By @AstralVx. The badge for 2020 was a cassette, but the challenges were split over 3 items – the cassette badge (sides A and B), the lanyard, and the liner (front and back) as seen in the images below.
In summary the challenges consisted of ciphers from rot n, Vigenère, one time pads, alphabetic index, b64, font identification, audio processing, spectrograms, dial tones, oscilloscopes, C64 Ghostbuster’s game cheat, trivia from pop culture to scifi movies and lots of falling down rabbit holes.
Liner challenge 1 – Character colours
You should notice how Fig 3 “DEF CON SAFE MODE” could correlate to the coloured squares above, where ‘D’ could be red, ‘O’ could be cyan/green and so forth. Looking mid way down the liner you will also come across Fig 4 using mostly the same colours with an extra.
Cross analyzing the letters to colours, you can create a system to link both. We chose: Orange=Or, Cyan=Cy, Pink=Pi, Violet=Vi, Green=Gr, Blue=Bl, Yellow=Ye. Once you notice the colours are the letter index (i.e. Gr = 1), then you can interpret Cy Gr == 1 5 == ‘O’. Resulting in the table below.
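Letter | ColourCode | ColourIndex |
A | Gr | 1 |
B | Ye | 2 |
C | Vi | 3 |
D | Or | 4 |
E | Cy | 5 |
F | Pi | 6 |
G | | 7 |
H | | 8 |
I | Bl | 9 |
J | | 12 |
K | GrGr | 11 |
L | YeGr | 12 |
M | ViGr | 13 |
N | OrGr | 14 |
O | CyGr | 15 |
P | PiGr | 16 |
Q | | 17 |
R | | 18 |
S | BlGr | 19 |
T | | 20 |
U | GrYe | 21 |
V | YeYe | 22 |
W | PuYe | 23 |
X | OrYe | 24 |
Y | CyYe | 25 |
Z | PiYe | 26 |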
Bringing this together and looking back at Fig 4, where it’s:
Ye, CyGr, CyGr, *, Vi, CyGr, YeYe, Cy, Or
B, O, O, *, C, O, V, I, D
BOO COVID
Liner challenge 2 – Route transposition cipher
tIstFCOnRFoofFioumYrgureoohrDOuntIon
Here is where you can go ghetto and just throw every common classic cipher at it. An excellent site for these sorts of challenges is https://www.boxentriq.com/code-breaking and eventually you find something useful with a route transposition cipher at column 6. Notice the columns are read downwards and from right-to-left.
Grid (6 columns, filled row by row):
tIstFC
OnRFoo
fFioum
Yrgure
oohrDO
untIon
Columns read downwards, right-to-left:
ComeOn FourDo tFourI sRight InFron tofYou
Come On Four Dot Four Is Right In Front Of You
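The grid reading above can be reproduced in a few lines of Python. This is an added example, not code from the original write-up; the function names and the crib word "you" are assumptions, and it goes slightly beyond the text by trying every grid width that divides the length and both column orders.

```python
CIPHERTEXT = "tIstFCOnRFoofFioumYrgureoohrDOuntIon"  # string printed on the liner


def read_columns(text: str, width: int, right_to_left: bool = True) -> str:
    """Write `text` row by row into a grid `width` wide, then read each
    column top to bottom, visiting the columns in the requested order."""
    if width < 1 or len(text) % width:
        raise ValueError("text does not fill a grid of that width")
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = range(width - 1, -1, -1) if right_to_left else range(width)
    # Outer loop over columns, inner loop over rows: column-major reading.
    return "".join(row[col] for col in order for row in rows)


def search_routes(text: str, crib: str) -> list[tuple[int, bool, str]]:
    """Try every width that divides the length, in both column orders,
    and keep the readings that contain the crib (case-insensitive)."""
    hits = []
    for width in range(2, len(text)):
        if len(text) % width:
            continue
        for rtl in (True, False):
            reading = read_columns(text, width, rtl)
            if crib.lower() in reading.lower():
                hits.append((width, rtl, reading))
    return hits


if __name__ == "__main__":
    for width, rtl, reading in search_routes(CIPHERTEXT, "you"):
        direction = "right-to-left" if rtl else "left-to-right"
        print(f"width={width}, columns {direction}: {reading}")
```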
Liner challenge 3 – Vigenère cipher
Xbaw maek wzme pgty zvxy izwk iwhk lnhy agrl rrlp fsis xadh uflx dsqh rzrg qegu itwb wveq aslo moii xmzx mvea rtil yekd lvks jrbo arvy nmjz wodi gcxe tkrr cyir xbsu rwyf slwr ixyk lrwz sbzr zbpg rrrw hjsi alXX 1o57
Once you have done a few Lostboy challenges you will quickly notice he has a few favourite ciphers. In particular, the XX at the end indicates padding, and since all the existing characters are polyalphabetic it looks like substitution, so a Vigenère cipher would fit. If you’re smart you could intelligently brute force, or you can just throw it into an online brute forcer and hope it finds relevant chars/words. If the plaintext and key are long there is a higher probability of auto cracking the plaintext and finding readable words. In this case using https://www.boxentriq.com/code-breaking/vigenere-cipher and giving it a large keylen (>30) to autosolve with yields:
Key: nomatterwhereyougothereyouare
Plaintext: know that as in life there is much that many have looked upon but few have seen because as my father told me and his father told him you will come to learn a great deal if you study the insignificant in depth gtq
Lanyard challenge 1 – Rune decoding
You will go down a lot of rabbit holes with the runes from – rotation, flipping, counting sides, substituting with real characters, reading unrelated hints, and many more, until Lost reveals some key hints.
- Thompson Twins – If you were here [Youtube video]
- 4×4 Wins and Fails [Youtube video]
- “…now excuse me while I go read more about French aristocrats fleeing a post 1789 revolution [forum post]”.
- “Soon the font of knowledge will crackle with life, overflowing double digits worth of hints and tricks as Defcon 28 springs to life once more….” [forum post]
The hint was “read more about French aristocrats fleeing a post 1789 revolution”; they were termed Émigré. When typing Emigre on Google, you are immediately faced with a font family, and all the stars align. Next you just brute force your way through the character sets of every Emigre font looking for that style until you come across Crackly https://www.emigre.com/Fonts/Crackly
With the Crackly font, you get different numbers based on how you orientate the 4×4 grid as hinted by Lost. The correct orientation is with the left-hand side “DEF CON” text being aligned readable and 4×4 from there. With alphabetic chars we try some brute force substitution ciphers, where ROT-23 is the cipher and read left to right, up to down.
4x4 grid | A1Z26 | ROT-23 |
17:24:21:14 | R Y V O | O V S L |
05:11:11:05 | F L L F | C I I C |
22:09:15:17 | W J P R | T G M O |
17:07:03:15 | R H D P | O E A M |
OCTOVIGESIMAL.COM
Going to this link before Defcon has started on the 07/AUG just results in a standby page, later down the page we show the challenges that appear once the Con has started.
Tracks info
If you listen through both Side A and B, each 30 mins, you will be auditorily pleased, the tones, the rhymes, all excellent.
N.B. My top 3 tracks to listen to were: “bash explode – import life.flac” (best beat), “Ohm-I – Exes in RAM.flac” (rhymes), “Dual Core – Apex Predator.flac” (rhymes).
Side A – Track timings
- 00:00 – ?? Static noise (Lost Lissajous)
- 03:18 – ?? Dial tones (Obelisk)
- 03:37 – ?? Numbers spoken (Substitution Cipher)
- 04:42 – Archwisp Trouble
- 08:00 – Import life – Base Explode
- 11:50 – ?? Dial tones (NP-Incomplete)
- 12:18 – The Underground – Pronobozo
- 16:02 – Zebbler Encanti Experience – Infinite Absence VIP
- 20:46 – RBM – Massive Infection
- 28:18 – Ohm-I – Exes in RAM
Side B – Track timings
- 00.00 – DJ HMSims – Creepy Ice Cream Truck V1
- 06.04 – Artifact Corruption – Gravity Drive
- 09.37 – Ghostfeeder – Veins
- 14.05 – The Algorithm – Floating Point
- 19.18 – Dual Core – Apex Predator (featuring Tribe One)*
- 24.35 – Skittish and Bus – DEF CON Is Canceled (DC25 Version)
- 28.50 – ?? Static noise
The Side A tracks in violet above, are unknown when you initially listen to it, as it’s not typical music but static noise or dial tones. But as we progress through the challenges, you eventually make the link that there are 4 challenges in the audio tracks and they are named after the purple code word track listings.
Before we jump in, let’s look visually at the entire Side A in Audacity. Again because we’ve already solved it, in purple are the challenge tracks.
Cassette challenge 1 – Side A – Substitution cipher
The numbers spoken are 15 18 6 8 5 18 7 2 17 5 22 1 24 12 2 8 5 2 9 14 25 7 22 1 18. Simply apply the A1Z26 cipher and you are given a ciphertext. As usual try the common ciphers, and you get to the typical ROT 13, https://rot13.com/.
15 18 06 08 05 18 07 02 17 05 22 01 24 12 02 08 05 02 09 14 25 07 22 01 18
O R F H E R G B Q E V A X L B H E B I N Y G V A R // A1Z26
B E S U R E T O D R I N K Y O U R O V A L T I N E // ROT13
Be sure to drink your Ovaltine
Cassette challenge 2 – Side A – Obelisk
The Obelisk track produces noticeable phone tones, but you may not know what sound (or frequency) links to what button press. When Googling the phone tones, you come across the actual term Dual Tone Multi Frequency (DTMF) tones, so you download an MP3 of all phone button press tones. Importing that in Audacity and now knowing about frequencies you compare both Obelisk tones (left) and a real phone tone (right). Something looks odd, DTMF tones have those 2 white squares per tone (the sound produced) and we only have 1.
For now we record our relative values: 1.1=1100hz, 1.3=1300hz, 1.5=1500hz
Frequency pattern: 1.3 1.5 1.5 1.5 1.5 1.5 1.1 1.5 1.1 1.5 1.5 1.5 1.1 1.5
Cassette challenge 3 – Side A – NP-Incomplete
Another track with dial tones, looking at Audacity Spectrograph again.
This time the frequencies are different: .75=750hz, .80=800hz, .85=850hz
Frequency pattern: .75 .80 .75 .75 .85 .80 .85 .75 .85 .85 .85 .85 .80 .85
Combining Obelisk and NP-Incomplete
Now overlay the high frequency (Obelisk) and low frequency (NP-Incomplete) and we have a valid DTMF tone.
1.3 1.5 1.5 1.5 1.5 1.5 1.1 1.5 1.1 1.5 1.5 1.5 1.1 1.5 (Obelisk, high group Hz)
.75 .80 .75 .75 .85 .80 .85 .75 .85 .85 .85 .85 .80 .85 (NP-Incomplete, low group Hz)
 | 1100hz | 1300hz | 1500hz |
750hz | 1 | 2 ABC | 3 DEF |
800hz | 4 | 5 | 6 MNO |
850hz | 7 | 8 | 9 WXYZ |
The combined tones being a valid DTMF tone generates the phone number presses:
2633 9673 799949
And using https://www.mobilefish.com/services/phonenumber_words/phonenumber_words.php to convert phonenumbers to words gives us 2633=CODE 9673=WORD. And with manual text solvers we can find valid words, of which 799949=SYZYGY (defined as alignment of stars) seems the most likely.
CODE WORD SYZYGY
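The overlay of the two tracks and the keypad-word lookup, as an added example in Python (not code from the original write-up). The frequency values and the keypad grid are the ones tabulated above; the function names and the short word list are constructed for illustration, and the 4/4/6 grouping is taken from the digits as printed on the page.

```python
# Single-tone readings from the two spectrograms, in kHz, as listed on the page.
OBELISK = "1.3 1.5 1.5 1.5 1.5 1.5 1.1 1.5 1.1 1.5 1.5 1.5 1.1 1.5"
NP_INCOMPLETE = ".75 .80 .75 .75 .85 .80 .85 .75 .85 .85 .85 .85 .80 .85"

# Keypad grid from the write-up's table (rounded spectrogram readings).
LOW_HZ = (750, 800, 850)        # rows
HIGH_HZ = (1100, 1300, 1500)    # columns
KEYPAD = ("123", "456", "789")

LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
           "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}

GROUPS = (4, 4, 6)  # digit grouping as printed on the page
SAMPLE_WORDS = ["CODE", "BODE", "WORD", "YORE", "SYZYGY", "STATIC"]  # constructed


def parse_khz(pattern: str) -> list[int]:
    """Turn '1.3 .75 ...' into integer Hz values."""
    return [round(float(v) * 1000) for v in pattern.split()]


def combine(high_track: str, low_track: str) -> str:
    """Pair the n-th high tone with the n-th low tone and look up the key."""
    high, low = parse_khz(high_track), parse_khz(low_track)
    if len(high) != len(low):
        raise ValueError("tracks have different numbers of tones")
    digits = []
    for h, l in zip(high, low):
        if h not in HIGH_HZ or l not in LOW_HZ:
            raise ValueError(f"no keypad entry for {l} Hz + {h} Hz")
        digits.append(KEYPAD[LOW_HZ.index(l)][HIGH_HZ.index(h)])
    return "".join(digits)


def split_groups(digits: str, sizes=GROUPS) -> list[str]:
    """Cut the digit string into consecutive groups of the given sizes."""
    out, pos = [], 0
    for size in sizes:
        out.append(digits[pos:pos + size])
        pos += size
    return out


def word_to_digits(word: str) -> str:
    """Keypad digits a word would be typed with."""
    return "".join(d for ch in word.upper()
                   for d, letters in LETTERS.items() if ch in letters)


def keypad_matches(digits: str, words: list[str]) -> list[str]:
    """All words in the list that share this digit sequence."""
    return [w for w in words if word_to_digits(w) == digits]


if __name__ == "__main__":
    for group in split_groups(combine(OBELISK, NP_INCOMPLETE)):
        print(group, keypad_matches(group, SAMPLE_WORDS))
```

Several words can share one digit sequence, which is why the final choice among candidates is made by context.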
Cassette challenge 4 – Side A – Lost Lissajous
Heard from 00:00 – 03:18. Whilst it is mostly static-like noise, a voice mentions “ground” problems and interference a number of times. If you google “Lissajous” you come across a number of articles and videos viewing Lissajous curves on oscilloscopes; further googling and you come across auditory Lissajous and visual animations. Reading on, you learn how Lissajous curves work: the left and right audio channels are mapped as X and Y coords on a graph, and sampling the audio over time produces the Lissajous curve animation.
There are tools online to view oscilloscopes from audio files, such as https://dood.al/oscilloscope/, and with one of them you can eventually read a message.
FIND A KEY AT LOSTBOY.NET SLASH PALEBLUEDOT
It was originally thought there were more secret messages in the animation, as the tracks were sample rate 44100 Hz, meaning if you map L/R channels as X/Y that’s 44100 FPS. Surely you could miss data if it only appeared for a fraction of a second, so you can find a Lissajous viewer source code online and modify it <mygithub> to play frames at controlled points of 10/100/1000/10000/100000, allowing you to view all frames precisely. But it turns out it was a rabbit hole and the PaleBlueDot link above was it.
Going to the link https://lostboy.net/PaleBlueDot before the con had started, presented the message: “Defcon hasn’t started yet…..”. A couple sections down and we show what happens when it did start and the new puzzle that appeared.
Side B no challenges
Whilst you search for challenges on Side B and sink a lot of time into rabbit holes, it turns out there are none. At the end is a bunch of static, which can be viewed with your oscilloscope viewer: a nice visual animation of the Flash Gordon (1980) movie space shuttle lift-off scene, where you see the rocket, a bunch of shapes (which look like a challenge) and then a Butterfly curve fractal.
Def Con 28 starts
The following puzzles only become available when DEF CON 28 starts on 07/AUG. All of the above challenges were available and solvable 2 weeks before the Con started, but all the links found pointed to “stand by” pages. At this point you will have found:
- https://lostboy.net/PaleBlueDot/
- https://octovigesimal.com/
Going to https://octovigesimal.com/ gives you a new link, https://base-28.com/. Once the Con starts, let’s proceed to the links.
Base-28 – Identify the contents
Ofn yxc qmt eugfe sm iydj?
Another polyalphabetic cipher. Let’s try the common ciphers and keys, which eventually lead you to the answer (remember CODE WORD SYZYGY). Applying the SYZYGY key to the Vigenère cipher gives:
Who are you going to call?
The answer is obviously Ghost Busters, but we’re not sure how to apply it yet. As for the arcade console in the middle and all the people staring at it: the people are the Commodores copied over and over, and if you carefully count them there are 64. Commodore 64 anyone? For now we keep the answers in mind, and move to the other 2 links.
PaleBlueDot – Ghost busters game cheat
At this point Lost has given a new hint
- @defcon #HackerHints Lanyard destination and LostboY pages are dependent. One helps solve the other. Consider numbers as separate pieces.
- Sometimes leading into a puzzle with zero to start helps you see things differently.
Going to http://lostboy.net/PaleBlueDot/ gives us a new challenge:
Trying common ciphers as usual, and then applying 0 at the start of every string as suggested, reveals the simple alphabet to index
1057.27710104
dptymgrlaxhpce.45647604
dzfykvosr.40542606
ford.30542001
uetyswr.31642011
nicdpandlbzt.11146300
qwanwfa.24542601
qqkki.05506400
qwelbcpzicv.10701510
hcx.01042101
dppphwgk.05140610
cmpc.00440006
Left side looks like it needs decoding again. After spending ages and frustrated applying ciphers and keys, you will answer the question on the top of the image. (Q) How many Sagans does it take to change a lightbulb? (A) Billions and billions
Then applying that answer and variations as keys you eventually get to a OneTimePad (OTP), with a key of “billionsandbillions” https://www.boxentriq.com/code-breaking/one-time-pad
1057.27710104
CHINESETAKEOUT.45647604
CRUNCHBAR.40542606
EGGS.30542001
TWINKIE.31642011
MARSHMALLOWS.11146300
POPCORN.24542601
PIZZA.05506400
POTATOCHIPS.10701510
GUM.01042101
CHEEZITS.05140610
BEER.00440006
At this point someone in your team will link the GhostBuster and Commodore 64 hints to this challenge. The table above is a scoreboard for GhostBusters. The left side is the player name, and the right side appears to be the player balance. If you have played the game before, you know that once you complete it you get an account number which stores the amount of money you have. So the challenge seems to imply that, whilst we have player name and player balance, we need the player account number.
Fortunately people have already reverse engineered the game and figured out the algorithm, so we can modify an existing one and add our brute force parts in. Running my modifications below, takes a few seconds and finds valid account numbers, with some manual modifications.
<todo git push mygithub>
Ignoring the last 00 bytes on the account numbers, and also ignoring the first 1057 entry, all 2-byte values are less than 26, so we get what looks like the typical A1Z26 cipher.
1057.27710104 105700
CHINESETAKEOUT.45647604 132500 == MY
CRUNCHBAR.40542606 192000 == ST
EGGS.30542001 051800 == ER
TWINKIE.31642011 251900 == YS
MARSHMALLOWS.11146300 030900 == CI
POPCORN.24542601 051400 == EN
PIZZA.05506400 030500 == CE
POTATOCHIPS.10701510 200800 == TH
GUM.01042101 050100 == EA
CHEEZITS.05140610 200500 == TE
BEER.00440006 180000 == R
MYSTERYSCIENCETHEATER
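The Base-28 question and the scoreboard names above both fall to the same letter-subtraction routine, shown here as an added Python example (not code from the original write-up or from the online solvers it links). It assumes the pad restarts at its first letter for each scoreboard name, which is what reproduces the decoded table; the account numbers are the ones listed above, and the function names are hypothetical.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Subtract key letters mod 26. Non-letters pass through unchanged and
    do not consume key material; the case of each letter is preserved."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key contains no letters")
    out, used = [], 0
    for ch in ciphertext:
        low = ch.lower()
        if low in ALPHABET:
            plain = ALPHABET[(ALPHABET.index(low) - shifts[used % len(shifts)]) % 26]
            out.append(plain.upper() if ch.isupper() else plain)
            used += 1
        else:
            out.append(ch)
    return "".join(out)


# Scoreboard entries and recovered account numbers, copied from the page.
SCOREBOARD = """1057.27710104 dptymgrlaxhpce.45647604 dzfykvosr.40542606
ford.30542001 uetyswr.31642011 nicdpandlbzt.11146300 qwanwfa.24542601
qqkki.05506400 qwelbcpzicv.10701510 hcx.01042101 dppphwgk.05140610
cmpc.00440006""".split()
ACCOUNTS = ["132500", "192000", "051800", "251900", "030900", "051400",
            "030500", "200800", "050100", "200500", "180000"]


def decode_scoreboard(entries, key):
    """Decrypt the name part of each 'name.balance' entry with a fresh pad."""
    decoded = []
    for entry in entries:
        name, _, balance = entry.partition(".")
        decoded.append((vigenere_decrypt(name, key).upper(), balance))
    return decoded


def accounts_to_text(accounts):
    """Read each account number as two-digit pairs; 01..26 map to A..Z and
    00 pairs (the padding) are skipped."""
    letters = []
    for acct in accounts:
        for i in range(0, len(acct), 2):
            n = int(acct[i:i + 2])
            if 1 <= n <= 26:
                letters.append(chr(ord("A") + n - 1))
    return "".join(letters)


if __name__ == "__main__":
    print(vigenere_decrypt("Ofn yxc qmt eugfe sm iydj?", "SYZYGY"))
    for name, balance in decode_scoreboard(SCOREBOARD, "billionsandbillions"):
        print(name, balance)
    print(accounts_to_text(ACCOUNTS))
```

A pad that is a reused English phrase, restarted for every name, behaves exactly like a Vigenère key, which is why guessing the phrase was enough to read every entry.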
Lost also released another hint, important one for our stage is in bold.
- Recap: Pick up pieces of information from the tape, and from the lanyard.
- Discover two web destinations.
- Discern information from each page, combine to form Voltron, find new page.
- Welcome to today.
  (Sounds simple, no?)
- While you’re waiting I hear there are some cool old skool emulators for old games you can run in your browser. I hear there’s one at the Internet Archive, and a few others. Some fun old Z80 and C64 games for sure…
So MysteryScienceTheatre is a link, I wrote a script to add every TLD (.com .org .net .io .xxx etc) but of the few non-404 pages nothing looked like a Lost page. Until we started breaking up the MysteryScienceTheatre and adding punctuation we find https://mysteryscience.theater/
At this point we have solved http://lostboy.net/PaleBlueDot/ and https://base-28.com/ but https://octovigesimal.com/ still remains along with this new link https://mysteryscience.theater/
Octovigesimal – Chuck Berry, The Great 28
On https://octovigesimal.com/ as mentioned before we found base-28.com because there it is in the image. This page contains images of Chuck Berry and his album (the great twenty eight) and a Goonie’s Copper Bones key with a summation equation in the middle.
There are strong links to 28, but there appears a hint in the middle of the page Record your answer~. After falling down rabbit holes, the suggestion is literally a “record”. And with the album above, you can check out the Wikipedia page about the record, in particular noticing the tracks.
Side one
No. | Title | Chess source | Length |
1. | "Maybellene" | Chess 1604 A (1955) | 2:18 |
2. | "Thirty Days" | Chess 1610 A (1955) | 2:24 |
3. | "You Can't Catch Me" | Chess 1645 A (1956) | 2:42 |
4. | "Too Much Monkey Business" | Chess 1635 B (1956) | 2:53 |
5. | "Brown Eyed Handsome Man" | Chess 1635 A (1956) | 2:17 |
6. | "Roll Over Beethoven" | Chess 1626 A (1956) | 2:23 |
7. | "Havana Moon" | Chess 1645 B (1956) | 3:05 |
Side two
No. | Title | Chess source | Length |
1. | "School Days" | Chess 1653 A (1957) | 2:40 |
2. | "Rock and Roll Music" | Chess 1671 A (1957) | 2:30 |
3. | "Oh Baby Doll" | Chess 1664 A (1957) | 2:33 |
4. | "Reelin' and Rockin'" | Chess 1683 B (1958) | 3:14 |
5. | "Sweet Little Sixteen" | Chess 1683 A (1958) | 2:55 |
6. | "Johnny B. Goode" | Chess 1691 A (1958) | 2:38 |
7. | "Around and Around" | Chess 1691 B (1958) | 2:35 |
Side three
No. | Title | Chess source | Length |
1. | "Carol" | Chess 1700 A (1958) | 2:46 |
2. | "Beautiful Delilah" | Chess 1697 A (1958) | 2:08 |
3. | "Memphis" | Chess 1729 B (1959) | 2:12 |
4. | "Sweet Little Rock and Roller" | Chess 1709 A (1958) | 2:20 |
5. | "Little Queenie" | Chess 1722 B (1959) | 2:38 |
6. | "Almost Grown" | Chess 1722 A (1959) | 2:19 |
7. | "Back in the U.S.A." | Chess 1729 A (1959) | 2:25 |
Side four
No. | Title | Chess source | Length |
1. | "Let It Rock" | Chess 1747 A (1960) | 1:50 |
2. | "Bye Bye Johnny" | Chess 1754 A (1960) | 2:03 |
3. | "I'm Talking About You" | Chess 1779 A (1961) | 1:48 |
4. | "Come On" | Chess 1799 A (1961) | 1:50 |
5. | "Nadine (Is It You?)" | Chess 1883 A (1964) | 2:30 |
6. | "No Particular Place to Go" | Chess 1898 A (1964) | 2:44 |
7. | "I Want to Be Your Driver" | Chuck Berry in London (1965) | 2:15 |
Suddenly you will notice the track “Come on”, and if you recall there was a hint with this term in very early on in the liner challenge route transposition cipher giving “Come On Four Dot Four Is Right In Front Of You”. Then you notice the track is at Side 4, Track 4.
After a bit more falling through rabbit holes, you will then remember the key and it’s summation equation. Falling down more rabbit holes trying to calculate a valid value.
You may initially try the mathematical calculation 1.1 + 2.2 + 3.3 + 4.4 = 11 and then fail to apply that anywhere. Then looking back at previous solutions you will again remember route transposition cipher had a skull in the middle, and this key is also a skull. Then you will link 4.4 in this summation equation was the “Come on” track. Then you look up 1.1, 2.2, and 3.3.
- 1.1 Maybellene
- 2.2 Rock and Roll Music
- 3.3 Memphis
- 4.4 Come On
Now you may fall down some XOR related rabbit holes but then realize, it’s not summation in the arithmetic sense, but a summation equation (concatenation) of strings giving “MaybelleneRockandRollMusicMemphisComeOn“, now to find where this key may be used.
Mystery Science Theater – A maze of mini challenges
We will now encounter trap after trap laid by Lost, so strap in as things start moving faster.
An y QewpFyyvRqd,
WehjhwpIclpVtme:
Ioqfig oloage.
At this point you’ve probably already visited the mysteryscience.theater site and noticed the cipher text and youtube video of Pump Up The Volume movie.
You will already have fallen down many rabbit holes trying to decipher that cipher text early on, but then gave up and moved on to https://octovigesimal.com/ as we did above. But once you solved that, we obtained quite literally a key, MaybelleneRockandRollMusicMemphisComeOn, and applying the classic Vigenère with that key results in:
On a PaleBlueDot,
WrestleWithThis:
Things change.
Wrestle With This – HTML source
Now we get to http://lostboy.net/PaleBlueDot/WrestleWithThis/
And looking around the page for the end or continuation, you come across the HTML source code
<!DOCTYPE html>
<html>
<head>
<title>Wrestle With This y6nk3z9y</title>
</head>
<body>
<center><br><br><br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/bb68owdlxl8" frameborder="0" allow="accelerometer; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</center>
It's only a tiny problem...
</body>
</html>
<!-- bFNhZ2FuQExv -->
And you notice 2 ciphers. Base64 is often obvious when seen:
bFNhZ2FuQExv == lSagan@Lo
But y6nk3z9y does not appear to be it, then you will notice the wording on the main page “It’s only a tiny problem…”. And apply it as a tinyurl, which leads to:
https://tinyurl.com/y6nk3z9y –> http://lostboy.net/PaleBlueDot/EverythingWasFineWithOurSystem.jpg
Everything Was Fine With Our System – Base64
The car is the 58 Lincoln Continental (AKA Maybellene), so one is fooled into thinking it may link to previous challenges. Looking closely at the taillights you will notice the ciphertext, and it looks like good old base64; on decoding it gives:
TG9zdGJvWSBkb3Qgc2xhc2ggSEhI == LostboY dot slash HHH
At the same time if you look even closer at the image there is another cipher, difficult to see but just below the front windshield on the blue car metal. Base64 again.
U2VuZCBDb3Nt == Send Cosm
HHH – Trivia
Visiting the LostboY dot slash HHH interpreted as http://lostboy.net/HHH/ gives:
Now we are being trolled with the “Close but no cigar” song https://www.youtube.com/watch?v=Mp_ilSL-J_0
At this point you may be stumped but enough Googling leads to a linkage between that video “Concrete blonde” and “Pump Up the Volume” as that’s one of the bands he plays on his radio station, and if you recall we’ve already seen a movie clip of “Pump Up the Volume” back on https://mysteryscience.theater/
Falling down rabbit holes trying new links, you will remember “HHH” above and the main character of Pump Up the Volume’s secret identity is “Happy Harry HardOn”. Trying that as a link https://lostboy.net/HappyHarryHardOn moves us onwards and down further into the maze.
Happy Harry HardOn – Trivia
Visiting https://lostboy.net/HappyHarryHardOn/
Then you will notice F1LZuQ9E4JQ, unfortunately not a base64 string this time. After trying some basic ciphers and making no progress, you just throw it into Google and it turns out to be a Youtube link, maybe a puzzle or maybe not. https://www.youtube.com/watch?v=F1LZuQ9E4JQ (Tina Turner & Chuck Berry – Rock n roll music)
You will notice the message “What a singer! LostboY.net/PaleBlueDot/?”, is another link to figure out, something related to the Ghostbuster song. After enough Googling or just knowing, it turns out that the Ghostbuster theme was actually stolen and Columbia Pictures/Ray Parker Jr. were sued by Huey Lewis (notice that resemblance https://www.youtube.com/watch?v=N6uEMOeDZsA). So the correlation is eventually correct and we make it to https://lostboy.net/PaleBlueDot/HueyLewis/
Huey Lewis – Base64
Another base64 string:
c3Rib1kubmV0 == stboY.net
The End
Solving all the puzzles from the theater, we can bring together the 3x decoded base64 strings. However 1 seems to be missing.
- Send Cosm
- ???
- lSagan@Lo
- stboY.net
But one can guess the message: “Send Cosm”os to Car“lSagan@Lo”“stboY.net”. And when submitting it before the deadline you get a congratulations message as a response.
Update to the end
At email completion we never found the 4th Base64 string. However at the end of DEF CON some others who completed it on Discord pointed out it was in fact on the last Youtube.
Visiting that Youtube video https://www.youtube.com/watch?v=F1LZuQ9E4JQ on harryhardon again and looking at descriptions and comments, if you look at the most recent comments you see “b3MgdG8gQ2Fy”.
b3MgdG8gQ2Fy == os to Car
And there we have it, the challenge is at last truly complete – Send Cosmos to CarlSagan@LostboY.net