Thursday 19 March 2020

Puzzles and security - a synergistic relationship?

Apparently, human beings are hard-wired to detect patterns. Sometimes this is good, but sometimes it can be too effective, or misleading, or subject-to-multiple-interpretations... A cynic might rewrite it as:

Humans are hard-wired to detect patterns, even when the patterns aren't there...

Patterns are very important in security, or, to put it another way: the hiding of patterns is often very important in security. Encryption is a good example of a way of hiding the patterns of ASCII-encoded text data and making them look slightly more noise-like. 'Obfuscation' is that wonderful word for hiding something in plain sight. I always remember something that was drilled into me when I worked on audio encoding:

The better the coding scheme, the more the output looks like noise.

And this hooks very nicely into the way that people use entropy as a way to find encoded data - plain program code has low entropy, but encrypted passwords (or other important/valuable data) have high entropy. So scanning code for high entropy sections would seem to be a good way of finding interesting encrypted data...

Unfortunately, one of the obvious things to do when you start to protect data with encryption is to hide it in similar data. Encryption is not the only way to increase the entropy of program code, of course, just applying a simple compression scheme would also work. This 'one action leads to a corresponding follow-up action, which then leads to another action...' is the 'climbing a ladder' escalation analogy that can be used to model all sorts of interchanges. 
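
The entropy scan that the last three paragraphs describe, as an added example that is not part of the original post: it measures Shannon entropy for plain, compressed and (toy-)encrypted bytes, then walks a constructed buffer with a sliding window to flag the high-entropy section, and shows that compression alone lifts the entropy of text as well. The sample sentences, the SHA-256 counter keystream used as a stand-in for real encryption, and the 6.5 bits/byte threshold are my own assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is the same, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for encryption: XOR with a SHA-256 counter keystream, so the sample is
    reproducible. Not a real cipher; it only has to make the bytes look noise-like."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def high_entropy_windows(data: bytes, window: int = 256, step: int = 128,
                         threshold: float = 6.5) -> list:
    """Start offsets of sliding windows whose entropy exceeds the threshold: the check a
    scanner runs to find encrypted or compressed sections inside otherwise plain data."""
    last_start = max(0, len(data) - window)
    return [off for off in range(0, last_start + 1, step)
            if shannon_entropy(data[off:off + window]) > threshold]


# Constructed sample: repetitive plain text with an 'encrypted' blob in the middle.
PLAIN = b"Humans are hard-wired to detect patterns, even when the patterns aren't there. " * 8
SECRET = b"badge answer: Nullcon 2020, sum of bases = 42. " * 6
ENCRYPTED = keystream_xor(SECRET, b"constructed-key")
COMPRESSED = zlib.compress(SECRET, 9)   # compression alone also pushes the entropy up
SAMPLE = PLAIN + ENCRYPTED + PLAIN

if __name__ == "__main__":
    for label, blob in (("plain", SECRET), ("compressed", COMPRESSED), ("encrypted", ENCRYPTED)):
        print(f"{label:10s} {shannon_entropy(blob):.2f} bits/byte over {len(blob)} bytes")
    print("high-entropy windows start at:", high_entropy_windows(SAMPLE))
```

The windows that straddle the boundary between text and blob score in between, which is why scanners report a threshold crossing rather than an exact boundary.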

Puzzles are interesting because they can train you to look at problems in many different ways, and to break assumptions - one of the other things that humans are very good at is making assumptions, of course.

So, let's look at one of the puzzles on the Nullcon 2020 badge (and the answers), and see how it encourages potential puzzle solvers (like security analysts and cryptographers) to think laterally.

Here's what part of the top of the badge looks like:


 (There's something about the look of 'fluorescent green plastic' that makes it appear super-cool!)

Puzzle setters like myself know that there are clues that give away typical encodings that are used for text, so any numbers between 46 and 122 (decimal) would tend to suggest an ASCII encoding (A-z, plus 0-9 plus '.' and '/'), which would be confirmed by having lots of '32's indicating spaces. In this case, the initial number is '00', which is deliberate misdirection, and is based on people initially looking at the beginning and ending of sequences - putting the 32 mid-sequence kind of hides it amongst the other numbers.

So the '00' is hopefully going to cause some people to immediately reject this as being ASCII-encoded text, but then if they look closer, they will see the '32' and note that all the other numbers are between 48 and 122... Which means that it probably is ASCII-encoded text, but that the first character is different or special in some way. One thought at this point might be that this is an index: the first piece of encoded text might be preceded by a zero, and so other encoded text would then be examined to see if the initial numbers were 01, 02, 03, etc. But the other number puzzles on the badge do not follow this sequence (so one obfuscation method that a puzzle setter could potentially use would be to deliberately offset ASCII-encoded text so that the first number is an ascending index or offset...) and so there must be something else about the number '00'. Looking it up on an ASCII table quickly reveals the secret: 00 is the decimal number that represents the archaic non-printing 'NULL' character, and given the name of the conference for this badge (Nullcon!), it is obvious that the Null character is being used to replace four ASCII numbers with a single shortcut number!

One can imagine a puzzle setter who exploits this to encode other words with appropriately similar extensions using the ASCII characters outside of the ./A-z, 0-9 (46-122) range. If the fictional conference called 'DevCan' wanted a badge, then this could be encoded with 127 (character for 'DEL' (delete)), then 08 ('backspace'), then 11 ('VT' (vertical tab)), then 08 ('backspace') again, then 24 (character for 'CAN' (cancel)), each backspace deleting the last letter of the control-character name before it, so that DEL becomes 'De' and VT becomes 'v'. Thus giving 127 08 11 08 24 for encoding DevCan. That 127 is a dead giveaway, so I suspect that the hex versions would be used instead: 7F 08 0B 08 18.

For Hex-encoded ASCII, then the numbers that people look for are 2E to 7B (./0-9A-z), so those two 08s and the 18 are good misdirection!

If the puzzle solver approaches things from the opposite end of the sequence (often a good technique to try), then the last four numbers are all inside the 0-9 range of 48-57 (decimal), and so are obviously numbers. Decoding them to '2020' is another strong clue that this is ASCII-encoded text.

Finally, there's the 32, which is like a waving red flag to anyone who is looking for ASCII-encoded text! One approach that a puzzler might take would be to replace this with another character: 00 (Null) being one candidate. But in this case, 00 is already used, so another character would be used. Using 00 (Null) as a replacement character for 'Space' might be something that a specific puzzle setter has used previously, of course, and so knowing who set the puzzle might be useful. Conversely, puzzle setters might strive to avoid using the same obfuscation methods more than once.

One difference between a puzzle and real world decoding is that puzzle setters like to give clues. The 32 in the middle of this sequence is one example, but for a conference called Nullcon, with a badge that has the word 'Nullconium' as well as 'Nullcon' written in a weird 'falling-over' books font, then there are lots of pointers to 'Nullcon' being a likely candidate for some encoded text on the badge - especially given the 'Periodic Table tile' / 'Top Trumps card' metaphor of the badge design.

If you have read this far, then you should now have had a glimpse of how puzzles like the Nullcon badge can encourage you to take an oblique look at problems, and thus may help you to solve your next challenge in an inventive and unusual way. And the world definitely needs novel solutions!

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


Friday 13 March 2020

Nullcon 2020 Conference Badge Answers

The Nullcon Goa 2020 Conference Badge is a meta-puzzle. There is lots of data all over it, and it obviously has some meaning, but it isn't the usual 'little bit of manufacturer metadata in the corner' stuff, or even a Verhoeff checksum. At a security conference there is almost no need to have any further instructions - the badge is intrinsically a challenge to people whose modus operandi is to question everything.

Of course, it might all mean nothing. Unless someone published the answers. If you don't want to know what all that data means, then stop reading now and click away (Try this as a distraction!). If you carry on reading, then welcome down the rabbit hole!

The badge was laser etched onto clear plastic (now this is tricky - I'm not sure if that gorgeous green/orange plastic is 'clear' or 'transparent' - language is an impressively imprecise communication medium!). The design was produced as a DXF file, and has two slots for the lanyard, plus three other holes/circles (manufacturing detail!). There are more than twenty interconnected puzzles (hence the word: meta-puzzle) on the badge, and it looks very cool!

(In the graphics that follow, I have deliberately left room around the central area so that when you print out this blog, there is plenty of room for notes and calculations...)

The first thing that you probably notice is the central 'tile', which looks like an entry in an alternative Periodic Table - or maybe one from a different universe (paywall) in the multiverse (not paywalled), where the elements are slightly different... A Google search for Nullconium doesn't reveal much, and assuming that it is a Latin word is satisfyingly self-referential. 'Nu' isn't an abbreviation for any element, either. (Link to useful list for puzzle designers) Atomic numbers as high as 2000 are way beyond current physics, and 2000+ fails as an atomic number because it isn't unique. The mass number of 20.167 is all wrong as well - it should be larger than the atomic number! At this point, it should be clear that this isn't a tile for an element - but an eye-catching device to grab your attention.

Warning: if you don't want to know, stop reading now!

The Answers!

The 2000+ is a reference to one of the many year numbering systems that are in use around the world. In the Gregorian Calendar, the current year is 2020, the 20th year of the 21st century. So the 2000 is a hint, and the 20.167 is 20 years, plus .167 of a year, which is meant to be the elapsed part of the year to the beginning of March when Nullcon Goa 2020 started. The 1st of March is day 54 out of 365, which is 0.147, so Nullcon obviously started after that... Day 61 is the 8th of March, which is the day after the last day of the conference. Nullconium thus appears to have the unusual property that the mass number of its most stable isotope increases over the course of a year, then resets, increments and continues to rise: two concatenated sawtooth waveforms...

The green holes/circles allow a 20-sided regular icosagon to be drawn, which is unlikely to be very useful in most security-related areas, but it is interesting that it is another occurrence of '20'... This also highlights an interesting security consideration: the green layer has been interpreted by the badge manufacturer as the 'holes/drill layer' and so they have cut or drilled holes at those points (and probably wondered why I didn't put targets instead of circles!). But I forgot this, and so added the green '+' sign to the middle hole as an extra clue (as it says in the diagram above). I should have moved the green cross to another layer so that it got laser-etched and would be visible...

Of course, a security-minded person quickly realises that this is a classic potential vulnerability - the designer made a mistake that is subtle and hard to spot, but which may have consequences that the designer wasn't anticipating. In my case, a clue was missing and the diagram above highlights this! This type of vulnerability is not restricted to DXF files, of course: any place where two things are affected when only one was supposed to be, or where the coder assumes that two things are related when they shouldn't be, crops up in all sorts of coding situations. A bug like this is very hard to spot because people are very good at seeing patterns and associating things as groups - and in this case, this is exactly wrong - the hole and the '+' symbol should definitely be on two different layers. For a security analyst, this gives a clue to how to find this type of potential vulnerability: look for things that are out of context, exceptions or variations, or where multiple similar things happen at once - you can almost guarantee that a copy/paste/modify will have been done wrong, or that one or more references or paths or pointers will be wrong. People are very good at making this type of mistake, and very bad at spotting their mistake. Hiding in plain sight!

On the lowest edge of the badge are what look like books on a book-shelf, with some of them falling over. You either see it immediately, or else you suddenly can see it when it is pointed out to you - a binary visual interpretation. Once seen, you can't un-see it! These spell 'Nullcon' in a rather arcane way, but serve as a clue to some of the other numbers around the edge... I always try to include hints and pointers to things to get people started...

Having said this about leaving clues: the two holes for the lanyard do not have any significance (and 'lanyard-puzzles' are another related class of meta-puzzle!). This is probably the most difficult challenge on the badge. As in many security-related investigations, the hardest problem to solve is one that is not a problem with an answer!

The 'book-shelf' clue leads nicely into the data around the top edges. From the left, clockwise, these get gradually more difficult. CLLNNOU is just the letters in 'Nullcon' sorted alphabetically, which leads to 3522143: take the alphabetical positions of the letters in CLLNNOU (1223345), rearrange them to spell NULLCON (3522143), and then reverse the order. Over on the right hand side, 1876^2 + 2767 gives a result of 3,522,143, which is the non-reversed order of the letters of a sorted Nullcon.
The long row of two digit numbers at the top of the badge is just Nullcon 2020 in 'ASCII', but using character 00 with its meaning of 'Null' instead of spelling out 'NULL' as 78, 85, 76, 76. So not quite normal ASCII... But the inclusion of 2020 is also a clue for the other two sets of numbers. 04 08 04 00 is meant to look like ASCII, but is actually a number: 4,080,400, which is 2020^2, and 4080400 is the same 2020^2 again, but this time shown without commas. At this point, you are probably thinking that 'Nullcon' and '2020' seem to be the answers to the challenges, but this is not true for all of the challenges...

Underneath the 'tile', there are four rows of numbers and symbols. In general, the numbers are numbers, whilst the symbols are used to indicate the number base that has been used to express the number. So the top left number of 3744 is to the left of an octagon, and turns out to be 2020 in octal (base 8), even with a typo in the diagram! (The missing '4' - which is not missing for any reason other than a typo!) The 011 111 100 100 to the right is also in octal, but binary octal (which is octal expressed in binary form!): '011' is 3, '111' is 7, etc. 

The next row has what looks like binary again, because it is! The '\' symbol indicates binary just as the octagon indicates base 8. I did consider using Unary (base 1), where no symbol at all indicates zero, a single 1 represents 1, 11 is 2, 111 is 3, 1111 is 4, and so on, but decided that having 2020 1's in a row was going to be difficult to count! By using the '\' symbol as a clue that the base changes, the four pentagons indicate base 20, which is slightly outside most people's experience. Anyway, 510 is 2020 in base 20, which looks like there's some interesting patterning going on, and I'm sure that Numberphile et al on YouTube have covered this... (I'm reasonably sure, but didn't search too hard for it...) 

The next row down has base 5, base 18 (well outside my usual path!) and what looks like it might be an ethernet address... Well, it is, for the Tsinghua University in Beijing, China, but this is base 10: decimal, and those dots are shorthand for 'multiply'. So it means 101 x 5 x 2 x 2 = 2020. I'm very fond of giving you a repeated pattern and then suddenly jumping to something entirely different. Lulling you into a false sense of security, as they say!

Now that the context switch has happened, the final row is in base 10 (decimal), then hex (base 16) and then hex again. 45^2 - 5 = 2020, which is interesting, and 7E4 does look like hex, but it's just a straight conversion from 2020. D^2 - B1 is just hex arithmetic to try and test your agility.  

At this point, you might think you were finished. But there is one final puzzle - the numbers on the right hand side...

26, 20, 9 and 0 aren't ASCII, and they don't seem to be 2020 in any base. So what are they? If you replace the values in the rows with the number bases that are used, then you just get a grid of numbers. But if you add them up (clue is the + in front of the numbers on the right) then you get a very special number: 42. (42 is special in lots of ways!) I didn't use the Catalan 5-significance of 42 in this meta-puzzle - that would be for a maths conference, not a security conference...

Finally, after all of those 'Nullcon's and '2020's, we get to a different special number: '42'. Yay!

(It would have been boring if that was a 2020 as well, wouldn't it? Of course, 48.0952381..... x 42 is 2020, but that's another story.)

I hope you found the 42. If not, you now know how to find it!
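
The encodings explained above, checked in code as an added example (not part of the original posts): the 00-for-NULL decoding of the top row, the letter-rank trick behind 3522143, 2020 rendered in each base used under the tile, and the row sums that reach 42. The exact codes of the top row, the binary, base-5 and base-18 strings, and the reading of each '+' number as the amount that tops its row's bases up to 42 are my reconstruction from the description; the post prints the last hex cell as D^2 - B1, and the code uses D^3 - B1 because only the cube evaluates to 0x7E4 (0xD^3 = 0x895, and 0x895 - 0xB1 = 0x7E4).

```python
import math
import re
from string import digits, ascii_uppercase

DIGITS = digits + ascii_uppercase  # '0'..'9' then 'A'..'Z': digit symbols for bases up to 36

def to_base(n: int, base: int) -> str:
    """Render a non-negative integer in the given base (2..36)."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base out of range")
    out = ""
    while n or not out:          # always emit at least one digit
        n, r = divmod(n, base)
        out = DIGITS[r] + out
    return out

def binary_octal(n: int) -> str:
    """Octal digits each written as a 3-bit group, the '011 111 100 100' form on the badge."""
    return " ".join(format(int(d), "03b") for d in to_base(n, 8))

def decode_null_ascii(codes) -> str:
    """Decimal ASCII codes where 00 stands for the word NULL rather than the NUL character."""
    return "".join("NULL" if c == 0 else chr(c) for c in codes)

def letter_ranks(word: str) -> str:
    """Each letter's rank among the word's distinct letters in alphabetical order (C=1, L=2, ...)."""
    order = {ch: i + 1 for i, ch in enumerate(sorted(set(word)))}
    return "".join(str(order[ch]) for ch in word)

def badge_value(text: str, base: int) -> int:
    """Evaluate one grid cell as printed: spaced 3-bit groups are binary octal, dots mean
    multiply, and 'a^p - b' is arithmetic with a and b written in the cell's base."""
    if " " in text and "-" not in text:
        return int("".join(text.split()), 2)
    if "." in text:
        return math.prod(int(part, base) for part in text.split("."))
    m = re.fullmatch(r"(\w+)\^(\d+) - (\w+)", text)
    if m:
        return int(m[1], base) ** int(m[2]) - int(m[3], base)
    return int(text, base)

# The grid under the tile, reconstructed from the post: (cell as printed, base) per row,
# then the '+' number printed on that row's right. The binary, base-5 and base-18 strings
# are my renderings of 2020; the post prints the last cell as D^2 - B1 (see lead-in).
BADGE_GRID = [
    ([("3744", 8), ("011 111 100 100", 8)], 26),
    ([("11111100100", 2), ("510", 20)], 20),
    ([("31040", 5), ("644", 18), ("101.5.2.2", 10)], 9),
    ([("45^2 - 5", 10), ("7E4", 16), ("D^3 - B1", 16)], 0),
]

def all_cells_are_2020() -> bool:
    return all(badge_value(t, b) == 2020 for cells, _ in BADGE_GRID for t, b in cells)

def row_totals() -> list:   # bases used in each row, summed, plus that row's '+' number
    return [sum(b for _, b in cells) + plus for cells, plus in BADGE_GRID]

if __name__ == "__main__":
    print(decode_null_ascii([0, 99, 111, 110, 32, 50, 48, 50, 48]), letter_ranks("NULLCON"))
    print(all_cells_are_2020(), row_totals())
```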

And a summary!

---

More...

To find the first part of this post on the Nullcon badge, visit this page...

If you want more depth about one of the challenges above, then please visit this page...

---

I would like to thank the wonderful people at Payatu Technologies, who organise Nullcon, for great conferences (hardware.io, for example), and for asking me to do this badge design for Nullcon Goa 2020. 

---

If you find my writing helpful, informative or entertaining, then please consider visiting this link for my Synthesizerwriter alias (I write several blogs, and it makes sense to only have one donation page!):

Sunday 1 March 2020

Nullcon 2020 Conference Badge

One of my many sidelines is creating meta-puzzles, as popularised by Cliff Johnson back in the 1980s. If you have never immersed yourself in an experience like The Fool's Errand, then meta puzzles are hard to describe. Suffice it to say that myself and a colleague spent far too much time trying to solve the inter-related puzzles contained inside.

Since then, I've done my own homages to Cliff in the form of 'Wall Games'. These are puzzles on pieces of A4 paper: blu-tacked to the wall at Christmas parties, conferences like hardwear.io, the waiting areas for escape rooms, and various other places. Sometimes the puzzles are hard (some of the hardwear.io wall game puzzles required writing code to solve them!) and sometimes they are easy, and I try to not repeat the same idea twice. But the key concept is that everything is interlinked.


The Nullcon 2020 conference badge is another variation on the same idea. There are a number of hidden references on the badge, and your task is to decode them. Nothing on the badge is there by accident - everything has a meaning. Some of the puzzles are numerical, some are word-related, some are conceptual, and some are graphical. The only clues that you get are the badge, and the conference title.

Oh yes, and I have always loved the way that transparent green and orange plastic looks when laser-printed! For an even more amazing 'spirit level' experience, try putting fluorescein in water...

After the conference has finished, I will post the answers here on this blog, in case you missed the reveal at the conference...

---

I also publish a couple of other blogs. One of them is devoted to detailed technical explorations of hi-tech electronic music. Sometimes it does stray onto other topics - like a very popular post that reveals how to store text on Dropbox using zero bytes from your storage allocation...

---

The title of this blog is a kind of meta puzzle as well. There's a very easy way to remember how to spell it...

---

And the answers to the badge challenges? They are here...

---


If you find my writing helpful, informative or entertaining, then please consider visiting this link:
