come as a surprise to me from where the attack on geocheck.org apparently has been started nor that the Czech republic is an outlier on statistics like here http://project-gc.co...cs/Infographics (Germany has about 8 times as many inhabitants). Scoreboards of all kinds, merit badge systems, challenge caches with absurd number requirements they all have contributed much more to the present situation than cachers who have hidden mystery caches.

 

Sorry, I just don't see how a discussion of the caching habits and numbers of geocacher in the Czech republic and Germany is in any way relevant to this thread.

 

 

The hack of geocheck.org will certainly not be the last hack of a site which contains cache coordinates and I'm sure that it was not the first such hack.

 

Since you're sure that this was not the first hack of a coordinate checker, I'll ask again:

 

"Do you know of any other case where one was hacked other than the most recent incident?" I'm looking for concrete evidence. My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

 

 

Link to comment

My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

These third-party links are not a requirement for publication. A sense of unease about compromised coordinates, or compromised personal information is reason enough to eschew them.

Link to comment
The hack of geocheck.org will certainly not be the last hack of a site which contains cache coordinates and I'm sure that it was not the first such hack.

Just as a reminder: geocaching.com also houses a database containing the physical coordinates for every puzzle cache listed on their site.

 

And I am sure that, if and when that is hacked, some people will be alarmed and upset about it as they are about this, and some people will shrug it off.

Link to comment

Isn't it conceivable that a list of 100K puzzle solutions might have come from hacking a puzzle sharing site (and the site I'm referring to is certainly not the only puzzle sharing site).

 

No it isn't. These lists build on both - sharing and hacking and the hacking contributes considerably to let these lists grow exponentially.

 

Those who have had a look at the lists could provide convincing arguments that hacks have been involved. Some caches are on the lists but have not even been published on gc.com (but have been set up on the geochecker site) or have not been found at the time when the lists showed up and the cache owners were not involved.

 

I do not have an equally strong evidence for another hack than in the cache of the geocheck.org now because these things typically are not made public.

There is however lots of evidence that other hacks have happened before. A lot of information is hidden in social media groups which are not public and I'm not using social media at all. Some of the sources I rely on are however sufficiently reliable making me completely sure that the recent hack of geocheck is only the tip of the iceberg.

 

From my personal point of view too much has happened to make me trust into geocheckers in my coin of the world. Shortly before the hack of geocheck.org has become known, I planned to add the multi checker to one of my multi caches to provide an alternative way of obtaining the final coordinates.

It was the hack of geocheck.org which made me change my mind, and not any sort of philosophical debate about courtesy etc.

Noone has asked me to provide the multi checker app. It has been solely my own idea and my wish to do some cachers a favour which I now have let die due to what happened to geocheck.org.

 

 

Sorry, I just don't see how a discussion of the caching habits and numbers of geocacher in the Czech republic and Germany is in any way relevant to this thread.

 

It is relevant to why the hack and its effects are something I and others care about much.

 

"Do you know of any other case where one was hacked other than the most recent incident?" I'm looking for concrete evidence.

 

As written above, I cannot provide you with an explicit statement like in the case of geocheck.org where the owner admitted the hack, but there exists enough evidence

that previous cases happened (at least as early as 2013, but probably earlier). Some of the links that I could have provided you with back then do not exist any longer in the public (or have never existed publically).

 

What happened to geocheck.org never would have become known to the public if it were not for cachers who managed to get access to closed social media groups and to stay there without being kicked out for a sufficiently long time to learn about what is happening and then dared to make it public. A lot of happens in East Europe no one here becomes aware of because it's a closed community to which it is hard and almost impossible to get access to as a non-local who never will get trusted. Without having access to such closed circles, one typically can only provide indirect evidence that something must have taken place that goes beyond manual sharing of solutions (e.g. if solutions are known for a greater number of unpublished caches), but no actual proofs in the form that someone who actively took part into illegal actions admits what has been done.

 

I need to admit however that I'm not aware of evidence for issues with all existing geocheckers (e.g. I have not heard about cheats exploiting evince), but I'm not sure whether this is only caused by the fact that some of them are much more secure than others (of course while at the same time offering less features) or also caused by the fact that those checkers are less popular in the countries where those cachers live who have the energy and will to obtain as many cache solutions.

 

To sum up, those for whom the situation that the coordinates of their puzzle caches become publically known is not a catastrophe, could still rely on geocheckers. Those for whom this does not apply, are in my opinion better off by avoiding geocheckers.

