DEF CON 28 – Badge Challenges

By @AstralVx. The badge for 2020 was a cassette, but the challenges were split over 3 items – the cassette badge (sides A and B), the lanyard, and the liner (front and back) as seen in the images below.

DEFCON 28 badge – cassette badge, lanyard, cassette case liner
Liner back

In summary the challenges consisted of ciphers from rot n, Vignere, one time pads, alphabetic index, b64, font identification, audio processing, spectrograms, dial tones, oscilloscopes, C64 Ghostbuster’s game cheat, trivia from pop culture to scifi movies and lots of falling down rabbit holes.

Table of contents

Liner challenge 1 – Character colours

Liner title

You should notice how Fig 3 “DEF CON SAFE MODE” could correlate to the coloured squares above, where ‘D’ could be red, ‘O’ could be cyan/green and so forth. Looking mid way down the liner you will also come across Fig 4 using mostly the same colours with an extra.

Liner challenge 1

Cross analyzing the letters to colours, you can create a system to link both. We chose: Orange=Or, Cyan=Cy, Pink=Pi, Violet=Vi, Green=Gr, Blue=Bl, Yellow=Ye. Once you notice the colours are the letter index (i.e. Gr = 1), then you can interpret Cy Gr == 1 5 == ‘O’. Resulting in the table below.

Letter, ColourCode, ColourIndex
A       Gr           1
B       Ye           2
C       Vi           3
D       Or           4
E       Cy           5
F       Pi           6
G                    7
H                    8
I       Bl           9
J                   12
K       GrGr        11
L       YeGr        12
M       ViGr        13
N       OrGr        14
O       CyGr        15
P       PiGr        16
Q                   17
R                   18
S       BlGr        19
T                   20
U       GrYe        21
V       YeYe        22
W       PuYe        23
X       OrYe        24
Y       CyYe        25
Z       PiYe        26

Bringing this together and looking back at Fig 4, where it’s:

Ye, CyGr, CyGr, *, Vi, CyGr, YeYe, Cy, Or
B,  O,    O,    *, C,  O,    V,    I,  D

BOO COVID

Liner challenge 2 – Route transposition cipher

Liner challenge 2
tIstFCOnRFoofFioumYrgureoohrDOuntIon

Here is where you can go ghetto and just throw it every common classic cipher, an excellent site for these sorts of challenges is https://www.boxentriq.com/code-breaking and eventually you find something useful with a route transposition cipher at column 6. Notice the columns are read downwards and from right-to-left.

tIstFC
OnRFoo
fFioum
Yrgure
oohrDO
untIon

ComeOn FourDo tFourI sRight InFron tofYou

Come On Four Dot Four Is Right In Front Of You

Liner challenge 3 – Vignere cipher

Liner challenge 3
Xbaw maek wzme pgty zvxy izwk iwhk lnhy 
agrl rrlp fsis xadh uflx dsqh rzrg qegu 
itwb wveq aslo moii xmzx mvea rtil yekd 
lvks jrbo arvy nmjz wodi gcxe tkrr cyir 
xbsu rwyf slwr ixyk lrwz sbzr zbpg rrrw 
hjsi alXX 1o57

Once you have done a few Lostboy challenges you will quickly notice he has a few favourite ciphers. In particular if you notice the XX at the end, that indicates padding, and also the fact that all existing characters are polyalphabetic, it seems like substitution, and a Vignere cipher would fit. If you’re smart you could intelligently brute force, or you can just throw it into an online brute forcer and hope it finds relevant chars/words. If the plaintext and key are long there is a higher probability of auto cracking the plaintext and finding readable words. In this case using https://www.boxentriq.com/code-breaking/vigenere-cipher and giving it a large keylen (>30) to autosolve with yields:

Key: nomatterwhereyougothereyouare
Plaintext: know that as in life there is much that many have looked upon but few have seen because as my father told me and his father told him you will come to learn a great deal if you study the insignificant in depth gtq

Lanyard challenge 1 – Rune decoding

Lanyard

You will go down a lot of rabbit holes with the runes from – rotation, flipping, counting sides, substituting with real characters, reading unrelated hints, and many more, until Lost reveals some key hints.

