Monday, August 8, 2011

Defcon 19 Badge Contest: In General


Of my four years of going to Defcon, I had the most fun this year at Defcon19.

Granted, my first year was pretty fun.  There were lots of antics going on, and I went to a lot of talks.  And Defcon17, we got an invite to the Facebook party at Studio54 where DualCore and YTCracker were playing.  And last year, Defcon18, was kind of a blur.

But none of those years had a badge hacking contest I could actually participate in.

When I heard the badge this year was going to be non-electronic, I scowled.  I waxed cynical.  I joked to people that they were going to print the badges on hot-pink cardstock.  It was hard to imagine any badge being as cool as this, this, or this.

As with every year, there were not enough badges.  Here's a quick summary of just how lucky I was to even get one.  I got in line at 2:50 on Thursday.  I stood in line for an hour and a half, the line stopped 14 people away from the front, waited 30 minutes, got told lots of conflicting information about badge availability and wait-times, waited longer, got to the front of the line, got told more metal badges on there way, but if I registered right then I'd get a badge of shame paper badge non-redeemable for a metal badge later, heard there were badges left at Caesar's Palace (where Blackhat was letting out), left the line, tried to call Roland so he could get me a badge there but my phone battery died, heard that all metal badges were gone for good, Roland arrived from Caesar's, got back in line for two hours, and 25 people away from the front of the line it stopped again, then heard the good news ripple up from the front: A small Fedex package had arrived with a small number of metal badges.

Color me ecstatic and incredibly lucky.  Here's a picture of my beautiful badge:

And not only is it stamped on antiqued oxidized titanium, printed on the last supply of .040"sheet-titanium left in the United States, but it is also part of a complex series of puzzles, a conspiracy if you will, that permeated the entire con.

Clues were hidden in the badge itself, in the lanyard (see the binary in the pic?), in the con program, in the T-shirt art, in the badge talk, on twitter, in the signs, in the hallway art.  There was even a hired actor, though I never saw him, who would play out scenes to give further clues.

It was a well-designed game.  Most of the clues were repeated in various places, so everyone had a chance to find them.  I also get the sense clues hidden behind incredibly complex encryption or puzzles could also be found through much more simple means.  For example, we heard that one person build some kind of gear machine that eeked the word "candy" from the crypto wheel, but most people got that answer by giving a password to a "Z" agent, and the agent just told them the word.  (Not that it was easy to find all the clues that gave you the password or told you about the Z agents, but that was certainly more accessible than whatever crazy math and hardware hacking was required to interrogate the crypto wheel.)

Starting Thursday night, Roland and I became obsessed with finding clues and cracking codes.  We stayed up until 2am Thursday night.  Every once in a while, one of us would ask the other, "Want to go out tonight, find a party?"... no.

I haven't had this much fun in this kind of way since I was a kid, back when I was the first in my class, every week, to crack the weekly brain-teaser.  Or when I'd obsess on a text adventure on my TI 99/4A, trying to solve puzzles for days at a time.  These days with whiz-bang video games, and busy schedules, it's hard to find the patience for recreational intellectual heavy-lifting, when we can simply google a solution or even a full walk-through on the internet.

This badge contest made me remember how much fun it can be to work something out.  It made me feel smart.  For the first time at Defcon, amongst some of the l33test people on earth, I actually felt l33t.

That's not to say we actually solved the puzzle, and we couldn't have gotten as far as we did without stealing other people's solutions talking to people.  But it wasn't designed for any one person to beat.  LosT designed it to make us all more social.  The clues required too broad a skillset and knowledge spectrum, mostly the sort of thing you can't simply google.  And the badges themselves were all different, requiring interaction to gather the data.

I must say, we started the contest being secretive, hoarding our knowledge.  There's a certain type of elation when you can gloat personally and sometimes publicly that you know something they don't know.  But it really would have been much more productive to share, I think.  And it would have made us just as happy.  Not only that, but if we were going for l33tness and geek status points, we probably would have gotten more if we'd shared from the get-go.  Especially given just how light-weight and inexperienced at puzzle-solving that we are (or were....)

We did much better at the early puzzles, and my personal strong-point was noticing clues.  I usually didn't have the foggiest what to do with the clues, even though I thought I did...  If I had pointed them out early, publicly, I would have earned higher hacker cred.  Since I didn't solve the puzzle, the fact that I noticed the 33 tattoo in the program on the first day, doesn't really matter since I still don't know what that damn 33 was for.  I know it was important because I saw this clue coming up again over time -- on an added sticker in the rotunda, written on a coin stuck on the wall, etc.  i.e. LosT was saying, "Hey you guys keep missing this clue!" ... I had it all along, and someone else could have done something with it.

Not that geek status is the end-goal.  It's just part of the fun.  Solving the pieces for their own sake was its own kind of elation.  But there are multiple ways to display l33tness, and sharing is one of them.

We are definitely planning to do this again next year, and when we do, we plan to collaborate this time.  I'm not exactly sure what form that will take.  This year, there was an IRC channel, but I wanted to keep my netbook off the Defcon network and didn't want to pay for (pwned) hotel wireless.  Next year I may consider bothering with it.

In fact, being without internet+netbook was a huge barrier.  My method of problem-solving relies on the gathering of as much information as quickly as possible, then eliminating distractions as quickly as possible.  Use of the internet on a larger screen with a keyboard is necessary for that.  My Android simply wasn't up to that task.  I would also like to develop a more systematic method for storing information and testing theories.

Here are a couple of pictures from my notebook, to illustrate some of my thought processes and the kinds of clues we were collecting:




A collaboration group did form, and even though we didn't participate with them, we happened to be present when they won.  That was was really cool.  On Sunday afternoon, we found the collaborators in the chill-out room and started hovering, listening to them, and trying to figure out how they'd solved this or that, and what they were currently working on.  Thirty minutes later, they got the email reply from LosT confirming they'd won.  I'm not sure the full solution, but they emailed the number 108 and some other info to eban at 1o57.org, but we had no idea how they found that or what the other info was.  Roland and I spent another hour or so trying to reverse engineer from there, and actually got a lot further along, but decided to quit out of sheer exhaustion.

So thanks very much to LosT boY for accomplishing the goals you listed in the badge talk: The badge contest was accessible to all, and you got some of us introverted nerds to interact for a change.

In my next post, I will detail some of the specifics and list the clues we found and puzzles we solved or at least worked on for a long time.  Some of the clues from this year were intended to carry over to next year, so if you plan to participate, pay attention!

See you next year!

1 comment:

  1. Sweet, sounded like fun.

    I wish they didnt' cluster these conventions and conferences like this year. I mean, why is Norwescon and Sakuracon the same weekend?

    Anway, glad you had fun and got a sweet badge out of it.

    ReplyDelete