 

Cezanne

Edited by cezanne
Link to comment

My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

These third-party links are not a requirement for publication. A sense of unease about compromised coordinates, or compromised personal information is reason enough to eschew them.

 

And that's a perfectly valid reason (though I don't share a sense of unease about compromised personal information). So why all the hand waving about "you don't have to find every cache"?

 

You also stated earlier that it doesn't bother you if someone chooses to obtain the coordinates for one of your puzzles without solving the puzzle (e.g. through a PAF network) so I don't really understand your concern about compromised coordinates.

Link to comment

My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

These third-party links are not a requirement for publication. A sense of unease about compromised coordinates, or compromised personal information is reason enough to eschew them.

 

And that's a perfectly valid reason (though I don't share a sense of unease about compromised personal information). So why all the hand waving about "you don't have to find every cache"?

 

You also stated earlier that it doesn't bother you if someone chooses to obtain the coordinates for one of your puzzles without solving the puzzle (e.g. through a PAF network) so I don't really understand your concern about compromised coordinates.

 

Where did I express that concern? I appreciate that it is a big concern for other cache owners, even though it's not something I, personally, am fussed about.

 

My personal reasons for ignoring those websites aren't about compromised coordinates. If someone's determined to find a cache without solving it, there's nothing I can do to stop them, so why worry about that? I just don't see a need to have some nuisance link on my cache page. If that causes people to avoid my cache, then clearly it isn't the cache for them.

Edited by narcissa
Link to comment

My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

These third-party links are not a requirement for publication. A sense of unease about compromised coordinates, or compromised personal information is reason enough to eschew them.

 

What sort of personal information was compromised?

 

I see that you have exactly one puzzle cache, and that at one time, you did have one or another geochecker site linked, but have since removed it. Why is this so important to you? At least Cezanne has a number of puzzles.

Link to comment

"Do you know of any other case where one was hacked other than the most recent incident?" I'm looking for concrete evidence. My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

Logical fallacy. Burden of proof in the wrong direction.

 

The burden should be on the checker owners to assure that their checkers are secure, not on the users to prove that they are not. In general, anything created on the Web by a non-expert should be assumed insecure.

 

Claiming that the concerns about insecurity are an "excuse" is backwards.

 

BTW, I tried making a puzzle cache a few years ago that is not easily defeated. It was a lot harder than it looks. And if somebody really wanted to, I am certain they could defeat it.

 

ABTW: I'm pretty disappointed in the quality of arguments you have been offering in this thread. I usually see much better from you.

Link to comment

My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

These third-party links are not a requirement for publication. A sense of unease about compromised coordinates, or compromised personal information is reason enough to eschew them.

 

What sort of personal information was compromised?

 

I see that you have exactly one puzzle cache, and that at one time, you did have one or another geochecker site linked, but have since removed it. Why is this so important to you? At least Cezanne has a number of puzzles.

 

Yes, one on my account. I usually just help the hubby with his. We get many hearty laughs out puzzles like this one. Alice's Triangle

 

One of those third-party links would entirely defeat the purpose, and our enjoyment, of this cache.

 

It's not so important to me that I'd bother looking at someone's profile over it. :blink:

Edited by narcissa
Link to comment

"Do you know of any other case where one was hacked other than the most recent incident?" I'm looking for concrete evidence. My point in asking is simply that if you're going to use the fact that the geocheck.org site was hacked as a valid reason for not including a geochecker site, then showing that the use of a geochecker other than geocheck.org is inherently insecure would help support your reasoning.

 

Logical fallacy. Burden of proof in the wrong direction.

 

The burden should be on the checker owners to assure that their checkers are secure, not on the users to prove that they are not. In general, anything created on the Web by a non-expert should be assumed insecure.

 

Claiming that the concerns about insecurity are an "excuse" is backwards.

 

BTW, I tried making a puzzle cache a few years ago that is not easily defeated. It was a lot harder than it looks. And if somebody really wanted to, I am certain they could defeat it.

 

ABTW: I'm pretty disappointed in the quality of arguments you have been offering in this thread. I usually see much better from you.

 

What constitutes being an "expert"? Until recently, I suspect the owners of geocheck.org assumed their site was secure and that they were experts. We only know differently now.

