Shortly after completing the ShmooCon 2010 badge puzzle, G. Mark Hardy told me in that he’d be contributing a puzzle for QuahogCon, the last weekend of April. I knew I wouldn’t be attending, so I offered to proofread the puzzle before he published it. I never heard back, so a couple days before the con I asked if I could play along at home (provided, of course, it was okay with the conference organizers).

He forwarded my request to the con, which reacted by posting a note on the official QuahogCon website:

G. Mark couldn't make it to QuahogCon, but he put together this great puzzle for us. David Schuetz, a veteran puzzle solver also can't make it to QuahogCon, but will be solving the puzzle remotely for fun. It'll be a beat the clock scenario to see who solves it first, David or an attendee.

D’oh! This was posted about midday on Saturday (I saw it a little before 1:00 in the afternoon). I’d hoped to leisurely play along for fun (and, I’ll admit, bragging rights), but I really hadn’t expected a gauntlet to be so publicly thrown down. I wasn’t even at home when I saw the message, and worse, the conference attendees had received the puzzle the previous evening. Fortunately, we were on our way home at the time, and I was lucky enough to get a “pass” to focus on the puzzle for a couple hours. I mean, once my name was used, I really didn’t have a choice, did I?

While still in the car (not driving!), I was able to look at the puzzle:

Solve Me First Then Solve Me
first second

If you'd like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. Those two images are all you need (from the con, anyway) to solve the puzzle. Click on each image for a higher-resolution copy.

I counted squares, and immediately concluced that the first stage was a Sudoku puzzle. I didn’t have a Sudoku solver on my phone, so I tried to be patient. Once we got home, I gathered up a netbook and a pad of paper, and set to work. First, I had to convert the nautical flags to letters. This was pretty simple, thanks to the wonders of Wikipedia. Turns out, the flags spell out (on the diagonal) “QUAHOGCON”.

Q O  UA  
 U  Q  H 
C A  N  O
   H  OCG
N    G U 
OA    C  
 CH  A O 

Problem is, that’s only eight letters, and we need nine, to map to the numbers 1-9. Well, shoot. Let’s just try and solve it anyway. So with pencil and paper, and as it turns out, only one easily-rectified mistake, I solved the Sudoku puzzle.


The trick here is to just trust your instincts and go with it. Assume the last number is a “space,” and that you simply don’t have any on the board when you start. Getting a Sudoku puzzle with one number missing altogether probably doesn’t happen much, but that doesn’t mean it’s impossible. At this point, it’s nearly 2:00 and I have a completed Sudoku square. What’s the second square spell?


Random text. Okay, so we’ve got an 81-character string of random text, in a 9x9 grid, and another string of not-quite-random text, in another 9x9 grid. One’s the ciphertext, the other is the key. Put ‘em together, and you’ve solved it. At this point, I’m getting pretty excited – it’s a one time pad. Simple. Surprisingly simple. But wait, how do I do it?

I figure that the trick here is to take every character in stage 2 and offset it by some number based on the key found in stage 1. But what are the offsets? Do the letters Q, U, A, H, O, G, C, and N (and space) map to 1-9, in order? (that is, do I assume Q = 1, U = 2, etc.)? Or is it alphabetical? (A = 1, C = 2,G = 3, etc.) Does the space come first, or last, in the list? Should the numbers be 0 through 8, or 1 through 9?

I set up a couple of squares in a spreadsheet to do the alphabet addition for me, and tried a bunch of the possibilities. After about an hour, I’d gotten nowhere. And I can hear the kids starting to get out of hand outside (plus, I felt a little guilty playing a game while my wife’s doing yard work). So I decide to take a break. During a pre-break visit to in the little cryptographer’s room, it hits me – I’m doing it wrong.

The letters QUAHOGCN don’t equate to 1-8 (nine, with space). They equate to QUAHOGCN. That is, I don’t have to convert the letters to numbers, I simply use the letters as-is. Duh.

What do I mean by that? It’s simple modular arithmetic, using letters as a base-26 number system. Take A, for example, and “add” B to it. B is the 2nd letter of the alphabet, A is the first, so 2 + 1 = 3, or C. A + B = C. C + D = G. And so forth. When you reach the end of the alphabet, wrap around – so Z + A = A. In this case, the first square of the key is Q, and the first square of the ciphertext is C. Q + C = T. The second squares are N and A. N + A = O. O + Z = O. The plaintext starts with “TOO.” How should I handle the spaces in the key? Let’s just treat them as zeroes, so we’ll replace them with Z (since Z plus any letter gives the original letter).

