That's all. Welcome our next speaker: Nox is going to be speaking to us today about Cicada, what the puzzles can teach us about cryptography and privacy. Take it away.

So it was about, call it, seven years ago, a particularly stormy night in spring, and I received a message online from that one friend everyone kind of seems to have, who finds the strangest things online and sends them to you. And it was this online radio station. It played this sort of blare of sound, which any of you who are radio enthusiasts might know as a copy of UVB-76, and then a stern female voice began reading out numbers. Of course, a few of us sat down to try and work out some sort of meaning from these numbers. We thought, despite the fact the message was obviously not intended for us, we might try something out. And it was after all of my own attempts had failed miserably, and I was watching the successes people were having with getting a word at a time and then full phrases out of these, that I kind of understood how much deeper crypto was than the sort of children's puzzles and mental challenges I'd done as a kid.

And that's one of my favorite things about cryptography. One of the things I really love is how varied the stories are, from the bizarre, like my own, to the mundane, of why you started looking into crypto seriously. And for an increasing number of people these days, Cicada is actually one of those. It was an enormous media thing a few years after it came out. It's been just a ridiculous number of people that have come, at least through our community, looking into it. It was called things like the hardest puzzle on the internet and the greatest internet mystery and things like that. So I'd like to talk a little bit about what was the draw, like, what did they do so successfully that it became
something that most crypto puzzles online, and there are many, never really got, which was this notoriety.

Unfortunately, before I get into that, I realize there's a lot of people who probably know a thing or two about Cicada, but really superficially. You may have heard the name, you may have heard these comments about it, and might not actually know that much about what it is. So I'm gonna do a bit of overview first.

Cicada ran for three years, once a year. It started quite simply. There was an image posted online that would lead you through step after step of these different puzzles. They lasted roughly, I would say, two months each time, and then they had a distinct finish before they would carry on with a new puzzle the next year. Now, there wasn't a particular website for Cicada. There wasn't any one source you were going to. Each image, each puzzle was a distinct thing posted in one place. It was a brand new user account with no history. There was no context given, no source for these images, which kind of added to the mystery about it a little bit.

It started with this image, which many of you may be familiar with. This image on its own doesn't really tell you anything. It has some unverifiable claims about looking for people. But despite how empty this image kind of is, this was actually the first step in the puzzle. There was an appended string of text at the end of the data for this image, which would lead you on to the next steps, and that's how it carried forward. Each image, each file would lead you to one website. It was often a major social media or file hosting website, that sort of thing. And each one would have a singular image or file which would be your next puzzle to move forward.

It began incredibly simply, actually. For example, for this one the appended text was just a Caesar cipher. They would move on into other very simple classical cryptography. There were book codes and columnar transposition, that sort of thing, so there was a lot of
first timers that were able to keep up with it for the first little while, which let them kind of get really into it before the difficulty hit. It would eventually get to doing things like more modern cryptography. It was cracking a little bit RSA keys. There was one point where you had to implement your own implementation of Diffie-Hellman on a TCP server through Tor. There's a whole bunch of more complicated things like that.

One of the things that carried through the entire time was this very efficient puzzle design. These singular images and singular files gave you an awful lot for how simple they looked. I'm going to use this one as an example, actually. This image, nothing else about it, nothing about the user or anything like that, was the solution to, I think, three or four puzzles throughout the first year. You just kept having to come back and use this image that originally you thought had nothing going on in it at all. It had its appended text at the end of it. It came out later that there was steganographically hidden information, using software called OutGuess, in it. And way later on they were calling for a certain number of associated prime numbers, which this had if you looked into the data for it, in the dimensions and that sort of thing.

That sort of very efficient puzzle design would carry on to a frankly ridiculous degree. There's steps later on, I think I have, yeah, I do. Well, you started getting into things like this. Already, just the image looks like a pretty hard puzzle, right?
It's not English text, so there's going to be some sort of substitution into English before you're even doing the cryptography step to figure out what all of this means. But it turned out that that wasn't really enough. So, as you can tell from the hex underneath, they kind of abused one feature of how JPEG files are read, that after the FFD9 it doesn't care what else is there. So they just kept appending new JPEGs at the end of these. This one itself actually has three separate images in it. Later on they would take that a step further, and they would start appending full text files between the FFD9 and the FFD8 of the next one, and you would just start unpacking. You get this one image and unpack six, seven files, each with their own puzzle, all of these different steps. It got ridiculously complicated in this horrendously efficient package.