  • Thompson Twins – If you were here [Youtube video]
  • 4×4 Wins and Fails [Youtube video]
  • “…now excuse me while I go read more about French aristocrats fleeing a post 1789 revolution [forum post]”.
  • “Soon the font of knowledge will crackle with life, overflowing double digits worth of hints and tricks as Defcon 28 springs to life once more….” [forum post]

The hint “read more about French aristocrats fleeing a post 1789 revolution”, they were termed Émigré. And when typing Emigre on Google, you are immediately faced with a font family, and all the stars align. Next you just brute force your way through character sets of every Emigre font looking for that style until you come across Cracky https://www.emigre.com/Fonts/Crackly

Emigre, Crackly font

With the Crackly font, you get different numbers based on how you orientate the 4×4 grid as hinted by Lost. The correct orientation is with the left-hand side “DEF CON” text being aligned readable and 4×4 from there. With alphabetic chars we try some brute force substitution ciphers, where ROT-23 is the cipher and read left to right, up to down.

Lanyard 4×4
4x4 grid --------> A1Z26 -------> ROT-23
							      
17:24:21:14        R Y V O        O V S L
05:11:11:05        F L L F        C I I C
22:09:15:17        W J P R        T G M O
17:07:03:15        R H D P        O E A M

OCTOVIGESIMAL.COM

Going to this link before Defcon has started on the 07/AUG just results in a standby page, later down the page we show the challenges that appear once the Con has started.

Tracks info

If you listen through both Side A and B, each 30 mins, you will be auditorily pleased, the tones, the rhymes, all excellent.

N.B. My top 3 tracks to listen to were: “bash explode – import life.flac” (best beat), “Ohm-I – Exes in RAM.flac” (rhymes), “Dual Core – Apex Predator.flac” (rhymes).

Side A – Track timings

  1. 00:00 – ?? Static noise (Lost Lissajous) 
  2. 03:18 – ?? Dial tones (Obelisk) 
  3. 03:37 – ?? Numbers spoken (Substitution Cipher) 
  4. 04:42 – Archwisp Trouble
  5. 08:00 – Import life – Base Explode
  6. 11:50 – ?? Dial tones (NP-Incomplete) 
  7. 12:18 – The Underground – Pronobozo 
  8. 16:02 – Zebbler Encanti Experience – Infinite Absence VIP
  9. 20:46 – RBM – Massive Infection  
  10. 28:18 – Ohm-I – Exes in RAM

Side B – Track timings

  1. 00.00 – DJ HMSims – Creepy Ice Cream Truck V1
  2. 06.04 – Artifact Corruption – Gravity Drive
  3. 09.37 – Ghostfeeder – Veins
  4. 14.05 – The Algorithm – Floating Point
  5. 19.18 – Dual Core – Apex Predator (featuring Tribe One)*
  6. 24.35 – Skittish and Bus – DEF CON Is Canceled (DC25 Version)
  7. 28.50 – ?? Static noise

The Side A tracks in violet above, are unknown when you initially listen to it, as it’s not typical music but static noise or dial tones. But as we progress through the challenges, you eventually make the link that there are 4 challenges in the audio tracks and they are named after the purple code word track listings.

Before we jump in, let’s look visually at the entire Side A in Audacity. Again because we’ve already solved it, in purple are the challenge tracks.

Side A – Audacity

Cassette challenge 1 – Side A – Substitution cipher

The numbers spoken are 15 18 6 8 5 18 7 2 17 5 22 1 24 12 2 8 5 2 9 14 25 7 22 1 18. Where you simply apply the A1Z26 cipher, and are given a ciphertext. As usual try the common ciphers, and you get to the typical ROT 13, https://rot13.com/.

15 18 06 08 05 18 07 02 17 05 22 01 24 12 02 08 05 02 09 14 25 07 22 01 18 
O  R  F  H  E  R  G  B  Q  E  V  A  X  L  B  H  E  B  I  N  Y  G  V  A  R

// ROT13
B  E  S  U  R  E  T  O  D  R  I  N  K  Y  O  U  R  O  V  A  L  T  I  N  E

Be sure to drink your Ovaltine

Cassette challenge 2 – Side A – Obelisk

The Obelisk track produces noticeable phone tones, but you may not know what sound (or frequency) links to what button press. When Googling the phone tones, you come across the actual term Dual Tone Multi Frequency (DTMF) tones, so you download an MP3 of all phone button press tones. Importing that in Audacity and now knowing about frequencies you compare both Obelisk tones (left) and a real phone tone (right). Something looks odd, DTMF tones have those 2 white squares per tone (the sound produced) and we only have 1.

