Ah, ShmooCon 2011. This time we’re in a new building, The Washington Hilton, and a little earlier than usual: the last weekend of January. But aside from that, it’s still ShmooCon. And it wouldn’t be a ShmooCon without something fun on the badges. For the third year in a row, the puzzle came from the subtle and devious mind of G. Mark Hardy.

This time, I was actually helping out at the con. I’d been a little concerned about whether I’d be able to fairly compete for the puzzle, since I might get exposed to the badges, or programs, or other material, before anyone else is. Heidi did her best to ensure that I didn’t learn anything unfairly – to the point that the Wednesday before the con, when I was helping with some of the check-in code and at the bag stuffing party, she repeatedly told everyone that “David’s not allowed to see inside the programs!” She’s so helpful.

Though I have to admit, it was certainly frustrating being surrounded by 1500 copies of the puzzle, and not being able to do anything about it.

Adding to the stress was the fact that I’d won (or shared winning) this contest in 2009 and 2010. The fact that this drive to keep winning was purely internal didn’t make it less real. And being somewhat not-100%, physically (more on that later) certainly didn’t help. More than once I’d wished I’d simply opted out of the contest at the beginning.

So anyway, the con started, I got my badge, my buddies got theirs, and we were off!

As always, if you’d like to try to solve this yourself, then STOP now, as the rest of this post is full of spoilers. If you’d like a copy of just the raw data (ciphertexts and other clues revealed during the contest), click here.

Pretty quickly we decided that there were probably five badges total: one for staff, one for speakers, and three for attendees. Each badge was made to look like a school hall pass, and had fields for the “student”’s name, the reason they were issued the hall pass, and the teacher who issued it. The names were all amusing, but didn’t really pertain – the important parts were the lines the names were written on. Two of the lines weren’t really lines, but were finely drawn Morse code.

Being hungry, we went off to lunch and, while waiting, decoded all five badges. We ended up with this (first line is hall pass reason, second line is the authorization, right column is the decoded text):

Badge Text Morse Code Badge Type
A Room With a Moose 2 YESTERDAYAttendee
Mr. Shmoo 3 TELEGRAPH
F5 Fingers 0 MOGADISHUAttendee
Anon E. Moose 1 ARMADILLO
I Haz Barcodes 4 HYPNOTISTAttendee
Bullwinkle 5 EUCALYPTI
Lost Voice on Alcan 8 ORANGE CABSpeaker
A Noony Moose 9 STIMULATE
Yearly Migration 6 MICROBREWStaff/Security
Dr. Doc Doctor, MD 7 OBJECTIVE

It seemed pretty obvious that they needed to be put in numerical order. This gave us:

0 MOGADISHU
1 ARMADILLO
2 YESTERDAY
3 TELEGRAPH
4 HYPNOTIST
5 EUCALYPTI
6 MICROBREW
7 OBJECTIVE
8 ORANGECAB
9 STIMULATE

Almost immediately we noticed “MAY THE MOOSE BE WITH YOU” read down the first column and up the last. So, that’s one part done. What other parts were there to the puzzle?

On the bottom of several pages were individual letters in a large font. Taken together, these spelled out:

RJWUD TKOOA EGPAD CRLUS

Obviously some ciphertext. I tried basic attacks (various Caesar shifts, “obvioius” Vigenère keys, etc.) but didn’t get anywhere.

On page 6 of the program was some base-64 data. I quickly entered that into an online tool and decided it was binary data, likely encrypted output from OpenSSL, and therefore almost certainly not part of G. Mark’s puzzle.

Page 12 had a section titled “Crypto Contest” with the following block of text:

CRYPTOCONTEST
MWHFGYBBXQBJA
OXIHADLIDWXVW
OUXGHIPCSAPHI
SZHWHPGMAXGNI
EYTKNSIYMJPJD

This one I just left alone for the time being. On page 27, we found a word search game:

0 1 2 3 4 5 6 7 8 9 
S A V E H I M O M G 
S E X H I B I T O M 
D E C I M A L D P A 
B A R R O R M A K R 
F U R W E I N T O K 
P C P T N T B O O M 
G V M U H O C A R K 
W I S E A N D O D I 
I O R V S E U T D K 
N O T H E R E L I E 
N O T T H E R E L I

It didn’t take long for us to start finding words and names in the square. Popping out at us were SAVE, HI MOM, EXHIBIT, DECIMAL, and NOT HERE. Also the names G MARK, WINN, GOD MINUS ON(e), and amusingly enough, DARTH NULL. Also, SECRET CODE. And some others. How many of the words we found were deliberate, and how many were accidents of the encoding? That wasn’t a purely academic question, as we figured that whatever letters were left over (not part of words) would themselves constitute a ciphertext.

