Monday, August 8, 2011

Defcon 19 Badge Contest: In Specific

The grand post probably none of you have been waiting for.  My previous post is an overview of the badge contest.  This post gets into the very detailed list of clues and theories and musings.  It will only be interesting to participants of the contest, and even then, we only actually solved a couple of things.  So if you're looking for answers, it's likely that here you will only find more questions. :)

That being said, I stole got a few solutions from other people who were weak and capable of being social engineered willing to share their findings.
First, the badge.  Round, with a notch.  Different numbers on different human badges.  The notch seemed to be the same on every badge with the same number.  Inhuman badges were not round.  I do not know if they had notches.  I'm pretty sure inhuman badges all had the same number for the badge type, i.e. (C)ontest badges were always 60.

In the center of the badge was an Eye of Horus.  At the top of the badge was a keyhole.  I was pretty sure it matched a key symbol someplace which would reveal something in the eye or other parts of the cut-out.

The lanyard contains a series of binary, separated by colons (:), double colons (::), and Defcon logos (smiley-face and crossbones), which we dentoed with an "x".  There seemed to be two sets of binary numbers.  The second set was separated by periods (.) and had a few non-binary characters which spelled "1o57".  Obviously LosT's name.  One of the first things I did was make a .txt file with an array of these number, and when separating them by :'s, I noticed they were in 12-bit groups with the x placed in different spots.  We tried a number of different crunches on this data, i.e. looking for ASCII characters, translating into hex, etc.  Roland thought of trying to order them in order of where the x was, and we found there were two rows with the x in the 8 position and two in the 10.  The rest were unique.  This turned out to be a distraction.

We found out from chatting with someone the next day that the binary was a program: PDP-8, which is simply used to square numbers.  We took this as a clue that something needed to be squared.  But this was also a red herring.  In fact, the numbers were simply a data set used to hide another message, but not important in and of themselves: see steganography.

I learned on Saturday that these characters were used against another clue, which we had noticed in the program: ":: HACK UPON XYLEM ::"

I had searched for Xylem on the internet, and found it was a botany term, and spent a few minutes following some false leads there.  In reality, this clue worked like this:

HACKUPONXYLEM
1110110000x01: L
0x11010010100: A
0110x10010011: U
1111000x00100: N
11x1101101000: C
x101010010000: H
111x000100001: K

And so on.  It spells: LAUNCH KEY NOPMYX.  From previous clues, we knew there was one or more secret sites at http://www.defcon.org/1057/???  This was listed in the program.  We'd tried http://www.defcon.org/1057/1057, and just http://www.defcon.org/1057, and both of those gave us LosT mocking us, even in invisible black-on-black text, though I did write down everything from both pages (ha).  But NOPMYX (case sensitive) goes into the URL, and opened a page with all the clues required for the Z-Agent part of the puzzle.  More on that in a second.

Meanwhile, I researched Eye of Horus math.  Each part of the eye is a fraction, and I tried to apply that knowledge in all kinds of ways, but was only met with frustration.

There was some kind of Eye of Horus puzzle on the pages of the book, and we both beat that one to death but never figured it out.  Some of the eyes had red coloring in the inside (1/2), and some had red on the eyebrow (1/8).  Some had dots over the eye, one through five, and each of these was unrepeated.  These were only on even-page-numbers, but not every one.  They appeared next to Chinese (or Kanji) numbers 1-4.  Here are some examples:


LosT tweets on Sunday clearly indicated there was some way to decode that, possibly in the context of the One Time Pad (more in a bit), but we never did solve this.  Some of the theories we tried:

1. The positions of the eye matched the Chinese characters, either in decimal 1-4, or as a squaring function starting at 1 (1,2,4,8), starting at 2 (2,4,8,16), or starting at 1/2 (1/2, 1/4, 1/8, 1/16).  On pages with multiple eyes, we added the numbers, and tried various functions with the dots (multiplying, repeating that digit, etc.)  On the Speakers pages (pics in a moment), where the talk title started with a HUGE CAPITAL LETTER (yeah, I noticed that first thing), we tried various processes to find letter positions, but nothing helped.  The according to LosT's tweet, about decoding the numbers against the eyes, we tried all of the above also against the page number itself -- subtracting, adding, halfing, quartering, and so on.  We ran a lot of those against a number that later showed up on the "candy" website.  More later.