Spectogram view of Obelisk

For now we record our relative values: 1.1=1100hz, 1.3=1300hz, 1.5=1500hz 
Frequency pattern: 1.3 1.5 1.5 1.5 1.5 1.5 1.1 1.5 1.1 1.5 1.5 1.5 1.1 1.5

Cassette challenge 3 – Side A -NP-Incomplete

Another track with dial tones, looking at Audacity Spectrograph again.

Spectogram view of NP-Incomplete

This time the frequencies are different: .75=750hz, .80=800hz, .85=850hz
Frequency pattern: .75 .80 .75 .75 .85 .80 .85 .75 .85 .85 .85 .85 .80 .85

Combining Obelisk and NP-Incomplete

Now overlay the high frequency (Obelisk) and low frequency (NP-Incomplete) we have a valid DTMF tone.
1.3 1.5 1.5 1.5 1.5 1.5 1.1 1.5 1.1 1.5 1.5 1.5 1.1 1.5 (Obelisk, high group Hz)
.75 .80 .75 .75 .85 .80 .85 .75 .85 .85 .85 .85 .80 .85 (NPIncomplete, low group Hz)

1100hz

1300hz

1500hz

750hz

1

2

ABC

3

DEF

800hz


GHI


JKL 


MNO 

850hz

7
PQRS

8
TUV

WXYZ 

The combined tones being a valid DTMF tone generates the phone number presses:
2633 9673 799949

And using https://www.mobilefish.com/services/phonenumber_words/phonenumber_words.php to convert phonenumbers to words gives us 2633=CODE 9673=WORD. And with manual text solvers we can find valid words, of which 799949=SYZYGY (defined as alignment of stars) seems the most likely.

CODE WORD SYZYGY

Cassette challenge 4 – Side A – Lost Lissajous

Heard from 00:00 – 03:18. Whilst it is mostly static like noise, a voice mentions a number of times around “ground” problems and interference. And if you google “Lissajous” you come across a number of articles and videos viewing Lissajous curves on oscilloscopes, further googling and you come across auditory Lissajous and visual animations. Reading about how Lissajous curves work with and left and right audio channels being mapped as X and Y coords on a graph, and sampling the audio over time produces the Lissajous curve animation.

Whilst there were tools online to view oscilloscopes from audio files such as https://dood.al/oscilloscope/ and one can eventually read a message.

FIND A KEY AT LOSTBOY.NET SLASH PALEBLUEDOT

Lost Lissajous – Video/Audio oscilloscope – Copyright 2020 AstralVx

It was originally thought there were more secret messages in the animation, as the tracks were sample rate 44100 Hz, meaning if you map L/R channels as X/Y that’s 44100 FPS. Surely you could miss data if only appeared for a fraction of a section, so you can find a Lissajous viewer source code online and modified it <mygithub> to play frames at controlled points of 10/100/1000/10000/100000, allowing to precisely view all frames. But turns out it was a rabbit hole and the PaleBlueDot link above was it.

Going to the link https://lostboy.net/PaleBlueDot before the con had started, presented the message: “Defcon hasn’t started yet…..”. A couple sections down and we show what happens when it did start and the new puzzle that appeared.

Side B no challenges

Whilst you search for challenges on Side B and sink a lot of time into rabbit holes, it turns out there is none. At the end is a bunch of static and can be viewed with your oscilloscope viewer. A nice visual animation of the Flash Gordan (1980) movie space shuttle lift of scene, where you see the rocket, a bunch of shapes (which looks like a challenge) and then a Butterfly curve fractal.

Flash Gordan liftoff scene – Video/Audio oscilloscope – Copyright 2020 AstralVx

Def Con 28 starts

The following puzzles only become available when DEF CON 28 starts on 07/AUG. All of the above challenges were available and solvable 2 weeks before the Con started, but all the links found pointed to “stand by” pages. At this point you will have found:

  • https://lostboy.net/PaleBlueDot/
  • https://octovigesimal.com/

And going to https://octovigesimal.com/ gives you a new link https://base-28.com/ and once the Con starts lets proceed to the links.

Base-28 – Identify the contents

Ofn yxc qmt eugfe sm iydj?

Another poly alphabetic cipher, lets try the common ciphers, and keys, which eventually lead you to (remember CODE WORD SYZYGY). Apply SYZYGY key to the Vignere cipher gives:

Who are you going to call?

