DEFCON 21 Badge Contest

By: [MLF]

Smashed Again by CK (Crypt Killer), Decrement, Elegin, Beeker

Not complete....

This is our write-up for the Defcon 21 Badge challenge. A huge round of applause to Lost and Ellen and anyone else who helped age me by 10 years in 3 days. I joke in the write-up; don’t take any of it seriously, I don’t. If we can’t laugh, we can’t live.



I hope everything is correct, but should there be mistakes, take it up with Lost, not me or anyone from the team. Seriously, email us and we will fix it or add it (maybe).



We had a great time and getting black badges is always fun. Seriously, you should try it.

The Badge Challenge

The Program

The first four paragraphs on page 3 of the program are a play on words for Fiddler on The Roof.

"A fiddler on the roof... Sounds crazy, no? But here, in our little village of Anatevka, you might say every one of us is a fiddler on the roof. Trying to scratch out a pleasant, simple tune without breaking his neck. It isn't easy. You may ask, why do we stay up there if it's so dangerous? Well, we stay because Anatevka is our home. And how do we keep our balance? That I can tell you in one word! Tradition! Tradition Tradition Tradition Tradition Tradition Tradition Because of our traditions, we've kept our balance for many, many years. Here in Anatevka, we have traditions for everything. How to sleep. How to eat. How to work. How to wear clothes. For instance, we always keep our heads covered, and always wear a little prayer shawl. This shows our constant devotion to God. You may ask, how did this tradition get started? I'll tell you. I don't know. But it's a tradition. And because of our traditions, every one of us knows who he is"

The idea is that we are hackers, not fiddlers; we each are a Hacker On The Roof in Vegas.

Keyword is HackerOnTheRoof.

Now go to this URL: https://www.defcon.org/1o57/dc21/HackerOnTheRoof/



Traditions!



Seeing Everyone Come Out Near Defcon Helps All Learn Fun:



ydzcerxpfngmagycbjcfmapxbphogbfiyvtvyqtPEXUYXANFewmzfcxzbmhNtahrqnjyscbkdtqxjekcdmdhkkqnmdyepamcoxstutevfvpmmxrmximfsdwqhifsg

(This is used later. Notice if you take the first letter of each word, it spells "SECOND HALF")

The Lanyards

There are four lanyards, and when they are all lined up you get a stanza of music in bass clef, where dots on lanyard edges correspond to notes on lines and dots on lanyard centers correspond to notes in spaces. Starting from the bottom line: G,A,B,C,D,E,F,G,A ( http://en.wikipedia.org/wiki/Bass_clef )

ADD A DEAD ACE BADGE

(used in final answer)

Note: Our original decryption was “Add dead ace badge” due to a poor photo job that left out a character. Thankfully, over the course of puzzle solving, we had heard multiple decryptions of the text, so had a few other texts to try (Add dead face badge, Add a dead ace badge, Punch Lost in face badge, All your base are belong to us).

The Badges

The suits we named rotary, smiley, floppy, and crypto. We liked crypto better than other terms because it looks better in code, all having 6 letters, and we like crypto better!

A LOT OF BADGES!!!!!! WE DON'T NEED NO STINKING BADGES!!!!!!! YES WE DO!

Looking at the badge matrix you can see all the data on them. The parts we used for the solutions are in the bottom right on the front of each badge. Each suit had a different symbol: pi, e (Euler's number), reflected binary code (Gray code), or linear feedback shift register.

The symbols were the key to the order of the text on each badge using the very very light 3 bit binary number.

The order for the Linear feedback shift register is as follows:

111, 011, 001, 100, 010, 101, 110, 111

(for more information https://en.wikipedia.org/wiki/Linear_feedback_shift_register )

The 3-bit binary on each badge needs to be ordered after the register. The decimal numbers were converted to alpha using 0=A, 1=B, etc. Since there were two badges labeled 111, we would have to try each in our final decryption.

The order for e (Euler's number, AKA the base of the natural logarithm) is as follows:

Using the 3-bit binary in decimal form the order is where the number first occurs in e.

e = 2.71828182845904523536

2,7,1,4,5,0,3,6

The order for the pi is as follows:

Using the 3-bit binary in decimal form the order is where the number first occurs in pi.

pi = 3.14159265358979323846264338327950

3,1,4,5,2,6,7,0

The order for the Gray Code is as follows:

000, 001, 011, 010, 110, 111, 101, 100

(for more information http://en.wikipedia.org/wiki/Gray_code )
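The four orderings above can be regenerated instead of copied by hand. The following is an added example, not the team's code: the LFSR tap choice is inferred from the sequence listed on this page, and the `arrange` helper and its sample fragments are hypothetical.

```python
# Added illustration (not the team's code): rebuild the four suit orderings
# listed above from their generators.

E_DIGITS = "271828182845904523536"               # e as printed on this page
PI_DIGITS = "314159265358979323846264338327950"  # pi as printed on this page


def lfsr_order(seed=0b111):
    """3-bit Fibonacci LFSR: shift right, feed bit1 XOR bit0 into the top bit.

    The tap choice is an assumption inferred from the sequence on this page.
    """
    order, state = [], seed
    while True:
        order.append(state)
        feedback = ((state >> 1) ^ state) & 1
        state = (state >> 1) | (feedback << 2)
        if state == seed:          # full period of 7 states reached
            return order


def gray_order(bits=3):
    """Reflected binary (Gray) code: consecutive values differ in one bit."""
    return [i ^ (i >> 1) for i in range(1 << bits)]


def first_occurrence_order(digits, max_value=7):
    """Order 0..max_value by where each digit first appears in `digits`."""
    seen = []
    for ch in digits:
        d = int(ch)
        if d <= max_value and d not in seen:   # 8 and 9 have no 3-bit label
            seen.append(d)
    return seen


def arrange(badges, order):
    """Put badge fragments (3-bit label -> text) into a suit's reading order."""
    return [badges[label] for label in order if label in badges]


if __name__ == "__main__":
    def bits(seq):
        return ", ".join(f"{v:03b}" for v in seq)

    print("LFSR:", bits(lfsr_order()))
    print("Gray:", bits(gray_order()))
    print("e   :", first_occurrence_order(E_DIGITS))
    print("pi  :", first_occurrence_order(PI_DIGITS))
    # Constructed fragments, only to show the reordering step.
    sample = {0b001: "C", 0b111: "A", 0b011: "B", 0b100: "D"}
    print(arrange(sample, lfsr_order()))
```

The LFSR cycle has period 7, so the second 111 in the list above is the register returning to its seed, which is why two badges carried the same label.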

That was a lot of stuff..no worries..we will use that #$%^ soon

The Floor Graphics

Solar Clock/Watch

This is a system used by mathematicians for calculation in ancient East Asia. ( More here http://en.wikipedia.org/wiki/Counting_rods )

Believe it or not, Cryptkiller figured it out by staring at it long enough to make his eyes bleed. We also talked to another person who figured it out using the bleeding eye method.

The numbers are a straight alpha conversion giving the following text:

DEFCON21KEYWORDORRERY

"It was a sign that Lois was trying to help you, but you weren't finished.

Take what Lois gave you and OTP with your Smiley suit.

(But you're not done yet!)"

Lois is key here. As usual with Lost’s challenges, there are multiple paths to answers. We actually found Lois Runtz (not to mention 50 other Lois references) way before the actual clue for it was discovered, but it didn’t make sense until we got the other clue.

Block Cipher

Credit where it is due: https://github.com/ryanshoff/dc21badge .

I would really like to know how DAFUQ you got there. Seriously, how did you figure it out?

http://www.apprendre-en-ligne.net/crypto/bibliotheque/shadow/shadow340715.pdf

This is the reference we found while contesting...

It also contains other ciphers that may be useful next year? http://www.nku.edu/~christensen/section%205%20symbols.pdf

( http://www.docstoc.com/docs/54185227/The-Shadow-Chain-of-Death )

( http://www.learningace.com/doc/1110885/67b34e1fd73c05586e3c4be0fa74c572/section-5-symbols page 21)







Update

Hey,

I guess I'll take a bit of credit for figuring this out if ryanshoff got this from the defconbadgepuzzle Google group (he was also in the room at the time I believe). I found the circle puzzle by Googling "ciphers with symbols" or something along those lines and stumbled across http://www.nku.edu/~christensen/section%205%20symbols.pdf and saw the circle pattern (pg24) while listening to a talk in Room 3. I immediately ran back to the 1o57 room and told a group there (that is how I ended up on the other team that finished the challenge a half an hour after you guys).

We shared this info with everybody (in the room & Google Group) because we didn't think we had any chance of finishing, let alone winning.

The page after (pg25) somebody else immediately recognized this as the weird cipher from the floor.

Anyhow, the guys in the room who I ended up working with quickly translated both using these ciphers and found these two keywords (homodoxian and syzygy) and the rest was history :)

Thanks,

Sam Erb



All the above being said, this was still a pain. Even knowing how it works, it still hurts to look at it.

The decoded brain hemorrhage is “KEYWORDHOMODOXIAN” ??!!

Ok seriously Lost, wtf. What spelling bee did you watch and think “Holy $#$%^ I love that word”?

Since it does not have a wiki entry, I am fairly confident it is not a real word.

And to really take this point home ( http://prettygoodword.livejournal.com/263263.html ) .

It has only been documented as being used once in the entire written history of mankind. Wait, strike that, @$%&ing twice.

KEYWORD HOMODOXIAN

https://www.defcon.org/1o57/dc21/homodoxian/

"Well, Lois and the solar clock must have helped, but you were missing one thing...

Take what the solar clock showed and OTP that with your rotary suit, then by golly you've got a key."

Trollville Interlude

Some evil hatched creature decided to mess around with the cipher by removing part of the last set of characters.

In the end, not a real big deal, since if you knew the cipher it would fall out anyway.

It makes me laugh now, but OH at the time.

The Signs

Key Hole Signs

All the Keyhole (crypto) symbol signs were encoded in ROT13 (some were triple ROT13):

"SEARCHING FOR ANOTHER CLUE

THE KING OF KEY HOLES MAY HELP

REFLECT ON WHAT YEAR THIS DEFCON IS

YOULL FIND THE ZONE BSIDE YOU

BASS YOUR KEYWORD NOT ON A QUIET STOP BUT THE REAL ONE WITHIN

AND WITHOUT SPACE OF COURSE"



This clue-infested disaster is broken down like so:

“THE KING OF KEY HOLES”: Geddy Lee (RUSH) on the King keyhole (crypto) badge.

“REFLECT ON WHAT YEAR THIS DEFCON”: Defcon 21, flip 21 to get 12, and 2112 is a RUSH album.

“YOULL FIND THE ZONE BSIDE”: B-side of the 2112 album, the Twilight Zone track.

“BASS YOUR KEYWORD NOT ON A QUIET STOP BUT THE REAL”: Song was based on 2 episodes of The Twilight Zone; "Will the Real Martian Please Stand Up?" and "Stopover in a Quiet Town"

The key word is:

WillTheRealMartianPleaseStandUp

Finally I Realize Special Timing Hinders All L0sT Finalists: (FIRST HALF)

Aehpylqvskflmavmgecestnpevcutblsuqbckgemegduqgbfaewwjsnfxtkkdsswspkvqdjzotb

Jack Sign Ciphers

On the bottom left of 4 of the Hacking Village signs were ATBASH ( http://en.wikipedia.org/wiki/Atbash ) encoded text:



- 74 (J) (ATBASH)

- EVENIFYOUWANTTOBELIEVEONEOFTHEJACKSDOESNTBEL

- 65 (A) (ATBASH)

- ONGDONTOUTFOXTHEMJUSTSCULLYALONGIFYOUASKTHEY

- 81 (C) (ATBASH)

- MIGHTLOANYOUAKEYTHEYTOOARELOOKINGFORLEEANDNO

- 75 (K) (ATBASH)

- TANAGRAMICALLYSPEAKING



- Together:

- EVEN IF YOU WANT TO BELIEVE ONE OF THE JACKS DOESNT BELONG DONT OUT FOX THEM JUST SCULLY

ALONG IF YOU ASK THEY MIGHT LOAN YOU A KEY THEY TOO ARE LOOKING FOR LEE AND NOT ANAGRAMICALLY SPEAKING

A few things are taken from this absolute mess. We got most of it AFTER we found the answer via a clue from Lost and finding Lois.

Since hindsight is 20/20: the Jacks refer to the playing cards, and LEE and ANAGRAMICALLY refer to Lois.

Of the 4 jacks one didn’t belong, that was the Guy Fawkes jack (only one with a mask).

The other three were the Lone Gunmen from X-Files. The Lone Gunmen sometimes worked with a thief named Yves Adele Harlow (an anagram of Lee Harvey Oswald) whose real name is Lois Runtz.

I can only guess this was a stab at the horrible way the Lone Gunmen characters were written off; we all know they deserved better.

"Having trouble with the first and second half?

Well, put on your key suit and OTP your disc...but that's not all..."

1o57 Sign

There were some ciphers in the image around Lost in the spade symbol but they were not a big deal.

(Morse code, binary, pigpen, that we know of)



This one meant something:

This solution was also from the Chain of Death, Shadow novella.

The result is:

"HAVE FUN NEED HELP JUST ASK PASSCODE SYZYGY"



SYZYGY? I actually like this one because it came from the Dreadstar comic book that I have and collected as a kid.

( https://en.wikipedia.org/wiki/Syzygy_Darklock )

(more likely it is the fact that it ties X-Files and orrery and Clockwork Orange all together in one swoop)

( https://en.wikipedia.org/wiki/Syzygy_%28The_X-Files%29 )

The Last Bit But, Not the Least Significant

Last piece ( almost )

At this point we were at the conference area in the 1o57 room and we were head to head with another team.

Ok, if you made it this far you got something wrong with you. Since you're here let me summarize some crazy down to just ouch.

Let's ignore the lanyard for now (again); we have the badge ciphers, floor ciphers, and the sign ciphers.

ALL the keywords pointed us to webpages that told us we need to One Time Pad everything together. Ready for the train wreck?

The LoisRuntz url tells us to “key suit and OTP your disc.”

The orrery url tells us “Take what Lois gave you and OTP with your Smiley suit”

The Twice used word in human history homodoxian url states “Take what the solar clock showed and OTP that with your rotary suit”

The solar clock was the floor cipher that used counting rods (how does he find this stuff ) which deciphered the orrery url.

With the OTP inception, we basically OTP the $#%^ out of all the badge ciphers and for kicks we pad the short ciphers.

Just to add a little excitement, we had to figure out that all the suits got ROT13 except the rotary suit.

I know, absolutely devious and slightly masochistic.

As the Word Who Must Not Be Named (homodoxian) tells us, “by golly you've got a key.”

“GOLLY”, did you really type that out or was that a typo? I am going with a typo.

We have a key and now we need a lock. Back to the beginning, the HackerOnTheRoof url

“Seeing Everyone Come Out Near Defcon Helps All Learn Fun”. Take the first letter of each word and you get SECONDHALF;

the cipher text on that page is the second half of the cipher text. The first half is on the “WillTheRealMartianPleaseStandUp” url,

“Finally I Realize Special Timing Hinders All L0sT Finalists”. Again, take the first letter of each word and you get FIRSTHALF.

We have KEY and CIPHER. OTP and DONE.

The result is:

HOPE YOUVE BEEN HAVING FUN AND YOUVE MET SOME NEW AND INTERESTING PEOPLE

BUT YOU HAVENT FINISHED YOUR JOURNEY YET

YOU NEED TO SEND EMAIL TO DEFCONDJSTEPHANIEANDMICHELLE AT GMAIL

BE SURE TO INCLUDE YOUR BEST CON MOMENT AND THEY LOVE PICTURES
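The chained OTP described above, as an added example that is not the team's solver. It assumes A=0 ... Z=25 with letter-wise addition mod 26 and a repeating pad for short texts; the suit texts are constructed stand-ins because the real ones are not reproduced on this page.

```python
# Added illustration, not the team's solver. Assumed convention: A=0 ... Z=25,
# "OTP" adds letters mod 26 (subtract to undo) and a short pad repeats.
from itertools import cycle

A = ord("A")


def letters(text):
    """Upper-case and keep letters only; spaces carry no information here."""
    return "".join(c for c in text.upper() if c.isalpha())


def rot13(text):
    return "".join(chr((ord(c) - A + 13) % 26 + A) for c in letters(text))


def otp(text, pad, sign=1):
    """Combine text with pad letter by letter; sign=-1 reverses sign=+1."""
    return "".join(
        chr((ord(t) - A + sign * (ord(p) - A)) % 26 + A)
        for t, p in zip(letters(text), cycle(letters(pad)))
    )


def build_key(as_is, rot13_first):
    """Chain-OTP several texts into one key; rot13_first are ROT13'd first."""
    parts = [letters(p) for p in as_is] + [rot13(p) for p in rot13_first]
    key = "A" * max(len(p) for p in parts)   # all-A pad adds zero
    for part in parts:
        key = otp(key, part)
    return key


def recover_key(ciphertext, known_plaintext):
    """Known plaintext gives the pad back: key = ciphertext - plaintext."""
    return otp(ciphertext, known_plaintext, sign=-1)


# Constructed stand-ins: the real suit texts are not reproduced on this page.
ROTARY = "CONSTRUCTEDROTARYSUITTEXT"
OTHERS = ["SMILEYSTANDIN", "FLOPPYSTANDINTEXT", "KEYHOLESTANDIN"]
PLAINTEXT = "HOPE YOUVE BEEN HAVING FUN"     # opening of the decoded message

if __name__ == "__main__":
    key = build_key([ROTARY], OTHERS)
    ciphertext = otp(PLAINTEXT, key)
    print("ciphertext :", ciphertext)
    print("decrypted  :", otp(ciphertext, key, sign=-1))
    # ROT13 on three of four inputs only shifts the combined key by 13.
    print("shift by 13:", key == rot13(build_key([ROTARY] + OTHERS, [])))
    print("recovered  :", recover_key(ciphertext, PLAINTEXT))
```

Because addition mod 26 commutes, the order in which the suits are combined does not matter, and triple ROT13 is the same as a single ROT13.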



Ok sweet, let's email DEFCONDJSTEPHANIEANDMICHELLE at gmail with the half-crazed-looking picture of the four of

us and let them know how much we love inflicting frontal lobe damage on ourselves.

email returned error

Google DJSTEPHANIEANDMICHELLE and guess what: D.J., Stephanie, and Michelle are the daughters on Full House.

OMG@! This must be a mistake. Replace DJSTEPHANIEANDMICHELLE with FULLHOUSE and send an email to DEFCONFULLHOUSE ..

Response:

Final Puzzle

The uber badges were given to 1o57 by the timelords. They used sonic encoding as a BASSis for passing to us this information.

But it will take 4 to find the truth. They call the Ubers by their age, such as "<age> badge".



Bring 1o57 the true age of the Uber badges, written on red paper.

Oh, and don't forget, the time lords kept their time in seconds. 1o57 can't deal with numbers that large (14 digits? too big!)

So please name the Uber in YEARS (6 digits is so much more manageable).


NOT FINISHED AND RED PAPER

Once we calmed down, Beaker took off to get @”%#@ red paper. I am not sure what happened all I know is

that I heard screaming, bones crushing, and what I can only guess was human flesh being devoured

( I try not to think about how he got the paper ). By the time he got back with what looked like freshly soaked red parchment

( pretty sure he made it from the flesh of someone), we already had the answer.



let’s break this down:

-“sonic encoding as a BASSis for passing to us this information.

But it will take 4 to find the truth.” ,

this is referencing the lanyard bass clef cipher.

-They call the Ubers by their age, such as "<age> badge".

Here we remove BADGE from ADDADEADACEBADGE



We now take the lanyard answer “ADDADEADACE” and convert it to decimal from base 16:

Time Lord Age (seconds): 11947221899982

and divided the $#%^ out of it until we got it into years:

Years: 378842 (in years)





(note: we worked it out with a calculator) THE FINAL ANSWER!!!!!!!!!!!!!!!!!!

We wrote the wrong answer on the red paper and handed it to lost.


(Next we just put "0xaddadeadace seconds to years" in google and got 378843)

DONE.

Things were a little fuzzy, but from what I remember, the roof disappeared, it became day, the sky opened, and angels descended down

to give us a pat on the back. I could be off on that, a little. I am pretty sure it was not day since it was like 1 a.m.,

the light must have been coming from heaven or something.

Unsolved Mysteries

- DT vs LOST badges

- Rotary and Smiley suits have DT highlighted on their reverse

- Floppy and Keyhole suits have Lost highlighted



- Crypto and Hacker badges

- Lost and DarkTangent each had their own badges depicting themselves

- The reverse of these badges had the Gallifreyan name of The Doctor (from Doctor Who)

- Doctor Who tie-ins

- Dr. Who's name is written in Gallifreyan on the reverse of the Uber, Hacker, and Crypto badges

- In the simple decryption of the Floppy suit, the line "the river" is skipped

- River Song is said to be the only person who knows the doctor's real name



- The Labyrinth

- Lost wore a shirt depicting The Labyrinth (with David Bowie)

- Other floor art

- No apparent crypto hidden

- Solar Clock Cipher

- Depicts two positions with 1057 written in sticks and rods

- One with a keyhole in the middle, the other without a keyhole

- PunkAB's theory: 15 suit symbols (~45 deg) separate the two holes.

- Rotating the dial 45 deg would also align the clock hands

- Hour hand at 9, minute hand at 12 (Coincidentally, 9:00pm == 21:00)

- Also, if viewing the cipher as a depiction of a lock, the large floppy planet would act as a counter weight





Update

9:12 would, as you say, translate to 21:12, hence once again pointing you to the aforementioned Rush album. It's also the positioning of the clock on the Rush album cover art for Clockwork Angels.

cryptokill3r at g m a i l

elegin at g m a i l