I’ve always liked puzzles. As kids, we were constantly working on jigsaw puzzles of ever increasing size and complexity. Whenever an article about Mensa appeared in the newspaper, my dad would give me the sample questions from it to figure out. And when I started Geocaching a few years back, that love for puzzles returned stronger than ever.
I currently work in the information security industry. The security community has many conferences throughout the year at which people gather to discuss research, reconnect with colleagues from across the country, and occasionally play some games.
Over the last eighteen months, I’ve become something of a security conference puzzle connoisseur. I have been the first to solve puzzles at three different conferences, and have even solved puzzles from two cons I didn’t even attend. I have already described a few of these on this blog, but I thought it might be a good idea to have a single index to put them all in one place. Hence, this post, which I’m writing on the plane home from DEF CON 18.
I hope to eventually document not only those puzzles I’ve attempted, but other interesting challenges and contests. Some of these are very imaginative, and some ate infuriating, but I think it’d be a shame for their details to be lost. And, hopefully, some of these descriptions might inspire future puzzle authors to create newer challenges.
ShmooCon V, February 2009
The start of my current puzzle mania. This puzzle came in multiple parts, spread across eight different conference badges distributed to attendees. The badges featured Morse Code and barcodes, mathematical sequences, and took me three weeks to break. I was the first to solve the puzzle. Second place went to a team of three, only a couple of hours after I had submitted my entry. Click here for solution.
Panda Labs Crypto Contest, June 2009
This contest was not associated with a conference, but was a promotion for an internet security firm. Over the course of a few days, I (and several others) decoded hints, downloaded files, played audio noise through a spectrogram, and decrypted the final answer. I was 5th of about 8 contestants to solve the puzzle.
ShmooCon VI, February 2010
The worst winter storm to hit Washington, D.C. in my lifetime just happened to fall e weekend of this conference. While not attending talks, fighting a nasty head cold, or foraging for food on Connecticut Avenue during an honest-to-God blizzard, I worked to collect clues from six different badges, a program schedule, conference quick reference card, and three large posters by registration that I’d missed for almost two full days. The puzzle featured geolocation, bearings, ranges, and airport codes from 11 different airports around the world. Working with a my good friend Бурак (pronounced “du-rok,” and not his real name), we came in first place. The second place team submitted their answer nearly 18 hours later. Click for solution.
DEF CON 2008 / ShmooCon 2010
Also at ShmooCon that year, a still-unsolved puzzle from DEF CON 16 was reintroduced by its author in the hopes that someone would finally crack it. I collected the various clues for the puzzle (not yet realizing that all five were already published on the web). I took a more classic, pencil-and-paper approach to this more traditional cryptographic challenge, though I used a computer towards the end. About a week after ShmooCon, I solved the puzzle. As of August 2010, nobody else has broken this code. Click here for solution.
XKCD,Volume 1, March 2010
This collection of strips from the popular online comic was published in 2009, but it was months before I became aware of the extensive series of puzzles and hidden jokes sprinkled throughout the book. Over about 10 days, I pieced together solutions for almost all of the puzzles, assembling the key that decrypted the book’s final challenge. I wish I could say that I solved this one entirely on my own, but a couple of times I became impatient and snuck a clue or two from the online discussions. Still, I’m happy about some of the approaches I took, and especially of being able to guess the system used in the penultimate cipher text of the book.
## QuahogCon 1, April 2010
A few weeks after ShmooCon, I learned that another crypto challenge would be introduced at a conference in Rhode Island at the end of April. I asked the author and conference organizers if I could play along at home, and solved this nautically-themed visual cryptographic puzzle in about X hours. Unfortunately, nobody who actuarially attend the conference ever solved it, even in the three weeks before I published the solution. Click here for solution.
THOTCON 0x01, April 2010
The same weekend as QuahogCon, another conference took place in Chicago. A few days after the con, the program handed out to attendees was published on the web, and reference made to a puzzle. Though I was on travel when it was released, I simply couldn’t resist the challenge (they say the first step is to admit you have a problem). Over the next two [3?] nights, I solved another multiple stage, cryptographic and steganographic puzzle. I do not believe anyone else solved this challenge, either. Click here for solution.