Finally, the back of the schedule card had the following:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 
A S H M O O C O N A B D E F G I J K L P Q R T U V W X Y Z L 
B H M O O C O N A B D E F G I J K L P Q R T U V W X Y Z S E 
C M O O C O N A B D E F G I J K L P Q R T U V W X Y Z S H S 
D O O C O N A B D E F G I J K L P Q R T U V W X Y Z S H M S 
E O C O N A B D E F G I J K L P Q R T U V W X Y Z S H M O M 
F C O N A B D E F G I J K L P Q R T U V W X Y Z S H M O O O 
G O N A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O 
H N A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O S 
I A B D E F G I J K L P Q R T U V W X Y Z S H M O O C O N E 
J B D E F G I J K L P Q R T U V W X Y Z S H M O O C O N A T 
K D E F G I J K L P Q R T U V W X Y Z S H M O O C O N A B H 
L E F G I J K L P Q R T U V W X Y Z S H M O O C O N A B D A 
M F G I J K L P Q R T U V W X Y Z S H M O O C O N A B D E N 
N G I J K L P Q R T U V W X Y Z S H M O O C O N A B D E F E 
O I J K L P Q R T U V W X Y Z S H M O O C O N A B D E F G V 
P J K L P Q R T U V W X Y Z S H M O O C O N A B D E F G I E 
Q K L P Q R T U V W X Y Z S H M O O C O N A B D E F G I J R 
R L P Q R T U V W X Y Z S H M O O C O N A B D E F G I J K G 
S P Q R T U V W X Y Z S H M O O C O N A B D E F G I J K L M 
T Q R T U V W X Y Z S H M O O C O N A B D E F G I J K L P A 
U R T U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R 
V T U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R K 
W U V W X Y Z S H M O O C O N A B D E F G I J K L P Q R T M 
X V W X Y Z S H M O O C O N A B D E F G I J K L P Q R T U M 
Y X Y Z S H M O O C O N A B D E F G I J K L P Q R T U V W X 
Z Y Z S H M O O C O N A B D E F G I J K L P Q R T U V W X I 
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D 

"Thanks to Gary Phillips for providing the Jim Sanborn font"

The little attribution was clearly to help people unfamilar with the image to narrow their google search a little bit. Jim Sanborn is the artist who created a sculpture at CIA Headquarters called Kryptos. Half of the sculpture is ciphertext, the other half is a keyed Vigenère tableau. The image on the schedule card was likewise a keyed Vigenère, though not properly constructed. I figured this would be used to decode the last part of the puzzle, and didn’t think much more of it. (There’s also a little easter egg in the rightmost column. “LESS MOOSE THAN EVER GMARK MMXI”).

So by now, we’re done with lunch, and have found a place to sit for the opening ceremonies. I didn’t really play too much with the puzzle then, but near the end, I started again. I first tried some of the usual suspects against the code on page 12 (Vigenère, mostly), but didn’t see anything pop out at me. Then I looked a little more closely at it.

The first row “CRYPTOCONTEST” was obviously just a header. What I didn’t notice right away was that the first column also spells something. MOOSE. I had a hunch, tried it, and was quickly rewarded. The key for each of the five rows is the first letter in that row. That is, the first row (after the header) starts with the M in MOOSE, so that row is a Caeser cipher shifted by M (or, in this particular case, what’s commonly called ROT-13). The next two rows were shifted by 15 letters (O), etc. So, about 4:00 on Friday, I’d decoded it:

JUST LOOK DOWN
ITS LOW TO HIGH
FIRST AND LAST
GO DOWN THEN UP
TO FIND THE KEY

This was to be the last progress I made for nearly 24 hours. And even this wasn’t much progress, since we’d already “looked down” (at the badges) and found the key (“MAY THE MOOSE BE WITH YOU.")

On the other hand, now I know what I’m supposed to do with that phrase. And now that I’m thinking about it, the key has 20 letters, and the text on the bottom of the pages has 20 letters. Woohoo! Let’s just add one to the other, and….er…nothing. Okay, subtract. Subtract the other way? Start with 1 instead of 0? No? Shoot. After about 20 minutes, I give up (plus, the room was getting warm) so we get up to stretch our legs. I played with it a little more during the Keynote, but again, got nowhere.

After the con closed down for the evening, and we’d made (and changed and changed again) reservations for dinner, I ran into G. Mark. I told him a little about what we’d done so far, and mostly tried to get a feel for whether we had the right approach on the word search bit. Naturally, I didn’t get much help.

