In part one we covered Registration, and the time between Registration and the actual Challenge beginning.  Last year evilpacket and I competed as a team of two (with lots of help from friends and random passers-by), and did OK, but felt like we could do better with more team members and a more diverse skillset, so we assembled a crack team made up of a few seasoned MC veterans, and a couple of people new to the challenge.

And so it begins…

We join our heroes well rested and ready to believe six impossible things before breakfast. Then they had breakfast. The Challenge was slated to start at 10:57, but was pushed back, and wound up starting about noon. We were given a single envelope, containing two sheets of paper, and instructions to return in one hour. Our team quickly went to a quiet place to open our envelope and figure out our next steps. Based on the instructions we were given (the first sheet of paper), and our role (one of three, determined by the 2nd sheet of paper), we decided on a basic strategy to try and determine what role the other teams were playing. We went back to the contest area and began talking to the other teams, noting our observations about their behaviors and drawing conclusions. This was actually one of the more difficult pieces of the contest, as we were already dealing with a group of people who’s default state is basically paranoid, and the added pressure of not wanting to give up any info without gathering some of your own only heightened that tendency. Many of the teams got together and decided that it would be a good idea to create a 4th role, that of the Zombie. Our team did not take part in the Zombie invasion.

After what seemed like quite a while LosT asked the team leader for each team to gather around his table. He then instructed us to take a position in any one of three lines, based on what we had been able to discern about the other teams’ natures. The Zombie teams, true to the Zombie nature, congregated in a single line. Our team chose to start a new line, and when given the opportunity to move I chose to stay in line. Unfortunately the Human in my line switched lines shortly after, and I was left in line with a Slayer, so I was “slain”. At this point, each archetype was asked to congregate, and boxes were handed out. We also received a single transparency with our box. LosT then explained that we had “tokens” that we could use to buy hints, or turn in at the end of the contest for points. If we convinced the other groups in our archetype to all turn in a token with us, we would receive a major hint. If we turned in a token without the other groups, we would receive a minor hint. The Vampire groups congregated and exchanged contact info, then headed in separate directions to open their boxes.

Opening the box

Team Psychoholics returned to our room to open the box in privacy. We noted on the way that each group received a different colored box, but we later found out that the contents of all the boxes were similar. As you can see from the pictures, the contents of the box were rather random. We assumed that the candy and plastic army men with missing limbs probably didn’t mean too much, while the passphrase card and paper with backwards text were probably more important. The transparency was also intriguing. We guessed from our knowledge of LosT that the two strings of asian-looking characters were Chinese and Korean. Chaoskitty immediately began working on getting that sheet translated, and the rest of us settled in to try and figure out where to go from here. We felt that the page with backward text was pointing us to the program, so PunkAB started working on deciphering the gray code while the rest of us tried various things with the ciphertext from page 25. Once again we turned out to be over-thinking the problem, as the ciphertext was a sort of rail-fence cipher. Chaoskitty was also successful in her translation of the characters in the transparency, which we will cover later.

We wound up using a major hint with all the other Vampire teams, and LosT let us know we were on the right track, but we had missed something simple. He also gave us a picture of an alien with 17 fingers. Shortly thereafter PunkAB had the solution to the page 25 text. Once we deciphered it, we had a hint, “BADGE FACADE”. The other hint we needed was in the page with backwards text. The page told us that we could check our work in “Some Places”. It also mentioned a “grey” military “facility”, which we took to mean Area 51, and that “when” and “where” were the key. After much brain-wracking, we figured out that we needed to convert our hint from base-17 to base-10. This gave us a number, and when you added the digits of that number together, or SUMmed the PLACES, the answer was 51. We quickly wrote this down on our card and turned it in to LosT. He congratulated us and handed us a micro-SD card. At this point we took a vote and decided that it must be time for dinner, so we went across the street to the Hilton and had a decent meal in a cafe, the name of which I can’t remember at the moment.

Dinner

Being geeks, of course we had a computer with us at dinner, so we went ahead and took a look at the SD card we had received. It contained about 1GB of apparently random music files, mostly in MP3 format. There wasalso a readme.txt, which read:

So I know you’ve been working hard.
Here is some music to work by.
Put it on, set it to random play, and enjoy!
(It’s quite the mix…I know, I have weird taste~)

Now I know you are asking yourselves,
Why did he give this to us?

Well- I could have copied my M.O. from other years,
and there could be something sneaky-  but that would be
LAME.  I wouldn’t have the audacity to do that to you
again.

Enjoy!