DEF CON 18, July 2010
The conference had only just begun Thursday night when Бурак and I began attacking yet another crypto challenge from G. Mark Hardy. He had been responsible for both ShmooCon puzzles, the reintroduced DEF CON / ShmooCon puzzle, and the flag puzzle from QuahogCon. This challenge was to be his most complex yet, and included trips through 19th and 20th Century literary classics, Adobe PDF, and Google Voice. We worked as as semi-independent but mutually supportive team, one jumping forward then sharing his results with the other. I made the last intuitive leap first, and declared victory about noon on Sunday. Бурак figured the last bit out a couple hours later, claiming second place for himself. Again, disappointingly, nobody else completed the puzzle. Click here for solution.
THOTCON 0x2 Pre-Sale Puzzle, September 2010
While at the beach, a quick little puzzle came out via Twitter for THOTCON. The puzzle was to lead eventually to a ticket discount code for pre-sales tickets. Predictably, I took a purist, way-harder-than-it-needed-to-be approach to the puzzle, but still managed to recover and (I believe) solve it before anyone else. And in the process I got a lot more familiar with a classic cipher. Click here for solution.
ToorCon 12 Badge Puzzle, October 2010
Yet another fine challenge from G. Mark Hardy. This one came out while I was at a wedding, and so I had to play along remotely. I couldn’t figure anything out from just the badge image, as I needed additional information, but once I got that information… This one had a quite interesting cipher I’ve not seen before, and I really enjoyed it. Click here for solution.
Civil War Message, December 2010
A message recently retrieved from an old vial that’d been locked away in a museum for over a century. G. Mark teased me with links to the stories over Christmas, and though I couldn’t avoid glimpses of the plaintext, I tried to demonstrate a reasonable method for solving the message. Which, by today’s standards at least, was far easier than it should have been. Solution, analysis, and speculation
ShmooCon VII, January 2011
Yet another great G. Mark puzzle for my favorite con, the local ShmooCon. Took somewhat longer than it should have because of typical boneheadedness on my part, plus half a day lost at the Doctor’s. Finally spurred into completing the solution at the last minute, just ahead of 2nd place. Click here for solution.
2009 Verizon DBIR Puzzle (April 2011)
I missed this when it first came around, and only learned about the contest a week or two after it’d been solved. I read the solution, knew it was pretty easy, and forgot about it. As I started to get psyched for the 2011 report (and contest), I figured it was time to try and solve this puzzle properly, trying to forget what I’d read when it came out. Click here for solution.
In mid April, G. Mark Hardy asked if I’d be attending CarolinaCon, as he had a crypto challenge ready to go. I wasn’t going, so he was kind enough to let me try the puzzle before everyone else. It actually had a trivial solution, but with a non-trivial twist that kept me stumped for a little while. Click here for the solution.
FidSecSys “Decode This” (August 2011)
A couple weeks before Black Hat 2011, Fidelity Security Systems announced a crypto puzzle for Black Hat, with a $1000 prize. I started playing, then decided the puzzle they’d posted was a just a teaser and put it aside until the conference started. Then got so lost in the weeds that what should have been an easy victory was snatched away. :( Click here for the solution.
ShmooCon 8, January 2012
After solving so many puzzles, I finally tried creating one of my own. With help and encouragement from Heidi and G. Mark, my first puzzle debuted at ShmooCon 8. It lasted until midday on Saturday, when a team of two solved it. Click here for the solution
ShmooCon 4, February 2008
I never solved this at the con. I didn’t have any computer with me at the time, and also simply hadn’t been bitten by the puzzle-solving bug yet. But now, after four years, I finally found copies of all the badge images and worked the puzzle through to completion. An interesting challenge, that also had me dusting off the cobwebs to do a little bit of minicomputer assembly code work. Click here for the solution.
BSides Phoenix, February 2012
Minding my business on a Saturday morning, then I saw a badge picture pass through my twitter feed, and bam, I’m hooked again. A fairly easy puzzle, but with some twists that kept me guessing and a couple of “well, duh!” moments. Click here for the solution.
Cipher Beer, February 2012
Coming soon. :)
Verizon DBIR, March 2012
The fourth year that they’ve had a crypto challenge in their report. I didn’t play the first year, gave up on the second, and skipped last year’s ‘cause I was too busy not winning a THOTCON puzzle. This year, though, I gave it all I had and somehow eked out a victory! Click here for the solution.