I tweak my spreadsheet, and out comes the answer. No further decryption necessary. But, wait, there’s a bug. One of the lines is wrong. No matter, it’s pretty easy to see what it’s supposed to mean. At 3:15, I send off a quick tweet to @quahogcon, they follow me, and I send them the solution in a direct message. Puzzle completed, challenge met. Woohoo!

Here’s the result grid:


And the final message, with corrections and punctuation (keeping with tradition, “Z” is read as a space):

Too bad we didn't get Seth MacFarlane to talk. We will try for that next year. G. Mark.

So in just about two hours of actual work, I’d solved the puzzle. And I’d managed to be the first, too. I was now able to go outside and help with the yard work. :)

Later that night, I hadn’t seen any activity on twitter talking about the puzzle, and it occurred to me that I might’ve scared people off. I wrote the con organizers, and suggested that they remind people that I wasn’t playing for a prize, and a little after 11 that night, they did just that. I’m told they also provided a few hints during the closing ceremony. But over the next several days, I never heard of anyone working the puzzle.

It’s now been over three weeks since the con, and I can only presume that people have given up completely. Why is that? Was the puzzle too hard? I wouldn’t think so. Personally, I thought it was pretty easy (I mean, even with the better part of an hour spent in a blind alley I still solved it very quickly) (and I’m famous for going down crazy blind alleys). Everything about it was pretty straightforward.

The few people I heard from said they stumbled on the Sudoku bit. As I said, I just ignored the problems and forged right ahead, which may be part of why I was able to get that stage solved quickly. Over-analyzing the puzzle there could certainly slow you down.

But even then, how obvious is it that you’d add the two parts together? Well, it’s clear that stage 1 can’t have any real meaning, at least not in a linguistic sense, as it’s really the result of a mathematical process. It can’t be text. And it doesn’t give any kind of “Ah-Ha!” feeling when you solve it, other than the satisfaction a Sudoku usually does. So it must mean something else.

Stage 2 is more clear. It looks pretty random, and has a fairly nice distribution of letters – unlike the first stage, which has only eight letters and a space. So it should be pretty obvious that one’s the key while the other is the ciphertext. At least, obvious to the kinds of folks who enjoy these sort of challenges.

And that’s probably where the game fell down. There’s only a limited fraction of any community that enjoys these kinds of puzzles. Even in the hacker / security community, where that’s likely to be larger than in the general public, it’s still a limited fraction. And of those, only some fraction will even feel in the mood to try, and only some fraction of them will keep at it beyond a few initial attacks. Especially so if there are interesting talks to hear or parties to attend. Add to that the fact that QuahogCon had only about 150 attendees, and you can see that the potential pool of players was probably pretty small.

That pool can be enlarged somewhat if the prize is good enough. But I’m not sure what the prize was, here – it wasn’t shown on the web site, and I didn’t see the opening or closing ceremonies. So maybe it wasn’t cool enough to drive more people to try. Or maybe it was, but people still couldn’t figure it out. I don’t know.

Maybe there’s a lower limit to the size of a con, below which it’s just not going to be worth having this kind of contest. Even at ShmooCon, with 10 times as many people, only two teams solved the badge puzzle. Then again, maybe we just need to get more people to develop their skills. Which, I suppose, is part of why I’m trying to document these contests. It should be obvious that I really like being the first to solve puzzles. But it’s also a lot more exciting when there’s competition. Hopefully, we can start getting more people involved, especially if the puzzles remain as good as this one was.

UPDATE! I had the pleasure of meeting Dennis Brown, the designer of the QuahogCon badge, at a talk at DEF CON 18. He’d tweeted a few days earlier that they had a couple extra badges lying around, and I asked if I could have one as a prize for solving the puzzle. He generously agreed, and gave it to me at the talk. It’s really cool, and was fun watching it get totally owned by the other QuahogCon badges in the audience. Too bad I only have one, and can’t participate in any new Zombie battles….

(view Archived Comments from the old site)