 Hello and welcome to Cracking Cicada 3301, the future of collaborative puzzle solving. I'm Puck and today we're going to be giving you a brief introduction to the Cicada 3301 puzzles and then we're going to be talking about how our community, Cicada Solvers, about 7,000 people on Discord is working together to solve this. So to get the obvious question out of the way, what is Cicada 3301 and who are we? Cicada 3301 is a pretty like mysterious group. There's a lot of talks about that. So there are basically a mysterious international organization as they have called themselves that has released a, that has released three increasingly difficult cryptographic puzzles. The first one was in 2012 which went solved, 2013 solved and 2014 which the current step of a 58 page book of runes called Liber Primus which has gone unsolved. Only two pages of which have been solved which is right away and the 56 other ones have stumped solvers for nine years now. And for who those solvers are, we tend to flock to like this main hub called Cicada Solvers. It's a Discord server and it expands elsewhere into like reddits and stuff like that. But the main hub is the Cicada solvers Discord server. It's got about 7,000 people and it's the main group of people interested in the Cicada 3301 puzzles. All of us are from this group. I am Puck. I kind of take the role of the community organizer. I've been here since about 2019 and like been organizing these things called voice sessions which we'll touch on later since 2020. And I'll hand it over to Taiwo here. Hi, I'm Taiwo. I take more of a technical role in the community. I do things like tool creation of tools but also kind of server administration technical things like that. And also kind of like a higher level role of sort of community direction. Things along those lines. I have been in the community since 2013. So since kind of before the most recent stage but not really since the beginning but still for a considerable length of time. And it definitely feels like it. I found great inspiration from these puzzles. I've grown significantly constantly humbled by them even after solutions were coming out. And that's kind of my main motivation to sort of introduce the puzzles to new people and to have others grow and just grow as I have grown. That's kind of my primary inspiration. Also if we manage to solve the unsolved step, that'd be just a sweet bonus. I'm handing it over to Clockwork. Hello, I am the Clockwork Bird. My job is community engagement. Part of what I do is I am almost like a tour guide of the interactive museum that is solvers. What I like to do is I like to host those voice sessions. I also, in addition to hosting things like technical solving sessions, I like to talk about the art, literature, and the philosophy that have been utilized throughout the puzzle. My background is in anthropology. Specifically I have an interest in ethnographic work. So Cicada has been an opportunity to see a digital community and see ways that we can build engagement and bring together people with different technical skill sets and different skill levels and all have to collaborate in the same place on the same thing and have the same level of fun. I'm going to pass it off to my buddy, Ari. What's up, nerds? I hope everybody is enjoying and is very excited for DEF CON 31. I know that we all are. My name is Artorius. Thank you, thank you. My name is Artorius. I consider myself something of an archivist of the Cicada 3301 phenomenon. I created a website called cicadasolvers.com, which is essentially intended to be an improvement upon the uncovering Cicada wikia. Additionally, along with my co-speakers here, we run a podcast called Cicada Cast. This is intended to be an educational exploration of all things Cicada 3301. I also moderate the R Cicada subreddit, which has 30,000 members. In addition to the Cicada Solvers Discord, which has about 7,000 members. That's about it for my introduction. So now back to Puck. All right. So what a lot of people have heard about Cicada 3301 is just a matter of misconception. So we figured might as well just clear all that out of the way in case any of you guys have heard anything. So on social media, especially YouTube, you see a lot of fake puzzles, which might sound quite strange because 3301, the group behind these, has literally given PGP like you can verify that something is from them and people still make fake puzzles and like try to, I don't really know why people just like try to like game jack Cicada 3301 and like they do cryptocurrency scams. So if you see that, do not fall for it. They are not Cicada. And also the news where you guys see that especially back in like 2012 when the puzzles were really popping off. There's a lot of click bait like yellow journalism. They really focus on like Cicada 3301 is a mystery. Like the Wikipedia page will call it like it seems like a cult and stuff like that. And in reality, they're just a group that I'll hand over to Tywo here to actually show who they are in a little bit. Sorry. My bad. And also there is a kind of like the perfect example of this is this movie Dark Web Cicada 