Monday, August 6, 2012

DEFCON 20: The Badge Contest

DEFCON 20 = Best Defcon Evar.  For me at least.

This post is about the Badge Contest.  I have also written about the rest of the con, like how my reading went, the amazing parties, and the surprise talk by Kevin Mitnick I was lucky enough to catch.

Last year Roland and I spent a lot of time distracted by the first annual badge challenge.  I wrote about it here.  This year, I knew there would be another contest, and I debated whether I wanted to obsess over clues and miss a lot of talks.  I figured I'd play it by ear.

We did end up playing around with the badge challenge for a while... and we made zero progress in the first two days.  None.  Not a budge.  We decrypted one very simple newbie puzzle, which was just a clue to a real puzzle, and that's it.

This year's challenge was much, much harder.  Not a casual game, but hardcore mode.  The bar was frankly too high for amateur solvers.  We didn't expect to win this year.  After all, we're newbies.  But we did expect to get past the first level.

So unfortunately, this post is going to be more of a critique than a write-up of puzzle details.  It breaks my heart, because I know Lost puts his soul into giving people a good experience.  He's made it clear that he does not want to overly frustrate and that he wants to encourage everyone to participate.  Lost fills many, many shoes at the con, and I appreciate all he does.  Defcon was truly awesomesauce this year, and I'm sure a lot of that was due to his efforts.

However I'm a big believer in constructive critique, and in transparency, so here is a rundown of the frustrations that we experienced.  For actual detailed write-ups of the clues, there are two: and

The short answer is, there were too many locks, too many keys, and no way to tell which key fit what lock, or even which were keys or locks.  None of the first layer puzzles were easy, so we couldn't start eliminating factors from a huge pile of raw data.  The Mystery Challenge was also going on this year, which added to the confusion for those of us purely working the Badge Challenge.  At least one major clue has now been identified as mC (the circuit rotunda), and I now suspect several other clues we found (and spent time on) were part of the mC because they were not mentioned in the badge write-ups.  As novices, we had no way to distinguish the bC clues from the mC clues.

I arrived at Defcon on Thursday while Roland was still at BlackHat at Caesars Palace.  The news came pretty fast that we'd have to do some electronic badge hacks in order to solve the puzzle.  That intimidated me, and I almost decided to enjoy Defcon without the added distraction...

Then I found myself in the greater rotunda, staring at the numbers and the symbols, and I was hooked.  As with last year, I whipped out the notebook and started writing everything down.  Started taking pictures.  Started basic cryptanalysis.  For example, I immediately noticed the numbers in the greater rotunda were 1-26, so it was some kind of substitution cipher.  So far so good.

Then Roland arrived and we went at it for a few hours.  We had piles of crypto and clues, from the program, from the lanyards, from the badges, from the Defcon DVD, from other attendees, from around the con.  And...

We got nowhere.

Lost's Twitter hints weren't helpful.  Some of them were things we'd already gathered from the Badge Talk or other sources.  Like that we needed all three lanyards.  That we needed to use Quick Fox (the pangram clue already told us that).  Other tweets only added to the pile of data we had, with no arrows as to how to apply any of it.  At one point, based on a Tweet, we started trying to apply Rail Fence to all the codes, which was another big time waster.

Lost hinted at the hall signs, but I saw nothing.  Part of the problem was my mistaken assumption, based on last year's example, that all the signs were the same (so I only checked a couple of signs).  The other issue is that the special signs were stolen at some point, so it would have been impossible to notice them.  We had one of the sign codes from the DVD, but not the other two.

From a game design perspective, the first layer of puzzles was too hard and gave no encouraging breakthroughs.  Had we managed to unlock the second layer, it would have been easier, with lots of carrots.  The write-ups describe several URLs (unlocked by solving the difficult first layer puzzles) containing simple reversed-letter strings.  Easy-sauce.  Accessible.  (What to do with them would have been the challenging part.)

If the goal of the game is to get everyone involved, you have to make the first levels easy and rewarding.  On the first day, groups of random strangers were forming in the halls to examine the clues.  We were sharing, we were playing with the badges, we were taking pictures of each other's notes.  By Friday afternoon, the groups had dwindled to a few lone souls, and by Saturday, all but the most hardcore had given up.  The winner of the contest was a Mystery Challenge team.  I'm sure that wasn't the point.

It would have worked better had there been multiple easy first-layer ciphers all vaguely pointing to a deduction.  Some examples of "easy" ciphers might be: a brute-forceable cryptogram, clues hidden in the source of an HTML page, image steganography, an obvious OTP, ROT13, binary or hex.  Instead, there was a single Atbash code with a specific URL, which in and of itself might have been easy without the overwhelming distractions.

Atbash was totally fair.  It's simple enough, and listed at the top of the list on the Rumkin cipher reference  page.  But our chances of guessing or brute forcing this were reduced by all the other distractions and time wasters we tried based on other clues and obvious suspects, like multiple pangram cypher types, OTPs, Rail Fence...

Like rats (or polar bears) whacking at the food button, we eventually gave up when no pellets came out.

I have a few suggestions, from a game design perspective, which could help next years challenge be more fun and accessible.