The answer is obviously Ghost Busters, but we’re not sure how to apply it yet. As for for the arcade console in the middle and all the people staring at it. The people are the Commodores copied over and over, and if you carefully count them there are 64. Commodore 64 anyone? For now we keep the answers in mind, and move to the other 2 links.

PaleBlueDot – Ghost busters game cheat

At this point Lost has given a new hint

  • @defcon #HackerHints Lanyard destination and LostboY pages are dependent. One helps solve the other. Consider numbers as separate pieces.
  • Sometimes leading into a puzzle with zero to start helps you see things differently.

Going to http://lostboy.net/PaleBlueDot/ gives us a new challenge:

Trying common ciphers as usual, and then applying 0 at the start of every string as suggested reveals the simply alphabet to index

          1057.27710104 
dptymgrlaxhpce.45647604 
     dzfykvosr.40542606
          ford.30542001
       uetyswr.31642011
  nicdpandlbzt.11146300
       qwanwfa.24542601
         qqkki.05506400
   qwelbcpzicv.10701510
           hcx.01042101
      dppphwgk.05140610
          cmpc.00440006

Left side looks like it needs decoding again. After spending ages and frustrated applying ciphers and keys, you will answer the question on the top of the image. (Q) How many Sagans does it take to change a lightbulb? (A) Billions and billions

Then applying that answer and variations as keys you eventually get to a OneTimePad (OTP), with a key of of “billionsandbillions’” https://www.boxentriq.com/code-breaking/one-time-pad

          1057.27710104 
CHINESETAKEOUT.45647604 
     CRUNCHBAR.40542606
          EGGS.30542001
       TWINKIE.31642011
  MARSHMALLOWS.11146300
       POPCORN.24542601
         PIZZA.05506400
   POTATOCHIPS.10701510
           GUM.01042101
      CHEEZITS.05140610
          BEER.00440006

At this point someone in your team will link the GhostBuster and Commode64 hints to this challenge. This table above is a scoreboard for GhostBusters. The left side is the player name, and the right side appears to be the player balance. If you have played the game before, once you complete it once you get an account number which stores the amount of money you have. So the challenge seems to imply, whilst we have player name, player balance, we need player account number.

Fortunately people have already reverse engineered the game and figured out the algorithm, so we can modify an existing one and add our brute force parts in. Running my modifications below, takes a few seconds and finds valid account numbers, with some manual modifications.

<todo git push mygithub>

Ignoring the last 00 bytes on the account numbers, and also ignoring the first 1057 entry. Since all 2byte vals are less then 26, we get what looks like the typical A1Z26 cipher.

          1057.27710104  105700
CHINESETAKEOUT.45647604  132500 == MY
     CRUNCHBAR.40542606  192000 == ST
          EGGS.30542001  051800 == ER
       TWINKIE.31642011  251900 == YS
  MARSHMALLOWS.11146300  030900 == CI
       POPCORN.24542601  051400 == EN
         PIZZA.05506400  030500 == CE
   POTATOCHIPS.10701510  200800 == TH
           GUM.01042101  050100 == EA
      CHEEZITS.05140610  200500 == TE
          BEER.00440006  180000 == R

MYSTERYSCIENCETHEATER

Lost also released another hint, important one for our stage is in bold.

  • Recap: Pick up pieces of information from the tape, and from the lanyard.
  • Discover two web destinations.
  • Discern information from each page, combine to form Voltron, find new page.
  • Welcome to today.
    (Sounds simple, no?)
  • While you’re waiting I hear there are some cool old skool emulators for old games you can run in your browser. I hear there’s one at the Internet Archive, and a few others. Some fun old Z80 and C64 games for sure…

So MysteryScienceTheatre is a link, I wrote a script to add every TLD (.com .org .net .io .xxx etc) but of the few non-404 pages nothing looked like a Lost page. Until we started breaking up the MysteryScienceTheatre and adding punctuation we find https://mysteryscience.theater/

At this point we have solved http://lostboy.net/PaleBlueDot/ and https://base-28.com/ but https://octovigesimal.com/ still remains along with this new link https://mysteryscience.theater/

Octovigesimal – Chuck Berry, The Great 28

On https://octovigesimal.com/ as mentioned before we found base-28.com because there it is in the image. This page contains images of Chuck Berry and his album (the great twenty eight) and a Goonie’s Copper Bones key with a summation equation in the middle.