The next morning, when I woke up, I had a bit of a medical scare. See, I’d slipped on ice a little over a week before and banged my right knee pretty badly. It was still a little swollen, but I was making do. Well, when I got out of bed, I saw huge bruises all over my foot – which hadn’t been injured at all when I fell. Naturally, this Freaked Me Out. I ended up spending most of the morning going to, being at, and returning from, the local urgent care clinic. Fortunately, I checked out fine – the diagnosis was that invisible bruises got exacerbated by all the walking at the con, and also that extended use of Motrin and Alleve made the bruising appear much worse. Relieved, I returned to the con, and to the talks.

I kept playing with the codes, off and on, over the afternoon, but made no progress. In the meantime, G. Mark tweeted a few hints, but they don’t help me much. At 3:51, he tweets that “The tools you received in the challenge will work best without unauthorized modificaions.” What the hell is that supposed to mean? Tools? I can’t think straight, and decide to go upstairs to take a quick nap. On the way to the elevator, I get another tweet from G. Mark: “Serious breakthrough for one of the teams! Competition get hot or eat thier bits!” Great, so now I’m tired, AND bummed out.

Once in my room, I pull out the swag bag and begin going through it. I try opening all the pens, to see if perhaps there’s a clue hidden inside something, but have no luck. Then I look at the schedule card. I look at the tableau on the back. The one that was made incorrectly. I shake my head and quietly muter “No. No, you didn’t.” And then I start copying the tableau onto the computer so it’ll be easier to trace out (the font he used didn’t really line up into nice columns).

Basically, this kind of Vigenère tableau uses a different base alphabet. In the traditional cipher, the key simply switches among different Caesar shifts for each letter in the plaintext. A keyed tableau mixes up the alphabet itself, making it even harder to break. Of course, even in a keyed alphabet, the alphabet can only have 26 letters. It CERTAINLY can’t have the letter O appear three times, as it did in this table. I’d tried using a keyed Vigenère with the “MAY THE MOOSE BE WITH YOU” key many times, with many variants, but got nowhere, because I was always constructing the keyed alphabet correctly.

Here’s what G. Mark’s alphabet looks like:

SHMOOCONABDEFGIJKLPQRTUVWXYZ

and here’s what it should have looked like:

SHMOCNABDEFGIJKLPQRTUVWXYZ

Those extra Os mess everything up. But how bad does it really make it? Well, let’s take the table, and the key we got from the badges, and start decoding. First, take the first letter of the key “M” and find the row that starts with M. Then, I go over to the first letter of the ciphertext “R” and straight up to the header row to find the letter “I.” This is the first letter of the plaintext.

The next key letter is A, with ciphertext J, looking straight up I get P. So now I’ve got “IP.” I keep at this for a while, and eventually turn the ciphertext (top) into plaintext (bottom):

RJWUD TKOOA EGPAD CRLUS

IPADD RE??S HMOOC ONVII

Only two letters, both of which are key letter O paired with cipher letter O, are ambiguous. Each could be R, S, or U. It’s pretty easy to see what the right decryption is just by looking at the context. So the letters at the bottom of the page decrypt to:

IP ADDRESS SHMOOCON VII.

Woohoo! Finally! Progress! Now I just need to open a browser…and…er…hm.

Okay, maybe it’s telling me to get the ip address for the shmoocon.org site and surf to that by IP, not by name. This will almost certainly give me different data that way. But then what do I do with the VII? Also, since I’ve been helping out with the ticket sales system, I know a little bit about how the ShmooCon server is configured. And one bit of knowledge worries me – the address on the webserver itself is not the same as the address that browsers go to, because there’s a load balancer in between the server and the world. So I’m wondering – did they account for this when they set it up?

I sent a note to G. Mark mentioning I had a concern, and went back down to the conference. Not long after getting there, he walks by, and we talk for a bit. Not to worry, he tells me, everything is working fine. Cool. He asks me what parts I have left, and I told him the only piece of the puzzle I haven’t used is the word search, and talk again about how to get a ciphertext out of the puzzle by eliminating words, etc. He looks at me and tells me “back off.” I’m not sure if this means “back off asking questions, I won’t tell you anything” or “back off from that approach, it’s wrong.” Either way, I know that’s where I need to go next, so I run over to the Intrepidus Group table and pull out the program.

But how am I supposed to get an IP address out of the puzzle, using “SHMOOCON VII” as the key? S appears in the first column twice, and also once in column 2. There are 3 Hs in column number 4, and it appears twice in column 3. Maybe it’s the column with the most of each letter? No, there are 2 Ms in both columns 6 and 9. Maybe the total number of occurrences of each letter? That probably wouldn’t work either, ‘cause then you’d have 3 digits forced to the same number, which seems unlikely.

After a little while, I remember that the table has 11 rows, which had struck me as a little odd, not for any particular reason, but just that there must be a reason for 11 rows. This little bit of trivia had been completely forgotten until this moment. “SHMOOCON VII” has 11 letters. One letter per row?