Another thing that they really stuck with throughout the design of it was the sort of idea that they always kept consistent with where they started. I said steganography using OutGuess, like I mentioned using OutGuess earlier on, and that was sort of a thing where they gave that cue quite simply right at the beginning, and that would be because for the three years following, every time they wanted to give you just a little bit more, you'd be going back to that.

There was a bunch of things like that. My particular favorite example was in 2013, when they gave the substitution for these runic characters. There was an English character, or multiple English characters, and a runic symbol associated, so you could do the back calculation, and then there was a number associated as well. And once we were starting to look at these, we were like, why is there a number associated?
It turned out, if you went a year previous and started looking at some of the very distinct phrases that they were using, all of them added up to prime numbers through this thing that they wouldn't release for over a year after the fact. Somehow they had designed, from the first day, all of their messages to have something new in them once you got years into the puzzle and found something that was supposed to be unrelated. It was just beautifully designed, to be honest.

So of course one of the ongoing questions for a lot of people with Cicada is: that's all great, that's a fantastic puzzle, what happens next? So eventually you would reach a point in the puzzle where they decided that, you know, the collaboration is wonderful, the community is cool, but we're trying to look for individual intelligent people. So there was a solo round at the end of each year. You would get to a point where you had to somehow provide them a unique way to contact you, and every individual who got there actually got their own puzzle that had been designed specifically for them. If you took it and compared it to anyone else's, there would be no kind of consistency there. And of course then you would have to work through your own, a solo one, and getting, of course, to the end.

Now, when you got to the end, the kind of current public knowledge of what that looks like was mostly popularized in an online article that a friend of mine was interviewed for. His name is Marcus. He talked in Rolling Stone about his experiences in 2012, which was: all of these different winners, all the people who got to the end, were collected up and put together and tasked with working on code. They were told to write software that they felt somehow like they designed themselves. They picked their project, but it somehow enhanced the goals of the group, 3301, that had made these puzzles. Now those goals, kind of relevant to our theme here at DEF CON this year, are pretty much the importance of the right to privacy, the right to
anonymity, as well as the freedom of information within that.

So that's kind of my overview for what Cicada actually was. Hopefully that gives a clear enough picture that I can now talk about it. There's two very disparate elements that I think really went into the success they had in both popularizing it as well as keeping people working on it.

The first of those that I'd like to talk about is the mystery. I mean, that's the obvious one, right? I'm sure a lot of you here today who know about Cicada or are interested in Cicada are here because of the question of who did it. Why did they do it? Why were they looking for intelligent individuals? And that question really drove the early parts of the puzzle. There was a lot of people, myself included, for whom the puzzle was kind of enough on its own, right? Crypto puzzles are all over the internet and a lot of the time are really fun. So there's a certain group of people that would just dive into it because it was a new and very complicated crypto puzzle, and that was kind of enough. There's this giant group of people, and I think it's still increasing now, years after Cicada was finished, who may or may not have been interested enough in the crypto puzzle part of it, but desperately wanted to know the answer to that question. Why? Why did they do this? Who are they? Those sorts of things. And despite the fact that they didn't necessarily have that much interest in the actual puzzle, they still dove through the steps like all the rest of us. They spent countless hours working on this, just with that burning question of why.

Now, that idea of the mystery leading people to put a whole bunch of time into it, leading to the focus on your project, that's not unique to Cicada.
There's a lot of other media where they've had a lot of success with that. I think what I consider probably the closest example to that is the ARGs, or alternate reality games. If you're not familiar with that, they're usually by major corporations looking to have some sort of game, some sort of challenge or puzzle, that will act as advertising for some media that they're going to put out, often to kind of get people to try and be involved with their story before it comes out. Now these often work very much like Cicada. They were puzzles, they were challenges you would move forward through, sometimes they used crypto, and they lived or died often on the question of why, the mystery part of it. I say live and die because many of them are very successful. There's some fantastic examples of that. Many of them also, despite the just millions of dollars put in by these big companies, all of this effort and time and work, would die out in popularity within the first few steps because they didn't keep the mystery going. They were too obvious right off the bat who they were advertising for, what the project was. I think the most recent example of that was a game, No Man's Sky, that tried one of these, and it was obvious within two steps what they were advertising for, and everyone I know who does ARGs, who loves that sort of community, got to that step and said, "Oh, that's what it is. Bye." And the community just tanked it. So there's something so powerful about maintaining that mystery.