3301, which is not affiliated with Cicada 3301. They just, this image in the bottom right, I don't know who those people are but somehow that's who they think Cicada is. And in reality they're just... Those babies are not PGP verified. Yeah. Like I don't know. I'll hand it over to Tywo to explain who they actually are. Thanks, Puck. That was plenty about who Cicada aren't, isn't. But I want to talk a little bit about who they are or at least... Oh, thanks. At least what we know about them. So basically they're not supernatural. They're not some kind of religious cult or anything out of this world. But they're somewhere... One thing is true. They clearly have a ability to produce consistently high quality, high complexity puzzles with clear themes and very successful motives to bring people into privacy and cryptography and also areas such as literature and esoterica as well. So to put it into kind of rules of thumb it's somewhere above like a bunch of neckbeards, somewhere below a new world order, someone with enough money to purchase infrastructure and disseminate materials across the globe but someone probably or a group less capable or willing to put probably months into planning something with no clear financial incentive or corporate affiliation. They are clearly well-intentioned. They're incredibly skilled. They have basically very good privacy practice. Their ability to remain anonymous is second to none. And they do so whilst also informing the solvers of the puzzle how to follow in their footsteps and communicate anonymously, retain privacy online and the significance and importance of doing those things. The puzzles contain many references to esoterica and it becomes a strong theme throughout the puzzles as a whole but although esoterica does play this core role to who they kind of personify themselves as of current although the usage of the esoteric themes have been used in the solutions of the puzzles to an extent. They've never been used in a way that is exclusively, that couldn't have otherwise come about through intense kind of factual analysis, things like frequency analysis and things like that. Yeah, so that's a little bit about what we really know. I kind of skipped a point about they're not criminal organization and they've come out multiple times to say that they're not interested in criminal activity but also to denounce others who claim to be them committing crimes. It's happened in the past. How do we know this? I defer to my good pal, Clockwork, he's going to tell you a little bit more. You know, we don't have to guess about who, you know, who Siketa is, what they're about and why they're doing it. You know, we've heard this straight from the bug's mouth. In 2012, the round finalists were invited to participate in collaboration with Siketa and they received PGP verified emails that discussed the who, the what, the why. If you guys would like, that QR code leads to our nice little leaked email on our wiki. Now here's the key points. We are an international group. We are drawn together by common beliefs that censorship is wrong, that tyranny and oppression of any kind must end and that privacy is an inalienable right. We are much like a think tank in the ideas that we advocate are liberty, privacy and security. Excuse me. We are much like a think tank in the idea, in the ways that they research and develop tools that forward liberty, privacy and security. What's interesting to know about the, about the state of goals of enhancing liberty, privacy, security is that this seems to be inspired with or align with cipherpunk philosophies. And it's important to know. We are not saying who they are. This is not a who. We're saying this seems to be what they might have been inspired by. If we look at the, if we look at the cipherpunk manifesto, you know, privacy is a necessary, it's necessary for an open society in the electronic age. Frame of speech even more than privacy is fundamental to an open society. Cipherpunks deplore regulations on cryptography for encryption is fundamentally a private act. That in this context it would appear as though cicada is indeed inspired by and gels with this idea of empowering people to secure their privacy. There's a part at the end of the cipherpunk manifesto that says for privacy to be widespread, it must be part of a social contract. People must come together and deploy these systems for the common good. Privacy only extends so far as the operation of one's fellows in society. And cicada is raising awareness of the deploying of privacy to the person to your left and right. It makes people more aware of what, what is the, what are the threats to their privacy and what are the tools they can use to secure it. I'm going to pass this off to my good buddy Artorias to give us a little bit more context for what happened after the 2012 leaked e-mail. Thank you clock word. So in this speech so far we've talked a little bit about who cicada 3301 is or more accurately who they are not. But let's get down to the, to the meat and potatoes of the whole Internet's hard mystery thing. What has cicada 3301 done to justify that moniker? Well, let's