
BG - Puzzle Competitions & You - Christopher Lytle

BSides Las Vegas · 38:21 · Published 2017-03
About this talk
BG - Puzzle Competitions & You - Christopher Lytle Breaking Ground BSidesLV 2012 - The Artisan Hotel - July 25, 2012

Check, check. Sound good? All right, cool. I think we're going to get started; it's 4:01, let's do this. So, welcome to Puzzle Competitions and You. Who am I? My name is Chris, I'm a security researcher at Veracode. Since a few of you already asked what team I'm competing on this year: I'm on Mobile Disco. I'm a puzzle aficionado, I've been doing competitions for a few years now, and I organized the... louder? Let me see. Louder? Louder? Louder? That better? Okay, cool. So yeah, what I just said: I'm a security researcher at Veracode, my name's Chris, I compete on the Mobile Disco team, I'm a puzzle aficionado. All these slides, by the way, since they asked this before, are going up after the talk, so don't bother taking notes. I'd like this to be super casual; if you have any questions, just throw your hand up and we can go at it. I'm Mr Toof on Twitter.

So why am I doing this talk? I gave a talk at Bon this year about a classical cryptography suite for Python that I wrote, and people kept asking me, "why would you use this, why do you need to be able to do this faster?" and I kept going back to stories about times I had used this or needed this in a puzzle competition. Also, it's getting to the point where there is some sort of puzzle competition at every conference, be it a badge challenge... I mean, how many people have gone to a conference, opened up the program and seen ciphertext in there somewhere, or some crazy encrypted puzzle crap? It's at every single one nowadays. One of the things that bugs me: I was talking with some of the guys who are doing Mystery Challenge this year out by the pool, and there were a few other guys walking by, and I mentioned the badge challenge, and they said to me, "oh yeah, that looks really cool, but I have no idea how I would do that." That kind of bugs me, because these puzzle competitions are great. I think they're the epitome of hacking: you're sitting down to deconstruct something that's specifically set up to be a fun puzzle that you can deconstruct in a few hours or days, and when people are getting intimidated by them, there's something wrong with that. So what I'm hoping to do is show you some tools and techniques that can get you more involved with this, so you can get going.

So what am I defining as a puzzle competition? Things like the badge challenge, Shmoocon stuff... does anyone not know what I'm talking about when I say puzzle competition? I'm not talking about building Legos faster than somebody else or putting together puzzle pieces or something like that. I'm talking about things like crypto challenges, basically hacker con puzzle challenges. Cool.

Real quick, my balance when I'm playing: I'm going about 50% because I love solving puzzles and 50% because I'm competitive and I want to get things done quickly. There's no point in doing one of these if you're not having fun. If you want to get a black badge so you can pretend you're cooler than somebody else, go get one off eBay, or go do Hacker Jeopardy so you can memorize a bunch of port numbers and win three of them. Cool.

Also, when I'm solving an individual puzzle, there are three things that I focus on about equally. Speed: a lot of these puzzles are being designed by someone for you to beat in a few hours. Everyone here is smart, everyone here can take one of these things home and sit and stare at it for eight hours in their office, but that doesn't help you; you have to be able to get things done quickly. Also, you have to be able to do them correctly. Someone sat down and designed this for you to solve. If you get the answer by random happenstance, or brute luck, or brute forcing it, or stealing it from somebody else, awesome, you get to go on to the next step. But when you go up and say "I'm here to go to the next step" or "I'm here because I beat your puzzle," and they go "cool, how'd you do it?" and you go "uh, I don't know," that doesn't really look good. A lot of people will score you by how fast you get things done and by how well you get things done. And finally, some finesse, some style. You've got to do things with panache. Somebody spent thousands of dollars and hundreds of hours designing something for you to do; if you're not going to have fun with it and make it fun for them too, then there's no reason to do it.

So I'm just going to dive right into some skills you should have and some tools and gear you should have, because we've got a whole lot of disparate skill sets to cover. I'm sorry, but if anyone was coming here expecting me to make you into a crypto ninja or a hardware ninja, you can't do it in 40 minutes. But I'm going to give you some things that can hopefully get you up to speed. So that's about 75% of what went into my bag to bring for Mystery Challenge this year: full soldering kit, gorilla mask, craft supplies, Dremel, full set of Dremel stuff, all sorts of stuff that we're going to talk about.

Right off the bat, I think one of the most important skill sets you can have is being good at classical cryptography, pre-mechanical cryptography, however you want to define it. As someone who's designed puzzles, crypto is great because you can go print out a cipher on a piece of paper for three cents a copy, and there's a step that will occupy people for three or four hours. Also, cracking ciphers is hella fun. One thing that we're looking at here, though, is specifically old-school cryptography. No one's going to ask you to crack by hand something that's AES encrypted or DES encrypted; it can be done, but you have to have really specialized tools set up ahead of time, and unless they've warned you that that's what they're doing, no one's going to do it. So I'm talking about classic ciphers here: Caesar cipher, Vigenère, one-time pads, effing stuff you could do by hand. And as I'll show you in a second, it behooves you to have that automated, because doing them by hand is fun, but taking a sentence and converting the letters to what number they are in the alphabet takes a long-ass time. If you don't have a tool to do that, you're not going to get through the speed section; you're not going to get the puzzle solved in the amount of time that you have at the conference.

Also, history. Frequently there are hints dropped as to what you're dealing with. One of the ones that jumps immediately to mind was in the DBIR puzzle challenge two or three years ago: there were a bunch of clues about le chiffre indéchiffrable, which was a term that was used to describe the Vigenère cipher back in the day, the undecipherable cipher, which it wasn't, and that's a quote out of context, but there you go. If you know your crypto history, you are going to know that. How would I recommend getting good at crypto skills and crypto history? Take a class. Really, go take a class at a university to do this. I know some people don't like me suggesting that, but I've really not found any free, open-source alternative that's better than actually sitting down and having somebody tell you, "okay, you have to crack Vigenère by hand now, go. Here's the history behind it, go. Here's how it works, go. Here are all of these historic attacks that you can use to defeat it." You don't even have to pay for it anymore: Stanford's doing them for free, MIT has one for free, go grab them off iTunes, done.

Now, tools I would recommend for doing cryptography. One of my favorites: the Rumkin crypto suite. It's a website; if you Google "rumkin crypto" it'll pop up right away. It's all nice and Ajax-y, so as you type you're getting real-time feedback. It's one of my favorites for cracking Vigenère. CrypTool is another one; it's written in Java, there's a Windows installer and a Linux installer, not bad. It handles the Solitaire cipher really well, and it does some fantastic visualizations of how ciphers work, especially some early mechanical ones like Enigmas. Israel Torres has two tools, one called Crypto and another one called Decoder Ring; they're fantastic for plowing through a lot of easy ciphers really quickly. I love those; they're one of my go-to tools to just throw things in right away and see if it's anything simple. I have my own Python crypto suite that I've released on GitHub, under tph; it's up there, that's what I'm going to be using for Mystery Challenge this year, feel free to go at it, enjoy. But honestly, the best thing you can do is learn how these ciphers work, get a good scripting language, and write your own. This is not anything hard: we're talking about converting letters to numbers, where A equals 0 and Z equals 25, doing simple math on them, and then converting them back. That's the basis of all 27 of the ciphers that I have in there right now. It's easy; take three hours over a weekend, write your own. You will gain a tremendous understanding of how they work, and that's frankly more useful than me giving you all of these tools.

Next, physical skills. Lockpicking speaks for itself; we're hackers, we like lockpicking. And general fab and prototyping: sometimes you're going to need to drill through something, cut through something, tear something apart in a way such that you want to make it look like you didn't totally destroy it. All about finesse. So tools I would recommend for this: lockpicks. If you can't find lockpicks at a hacker con, you've got a problem; someone you know will have them. But as a pro tip, find someone who's better than you and bribe them. Five guys who ran over and grabbed a set of picks from the fail table is useful, but having one friend who's a really good picker is a lot more useful than having five guys who aren't. General physical tools: always take screwdrivers. A Torx bit will pop up somewhere whenever you don't have a Torx bit; they're one of the most useful things you can have. Bring as many screwdrivers as you possibly can. And drills and saws: power drills are great for taking things apart quick, for getting through stubborn locks, for modifying things, and you can go grab a little piece of bent wire saw from Ace Hardware for like $2. It doesn't matter if the TSA confiscates it or you throw it out on the flight back, but sometimes you need to cut through something, and nothing but a saw will do.

Electronics. I see a lot of hardware hacking in competitions nowadays; it depends which one you're doing, we'll get to that later. But I would really recommend having a knowledge of analog circuits and having soldering skills, or knowing at least one person who's really good at soldering: someone who was an electrical engineer, someone who is a dedicated hardware hacker, not someone who bought a solder-by-numbers kit and put it together once. Because if you're doing a competition and they give you a kit to put together, you have a kit to put together, and if they think they're good because they put together an LED clock one time and they end up frying your microcontroller, you are hosed. And finally, have some microcontroller programming skills. I would really recommend looking at who you're dealing with. If you're, oh, say, competing in a competition where the guy running it worked at Parallax at one point, you should be familiar with Parallax products. If you're dealing with someone who hates Arduinos, go pull up their GitHub page, look at what they've worked on, look at things they've done in the past, and figure out what you're going to be facing. Even if it's something simple like downloading the IDE ahead of time: holy crap, have you tried pulling an FPGA dev environment at Defcon? Anyone? About 8 gigs' worth of ISOs. It sucks.

So tools I would recommend: I bring all my soldering gear, my strippers, pretty much everything I need to solder or desolder or modify any IC, any circuit that I'm given. Multimeters frequently prove useful. I have friends who bring Bus Pirates, logic analyzers, stuff like that. Oscilloscopes: I bring my oscilloscope, I've got it in my bag now, and I've seen them used, but you're starting to get into the realm of stuff that's way too hard to get done over a weekend. If you know how to use them, though, sometimes you can get some useful visualizations out of them. I always bring a small collection of common ICs, common parts that I would need: resistors (I've got a huge-ass bag of resistors), diodes, common ICs like 555s, 450s, stuff like that, that you just need all the time. And my pro tip for this: plan around hardware hacking villages, but also be ready for them not to be there. If you don't know anyone who has a good soldering iron, you can bet there's going to be a pretty decent one at the Hardware Hacking Village. Now, Murphy's Law is going to dictate that the second you need a good soldering iron, the guy who didn't come with anyone, who just wants to sit there and talk to the Hardware Hacking Village staff, is going to be squatting on the only available one, but that's the way it goes. So I would say you can use them to your advantage, but do so cautiously. Also be warned that hardware hacking villages are out in common areas, and if you're ahead of someone, or if you're putting together a circuit that other people aren't supposed to be seeing yet, you're going to have other teams spying on you.

Math skills. I kind of split math into two sets. Traditional math I'm just defining as the math that everyone here got in high school, basically basic algebra up through calculus. It's useful. But also recreational mathematics: it's super fun and you run into it all the time, but not a lot of hackers are good at it. For a field where everyone has "engineer" in their title, a lot of people don't do any math. It's true. What do I mean by recreational mathematics? I consider things like knowing about odd number groups, like one from last year that popped up on the badge challenge: do you know what a no-E sequence is? I know we do now. Yeah, we do now. But something like that. For everyone else, a no-E sequence is numbers that in their English spelling don't have the letter E in their name, so one isn't there, two is, three... no; four is there because there's no E in four. Stuff like that. It's kind of mathematical era stuff that's fun to play with but has almost no practical application, so you don't really get taught much of it in school, and I have a solution for that on the next slide, because that's a really tricky one to learn. And numerology: not the religious aspect of numerology, but being able to spot people doing numbers with patterns in different funky ways. Which really, I should have just said "have good pattern recognition skills," but that's not really... yeah.

So tools I would highly, highly, highly recommend: OEIS is one of my favorite things ever. It's the Online Encyclopedia of Integer Sequences. You take a comma-separated list of integers, throw it into that website, and it will tell you all of the possible things that this could be, all of the weird number sets this could be. It's just the most amazingly useful thing, because there are so many bizarre-ass number groups out there that almost no one knows about, and that will find them for you right quick. positiveinteger.org is another one of my favorites, because you can very quickly just whip a number at it and it will tell you all the information you need to know about that number: it will give you common sets that it's in, it will give you all the divisors, factors, multipliers, things like that, and tell you other interesting information about that single number. Sounds kind of single-use, but sometimes you just really got to know if something's prime or not, and that's easier than finding a prime list, hitting Ctrl-F, searching if it's in... no, screw it, just throw it in there. And finally Wolfram Alpha, the savior of people who don't actually want to do math or pay $700 for a Mathematica license. You've got a big equation you need figured out, whip it into Wolfram Alpha, you'll get all your output showing you it did all of the math. It's an absolutely fantastic search engine; if you haven't played with it, I would highly recommend it, and it also does a pretty decent job at some crypto stuff too.

General skills; this is my catch-all. Google-fu: just be really good at searching for stuff on crypto, because I guarantee you, if someone's designing a puzzle, they're going to spend a lot of hours trying to find something really bizarre and obscure to base their puzzle around that you've probably never heard of. I can see who's done Mystery Challenge in the audience, because I can see you all shaking your heads going "yeah, I had no idea about that," like last year with the eye of Raod divisor thing or stuff like that. All of us are smarter than this; the sum is greater than the whole. Also, familiarity with simple stego, stuff like Jafar and stuff like spectrograms; just be familiar with stego that can be solved rapidly. The Jafar thing is you can append a zip file onto the end of an image. If you haven't seen that, it's because an image file will start reading at the top and read till it hits the footer saying "here's the end," and a zip file starts at the bottom of the file and reads up till it hits the thing saying "here's the end of the file." So literally if you take a zip and cat-append it to an image file, boom, you've just steganographically hidden a whole bunch of crap in an image file. Really easy; I've seen that pop up in more competitions than I can count. The other one, spectrograms: it is possible to pipe a bitmap into an audio file so that when you view the spectrum you can see the image. I've seen that pop up maybe six or seven times, but it's something you should be familiar with. Have Audacity on hand; general tools, Audacity, done.

I hate to say this, but this is basically the "have common sense" slide. Bring your own internet access. You need internet access all the time for this thing, for communicating with people you're working with, to Googling stuff. If you haven't brought your own little mobile AP, you're in deep. Sorry, it's the truth; that is probably the single most important thing you can have on you. We always bring scissors, hot glue, Sharpies, flashlights. Bonus points if you bring filters or have a UV flashlight, because UV is insidious. How many people noticed the UV writing in the program two years ago? One year ago or two years ago. Stuff like that; it's one of those things you just have to have on hand to find stuff like that, and trying to find a UV flashlight at 2 a.m. in Vegas is not fun.

So yeah, those are a few things that I would highly recommend you have some knowledge of. Train up on them outside of the con, and use some of those tools when you're at the con to help speed up your process. And that's a lot of crap; that is way too much stuff for one person to remember. So my solution is easy: I have a team. I love the picture from Leverage, because that is exactly what you need: you need a few people who are experts at what they do. One person who's really good at crypto is better than five people who don't know how to decrypt anything. One person who can pick really good locks is better than five people who can pick a three-pin Kwikset. Specialization, division of labor, is a magical thing. And if you don't have a team, find one. You can either form your own or find an existing team and ask if you can join. A lot of teams will be skeptical about new players joining, but for Mobile Disco we've added, I'd say, a good seven people who we just ran into at the con, who were like, "what you're working on is cool and I think I know what that is, can I come help you with it?" Yeah, by all means, do that. What's the clock look like? Okay, cool, making good time.

Pro tips for your team. Inner-team dynamics for these things can be a little tricky: we've got a lot of type-A personalities who are all very clever and don't like being given orders, and you're all trying to work together to get something done. It wouldn't be a puzzle challenge if you didn't have at least one good fight. One thing I would highly recommend is limiting your team size based on who's actually helping, because when you're working on one of these things, everybody sees it and goes "wow, that's really cool, can I help you with it?" There's a point where you say "yeah, come on," and there's a point where you realize you have 20 to 30 people following you around, and every time you get to the next step it takes you 20 minutes to brief everyone on what you got in the envelope, and you're slowing down. So yeah, I hate to sound like an elitist, but sometimes you need to cull the herd of who's helping you. Some sort of secured chat and/or file distribution system: sneakernets really, really suck. Sometimes you end up getting, oh, I don't know, I think the biggest I got was maybe four gigs' worth of files that we had to plow through and try to find stuff in. Handing a flash drive around the room, waiting for each person to copy 4 gigs when everyone's going "I need it now, I need it now, we've got to be fast, we've got to find the next thing," it becomes a pain in the ass. Have a small dedicated server; at least have one person that you've all agreed not to try to hack, whose laptop can act as a file server for you.

And for God's sake, get a room. It's a con; anyone can go anywhere they want, so if you all decide "we're going to meet in this corner and work on stuff," and someone from another team wants to wander over and watch you work on it, there is not a damn thing you can do about that. You need a base of operations. We always have at least one person staying in the con hotel whose room we can use as a spot to meet up, where we can speak freely, work on whatever we're doing, get people up to speed, just somewhere where we can exchange answers face to face without having to worry about every single person that's walking by. And it really pays off. I mean, one year we were working on Mystery Challenge and somebody said to another person on our team, "don't work on it, Chris has got the answer and he's decrypting the rest of it," and someone from another team came up and pushed me and tried to literally grab my laptop out of my hands. There's no good way to respond to that other than just pulling your laptop away. Even if I backhand them, if some goons walking by see me collapsing the douchebag's airway like I should have... there's no good way to respond to that. I'm sorry, that might have been a little bit strong, but that's what I wanted to do at the time. There's really no good way to respond to that if someone wants to try to do something like that: pushing them away, trying to box them out using other people on your team, there's no real good solution for it. So just have somewhere that you can retreat to, where you can work in private without having to worry about other people. Enough said.

If you have teams, you are going to have social engineering. I'm not really sure how much social engineering actually goes on, based on the fact that it's Defcon, and if you aren't suspicious of every single person who talks to you, you're doing it wrong. But people try it. For the Mystery Challenge coming up, I can probably pull up four or five fake LosT Twitter accounts; I can find you another four or five fake websites pretending to be him, posting all sorts of interesting stuff that's just red herrings and sundry garbage. Feel free to engage in it, but don't be malicious. Another one that comes to mind: there are plenty of ways to DoS some of this stuff. One year there was a radio hidden under a table. It wasn't a very strong transmitter, and anybody who had pretty much a standard ham radio could have played another signal over it, so much so that no one else would have had a receiver capable of reading it, and everyone would have been stuck on that step till the end of the con. If you pull something like that and the people organizing it find out, you're in for a world of hurt, and also you're a horrible person; I'm putting that out there.

Be willing to trade info with other teams. There is a whole social engineering aspect to information trading here, but you should engage in it. At the end of the day it's a puzzle, but it's a game; it's a competition, but it's a game. If you're not having fun with it, like I said before, there's really no reason to be doing it. Sometimes you get stuck; sometimes you're not looking at something in the right way, you don't have the right tools, whatever. You should be willing to go talk with other teams and trade information with them to try to get yourself unstuck, because if you're stuck, you're not having fun, you're getting frustrated, and you paid a whole bunch of money to fly out to Vegas to sit in a hotel room and be angry? No, doesn't make sense. At the very least, one thing I would recommend is trying to monitor what other teams are doing. If you know some team is doing well, have somebody watch them. Have somebody stay in wherever the contest area is; if there's some place where you need to turn in answers physically, have someone there watching it so that you can at least say "okay, cool, we saw team X go up and turn this in and get the next step, it's a big black box," or something like that. Having somebody just running some really basic recon on the other teams is the very least you should be doing.

Some additional tips that I would like to give you. Always thank the guy running it. Like I said before, somebody took a whole lot of their money, even if it was conference money, and a whole hell of a lot of their time to make a game for you, a one-time-use, non-recyclable game for you to come and play and have a good time. Just go say thank you; just be a decent human being. Know your enemy. I'd say this applies to both teams and whoever you're competing against. Like I said before when I made the Parallax comparison: look at what someone does in their free time, what they've done in past challenges if they are a serial puzzle competition runner, and know what they're going to be bringing to the table. Know what their favorite ciphers are to use; know what their favorite obscure pop culture references are that are going to get thrown at you all day. Also know the other teams. Know which team has a bunch of jerks on it, so you can not have your laptop grabbed from you. Know which teams are going to come over and go "oh hey, here's some random crap hardware that I bought at the dollar store, LosT told me to give this to you," or "the guy running the puzzle competition asked me to give you this envelope with some neato information about emailing some random..." whatever. It's all stuff that I've had happen before. Just know who you're dealing with. Also know the people who are going to smile and lie straight to your face; it happens all the time. I wouldn't call it social engineering so much as some people will be on your team and then lie to take information elsewhere and screw you over. Not really social engineering so much as just straight-out lying. So yeah, be warned; people will do whatever.

And finally, know when to walk away. A lot of game designers don't know anything about security, and a lot of security people don't know anything about game design. I was doing a puzzle a while back, and we were trying to get to the next step, and we had an envelope full of just cut-out paper, and every piece had a number on it and a letter, and we couldn't solve it for like two days. This was just a kind of ongoing, however-long-it-takes-you-to-solve-it thing. After like two days of looking at it, we were just like, "you know what, we can't solve this, screw it, we'll just give up." I ran into the guy who had kind of put it together later and asked him what the deal with it was. He's like, "oh, I had this whole 108-character sentence, so I printed it out and I chopped it all up and put all the letters in there, so it's like an anagram you had to solve, but I figured that would be too easy, so I put an additional 108 letters in there, and the numbers have nothing to do with anything, that was just another red herring, and I cut all the edges to be random shapes so you couldn't try to piece it back together." That is a crappy, crappy, crappy puzzle that there's no way to solve; you can brute force it and get a million different answers for that. Know when to say, "you know what, this isn't a very well-designed puzzle, I've seen a few things that show that you have no idea what you're doing," and just walk away. Do you have a question? Oh, sorry, I thought I saw a hand up.

So that being said, if you find this interesting, or you would like to see this from the point of view of someone who has built a lot more puzzles than me, LosT himself is giving a talk tomorrow at 4:00 called "Hacking the Hackers: How Firm Is Your Foundation," and after I read the description of it, it sounds like it's going to be the same thing as this but with a little more focus on individual skills. I would highly recommend that anyone who finds this interesting attend. And if you're wondering, "oh hey, this sounds interesting, I haven't done any of this before and I'd like to get involved," take a crack at the badge challenge this year. There is a badge challenge again this year, it's been confirmed, and if anyone's doing Mystery Challenge, solving the badge challenge will get you past a step, apparently. So yeah, I know, it was cake, right? Yeah. But by all means, if you're looking for something to do, there's going to be all kinds of stuff hidden in the badge that you can take a crack at. Last year there were all sorts of teams of people who just met in the hallway, popping up and trying to work on these, so take a peek around; you'll be able to find someone working on it if you don't have a team already. So that being said, any questions? Anyone? Yeah, it can be kind of daunting, but in the end it's usually something that's pretty simple. A lot of the challenges I've done have been things where you look at it and go, "I have no idea how to do this," and then when you get to the next step you're like, "oh man, that was really easy, we should have seen that all along." But yeah, it's definitely a lot of stuff to take in. I hope those tool recommendations will at least help people who are interested in doing the badge challenge or any other thing this year.

Question: how much of the con does it take? It entirely depends on the puzzle, who's running it, and how much free time they want you to have. A lot of the time the people running it will start dropping hints so that they can move you along at a speed that they like; they know how much stuff has to get done in a set amount of time, and so they're going to start handing you more and more revealing hints as you get towards the time when they think you should be done with a given step or a given puzzle. In the case of something like the badge challenge, you can maybe beat it in a few hours. With something like Mystery Challenge, that's what I'm going to be spending most of the conference on; aside from a few parties at night, that's what I'm going to be doing.

Yes? How long have I been doing them? More or less forever. For competitive ones at conferences, literally the first year that I showed up at a conference, which was maybe five years ago, the people who I hang out with in Chicago just do competitive puzzles, so right from the first con I went to, they're like, "by the way, everybody you know here is doing this, so why not jump in?" As for how many I've done: I've done Shmoocon two or three times, I've been on the team for Mystery Challenge four times, I've done a number of badge challenges, a number of G. Mark's crypto contests (I think I worked on one or two of them that were at Defcon and a few of the other ones that he did, maybe three of them that he did at Shmoocon), and that's just the stuff that springs to mind. I'm on level fifty-something on Notpron, if you've done that, even though that doesn't really count as much, and I've beaten all the M games through four, when they just started getting crappy.

Question: how much have we seen some of these used for malware obfuscation? Yeah, some of these techniques are really simple and really lightweight, so you could apply them to disguise code very easily. I don't do malware analysis myself, so any numbers I could give you would be speculation. I would assume people are doing it because it's so simple and lightweight; it's a lot easier than trying to haul in some heavy-duty encryption algorithm and hide a key somewhere. But yeah. I see a question in the back somewhere? No? All right, well, I believe that is it for what I have. Thank you everyone for attending.
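The letters-to-numbers approach the talk recommends for writing your own cipher tools, as an added example that is not the speaker's own suite: Vigenère (Caesar is the one-letter case) plus the classic per-column frequency attack. It assumes the key length is already known and uses a constructed plaintext and the key "CODE".

```python
# Added example (not the speaker's crypto suite): classical ciphers as
# letters -> numbers -> simple math -> letters, plus key recovery by
# frequency analysis. Key length is assumed known.
from string import ascii_uppercase as ALPHABET

# Relative frequency (percent) of each letter in typical English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def to_numbers(text):
    """Drop non-letters and map A..Z to 0..25."""
    return [ord(c) - ord("A") for c in text.upper() if c in ALPHABET]


def to_letters(numbers):
    """Map integers back to letters; the modulo also wraps negative values."""
    return "".join(ALPHABET[n % 26] for n in numbers)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (mod 26).

    A one-letter key is a Caesar cipher; a longer key repeats over the text.
    """
    shifts = to_numbers(key)
    if not shifts:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    return to_letters(
        n + sign * shifts[i % len(shifts)]
        for i, n in enumerate(to_numbers(text))
    )


def chi_squared(letters):
    """Distance of a letter sample from English frequencies (lower = more English-like)."""
    n = len(letters)
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (letters.count(c) - expected) ** 2 / expected
    return total


def recover_key(ciphertext, key_length):
    """Recover a Vigenere key of known length from ciphertext alone.

    Every key_length-th letter was shifted by the same key letter, so each
    column is a Caesar cipher: try all 26 shifts and keep the one whose
    output looks most like English.
    """
    letters = to_letters(to_numbers(ciphertext))
    key = ""
    for pos in range(key_length):
        column = to_numbers(letters[pos::key_length])
        best = min(
            range(26),
            key=lambda s: chi_squared(to_letters(n - s for n in column)),
        )
        key += ALPHABET[best]
    return key


# Constructed plaintext for the demo (not text from the talk).
SAMPLE = (
    "Puzzle competitions turn up at nearly every hacker conference these "
    "days. Somebody prints a cipher on a sheet of paper for a few cents a "
    "copy, and that single step keeps a room full of clever people busy "
    "for hours. The classic ciphers you will meet are the ones you could "
    "work by hand with a pencil, but a short script that maps letters to "
    "numbers, does the arithmetic, and maps them back again will carry you "
    "through the speed round long before the team at the next table has "
    "finished counting letters on a napkin. Write your own tools and you "
    "will understand exactly why the historic attacks work, which is worth "
    "far more than any list of web sites. Once the letters are numbers, a "
    "shift becomes addition, a keyword becomes a repeating pattern of "
    "shifts, and frequency analysis becomes counting."
)
KEY = "CODE"


def demo():
    """Encrypt the sample, then recover key and plaintext from the ciphertext."""
    ciphertext = vigenere(SAMPLE, KEY)
    found = recover_key(ciphertext, len(KEY))
    return ciphertext, found, vigenere(ciphertext, found, decrypt=True)


if __name__ == "__main__":
    ct, found, pt = demo()
    print(ct[:40], found, pt[:40])
```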
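The zip-appended-to-an-image trick described under stego, seen from the detection side; an added example with constructed sample data, not material from the talk. It walks the PNG chunk list to find where a viewer stops reading, reports any trailing bytes, and then lets Python's zipfile locate the archive from the end-of-central-directory record, the bottom-up read the speaker describes.

```python
# Added example (constructed data, not a file from the talk): find a ZIP
# archive appended after an image's end-of-file marker.
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory signature


def image_end(data):
    """Offset where an image decoder stops reading, or None if not PNG/JPEG.

    PNG: walk the chunk list (length, type, body, CRC) until IEND.
    JPEG: first EOI marker after the start-of-image marker (a first look;
    embedded thumbnails can carry their own EOI).
    """
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4 length + 4 type + body + 4 CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI, len(JPEG_SOI))
        return None if eoi < 0 else eoi + len(JPEG_EOI)
    return None


def inspect_image(data):
    """Report bytes past the image end and, if they form a ZIP, its member names.

    A zip reader looks for the end-of-central-directory record from the
    bottom of the file, which is why image + zip still opens as an archive;
    zipfile adjusts its offsets for the prepended image bytes.
    """
    end = image_end(data)
    report = {"image_end": end, "trailing_bytes": 0, "zip_members": None}
    if end is None:
        return report
    report["trailing_bytes"] = len(data) - end
    if report["trailing_bytes"] and ZIP_EOCD in data[end:]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                report["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return report


def png_chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png():
    """A valid 1x1 8-bit greyscale PNG built in memory (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def png_with_appended_zip():
    """Constructed sample: the tiny PNG with a small ZIP cat-appended after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hidden/flag.txt", "constructed sample payload")
    return tiny_png() + buf.getvalue()


if __name__ == "__main__":
    print(inspect_image(tiny_png()))
    print(inspect_image(png_with_appended_zip()))
```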