ARGs, while I think the closest, are not by far the only thing to have used that very successfully. If you're talking about things particularly like Cicada, there's a strong kind of correlation to these recruitment puzzles, this ability to keep people invested to the point that you can pick individuals out with the mystery. The best examples of this: a few years after Cicada, the Navy, the US Navy, actually released their own puzzle in the style of Cicada, looking for recruitment. My favorite example,
I think, is Google. Google tried one of these a few years ago. As you were searching through Google, usually if you were doing enough searches that were relevant to what they're looking to hire for right now, you'd get this black bar in your search history, and it would invite you into this kind of game. The one I did started as this sort of cryptography-themed word puzzle thing and then went into this. It was like a terminal in your browser. It gave you a coding challenge and a timer, and every time you completed a coding challenge it would double the timer and give you a more complicated coding challenge. And this would go on and on and on until you reached the end, and they finally told you why you are doing this. Right, and you'd get, I don't know if you can read that, that's a little small, but it's "Would you like to share your answers with a recruiter?"

Now, it's just not hard to apply to Google. You can apply. There's recruiters at events. So there's sort of the question of why did they feel they needed to do this. And it's an interesting thing that they considered this idea, that you don't tell the person that you're trying to recruit them, all the way until they have already proven themselves, that they found so powerful they actually repeated it two or three times in subsequent years after this. They kept coming back to it. Despite that, really, it's not that complicated to send an application in to Google, they were still finding the people they wanted through something so roundabout, so unrelated, like this. So there's a bit of a question of why. What is the actual power there? Now,
there's a really interesting paper. It came out of the University of Toronto, and it tried to measure levels of excitement in the brain with various things. And they found sort of an unintended result. They were testing positive, they were testing negative, and they found that there was this certain large group of people for whom the unknown had a higher level of excitement in the brain than either the positive or the negative stimulus. It was a sort of interesting unintended thing. Like, we've all heard of the ridiculous power of the fight-or-flight response, right? You have the nervous reaction, you have the panic, that sort of thing. And I don't need to tell anyone the kind of highs you would feel in a positive reaction when you're excited about something like that. But there were still all of these people for whom the unknown was somehow overpowering it, that that sort of curiosity and trepidation we feel when we're faced with something that we don't understand can overpower things like the animalistic fight-or-flight response. It's kind of strangely powerful.

Cicada, I feel, took this even a step further. Obviously the unknown has this pull on all of us. But, I'll say, crypto and the unknown, crypto and a mystery, have this ridiculously long history. There are so many times throughout crypto's history that the sense of an unknown, the sense of a mystery in it, felt important, right?
I don't need to talk that much about World War Two cryptography, where knowing the answer to an unknown could save thousands of lives; European history, when groups like the Masons were trying not to be interrupted in what they were doing, and some of their encrypted texts are just being decrypted now. They worked so hard on it. And Cicada really pulls on that. They have all of this theming which is sort of esotericism, sort of trying to evoke this idea of the long history of importance in a mystery in cryptography. So we've got this pull from the mystery anyway, and then this historical context of: what if this encryption really matters? What if there's something important at the end of this? And that went on to be just powerful enough to get all of this media attention.

So the other side of it, the other strategy they used that I think we're talking about, is as far as you can go in the opposite direction, and that's the gamification of cryptography, this idea of crypto and crypto challenges as this fun game. And again, nowhere near unique to Cicada; there's a long history of crypto as games. Here at the Crypto Village, actually, one of the best examples was Edgar Allan Poe. He ran this contest sort of thing where, if you could provide him a cipher he couldn't crack, there was a reward, and this went on for, I think, years, and would ultimately lead to him writing The Gold-Bug, which is obviously the name of the puzzle that the Crypto Village uses now. I mean, there's also things like Bach taking the names of his loved ones and steganographically hiding them in the notes, or his puzzle canons, which was sort of a game where he'd write two-thirds of a canon and challenge his students and his peers to try and figure out what his design was and finish the canon.

So let's talk Cicada. Let's talk about why that's so effective in pulling people in. Now, for new players, for new people to cryptography, there's this very simple kind of structure to it, right? It's like a game.
It starts incredibly simplistically, it teaches you a few things, then it ups the complexity, right? It's almost got a video game style structure of teaching you mechanics and moving up into more complicated things. This has this unique effect of getting newer users to understand the tools that they're going to need to get further.