start in, let's start in 2012. In 2012 the unassuming Caesar shifted final dot JPG image which was found on 4-chance paranormal board X set off a cacophony. It led us on a journey of introductory cryptographic challenges that included things like myonumerals, anagrams, autostereograms, PGP, and other things like the RSA, basically anything that you can think of. In 2012 cicada 3301 upped the anti a little bit. They departed from the world of the purely digital and ventured into real life rather than just making a step that was only confined to the Internet in 2012 across four continents, more than a dozen major cities across the world. Posters, posters containing cicada 3301's logo and a QR code that could be scanned to lead to the next step were found flabbergasting the solving community worldwide. Somehow in 2013 they won up themselves again. They started introducing thematic elements and philosophical stylings into these cryptographic challenges. They really defined for themselves how the world would view them in 2013. They created their own operating system. They wrote, produced and released various pieces of encrypted music. And to top it off, in 2013 they gave us the gametria primus. If anybody here does not know what a gametria is, it's essentially just an easy way to correlate numerical values to a given character set or in our case a set of 29 food dark runes. This gametria primus was then used in 2014 when the release, the slow release throughout the 2014 year of 17 pages of what could only be described as a digital illuminated manuscript complete with rubrication, delimiters, marginalia, anything that you could want from an illuminated manuscript. We also had to brute force an RSA key multiple times. But even this, despite those monumental achievements, despite those monumental achievements, that was not even the culmination of the difficulty of Cicada 3301's challenges. To tell you a little bit more about what's considered possibly 3301's masterpiece, a deviously fiendishly difficult thing, I'll let Taiwo come speak about it. Thanks all. So, yeah, after these three years of incredibly well crafted puzzle steps, we find ourselves at the most recent, as we mentioned earlier, unsolved stage of the puzzle. You can see that the previous stages were nothing to kind of joke about, but I want to talk a little bit about the level of complexity we're talking about with why it's been, what, nine years now since the release of the pages and we still haven't made, well, very much progress. I'll go over that. So basically, at the end of the 2014 puzzles, a, oh, at the end of 2014, a set of 58 runic pages were released. The complexity of which were very clearly and obviously to solvers at the time significantly greater than what had came up until that point. The puzzle was attacked from every angle, obviously the attempt at decrypting the contents of the runes, but also investigating the contents of the image files themselves and trying to analyze the images contained within the margin area of the pages. You can see some examples here. The last of these 58 pages, up until now, only two of which have been solved, they were almost, they were almost immediately solved after the release of the pages. The ultimate page was solved almost disappointingly with a direct translation into English, but again disappointingly gave no clear instruction as to how to continue. The penultimate page, infamously page 56, the deep web hash page, was solved in a somewhat more complex way. A totent stream of, a totent stream cipher, a running key of consecutive prime numbers using Fs as, using F runes as interrupters. The contents of the page instructs us to search the deep web for a hash, a 512 bit hash, and something that we originally presumed char 512 as many of you may be thinking, but have gone on to establish multiple potential algorithms that could have been used as the definition of the hash remains undefined by the pages themselves. In 2017, the search naturally scoured the dark web as well. The tour network was something they used frequently in the past. In 2017, the search discovered a vulnerability in the tour network, something that basically undermined the anonymity and privacy of the entire protocol to disclose unlisted hidden services the moment that they're broadcasted to the network without being indexed. This search piqued the interest of basically security researchers at the Northeastern University who had an open investigation running multiple honey pot onion services, dubbed onions. I thought that was funny. And they identified the search as a large scale attack on the tour network. However, despite being able to identify and hash approximately 90% of the hidden services available at that time indexed or not, nothing of value or nothing was found that hashed to the aforementioned hash. Since then, broader strokes have been applied going into the more generous definition of deep web searching pages on the clear net that haven't been indexed by search engines. Tools were created to search multiple hashes using tools that were created by the community, a browser extension named 