

Defcon Badge Walkthrough - aaronsnoswell
http://potatohatsecurity.tumblr.com/post/94565729529/defcon-22-badge-challenge-walkthrough

======
milesf
If I ever considered a transition into cryptography, this story just blew that
idea up for me, forever.

I can't imagine trying to solve this! You'd have to love puzzles with an
insatiable appetite to endure this.

Good job, team.

~~~
ShaneWilton
The sorts of crypto I've dealt with in more traditional contexts (Attacking a
web application, etc), are very different from the skillset required for
1o57's badge challenge.

They're both a ton of fun, and an aptitude for one probably hints at an
aptitude for the other, but I wouldn't discount yourself entirely, just
because one writeup scared you off :)

------
ChuckMcM
This kind of thing would make DefCon challenging for me, I'd get into the
puzzles and not attend any of the talks as I tried to figure them out!

~~~
blincoln
Like a lot of people, I find that while the talks are interesting, there are
enough other things going on that are even more fun, so the talks definitely
take a lower priority. I'd need 10+ instances of myself to have paid full
attention to everything I liked at DC22.

------
brotoss
Taking the following line from the Cryptex we can decode our message.

BBVB4RCVARLU

This is what's called an OTP or One Time Pad encryption.
[http://rumkin.com/tools/cipher/otp.php](http://rumkin.com/tools/cipher/otp.php)

OTP cannot be decrypted unless you discern the unique pad.

They lost me here, how did this get figured out?

~~~
ShaneWilton
I also completed the badge challenge (Though a few hours after this team), and
as far as I know, there was no hint as to which line of the cryptex was the
OTP. We just knew, from the 'YQESMJDOJOTM' comment on the one page, that the
cryptex was involved, so we tried every line as a key until we got something.

1o57 tends to design most of his puzzles around similar ideas, so you just
start to get a feel for how he works after a while.

~~~
tlrobinson
Are the ideas similar enough that some of the steps could be automated?

~~~
ShaneWilton
Yes. I'm working on a pet project called F0UND that's meant to automate as
much of the badge challenge as possible. There will still be a lot of human
effort involved, but I think a lot of the information gathering and
cross-referencing can be automated.

Next year the black badge will be mine, whatever it takes.
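
Added example, not part of the thread or of any commenter's tooling: the "try every line as a key until we got something" step described above, automated. It assumes a letters-only A-Z pad subtracted mod 26 and ranks output by a short list of common English bigrams. The challenge's real alphabet and mapping are not given in the thread (the quoted line contains a digit), and the ciphertext and candidate lines below are constructed.

```python
import string

ALPHABET = string.ascii_uppercase  # assumed pad alphabet: A=0 ... Z=25

# A short list of common English bigrams, used as a crude readability score.
COMMON_BIGRAMS = set(
    "TH HE IN ER AN RE ON AT EN ND TI ES OR TE OF ED IS IT AL AR "
    "ST TO NT NG SE HA AS OU IO LE VE CO ME DE HI RI RO IC NE EA".split()
)

def otp_decrypt(ciphertext, pad):
    """Subtract pad from ciphertext letter by letter, mod 26.

    Returns None when the pad is too short or either string has a symbol
    outside the assumed alphabet, since the mapping is then undefined.
    """
    if len(pad) < len(ciphertext):
        return None
    if any(ch not in ALPHABET for ch in ciphertext + pad):
        return None
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
        for c, k in zip(ciphertext, pad)
    )

def score(text):
    """Count adjacent letter pairs that are common English bigrams."""
    return sum(text[i:i + 2] in COMMON_BIGRAMS for i in range(len(text) - 1))

def try_every_line(ciphertext, lines):
    """Decrypt with each candidate line; return (score, line, plaintext), best first."""
    results = []
    for line in lines:
        plaintext = otp_decrypt(ciphertext, line)
        if plaintext is not None:
            results.append((score(plaintext), line, plaintext))
    return sorted(results, key=lambda r: r[0], reverse=True)

# Constructed sample data, not taken from the badge challenge.
CIPHERTEXT = "TYNGHUBREUVK"
CANDIDATE_LINES = ["MWPXLZKJQVNC", "K7QXZPLMWVJH", "QUIETHARBORS", "ZXKWJVQPMHGY"]

if __name__ == "__main__":
    for s, line, plaintext in try_every_line(CIPHERTEXT, CANDIDATE_LINES):
        print(f"{s:2d}  {line}  ->  {plaintext}")
```

With only twelve characters the bigram score is noisy, so the ranking narrows the list for a human to read rather than picking the answer outright.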

------
Sniperfish
Loved reading this. Some incredible reasoning. Even being shown the answer,
there are multiple stages where I can't follow the reasoning that allowed them
to progress. Kudos, respect, and jealousy!

------
jsinghdreams
Great Walkthrough. How long did it take to get through the challenge?

~~~
ShaneWilton
The contest starts when you get your badge Thursday morning (8:00 AM - 3:00 PM
depending on the line), and the team that won this year finished at about 6:00
AM on Saturday.

------
ff7c11
I love the use of Google's Latin-English dictionary. Which amazingly also
includes the word microwave.

~~~
userbinator
The absurdity of Google Translate's Latin-English output was discussed in a
related item:
[https://news.ycombinator.com/item?id=8191462](https://news.ycombinator.com/item?id=8191462)

...and I agree that for this to be used in the puzzle is extremely clever, if
not somewhat fragile (it doesn't work anymore).

------
ufmace
That was kinda insane! Now I have to wonder just how many bits of random stuff
get handed out to Defcon attendees that might or might not be part of some
sort of puzzle like this.

------
aaronsnoswell
I can't believe someone solved this. Champion effort.

------
alexsilver
This made my head spin. Fun ride! I'm always in awe of crypto guys. Truly,
their minds work in a different way!

------
Squarel
I loved this article.

Unfortunately I now have a burning urge to rejoin TBW ARG which I thought I
had escaped from :(

------
tbolse
Very impressive.

------
pgl
Holy shit.

