MOB Caches - a new tool

[+kranfagel]

Hi,

I have developed a replacement service for the MOBs. Check it out here: https://geocaching.fracz.com/mob/

The owner may create and configure the MOB on his own. The link to the MOB is based on a GC code. An authcode is generated for future edits, if needed. Consider this now as a beta version. Feel free to check it out and report any problems. The migration from the old platform should be easy - just fill in the form and change the link in the listing.

Uniqueness of connected devices is based on their IP addresses. A default 60 seconds window is configured for MOB attendees to claim their presence. The app is protected with Google Recaptcha. The app is mobile friendly.

The source code is available here: https://github.com/fracz/geocache-mob

Happy caching!

 

 

 

 

 

 

 

 

 

Edited February 1 by kranfagel
Change order of images

[+Max and 99]

Considering that some mob caches are already being archived by reviewer(s), are we allowed to create a new one with this new tool?

[+kranfagel]

Well, this has to be answered by these reviewers. But as I understand that, the only reason for archiving them was the fact that they were not solvable anymore. Now they are :-) They do not differ from any other website/tool-required mysteries out there.

Edited February 1 by kranfagel

[+Max and 99]

Cool! What are the typical mob sizes that you've seen? 

[+kranfagel]

In order to be transparent, I have published a source code of this app on Github: https://github.com/fracz/geocache-mob

I don't know if there is a typical MOB size. I think it should depend on the size of the local society and a difficulty of gathering certain number of people in particular place. I've done MOBs from 4 to 9 required people.

[Keystone]

On 1/27/2024 at 3:37 PM, Keystone said:

If someone else steps forward to offer similar functionality, it would need to be vetted in the same manner as the Mob Cache website was reviewed nine years ago.

 

As I wrote earlier in the other thread, Geocaching HQ needs to review the proposed functionality.  I just double-checked, and Reviewers have not yet been advised by HQ that the new functionality is approved for linking from cache pages.  Until we hear that approval, Community Volunteer Reviewers cannot publish caches using the replacement functionality.

 

@kranfagel, where are you in the process for obtaining HQ approval for your replacement solution?

[+Goldenwattle]

I can't say I am keen on Mob caches. As I usually cache and travel alone, I can't do them. Looking at one I would like to do for instance, however the WPs are up to over 40kms apart, and four of them.

[+kranfagel]

Hi, @Keystone!

 

Actually, I have not started any procedure. If it's needed, I'd love to, if there is an intereset in such feature. As said earlier - I publish my code and am ready for any critique or suggestions. Just wanted to add something valuable for the community and don't want anything in exchange. In particular, I created this tool because I see a great value in a few of MOB caches that have not been archived yet near my home location.

 

On the other hand, there are geocaches out there that use different tools, some even created specific for a particular caches (https://www.geocaching.com/geocache/GC9JAX9, https://www.geocaching.com/geocache/GC37EWQ or https://www.geocaching.com/geocache/GC9C5ZK - just to name a few from my coutry, the last - mine).

 

As far as I know, these apps were not reviewed by anyone but the owner & local reviewer (maybe?). Some of them even do not publish their source code. There is a warning about you leaving the Geocaching page and that's it. I see no difference between such applications and the MOB caches and I have no idea why the MOBs in particular should receive a special treatment.

 

On the other (third) hand, last year I wrote to HQ pointing out some really serious flaws of currently "supported and reviewed" 3rd party solutions and I got no attention (even an answer) from them. Even though I shown an example of how to execute an arbitrary code on any geocachers machine by leveraging an XSS attack on one of "the" tools.

 

So, from my perspective, they are not interested in community tools and suggestions like that, starting with the fact that their API is not open sourced.

 

Maybe it's just me and I'm wrong. If you think that applying for "a HQ approval" of any kind is the way to go - just tell me a few words about it where should I start.

 

Edited February 1 by kranfagel

[Keystone]

@kranfagel, you should reach out to HQ via the contact link in the Help Center.  @ChileHead reached out to HQ years ago and obtained review and approval for the original Mobcache functionality.  Once approved, HQ informed all the Community Volunteer Reviewers that links to the original Mobcache site could be included on cache pages.  We are instructed NOT to allow links from cache pages to unapproved third party functionality.  So, you'll need to clear this hurdle before anyone uses the new functionality on a cache page.