In a nutshell, we never figured out what the eye code was all about.  (Badge numbers didn't seem to correlate here either.)

Where to next.  Here are some clues from the program I tried to pay attention to:


Not sure what was up with the Rollieflex, an old-timy camera, but the number700005 seemed important, since they're part of 1057.  I also never figured out what was going on there on page 33 (the tattoo points there).  I did notice (before realizing it was page 33) that those tears in the film strip look a little like keyholes....  So I lined up the badge keyhole to all of them and nothing interesting fell out.  ARGH!  I also lined up the key to this:


And there, some cool things appeared through the gaps, like "another puzzle" and "used to unlock" which ought to have meant something, but what?  Coincidence?  Nothing else I aligned the badge with in the program gave me anything either.

Other clues pointed back again to that damn film strip, especially the the last "keyhole" on the bottom, but nothing loosened up there.

The most exciting of the above clues was the one thing we actually did that everyone else struggled with.  On Thursday, Roland and I both noticed it, and said, "That looks like shorthand!"  Both of us have parents who once knew shorthand.  But with them far away, we struck out to transcribe it ourselves.  It was really frustrating, because shorthand is designed to squish as much info in as small a space as possible.  This made it hard to look up in reference guides, because a lot of the strokes are almost identical, defined by things like length and direction the pen was going when the curve is made.  But after long hours with Gregg's Shorthand Dictionary, Roland found the very images which had been photoshopped into the program.  By Friday, we knew the shorthand spelled: The password is Little Sister.

Very exciting, but not a lot of good when we didn't know what the password went to.

From talking to a few people in the hall and talking to LosT, I'm pretty sure we were one of the first people to figure this one out.  A tweet the next day, giving this hint: If you can read the "kiss"- ask an older person or fans of the Mighty Boosh- I'm old greggg! indicated some people might have struggled with even knowing what shorthand is.

So we're pretty proud of that one.  Our best achievement unlocked in this game.

We googled "The password is little sister" and it was something of a Googlewhack.  There was only one link for this.  Easter egg, or clue for next year?  It didn't seem to contain anything useful, just a chapter from a Harry Potter fanfic, but given the title, I know it means something: Scatter My Ashes Where They Won't Be Found.  (The clue "found" was oft-repeated.)

We also found all the stuff on the CD.  Actually, it was on the website: http://www.defcon.org/1057/badge but the link was from the CD, so I shall refer to it thusly from here on.

On the CD were a large number of clues, which we mostly ignored because we kept forgetting about them.  They were in a .zip file, and I was mostly on my phone, so it was inconvenient to return to the MacBook and netbook and so on.

But there was a .pdf copy of the crypto-wheel for convenient reference.  This wheel was also printed on a massive decal in the main Rotunda of the con.  Truly awesome.  Here's a pic of the wheel for reference:


This wheel involved a number of puzzles, the easiest of which was the message encrypted in the numbers printed at the bottom of the large hall signs for the con.

As far as I could tell, the numbers were the same on every sign, which was sort of frustrating, given the incomplete feel of the message.  Here it is, letter for letter, with no typos.  I've used a slash (/) to indicate probable word separations:

WE/OENETRATE/YOU/RATE/YOUR/SECURITY/LEVELS/LOOK/WITHIN/YOURSELF/WHERE/THE/EYE/LACKS/MESSAGE/THERE/HOBOES/THUD/OF/HORROR

I believe the "O" should be a "P", so it would say "We penetrate you", however this was most likely not a mistake.  I have a theory on this which I will discuss later.  I focused a lot on looking for a message where the "eye lacks a message".  A number of other clues had a similar vibe.  This made me also focus again on page 33: Two of those "keyholes" aligned with words in the center of the eye of the badge, but the third one pointed at a blank spot.  But none of the other gaps revealed anything.

HOBOES THUD OF HORROR is an anagram for "Brotherhood of Horus".  Brotherhood has 11 characters, which matches a number that came up later (on the "Candy" page), but using it as an OTP key didn't work.