Ryan “1o57″

LAME is an open-source MP3 encoder, and audacity is an open-source audio editing and recording package. Given the nature of the files, we assumed that we were going to need to pull some data out of the audio files. When we returned to the conference PunkAB mixed us up some tasty mojitos and we settled in to check out the audio. We downloaded audacity and LAME and then we split into small groups, some listening to the music, others doing hexdumps of files that looked promising, others looking at the files in audacity. After a bit, I noticed that there were three files on the SD card that had been modified that morning. One was the readme.txt from above, another was an MP3 that had some text letting us know that he wasn’t repeating last year’s trick of hiding some BASIC Stamp code in a file with a .MP3 extension, and the third, Marchofprogress.mp3, was garbage. After listening to this song in audacity it was immediately apparent that something was not right, it was simply a high pitched squeal. When looking at the hexdump of this file, we noticed a WAV header, and changed the extension to .WAV, turned the file into static. We then started trying to speed it up, slow it down, shorten it, stretch it, etc. None of these ideas bore fruit.

One by one, team members decided to sleep on the problem. I stayed up late working on lots of dead ends, and finally decided to call it a night. That night I had dreams about aliens playing music. This contest gets in your head. Stay tuned for part three tomorrow!

Another defcon has come and gone. It’s two weeks later and I finally feel like I’m starting to be halfway normal again. For the second year evilpacket and I competed in the LosT@con Mystery Challenge.In this series of posts we’ll go over the Mystery Challenge in detail, from registration right through to the end

Registration

So this year’s registration started off with a post from LosT on his ten-five-seven.org site on June 1st.. The post included a picture by an artist named eddie the y3t1. evilpacket and I started looking at the image, and quickly concluded that it was not just an image. Embedded in the image was a .rar archive containing a single text file, named DeadBeef. This file contained a quote from Willy Wonka, and a block of ciphertext. We attacked the ciphertext several ways, but wound up discovering that it was simple ROT13. LosT left us a clue to this, as the last word in the Willy Wonka quote was “rotten”. Once we deciphered the block, we had instructions for where to send an email to register. A few minutes later we were happy to see Team Psychoholics added as the second successful registration.

Over the course of the next several weeks we watched as other teams were given some clues, and some red herrings. At some point he mentioned that people should hang out in #mysterychallenge on UnderNet, so we started doing that. We obsessed about whether or not we were actually registered, due to some comments by LosT. Eventually, we wound up meeting some really cool people, in the forms of chaoskitty, krux, and PunkAB. Chaoskitty and krux were still trying to get registered when we met, and they seemed like cool people. Chaoskitty managed to figure out the registration just before the deadline and added Team Halibut to the list of registered teams. PunkAB was also still working on registration, having come into the game a bit late. He also managed to figure out the puzzle right before the deadline, sliding in as an alternate. After getting to know these folks evilpacket and I decided to invite them to join our team, since we only had three people, and they were teams of 2 and 1, respectively. We had previously invited an employee of one of our clients to help, as this was going to be his first defcon, so gunslingor was along for the ride, too. After all was said and done we had a team of 6 people, with very diverse skill sets, ranging from instrumentation and controls engineering to system administration to hardware hacking to consumption of large quantities of alcohol (that was mostly my job…)

For the next several weeks we hung out in the IRC channel and got to know our new teammates better, and trying to outthink LosT. Every hint he posted was deconstructed, every comment disassembled. Eddie the y3t1 posted the phrase “n0t 4ll m4gn3t5 4ttr4ct” (this is “leetspeak” for “not all magnets attract”). A google search for this phrase turned up exactly one other webpage, which just happened to be a picture on Eddie the y3t1′s deviantart page. This page contained two binary strings which had several interesting characteristics. PunkAB spent MANY hours trying to decode the binary strings, and we finally decided that we had stumbled on this clue early and we shelved it for later. LosT posted a clip from the film Primer. This led us to find the movie, rent it, and watch it. Good movie, incidentally. After watching the movie evilpacket decided that in order to win the Mystery Challenge this year we were going to have to solve time travel. Many other leads were followed and discarded as dead ends, or filed away for later use.

Arrival

We arrived in Las Vegas Thursday so we could register early and make sure we got the cool badges. We met up with our new teammates and started talking about the challenge. As soon as we registered and started looking at the defcon program we found a few things which stood out. The first was on page 9, it was a small picture:

Image from page 9 of the defcon program

The text reads:

“Not all who wander are LosT

When you look into the eyE

gray skies seem clear

You may find truth when you begin to question

what you base your beliefs ON

OFten we defeat ourselves”

Even though the contest hadn’t yet started, we suspected this might have something to do with the challenge. Our first clue was that the guy in two of the pictures is LosT… IT turns out that this design is something called “gray code“. A couple people started working on this, trying to figure out what it might mean. In the meantime, we also had another clue. On page 25, we found this image:

Image from page 25 of the defcon program (click for larger version)

The first thing we tried with this was a frequency analysis, and it sure looked like English to us, but as with a lot of things in the Mystery challenge we were over-thinking it, and spent a LOT of time trying different things before we finally deciphered it. At this point the contest still hadn’t started, so we all decided to turn in early and get lots of rest before the official start of the Challenge.

Stay tuned for part two, where the contest starts, and we all lose a little piece of ourselves…