[+kranfagel]

Wrote, thank you

 

Quote

Hi,
recently the MOB caches app has been shut down and all the caches out there that use this feature are about to be archived. That's such a pity, because they have a great value on building the geocaching community.
I have developed and published a replacement app and described its features on the Forum topic: https://forums.geocaching.com/GC/index.php?/topic/396356-mob-caches-a-new-tool/
I have been instructed then to contact you with an approval request for this app, so reviewers can publish caches that uses the new application instead of the old one.
The source code of the app is published on GitHub: https://github.com/fracz/geocache-mob
Please let me know what else I can to for this MOB replacement application to be approved.
Best,
Wojciech (kranfagel)

 

[Keystone]

Nice letter! Please post an update here when you receive an answer from HQ.

[+arisoft]

39 minutes ago, Keystone said:

We are instructed NOT to allow links from cache pages to unapproved third party functionality.

 

As the author of many third-party functional caches, I'm quite surprised that I hadn't received this information. It would be quite frustrating to see a lot of effort put into making something like this and then be surprised afterwards that the project requires some kind of unspecified review. If this guidance is not a trade secret, I would be more than welcome to see details of the guidance and when it is supposed to follow. Perhaps it only applies to functions performed by others than the owner of the tool himself?

[+thebruce0]

I think the distinction is that linking to an external site is okay with disclaimer; linking to a functional external website as well, dependent on the functionality. For mob caches that make use of geolocation on the web it's an exception I think that requires approval. That's how I interpret the guidance.

[+arisoft]

3 minutes ago, thebruce0 said:

That's how I interpret the guidance.

 

Do you have access to the guidance?

[+thebruce0]

uh, for example

1 hour ago, Keystone said:

We are instructed NOT to allow links from cache pages to unapproved third party functionality.  So, you'll need to clear this hurdle before anyone uses the new functionality on a cache page.

 

[Keystone]

1 hour ago, arisoft said:

If this guidance is not a trade secret, I would be more than welcome to see details of the guidance and when it is supposed to follow.

 

For the public-facing guidance, please see Section 6.9 in the Help Center: Software, apps, technology, and downloads.  Privately, the Reviewers have more detailed guidance, which includes advice to question links to websites that are geocaching or technology related (among other things).  We do not need to question links to websites if Geocaching HQ has indicated their blanket approval.

[+kranfagel]

What do you mean by "question links to websites"? After your message I understand that the HQ approval is not required for the cache to published. It just makes the publishing easier for both owner and reviewer. The regulations you linked clearly state that online free resources are permitted. 

[+arisoft]

15 minutes ago, kranfagel said:

What do you mean by "question links to websites"? After your message I understand that the HQ approval is not required for the cache to published. It just makes the publishing easier for both owner and reviewer. The regulations you linked clearly state that online free resources are permitted. 

 

I am also confused. The Help Center is totally limited to Apps that needs to be downloaded. I have one cache which is using location services functionality, but it is not an App and does not require downloading. It is just a web page you open from the link.

[Keystone]

2 hours ago, Keystone said:

We are instructed NOT to allow links from cache pages to unapproved third party functionality. 

Here is another way of saying "question a link" to a site like the OP's new Mobcache functionality.  If I saw a cache page that links to the OP's website, I wouldn't publish it.  I would "question" it by asking Geocaching HQ if it was permitted.  I would only publish the cache page after they said "yes."

 

If a link is approved by Geocaching HQ, all the Reviewers will know that.  Examples of links that are approved include project-gc.com and flagcounter.com.  I do not need to "question" these when I see them, because they're already approved.

[+kranfagel]

Are you saying that all of the geocaches I mentioned and the @arisoft is talking about were approved by HQ during the review process behind the scenes? That would be a huge surprise for me.

[Keystone]

28 minutes ago, kranfagel said:

Are you saying that all of the geocaches I mentioned and the @arisoft is talking about were approved by HQ during the review process behind the scenes?

 

No, I didn't say that.  I've explained the process for reviewing links to third party websites that are included in cache descriptions.  Individual cache pages are published by local Reviewers if they meet the Geocache Hiding Guidelines, including the guidelines relating to cache page content.