Ok, so the Z-Agents.  We didn't go through this process ourselves; we only found out about it afterward.  Above, the binary puzzle led to http://www.defcon.org/1057/NOPMYX.  That page instructs you to find the Z agents (a handful of people with "Z" badges) and include the passphrase from earlier (The password is little sister) on an Ace of Spades card.  They would give you a security question, which you would answer with "Every day is Halloween", and they would reply "Damn right", and they'd give you the next clue.  I'd love to include some of the specific text, but the Defcon website is down today.  (Did they get hacked? lulz.)

We didn't jump through those hoops, because we were told the next clue was "Candy".  Which led to http://www.defcon.org/1057/candy.  On this page there was a striking image of the Sheep of the Damned, which also appeared on the CD.  I still don't know what this image had anything to do with it (we briefly checked its metadata for anything interesting, too) but here is the text from the page:

You have found us.  Do not trust the SLEEPER AGENTS you may have discovered.  Send the phrase: The Jamie Dodger has been eaten to:
 28    14 19 28 39 4 31 28    18 11 36

You may be wishing I would speak to you, or illuminate where you may find the key.  It's in that place where I put that thing that time.

Wait for a return from the postman.

Jammie Dodger is probably another Easter Egg.  A Jammie Dodger was used as a self-destruct button on the TARDIS in a recent Doctor Who episode (which I have not yet seen), and was used less-interestingly in a number of other Doctor Who episodes.

We did a view source and noticed the extra spaces.  Those did not appear on the page itself.  That threw us off:  We knew we were looking for a One Time Pad (OTP), but weren't sure if it would have 11 characters or 13 (the spaces indicating to skip those characters or bring them over directly).  We spent lots of time looking for and finding strings of characters and numbers of these lengths, including doing lots of math and other funny business to various things, but to no avail.  We knew from a tweet that it had something to do with the program, specifically the speaker/talks pages with the giant letters, but didn't know which letters to take as the OTP, and spent a majority of our time trying to wring the secrets from the eyes at the bottom of pages.

Turns out the answer to that was much more simple.  By that time we were spying on talking to the group in the chill out room, and someone told us it's simply the first 11 large letters on the talk descriptions in the program.  No advanced maths required.

The contest had already been won by then, but we kept plugging away at it.  We found the numbers translated to E L O S T B O Y N E T.  Drop an @ and a . into the spaces hidden in the source, and we have an email address.  I emailed the passphrase, and exactly one hour later, received this reply:
We have verified that agents have compromised our communications channel.

You need to identify the compromised H, and replace with the Z.

We have verified that there is only one H value that has been compromised.

You may use the SUN/MOON to verify, you do remember how to calculate those, correct?

When you identify the compromised H, analyze and report.  The message stream will identify for you a name.

Report to the identity here:

_____________@%LosT 0x2E Organization

Within your message confirm the compromised H, as well as the sum of the moons and stars.




Sent via phone. Please excuse typos.

Now, by this time, we knew the final answer was 108 (obviously a Lost TV show Easter Egg) and something else emailed to eban@1o57.org.  We had heard they got 108 by adding 48 + 60, and they got those two things from the badge somehow.  Something to do with Log12, and the notches on the badges, and looking at the front and back of the badge (sun/moon hints) and I'm not that far along in math so ???  We were trying to reverse engineer the answer, and really wanted to know how they got to it.  But as we worked on it, it became apparent there was more than one way to get there.  We were on to something that had nothing to do with Log12, but couldn't quite make it work.  Partly because I hadn't gotten all the badge numbers and notch positions recorded.  This was Sunday evening by this time, so...

But we did notice that if we used the crypto-wheel, and took badge notches and lined them up, and then reversed the badge, and took both of those numbers that the notch pointed to, and added them, we got numbers that correlated with letters in ASCII.  We also tried subtracting the badge number, and also got letters.