There are strong links to 28, but there appears a hint in the middle of the page Record your answer~. After falling down rabbit holes, the suggestion is literally a “record”. And with the album above, you can check out the Wikipedia page about the record, in particular noticing the tracks. 

Side one
No.    Title                            Chess source    Length
1.    "Maybellene"                      Chess 1604 A (1955)    2:18
2.    "Thirty Days"                     Chess 1610 A (1955)    2:24
3.    "You Can't Catch Me"              Chess 1645 A (1956)    2:42
4.    "Too Much Monkey Business"        Chess 1635 B (1956)    2:53
5.    "Brown Eyed Handsome Man"         Chess 1635 A (1956)    2:17
6.    "Roll Over Beethoven"             Chess 1626 A (1956)    2:23
7.    "Havana Moon"                     Chess 1645 B (1956)    3:05

Side two
No.    Title                            Chess source    Length
1.    "School Days"                     Chess 1653 A (1957)    2:40
2.    "Rock and Roll Music"             Chess 1671 A (1957)    2:30
3.    "Oh Baby Doll"                    Chess 1664 A (1957)    2:33
4.    "Reelin' and Rockin'"             Chess 1683 B (1958)    3:14
5.    "Sweet Little Sixteen"            Chess 1683 A (1958)    2:55
6.    "Johnny B. Goode"                 Chess 1691 A (1958)    2:38
7.    "Around and Around"               Chess 1691 B (1958)    2:35

Side three
No.    Title                            Chess source    Length
1.    "Carol"                           Chess 1700 A (1958)    2:46
2.    "Beautiful Delilah"               Chess 1697 A (1958)    2:08
3.    "Memphis"                         Chess 1729 B (1959)    2:12
4.    "Sweet Little Rock and Roller"	Chess 1709 A (1958)    2:20
5.    "Little Queenie"                  Chess 1722 B (1959)    2:38
6.    "Almost Grown"                    Chess 1722 A (1959)    2:19
7.    "Back in the U.S.A."              Chess 1729 A (1959)    2:25

Side four
No.    Title                            Chess source    Length
1.    "Let It Rock"                     Chess 1747 A (1960)    1:50
2.    "Bye Bye Johnny"                  Chess 1754 A (1960)    2:03
3.    "I'm Talking About You"           Chess 1779 A (1961)    1:48
4.    "Come On"                         Chess 1799 A (1961)    1:50
5.    "Nadine (Is It You?)"             Chess 1883 A (1964)    2:30
6.    "No Particular Place to Go"       Chess 1898 A (1964)    2:44
7.    "I Want to Be Your Driver"        Chuck Berry in London (1965)    2:15

Suddenly you will notice the track “Come on”, and if you recall there was a hint with this term in very early on in the liner challenge route transposition cipher giving “Come On Four Dot Four Is Right In Front Of You”. Then you notice the track is at Side 4, Track 4.

After a bit more falling through rabbit holes, you will then remember the key and it’s summation equation. Falling down more rabbit holes trying to calculate a valid value.

Sum equation from Copper bones

You may initially try the mathematical calculation 1.1 + 2.2 + 3.3 + 4.4 = 11 and then fail to apply that anywhere. Then looking back at previous solutions you will again remember route transposition cipher had a skull in the middle, and this key is also a skull. Then you will link 4.4 in this summation equation was the “Come on” track. Then you look up 1.1, 2.2, and 3.3.

  • 1.1 Maybellene
  • 2.2 Rock and Roll Music
  • 3.3 Memphis
  • 4.4 Come On

Now you may fall down some XOR related rabbit holes but then realize, it’s not summation in the arithmetic sense, but a summation equation (concatenation) of strings giving “MaybelleneRockandRollMusicMemphisComeOn“, now to find where this key may be used.

Mystery Science Theater – A maze of mini challenges

We will now encounter trap after trap laid by Lost, so strap in as things start moving faster.

An y QewpFyyvRqd,
WehjhwpIclpVtme:
Ioqfig oloage.

At this point you’ve probably already visited the mysteryscience.theater site and noticed the cipher text and youtube video of Pump Up The Volume movie.

You will already have fallen down many rabbit holes trying to decipher that cipher text early on, but then gave up and moved onto https://octovigesimal.com/ as we did above. But once you solved that we obtained quite literally a key MaybelleneRockandRollMusicMemphisComeOn and then applying the classic Vignere with the key results in:

On a PaleBlueDot,
WrestleWithThis:
Things change.