[+arisoft]

3 hours ago, Keystone said:

Here is another way of saying "question a link" to a site like the OP's new Mobcache functionality.

 

I don't understand what this is about. Here is an example:  https://coord.info/GC644N5

According to current reviewer guidance,  does this kind of cache "question a link" to a site?

It was published without permission from HQ. I know this for sure, because the reviewer asked a permission from the HQ later, long time after the cache was published.

[Keystone]

I see that GC644N5 has a link with a URL that includes the term "checker."  Assuming this is a "Geochecker," I'm not aware of any guidance from Geocaching HQ that approves this site generally for links on cache pages.  Examples of Geocheckers that have been authorized by HQ for use on cache pages include, without limitation, Certitude, GC-Apps and GeoCheck.  There are also several checker sites that are NOT allowed to be linked from cache pages.

 

But this thread is about @kranfagel's GeoMob application, and getting that functionality approved by HQ (like the original functionality by @ChileHead) so that Reviewers can publish cache pages that link to the application.  Now that we have a good understanding of the need for external links to be approved by HQ, let's get back on topic.

[+Nutty_and_Evil]

Fortunately, when I created my 2 MOB caches, I also added an alternative method of getting the co-ords (from info at GZ, sign etc) in the listing
I did this for those that cache alone or if the MOB website was down etc
So I was lucky in that I did not get mine archived because they were still findable, I just needed to alter the listing
I hope to use the method listed here,
I have just created a page to give it a try, I saved the code that it created for editing, but at the moment I cannot see a page to edit it~
Maybe because I am in a rush getting ready for work I will look a bit later
 

[+kranfagel]

You can find a small edit link at the bottom of the created MOB page.

[+ChileHead]

When I first created the mob application about 10 years ago, I had planned to do it for a single cache that I had published alongside an event.  When I decided to make it general purpose and allow others to do the same, I took the concept to the reviewer forums and directly reached out to several people at HQ to discuss.  There had been some concerns at the time about the concept, which I addressed.  The new platform here does not address one of those concerns, but I won't get into that here, that would be something HQ can discuss with the new app owner and it may not be a concern any longer.

 

There is likely less of a concern about "one off" apps used in apps vs an app that is general purpose.  As a reviewer if I saw an offsite link that was not in the list of approved sites, I would probably bring it to others to discuss.  If it appeared to be something designed to be used for many cache listings, the discussion would probably be more lengthy and involve more people from HQ.

 

Since I developed this tool, the EU GDPR regulations have gone into effect.  I have no idea whether or not use of IP addresses falls into any of the regulations, but it's a possible problem.  I doubt it is, as there is no direct personal identifiable information associated with it, but again it's an issue HQ should probably weigh in on.

[+gander.pl]

@kranfagel Your "code quality enthusiast" does not match the code posted (PHP+HTML+JavaScript+Vue in one file). But it works, that's probably the most important thing. Are you planning to rewrite it to some micro-framework? Or consider completely using only Vue, which can then be pushed to a serverless service on GitHub or Cloudflare. You could then use a tool like SurrealDB to store and process geolocation data. https://docs.surrealdb.com/docs/surrealql/functions/geo

 

@ChileHead since you closed the website, I have one very important question: do you still have the database and do you have the right to lease the domain? It would be possible to recreate the tool on this data in the same domain, and in compliance with GDPR regulations.

[+bflentje]

On 2/1/2024 at 7:30 AM, Keystone said:

unapproved third party functionality.  

 

Interesting use of language. I would have thought it was just another way to solve a mystery cache.

[+kranfagel]

16 hours ago, gander.pl said:

@kranfagel Your "code quality enthusiast" does not match the code posted (PHP+HTML+JavaScript+Vue in one file). But it works, that's probably the most important thing.

 

Haha, yeah, you got me! I totally agree with that. The next step would probably be refactoring it into a simple REST API, and then - maybe - making it serverless, as you suggested. The thing is, time was crucial here; providing a tool and initiating discussion at least halted the archiving process of some existing MOBs out there. So what you see in the repo is a result of urgency, the required level of security and functionality, and the need for easy deployment on one of the machines I already had. There was also a vague hunch that it wouldn't be welcomed. I'm happy to adjust the code so it meets my GitHub description after at least a "yellow light" on this topic.