First, have some method of separating the bC from the mC.  That may not be a problem next year since the rumor is that this year's mC was truly (and sadly) the last.  But if both are going on, maybe a "#bC" and "#mC" signature next to clues from each (as is done in Twitter).  Or create fictional characters who are leaving the clues, and include signatures (initials, a name, a symbol like a rose or Kanji character or the Eye of Horus).  Make it clear those are the rules, so that any beginner can quickly pattern-match and easily figure out, "This clue is not for me."  Of course this method will make it harder to place intentional red herrings, and it throws many forms of steganography right out, but ... maybe it doesn't have to. :)

Another thing would be to give hints as to which clue goes to what puzzle.  I'm not asking for dead giveaways, and I still want to be able to sort some things out.  I don't want to be applying all three forms of Quick Brown Fox (plus the Wizard's Pangram, et. al), to every single crypto at the con.  (To be fair, the pangram clue was right next to the puzzle it belonged to, but also to be fair, not all clues this year and last were so closely associated.)  So perhaps a color scheme - puzzles printed in green match clues printed in green.  Or some other scheme.. again, it could leverage fictional characters: this key has Agent X's signature, but this puzzle has Horus's Eye, so they don't go together.  Or some indicator of when you'll need each piece of information.  If from the start we're being given bits of a later puzzle, there should be some indicator that we don't know enough to work that one.

Some misdirection and confusion is fun.  Too much is overwhelming.

If there are going to be interactive badges, have them spit our some kind of content out early on.  Anyone who tries even a little bit should get some kind of, "Nice try, keep going".  The method of getting that should lead logically to the more difficult and meaningful answer.  Like if you sync with one other badge type, it flashes SOS in Morse Code or "MISS!" in binary or says "GAME OVER" when you wave the LEDS back and forth.  Then we'd know when we're barking up the right tree.

My last suggestion: Give some low hanging fruit.  Make a couple early of puzzles so ridiculously easy that any Defcon attendee will realize this game actually is for them.  TryThis0ne's first puzzle is one such example.  You have to solve it before you can even access the other puzzles.  Anyone who's ever done a newspaper cryptogram can solve it.  Feel free to taunt those who crack them, like, "I was just testing to make sure you were awake, but my dog could solve that puzzle."  After that, ramp it up.  Steeply.  Terribly.  Painfully.

Parenthetically, DEFCON 20's contest, a few easy attempts rewarded you with a taunt, like, "Did you really think it would be that easy?"  If I recall, they were things like guessing Lost's name in the URL, and messages hidden in same-color text on the HTML page.  Those messages were actually encouraging.  They sent a clear subtext: "Hey, you're smart enough to try the obvious things, and you found something.. not something useful, but something.  You can do this."

Now for the good points:

In the badge talk, Lost mentioned a goal that he successfully accomplished: He wanted the game to be more social.  That definitely worked.  I found myself talking to more people on the first day than I've talked to for entire cons.  People were excited to share and help and try to beat the challenge.  We were holding up badges, talking about them, trying to figure out what made them tick.  We were looking at each other's lanyards, trying to figure out why we needed all three...

He also continued the backstory mythology from last year, of the Brotherhood of Horus and secret societies.  There was mention of a comic book, and I'm looking forward to that.  I wrote a story for this year's short story contest based on the clues from last year's badge contest, so I'm looking forward to see how next year's mythology develops.

The contest was also inspiring.  Lost did a great job both years of making us curious.  These puzzles remind me that I'm smart, and they bring back the feeling I had as a kid, when I'd excitedly try the brainteaser every Friday at school, and I'd usually win.  It helps me remember that I love puzzles, and that just because I've aged and experienced failures and forgotten how to do grade school math doesn't make me any less capable than I was as an eight year old.

The hands-on aspects of the Badge Challenge is essential and awesome and inspiring.  It lets me participate in Defcon in a way that makes me feel I could participate in "higher-level" contests, if I wanted.  The badge challenges have made me feel like I belong at Defcon and I'm not just a poser or a tag-along.

After DEFCON 19, Roland and I were inspired to do more puzzles during the year, but we didn't follow up.  This year, we did.  We found, which is a site full of puzzles and hacking challenges.  And we started playing a new MMORPG, The Secret World, based on its inclusion of real puzzles and crypto that you have to actually solve before you can complete quests.  My brain cells are grateful for the exercise.

A questioner at the badge talk Q&A asked about online resources for doing more puzzles, and he was directed to Martin Gardener (possibly these sites, Puzzle Playground and Math Puzzle) and Notpron.  I haven't checked those out, but if I tire of TryThis0ne and TSW, I have a fallback plan.

Most of all, I look forward to the badge challenge at DEFCON 21!  Maybe with some practice, we'll get a little further next year.


  1. Very cool write-up! Had everything gone as planned with the signs, website, etc, I think you would have had a much easier time. I am completely amazed by the teams that managed to finish both challenges in spite of the chaos.

    Good luck next year!
    Also, IMHO, the Myst series of games are still the most fun puzzle games to this day.

    1. Thanks Ellen. :) That makes sense. Totally looking forward to next year. I'm assuming you helped with puzzle design, setup, etc?

      I loved the Myst series. They owned the Adventure genre and it never recovered.

      TryThis0ne and TSW are both great because they feature crypto and hacking challenges. Even TSW, as an MMO, offers things like password guessing, looking up employee data on fake websites, and translating Morse code. Not to mention creepy conspiracy theories :)

    2. In a way. :)

      I'll check out TryThis0ne. Don't have time for another MMO just yet. We've been playing TERA to de-stress post con.

      Try hacking your badge if you haven't yet. Just add a blinking LED or something cheap to it. You'll be surprised how easy it is.

    3. Yeah, TSW isn't the best de-stressor because it's not mindless in the slightest. I find it refreshing now, but lots of times I would hate having to work at it.

      It's funny because I used to be pretty good with a soldering iron and I spent a year in college for hours a day sitting in the same electronics lab burning resistors on my breadboard because I was bored. (The teacher knew that burning smell was me.) I honestly think my greatest fear is having to face how much I've forgotten and having to compete with my past self. Part of me feels like that past-me was a fraud. That's true of the puzzles, too, but there I seem to have broken through the fear... by... guess what? Doing. :)