Wrestle With This – HTML source

Now we get to http://lostboy.net/PaleBlueDot/WrestleWithThis/

And looking around the page for the end or continuation, you come across the HTML source code

<!DOCTYPE html>
<html>
   <head>
      <title>Wrestle With This y6nk3z9y</title> 
      
   </head>
   <body>
       <center><br><br><br>
      <iframe width="560" height="315" src="https://www.youtube.com/embed/bb68owdlxl8" frameborder="0" allow="accelerometer;  encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
      </center>
      It's only a tiny problem...
   </body>
</html>

<!- bFNhZ2FuQExv ->

And you notice 2 ciphers. Base64 is often obvious when seen:

bFNhZ2FuQExv == lSagan@Lo

But y6nk3z9y does not appear to be it, then you will notice the wording on the main page “It’s only a tiny problem…”. And apply it as a tinyurl, which leads to:
https://tinyurl.com/y6nk3z9y –> http://lostboy.net/PaleBlueDot/EverythingWasFineWithOurSystem.jpg

Everything Was Fine With Our System – Base64

The car is the 58 Lincoln Continental (AKA Maybellene), one is fooled it may link to previous challenges. Looking closely at the tailights you will notice the ciphertext and it looks like good old base64, on decoding it gives:

TG9zdGJvWSBkb3Qgc2xhc2ggSEhI == LostboY dot slash HHH

At the same time if you look even closer at the image there is another cipher, difficult to see but just below the front windshield on the blue car metal. Base64 again.

U2VuZCBDb3Nt == Send Cosm

HHH – Trivia

Visiting the LostboY dot slash HHH interpreted as http://lostboy.net/HHH/ gives:

Now we are being trolled with the “Close but no cigar” song https://www.youtube.com/watch?v=Mp_ilSL-J_0

At this point you may be stumped but enough Googling leads to a linkage between that video “Concrete blonde” and “Pump Up the Volume” as that’s one of the bands he plays on his radio station, and if you recall we’ve already seen a movie clip of “Pump Up the Volume” back on https://mysteryscience.theater/

Falling down rabbit holes trying new links, you will remember “HHH” above and the main character of Pump Up the Volume’s secret identity is “Happy Harry HardOn”. Trying that as a link https://lostboy.net/HappyHarryHardOn moves us onwards and down further into the maze.

Happy Harry HardOn – Trivia

Visiting https://lostboy.net/HappyHarryHardOn/

Then you will notice F1LZuQ9E4JQ, unfortunately not a base64 string this time. After trying some basic ciphers, and making no progress you just throw it into Google and it turns out to be Youtube link, maybe a puzzle or maybe not. https://www.youtube.com/watch?v=F1LZuQ9E4JQ (Tina Turner & Chuck Berry – Rock n roll music)

You will notice the message “What a singer! LostboY.net/PaleBlueDot/?”, is another link to figure out, something related to the Ghostbuster song. After enough Googling or just knowing, it turns out that the Ghostbuster theme was actually stolen and Columbia Pictures/Ray Parker Jr. were sued by Huey Lewis (notice that resemblance https://www.youtube.com/watch?v=N6uEMOeDZsA). So the correlation is eventually correct and we make it to https://lostboy.net/PaleBlueDot/HueyLewis/

Huey Lewis – Base64

Another base64 string:

c3Rib1kubmV0 == stboY.net

The End

Solving all the puzzles from the theater, we can bring together the 3x decoded base64 strings. However 1 seems to be missing.

  • Send Cosm
  • ???
  • lSagan@Lo
  • stboY.net

But one can guess the message “Send Cosm”os to Car”lSagan@Lo”stboY.net”. And when submitting it before the deadline you get a congratulations message as a response.

Update to the end

At email completion we never found the 4th Base64 string. However at the end of DEF CON some others who completed it on Discord pointed out it was in fact on the last Youtube.

Visiting that Youtube video https://www.youtube.com/watch?v=F1LZuQ9E4JQ on harryhardon again and looking at descriptions and comments, if you look at the most recent comments you see “b3MgdG8gQ2Fy”.

b3MgdG8gQ2Fy == os to Car

And there we have it, the challenge is at last truly complete – Send Cosmos to CarlSagan@LostboY.net