 

Meanwhile, I have also talked to some reviewers, and they mentioned that the main concern is the storage of IP addresses. I do see the problem, but it can be easily addressed by hashing them before storage. The application does not need to know the IP address of devices; it just needs to check if it is unique in the last minute. Other methods, like checking the browser string and cookies, are also available, but they are easier to spoof.

 

The question posed to @ChileHead is also important. A non-harmful way of shutting down such a project would be to simply give the code away to someone who has resources at this time, instead of deleting the service. If the domain cannot be leased (because there is also other stuff on it), it could at least redirect to the new location of the same tool. It would require minimal work from anyone - just the approval of a new domain by HQ with the tool they had already approved before.

 

By the way, there's been no response from HQ yet.

Edited February 6 by kranfagel

[+CheekyBrit]

13 hours ago, kranfagel said:

By the way, there's been no response from HQ yet.

Thanks for the update. I await their response through you with baited breath. This is exciting.

[+ChileHead]

18 hours ago, kranfagel said:

Meanwhile, I have also talked to some reviewers, and they mentioned that the main concern is the storage of IP addresses. I do see the problem, but it can be easily addressed by hashing them before storage. The application does not need to know the IP address of devices; it just needs to check if it is unique in the last minute. Other methods, like checking the browser string and cookies, are also available, but they are easier to spoof.

 

As far as I know, HQ has not weighed in on what any concerns are.  I have speculated on a couple things, but that's all it is.  

 

18 hours ago, kranfagel said:

The question posed to @ChileHead is also important. A non-harmful way of shutting down such a project would be to simply give the code away to someone who has resources at this time, instead of deleting the service. If the domain cannot be leased (because there is also other stuff on it), it could at least redirect to the new location of the same tool. It would require minimal work from anyone - just the approval of a new domain by HQ with the tool they had already approved before.

 

I doubt there is a concern with the actual code, or domain it lives on, they never saw my code.  I own a number of domains I use for various projects, so leasing isn't something I'm interested in providing, and honestly the actual endpoint is irrelevant.  I expect at this point HQ just wants to re-examine the concept as it's been nearly 10 years since the original hack I threw together in a few hours.

 

[+jorgepinan]

Hi @kranfagel, I made some tests with your new tool and I am having problems with the coordinates where I am supposed to be:

In the coordinates shown, the digit of the longitude degrees and the digits of the longitude minutes always are 1 unit higher that the real values where I am. Also, a character "-" is added just before the digit of the longitude degrees. Example:

I am at N 43° 18.080' W 003° 03.308'

But the tool shows N 43° 18.080' W 0-4° 04.308'

 

I tested with my android smartphone and with Chrome browser in my PC. Same result.

I know other person that has the same problem.

 

Maybe the code will be fixed after the HQ approval? Or should it work fine right now?

 

Thank you for your work!

Jorge

[+kranfagel]

There was a problem with converting coordinates on S/W side. Should be fixed now :-)

[+kranfagel]

On 2/7/2024 at 1:50 PM, kranfagel said:

Dear Wojciech,

 

Greetings from Geocaching HQ. 

 

Thank you for submitting your page for our teams to review. 

 

At this time, this page is not approved. Any site or app used on a cache page needs to adhere to all international privacy laws, including a privacy policy and disclosure requirements.

 

In addition, the concept of mob caches was an exception to the additional logging requirement guidelines and would not be publishable today.

 

We appreciate your efforts and ingenuity.

 

Best regards,

 

Geocaching HQ Admin

 

 

[+arisoft]

1 hour ago, kranfagel said:

In addition, the concept of mob caches was an exception to the additional logging requirement guidelines and would not be publishable today.

 

I thought that the player must sign the logbook without ALRs? How is this possible?

[+arisoft]

Archive

16/02/2024

Mob caches were published as an experiment using specific technology that required players to be in the same place and to enter a code at the same time to learn the final coordinates. This was an exception to the guidelines at the time and is not a publishable concept today.

The original site used for this purpose has been removed, and therefore, HQ has decided to archive all active caches originally intended to be solved using this method. Due to privacy laws, we are not seeking an alternative site at this time. We are respectfully requesting that the cache owner please remove the cache container and contents as soon as possible.