Let’s see… There is only one S in the first row, and it’s under column 0. Hm. One H in the second row, under 3. Only one M in the third row, and it’s beginning to look like I’m on to something, though the number still seems weird. In the end, I get this:

03448155389

Heh. Tricky. IP addresses are just big 32-bit numbers, but we typically split them into four 1-byte blocks for easy readability. For human convenience. However, many applications don’t care and can take a single big number just as easily as a dotted-quad address. However, I’m not 100% sure about the iPhone browser. And when I try entering that number, sure enough, it doesn’t work. So I convert it to hex and get CD86ACFD. Converting each pair of digits to decimal, I get 205, 134, 172, and 253. So the address I need to surf to is:

http://205.134.172.253/

Now I’m getting excited. I get back a simple web page, with the title “Well done!”, and the following text:

Good things come in threes.
Add this to the other plaintexts.
Tell that person you solved it.

KVATY DBKZA BZICB USYWO

Cool. Okay. So…there are 20 characters there, and I’ve got two other 20 character strings. So I need to get this plaintext and add them all together. Again, I try the usual suspects, and get nowhere. Then I stop and think for a moment. And realize that I’m being an idiot. Of course I can’t take three English strings, add them together, and get English again. (I mean, maybe, but it’d be tough to arrange). I need to add the new ciphertext to the two plaintexts. Basically:

MAYTH EMOOS EBEWI THYOU
IPADD RESSS HMOOC ONVII
KVATY DBKZA BZICB USYWO

Now there are a few different ways you can “add” letters together. First, you can simply number them starting with 1 (so A + A = B, because 1 + 1 = 2). Or you can number them starting at zero (so A + A = A, A + B = B, but B + B = C). The latter is actually an easy way to implement the Vigenère cipher, and since I’ve have some favorite tools to do that online, that’s what I do – enter the first string as the key, and the second string as the plaintext, hit encrypt, and I get the “sum” of the strings. Do it again with that sum as the key and the 3rd string as plaintext, and I get:

EKYPI YRQFK MMAML BMRSQ

Damn. Nothing. Well, let’s assume that it’s been encoded itself, again trying the standby Vigenère, and I’ll use GMARK as the key. Now I get:

YYYYY SFQOA GAAVB VARBG

Oooh! Oooh! That’s important! That pretty much tells me that the string starts with GMARK. So instead of GMARK as the key, I just enter “Y”, and out pops:

GMARK ATSHM OOCON DOTUS

It turns out if I’d used the other way to add, it would have been a lot easier - the “shift by Y” decode kind of undoes the offsets I’d introduced using what was supposed to be a shortcut. If you number M as the 13th letter, I as the 9th, and K as the 11th, you get 13+9+11 = 33. Subtract 26, and you get 7. The 7th letter is G. Similarly, 1 (A) + 16 (P) + 22 (V) = 39, 39 - 26 = 13 (M). And so forth. So, once again, I apparently took the long way around.

Anyway, the instructions said to “tell that person you solved it,” so I quickly sent an email to gmark at shmoocon.us. I also sent him a direct message saying “Check your .us email account.” This was at 6:21 on Saturday. At 6:28, I got a response saying I’d won, and two minutes later he announced it to the world on Twitter.

Whew! My winning streak is safe!

At the closing ceremonies, G. Mark again explained the puzzle and how it worked, which is always great fun. For one, it verified that I’d taken the wrong approach for the final plaintext addition step. It’s also great to see the responses of the crowd as things are revealed. What was really priceless for me, though, was hearing groans and “Not again!” comments from people around me as my name was announced as the winner.

I’m still amazed by my ability to overcomplicate matters, even after solving so many of G. Mark’s puzzles. In this case, I spent a good deal of time trying to determine which words were “real” in the word search puzzle, trying to build a ciphertext out of the puzzle, when really, literally 90% of the letters in that block were fluff.

Also, I’d interpreted the Vigenère table as a hint, telling me what technique to use at some critical stage of the game. In fact, it was not really a hint, so much as the actual method and half the key. G. Mark has made mistakes in his puzzles before, but those mistakes are almost always very minor and had no real impact on solving the puzzle. In this case, I tacitly assumed that the tableau was wrong, and it was wrong simply because he was having fun. What I should have assumed was that it was right, and to use it exactly as provided. Had I really thought more clearly about all that, I might’ve solved the puzzle 24 hours earlier.

In the end, though, it was another great puzzle. I was glad to see him follow somewhat the pattern he took with ToorCon, where each stage tells you where to go next and hints at the method and key to use. It wasn’t quite exactly like that, but you could see some similarities. And it’s also great that there was a stage that wasn’t pure classical cryptography, and a stage that was classical crypto, but with an unexpected twist. Being forced to think outside of the box is the best feature of any puzzle, and once again, I was not disappointed.

(view Archived Comments from the old site)