3301 hash alarm. You may download that yourselves. To help the effort with no input from yourself, it automatically hashes every page you visit and privately informs you whether or not you found the deep web hash and instructs you on how to notify us of that. I'll hand it over to Artorius to talk a little bit more about the community that we constructed to create such tools that help the search for the deep web hash. Thank you. Thank you, Ty. We are currently going through these slides a small amount too slowly so this one's going to be a little quicker. It's just an introduction to our community. Basically, the cicada solvers community is the largest, most organized, most well-known group of individuals still actively trying to make progress in 3301's current step, Libre Primus. Despite tens of thousands of failed solving attempts by the same number of previously enthusiastic solvers, very little progress has been made. A decade of stagnation can be difficult, yet we are still actively pursuing what can be considered an impossible task or at least extremely difficult. To talk a little bit more about how the cicada solvers community came into being and a little bit about the evolution throughout the years of this community, I'll hand it right back to Ty. Hello again. So just let me tell you, apparently really quickly, about how this community came to be. So as mentioned earlier, the puzzle began on 4chan, already a discussion forum, but not exactly the best place for constructive progress to be made. So we quickly garnered the attention, the complexity and intricacy of the puzzles garnered the attention of the active ARG solving community inhabiting the 3 node IRC. Soon thereafter, an IRC channel was created of our own dubbed cicada solvers. This naturally became the central hub of solving attempts, gaining the reputation for a public approach to solving where all information was shared. And if you weren't sharing information, well then what are you doing here? However, as the IRC channel was started in 2012, the release of the LP in 2014 is mentioned previously, gave solvers such a humbling that the fairly active for 3 node IRC 400 members around its peak was decimated over the years to around 5 to 10 active users. At the time, the operators and moderators of the cicada solvers IRC came together to stop the community from dying out. There were many things considered, but at the time Discord was becoming very popular and also very controversial in the privacy and security community. The irony of Discord being a proprietary platform that makes money predominantly by selling all of your information is not lost on us. However, the free and scalable nature of the platform, the set of convenient tools that it provides and also the, I can't remember the last one, Discord was what we ended up going with, but with years of experience managing the community, we knew what would stick and what wouldn't, how people could succeed and what led people to fail. So we set to construct a set of guidelines that we should follow to create a community that is constructed specifically towards the successful accomplishment of an almost impossible task with very little definition of progress over the years. To describe a little bit more about what sets us apart, I'm going to hand you over to probably Clockwork. There it is. Probably me indeed. So what makes us different from, you know, what makes us stand out from the total solving community is that we are dedicated to sharing everything. That, you know, whatever, whatever someone does, you know, it's all about a community of sharing of collaborating. Gatekeeping is the death of collaboration. So ensuring that we can create a community where people feel open and engaged and really have fun with it is one of our goals. And as was mentioned earlier, what differentiates us from fake puzzle communities is that no PGP, no cicada. It's that simple. And, you know, there are people who have had, you know, that might say, oh, you're gatekeeping. No. I mean, you saw that book of 58, you know, cryptid pages. We have enough to worry about. I don't have anything to go about following some weird goose chase versus a decoy duck chase. So what's also important is that we have clear guidelines, clear rules, clear rules of conduct, not only for our users before our staff members. You know, ways that we want people to engage with users in order to educate them, to help them grow. Productive ways of giving feedback, that's the style of workshopping versus critique and saying someone is wrong. Something else is that, as I said, we guide. You know, that it's, that we've all been in a place that it's incredibly overwhelming to be faced with that much information and have to learn it all. Something else is that we try to document what worked and what didn't work. And that's important. We, you know, you look in other communities and we don't, we don't see that same level of documentation. And that's the nice thing about cicada solvers, is that if you want to know, all right, what has someone done about crypt analysis regarding, you know, key like auto key or, you know, visionary