[+ChileHead]

2 hours ago, arisoft said:

 

I thought that the player must sign the logbook without ALRs? How is this possible?

 

The thought of an ALR was raised when I first released this 10 years ago. Personally I wouldn't call it an ALR but I can see the concern.

 

To alleviate this, I deliberately did not use IP addresses to determine attendance, but instead used sessions. What does this mean? One person could act as multiple people with multiple browser instances (not just tabs) which allowed a slightly tech savvy person to do this on their own.

 

[+arisoft]

28 minutes ago, ChileHead said:

The thought of an ALR was raised when I first released this 10 years ago. Personally I wouldn't call it an ALR but I can see the concern.

 

It is as ALR as Adventure Lab bonus caches are. I am pleased that this ALR nonsense was not referred in the archive sweep message.

 

Jigidi puzzles are known to register IP-addresses. (Used for banning abusers) Are Jigidi caches the next victim?

Edited February 16 by arisoft

[Keystone]

10 minutes ago, arisoft said:

Are Jigidi caches the next victim?

 

You can figure out the answer by reading this page.

[+barefootjeff]

43 minutes ago, arisoft said:

Are Jigidi caches the next victim?

 

I hope so .

[+thebruce0]

4 hours ago, kranfagel said:

At this time, this page is not approved. Any site or app used on a cache page needs to adhere to all international privacy laws, including a privacy policy and disclosure requirements.

 

So... that makes it sound like ANY external website requires a privacy policy and a disclosure agreement in order to be used on a cache page. That seems excessive. And way out of reach, as many websites used for puzzle caches are just websites with content.   Now mob cache functionality is more than just a website that provides content, it's functional and makes use of user data. But "any site or app" is way more far reaching than user-functional websites...  I hope that's what they were referring to, not just "any site".  I know plenty of web-based puzzles set up on personal websites that don't have any form of policy let alone intentionally adhering to any international privacy laws.

Has the approval process for any and all external website links been changed?

[+ChileHead]

45 minutes ago, arisoft said:

Are Jigidi caches the next victim?

 

To be clear, the archival of mob caches started because of my action to retire the platform, not because of any action from HQ. 

[+Team Canary]

4 hours ago, barefootjeff said:

 

I hope so .

Me too!!!

[+arisoft]

6 hours ago, Keystone said:

You can figure out the answer by reading this page.

 

It is all about data collection. So a statement that no user data is collected is what resolves all issues?

Edited February 17 by arisoft

[+capsai]

9 hours ago, Keystone said:

 

You can figure out the answer by reading this page.

Wow. they collect a lot of data.... i would ban them 

[+Ragnemalm]

"www.geocaching.com says

You're about to leave Geocaching.com.
Please note: External links have not been reviewed by Geocaching.com."

 

Isn't this all Groundspeak needs to be safe? We are visiting all kinds of pages when solving mysteries. We are allowed to link to external pages, right? As long as they are not full with ads? Or not?

 

So if I make a mystery that links to my JavaScript game, it is not OK? Or my own myst checker?

 

Where is this rule actually stated in the guidelines?

[+Ragnemalm]

3 hours ago, arisoft said:

It is all about data collection. So a statement that no user data is collected is what resolves all issues?

If that would be the case, it would be wonderful! I don't need to collect data to make a fun myst based on an online solution.

[+Ragnemalm]

13 hours ago, arisoft said:

This was an exception to the guidelines at the time and is not a publishable concept today.

I have failed to see where this is against the guidelines. Pointer, please?

[Keystone]

6 hours ago, Ragnemalm said:

Where is this rule actually stated in the guidelines?

Read my posts from earlier in this thread.

[+JL_HSTRE]

19 hours ago, arisoft said:

It is as ALR as Adventure Lab bonus caches are.

 

Adventure Lab bonus caches do not have an Additional Logging Requirement. There is no requirement to complete the AL to log the bonus cache, although that's certainly usually the easiest way to find the coordinates.

 

Additionally, Adventure Labs (and Wherigos) are official Groundspeak products. That avoids certain restrictions on third-party apps or sites that otherwise have the same functionality.