Here's an example.  I have badge number 30, and the notch is in the "2 o'clock" position.  That points to 16 on the crypto-wheel.  If I flip the badge (sun/moon clues), it points to 99.  Add them, it's 115, which is "s" in ASCII.  If I subtract 30, I get 85, which is "U" in ASCII.  Any badge with a 5 o'clock or 7 o'clock notch will give the number 116 which is "t", and when we subtracted some of those numbers, those all gave nice neat ASCII letters, too.  It was very non-arbitrary, so we know it meant something, but that's as far as we got.  Now that my mind is fresh and I have a proper desktop computer, and all these details organized, I'm thinking of how easy it would be to go further, but things were much different Sunday at 6pm in the hall with a laptop. :)

I had another theory, related to the clue about the compromised H (human).  As near as I could tell, the only badge number without a notch was "3".  I remembered something from the day before (a clue I haven't talked about here yet):


(There were two goatse clues, the other was a QR taped to the rotunda crypto-wheel, but those were undoubtedly one of the many people messing with us).  On the same day, a footprint appeared in tape on the "24" position of the wheel in the rotunda, at 23 degrees.  I searched the area it pointed to a while, and found that someone was holding the clue I should have found: A coin with "33" printed on it, and a sketch of Anubis? 


All of the coin stuff aside (that is a WHOLE other story!), everything is pointing to that position on the wheel.  Not only that, but remember the message before, decrypted from the crypto-wheel, where the O should have been a P?  That was the "3rd" character in, and a "24" on the wheel.  If agent "3" was "compromised", they might have sent us the wrong character.

What we really should have done day one was pay for a print out of the wheel.  I suspected at some point we'd have to rotate this wheel, especially when the Z was a ?  What I really wanted to do was rotate the Z to the "24" position, and start trying to decode all kinds of things using this.  But without a paper copy and a pair of scissors, this was extremely difficult.  We had to manually count backwards five spaces any time we wanted to check something, which was a real pain.  So we didn't get very far down this track either, but I know it means something, and probably would have led us to the same answer those other guys got with the Log12 nonsense.

There were a number of other clues we never used.  Most we didn't even spend much time on, and a few of them I kept in the back of my mind.  Something kept niggling me.. that "where the eye lacks message".  On Sunday, the rotunda wheel got a few additions.  Most had been kicked off by foot-traffic by the time we got there (someone told us about it, and I saw the tape).  The Eye of Horus had a sicker of the "33" tattoo design from the program, and this:


It's just an "o" with some lines on the side, kind of like an eye.  The left eye "lacks message".  There were also a lot of tweets coming from @1o57 about suns and moons being the same thing (I will post all of those in a bit).  So I looked up more Egyptian mythology, and learned that Horus contains both the sun and the moon (because he is the sky).  He and Set got into a fight, and Horus lost is left eye, which is the moon, and that's why the moon is darker than the sun.  And here we have a left eye with nothing in it.  The downward point on the Eye of Horus on the crypto-wheel also points to that left eye in the Defcon logo.

This one drove me crazy, partly because Roland thought it didn't mean anything when I was so sure it did, and partly because it was important precisely because there was nothing there.  I was told when there was nothing there, that's where.. something would happen, but I didn't even have that part of the message ("Where the eye lacks message there..." and it cuts off).  There what?  I guess I'll never know.

The other rotunda had its own decal.  At the cardinal points there was a schematic-looking thing that I learned was to a logic gate.  At the inputs of each, there were Chinese characters.  Most were numbers, but a few were not.  Here's a picture of one:


And a close-up:



We never got very far on that, though I wanted to do some truth tables, and I noticed there were four sets of three-digit binary groups on the lanyard (010, 111, 011, 100).  LosT tweeted that we shouldn't worry about the logic functions but rather the mathematical functions these imply, but forget that! :)  Someone else mentioned this puzzle had something to do with narcissistic numbers.

P.S. One thing I learned through all this is that Wikipedia sucks at math articles.  They all assume you have mid-college-level math already, and don't do a good job of explaining how things work in a clear way to someone who stopped at pre-calc 20 years ago.