or this, that and the other thing, you can find it easily. And it's important because, you know, even if you're not going to be active, you don't have to be active in the community. But if you just want to know, if you just want that material, you can find it. So I am going to pass it off to our main art, to discuss our main challenges. To our art, yes, there you go. So some of our main challenges as a community. You can see up here, documentation, fake puzzles, and the revolving door culture of new solvers coming in, getting exhausted with failed attempts, leaving, rejoining, wondering if there's been any progress, there hasn't, so they leave again. I want to talk a little bit about why documentation is so hard. First of all, documenting a failed attempt at anything is not something that many people are, are very willing or enthusiastic to do. Not only failed attempts, but even successful attempts, if you do not document them properly, if they're not reproducible, if the methods used are not very well explained, then it's going to snowball into people thinking, okay, well, you say that this worked. Can you prove it? Can you show us? As far as documentation platforms go, we've tried pretty much everything. If any of you have been to the Uncovering Cicada Wikia slash fandom, you'll know that it's a bit of a mess. It's a little bit of a mess. I can say from personal experience, experience trying to create the website cicadasolvers.com, which is like, not necessarily a replacement, but it was meant to be an improvement upon the Uncovering Cicada Wikia. It's very hard, and we've tried pretty much every platform that you could think of. We've had GitHub's, GitLabs, Weekends, Trello's, forum, address everything. Nothing sticks. I mentioned the revolving door lifecycle of a solver, so if you can imagine, if you can imagine, somebody who has just heard about Cicada 3301, they might not necessarily be the most technologically inclined. They might not even know anything about cryptography, but they hear about it. They think it's interesting. They join the community. They try what they can, and inevitably they get humbled. We've all been there. None of us are as smart as we want to think we are. And after your attempts that you have tried so hard, concocting, keep failing and keep failing for a decade straight, you might eventually get a little bit worn out of trying. You leave, and then eventually you get bored of normal life. You hop back into the server. You say, hey guys, I haven't been around here in a while. Has there been any progress? No? I'll see you in another few years. That's the life cycle of a solver. So to make a small departure from our challenges, I'm going to let Puck here discuss some of our advantages as a community. So we've kind of, over the years, we've learned a lot, and we've kind of been able to capitalize on that. First thing, something we didn't really have to do, too much work about. We kind of just have a lot of people through different documentaries over the years. They kind of just filter in as it gets popular. So with literally over 7,000 people, a lot of people means there's going to be a lot of attempts. It's just simple math. And as a result of that, we obviously have a lot of solving attempts, and we have to kind of organize that, which is this main thing, organization of manpower. We do these things called voice sessions, which I'll touch on in a bit. And also, something Tyra will touch on in a bit, is active tool development. We have a very big open source, like kind of an open source culture. Like if you're going to solve it, you're going to need other people as well. So we definitely promote that. So for our community size, generally, more people, the better. It's going to be a positive feedback loop, because more solvers, you're going to have more ideas. And as a result of that, you're going to say I'm a solver. There's a higher chance that there's an idea that I like, and I want to solve it. That's very important because as we are all hobbyists, it's not really like we have any incentive just to go out and try something. There needs to be that what's in it for us, and that's the enjoyment factor. And so the more ideas there are, the more likely you are to find something that you like, and you're going to have more motivation. And generally, that could turn somebody who's a non-solver into a solver, and then it'll just kind of keep going as a result of that. And now this is kind of the main thing we've developed over the past couple of years. In like December 2019, there was like a message in the Discord server kind of just saying like, can we all basically just get into like a voice channel and just talk about like where we should do or where we should go next, like what solving attempts we should run and how can we work on them together. And I kind of took it upon myself. I had free time. I was still in high school. I didn't really have anything too important going on. And I was like, sure, I'll just like kind of organize it. We'll do some like weekly events. We'll do some monthly events. We'll all get together. We'll schedule it. Everybody can