Link to comment

What constitutes being an "expert"? Until recently, I suspect the owners of geocheck.org assumed their site was secure and that they were experts. We only know differently now.

 

I'm convinced that the creator of geocheck.org has been well aware of the increased risk involved when storing the solutions and not using a hashing approach.

Moreover, one needs to add that the creator of geocheck.org is not running the checker on his own site and also that he had no time in recent years to really take care of his project since he is busy with his job. It's a typical hobby project that grew into something much larger than originally planned just because many cachers liked the offered options (I explained some of them in a previous posting). Moving hints, spoiler photos etc to geochecker sites might be something attractive for many cache owners at first sight, but only is helpful if the data are safe on the checker's site which is difficult to achieve for a hobby site. I certainly trust gc.com more in this respect and moreover, providing data to gc.com is not avoidable anyway. Offering secret cache data at other sites too, increases the involved risk.

Link to comment

Do we even know yet if it were a geocacher that hacked that site?

 

As far as I understood, yes.

 

Even if the person or people that did it are, or know, a geocacher, I'm guessing that their primary goal was to hack a website, not to get coordinates to puzzle caches.

 

I do not think so in this case. As far as I understand the hack itself was also nothing very challenging. There have been several cases where someone hacked the account of another cache at gc.com with quite tricky approaches, but at least in two cases I have head about the hackers contacted gc.com before the public was informed and the weaknesses could be taken care of.

 

Even when googling in English about hacking and geochecker you will encounter questions on how to hack a geochecker (not meaning that very meaningful answers can be found in the public, but just that the idea of hacking geocheckers is something which certainly is a high priority wish for a certain group of cachers for whom the lists that are obtainable in a manual manner are not any longer sufficient.

 

That is contains the caches of several countries is also a fairly minor detail for most of us, since we tend to do caches that are in our little part of the world.

 

Most of the people here in this forum as they mostly come from North America.

 

The lists available to Czech cachers e.g. have a strong effect on caches in Vienna, for example. There some puzzle caches that are very challenging even for native speakers of German are

visited by cachers hardly speaking a word of English and with no command of German at all, just to provide one specific example.

 

Those who compete for badges and want to do challenge caches that require a large number/percentage of puzzle caches, often go to visit a city and then for 1-2 days do nothing else than running from one final to another.

 

Achieving say 300 puzzle caches within a month and similar goals is very difficult (not impossible) to achieve in an perfectly honest way and doing that several times makes it even more difficult.

 

The whole business has developped into much more than just obtaining the solution of a few hard local puzzle caches. If it were just 1 hacker and a few lists that hardly anyone used to really visit caches and log them, I would more or less agree with you. The reality however is a different one. There are large number of cachers who think that they have a right to visit all caches and that if the caches deal with something they do not want to deal with, then it is perfectly ok to share the coordinates on a large scale. This by far not only affects puzzle caches - everything is turned into traditionals while at the same time often going for some of those caches which are not traditionals exactly to profit from the fact that the cache type is not a traditional.

 

Are you saying that the list has surfaced (in a German geocaching Facebook page)?

 

Not the entire list of all geocheck.org caches. The German list with >27000 caches had a couple of thousand entries already before the new ones coming from the hack were entered (not by the person operating the Facebook group). Apart from a few non German caches (mainly Austrian ones from Tyrol and Vienna) most of the ones in the list that was shared within the German facebook group were German caches.

 

There are other larger lists, e.g. one with over 100000 caches containing among others all puzzle caches in the Czech republic. Of course due to far less people knowing Czech and since the Czech community is smaller and more closely knit it is far more difficult to hunt down what happens there than in Germany.

 

There apparently exist links between the various cheater networks. They are not any longer content with systems which are based on sharing systems based on

entering x solutions one gets out y solutions (e.g. x=5 and y=1).

 

 

Cezanne

Edited by cezanne
Link to comment

Ok so the Geochecker site got hacked. Ah so what! I have three puzzles on it, no big deal. What does it all mean? Answer the internet is not safe.

We all knew that, so now the hole has been plugged for now and life goes on. This teaches all who have a web site that potential holes need to be found and plugged.

These hackers are like geocache puzzle solvers. Some do it for kicks others for crime. So keep good strong passwords and different passwords for different sites.

Cache on and stop the sniping. To those that also have puzzles there you will need to go get a new password to get in. Maybe change your puzzle if you do not want your answer out there.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...