Before I do a raw data dump of all the other clues we noticed but didn't do anything with, here are all the Easter Eggs detected:

  • 108 is a recurrring number from the awesome TV show Lost.
  • Jammie Dodgers are used in a number of Doctor Who episodes, including as a self-destruct button.
  • The numbers 1057 (Lost in l33tspeak) where everywhere, including in the Eyes of Horus on the pages.  (More on that in a sec.)
  • Scatter My Ashes Where They Can't Be Found fanfic.  I wondered if this had anything to do with a tweet made about something Dan Kaminsky said, "Harry Potter, properly understood is a story about the epic consequences of losing one's password".  Or I could just be catching acquired schizophrenia from doing these damn puzzles. :)
  • The time, 8:15 on the Day 2 Clue, and 23 degrees.. these are three of the numbers from Lost the TV show.  Some of those numbers also appear on the crypto-wheel (4 and 16).  The Lost number I never noticed is 42.  Interestingly, this is the inverse of "24" which is the position on the wheel I thought Z should be rotated to.  (There was a badge number 42, but nothing to call it out as special.)

When I did some Egyptian fraction math on the eyes in the program, I got a bunch of nifty but apparently-useless fractions.  I'll be including pics from my notebook, so you can look at them there, but the important thing to note: The numerators were 1, 5, and 7.  1057 again.  Accidental?  I doubt it.

Photos of things we found laying around in the Rotundra:

And the coins:


There are actually three coins above, but I photographed both sides.  On the coin with the arrows, they point to the edge, where some kind of code was drawn.  It looked something like Morse code, but with some /'s and a < and some dark blocks as well.  I scribbled these down in my notebook, but am not confident in my ability to capture it well.  I dismissed this info, because Lost was standing there, and he told us the coins were just the goons fucking with us.  I didn't recognize him as being Lost, and tried to argue with him, and it was all embarrassing and all that, but when I found the "Anubis" coin the next day, I knew that he was fucking with us more than the goons.

There were two black lines taped at positions "47 - U" and "4 - E".  I don't know when these appeared, but I noticed on Sunday.


We found the forum entries, and I puzzled over those looking for meaning.  Found the "stop" error.

There is a QR code in the video, but I ran into supafraud Saturday night, and asked him.  He assured me it contained no clues, just a website and video of him messing around to be funny.

From the talk, I took a few notes.  I focused mostly on LosT's quote from Amazing Grace: "I once was lost but now am found, was blind but now I see".  I was hoping to get to replace a 1057 or Lost with found or some equivalent, but that opportunity never appeared.

And all of @1o57's clueful tweets: (speaking of which, http://ten-five-seven.org/ was 404ed the whole weekend, and still today.)

HINT: Digital logic- consider the mathematical functions implied by the types of gates represented, not simply as taking boolean values

HINT: If you can read the "kiss"- ask an older person or fans of the Mighty Boosh- I'm old greggg!
HINT: there are LOTS of people creating FAKE clues. Like most of the red shirt goons :) If it's not elegant, it's not me ;)

HINT: there are Z badges floating around the conference.....

Hint : if you have passed a card to z and are stuck- you are now dealing with a OTP. And you have the key

Hint: The eyes on the bottom of the pages are used against the page numbers for decoding...

The otp info you are looking for is in the program

If I SPEAK about the TRACKS that BIG foot left, I might break the LETTEr of the law.

The moon can sometimes appear as bright as the sun, depending on how you look at it.

H3 agents are rogue.

The sun and moon are opposed..kind of

Ra stands in opposition to horus

Every badge has both a sun and a moon

The dial is a sequence. It has a name. So do the badges

The sun can be seen with the naked eye. So can the moon.

Sun is position. Directly. Moon is position , directly. Every h has a sun and a moon
I noticed some ogham written on the keys in the skull pic from the CD.  I heard this image was from some previous Mystery Challenge, and like I said, we kept forgetting to look at the stuff from the CD.

And... all the notes from my notebook.  This doesn't include any of the text files or Excel files or most of the things Roland worked on.


This marks the end of my data-dump.  Maybe it will come in handy next year, or help other people who were working on the contest. :)  I really look forward to working on the next one.  Thanks again, LosT!

2 comments:

  1. Thank you for taking the time to share this.

    -1o57

    ReplyDelete
  2. Thanks for taking the time to read it, but more importantly, for hosting the contest. :D

    ReplyDelete