just like set the date in your calendar. Come by if you want. Don't have to say anything. But generally, we had over like 25 people show up at the time, which is pretty crazy because there were like three people talking at a time and it was kind of, it was a pretty big lull in the community at the time. And we kind of just turned these things over time. We now have more hosts because we have this culture again, like this open source culture. Anybody can be a part of it. The more people, the better. So we've emphasized that anybody can do a voice session. Some random person here, if you want to join do a voice session, I'd recommend like reading the Wiki first, but sure, go ahead. But... I still haven't read it. That's a big running joke of us, read the Wiki. And this big teaming up on solving is the big emphasis of it. And for tools, I'll hand it over to Tywo. Hello again. Really quickly, this next slide, previous slide. Quick spoiler there. Really quickly, I wanted to touch on the community's kind of general effort towards focusing on the organization of a community set of tools and resources. As we kind of touched on the cycle of solvers, a common sort of landing place for people who have been in the community for a long time, such as myself, is to focus on the tools that help others to succeed. Sometimes even the combination of resources to help other people to advance their theories or to try out their theories as quickly and as easily as possible, kind of standing on the shoulders of giants kind of thing. Much like you may have heard of a recent breakthrough in the Zodiac 340 cipher solved after 54 years, basically through the creation, the community creation of custom tools used specifically for a custom alphabet. And we take great inspiration from this. One of the main challenges, however, similar to the Zodiac ciphers is the utilization of a separate alphabet as described in the gematria primus. It's 29 runes, but it's more complicated than meets the eye and the vast majority of cryptographic tools just aren't compatible with the types of translations that we have in the Libra primus. Basically we have kind of three main areas of attack. We've got the deep analysis tools, almost infinite levels of configuration. You could probably spend years learning all of the different ways to manipulate these tools in order to implement your ideas and kind of follow through how the process naturally progresses and to come up with basically to inspire yourself to continue with even more further ideas. The second area is more of like a middling area. If you have a quick idea, we work on tools that allow you to rapidly throw things together. Things like discord bots that just let you quickly test out a theory, Python libraries that allow you to just remove all of the context of the different ciphers and ways of using them and just saying, I wonder if it's a vision air shift with this key, but on the runes, but also skipping, interrupting the F characters as frequent in the puzzles. Generally, and then the final area of focus is on the sort of external non-technical area. Tools that are widely adoptable. Things that require basically no input and that we can disseminate amongst large groups of people such as the browser extension that was mentioned previously. It's generally our goal as a community to unify our resources and that's how we plan on kind of moving forward with this. Speaking of moving forward with it, I'm passing it over to Artorius, my guy. Come up here. Speaking of moving forward with it, the theme of this DEF CON is the future will prevail. We believe that the Gate of Solvers community embodies this spirit and the lessons we've learned pursuing a nigh impossible goal can be something extremely valuable to anyone who wants to see a future of digital liberty, privacy, and security rights. I want to add, in our experience over the years we've seen many people be influenced and go into the future and be influenced by this puzzle and it affects their lives. Solving is a learning process. They're learning how to solve people are introduced to the fields of cybersecurity, infosec, cryptography, and computer science. Fields that are actively shaping our future. In trying to solve a bug book, people end up in fields that are solving the problems of the future. As something of a closing comment on this idea, I would like to say that the future will prevail because we are all building it right now. It's not a matter of predicting what may or may not come. It's about taking active steps to ensure a future that is good to live in, not only for yourself, but for the people around you and the people you care about. Look to your left and to your right. That person's understanding and concept of security and privacy is just as important to your safety as your own. One last thing I would like to say is that if you want more detail about how the actual stages throughout 2012, 2013, and 2014 were solved, we will be speaking at Crypto and Privacy Village at the Flamingo 4pm tomorrow. We're going to get very deep into the history of the actual way that these challenges were solved. Thank you.