This was used, I think most importantly, by Cicada in their introduction of PGP. I'm sure all of you know what PGP is. For a lot of people getting into Cicada, if they don't know anything about crypto, they don't know anything about internet privacy, that sort of thing, they may not know what PGP is. So very early on Cicada taught these people how to use key servers, how to, you know, generate their own, use public and private keys. And that would end up really important, not only because Cicada would then sign with their PGP key everything they ever said again after that point, for years, but also because they felt it was an important enough idea that they wanted anyone who touched their puzzle to have to understand it. And I think that has more to do with their goals, their listed anonymity, privacy, freedom of information ideas, than it has to do with actually signing their messages.

This sort of structure, though, of starting simply, it's not just to teach that, right? There's going to be a point where it increases in difficulty. You know, you may be able to get away with it, you come to a new thing, you kind of muddle through it, but every new player will get lost eventually, and I think that's an important part of their design as well. There's sort of this idea in learning of the known unknowns, where until you kind of know what you don't know, learning it is quite difficult. And I'm going to take an example here of this message. This is one where they lost quite a few people even though
it's a fairly simple classical crypto kind of cipher. Now, the idea was, columnar transposition was the solution to this, but... What? Yes, I'll lose my notes, but I think that's okay. I'll do it long enough for everyone to read it, if that's all right. I'm gonna go back, gonna go back because I don't want to lose these notes, but there we go.

So it's got this interesting thing of: you arrive at this, you've tried all of your classical ciphers, you know, you might try your Vigenères, your well-known ones, and so many people got to this and didn't know what to do. But Cicada had set this up in a way that this provided them enough information that they knew what they had to go learn, right? This almost gave them search terms for going and teaching themselves. And that's a theme that would come through all of Cicada. They always made sure that when you were stumped, you were given everything you needed to teach yourself the skills that you would need to move forward. And for a lot of people, myself included, that was very important for moving forward. I did not have all of the skills I needed when I started. It was this fantastic teaching tool. I mean, this, it's got only plain text. It's only English text. They're capitalized, they're in rows and columns, and searching those things would lead you to columnar transposition, which would then lead you to teach yourself how to get past that.

Of course, that's all for inexperienced people in cryptography. Cicada is obviously not really for inexperienced people in its design, right, and in how they talk about it. But there's a lot of benefits to the structure, this kind of gamey structure, for people who have been in cryptography for a long time. I'll give an example of myself. There was this one piece of the puzzle that was based entirely around the exclusive-or function. Now, I knew the exclusive-or function. I'd seen it used in, you know, stream ciphers, that sort of thing. I knew of it.
I've even used it a few times. Cicada decided to go a little above and beyond in how they used this thing, and they were using all of these features that mathematically are part of the function but that I, in my typical uses of it, had never seen. It's sort of this associativity and commutativity that are just intrinsic by the math of it. So what they did is they used the fact that those are the case. They gave us this file. It was about five different files all exclusive-ORed together. And then throughout the rest of that year they would give you a piece at a time, like one full file from it, or two of them exclusive-ORed together, and just by piecing these together, by doing, oh well, if I exclusive-or the two that are together into the four, I get two back, and then I just need to find one file to get the original. And they sort of taught you that sort of math-based way of dealing with exclusive-or until you've got all of these files out, which were all very important as you moved along. And I personally had never seen anything even sort of like that.

Teaching yourself something new isn't really the only benefit, though, of seeing it in a new light. I'm going to go with a kind of historical example. I'm not sure how many of you are aware of the, he was a scientist.
He was named Mendeleev, and he was early, early chemistry. And quite famously he had this love for this Russian kind of version of solitaire, like cards. And while he was working in early chemistry, he'd made himself a deck of cards that were all of the elements that they'd discovered so far. And one morning he was waiting for a train and decided to play solitaire with his cards of chemistry instead, and came to some startling realizations about how you could lay them out, how the structures worked, and that actually became the basis for a bunch of the current things that would work out to the periodic table. Not only that, but from watching the patterns through it at the time, he was able to predict a number of elements that hadn't been discovered yet, just because of the patterns he found through that. And that's this idea of gamification forcing us out of the context of how we might professionally use these tools. And we have no idea what we might discover from something like that.

That's one half of it for experienced users. I think the other half, I'm going to quote, I think it was originally Durant that said, "We are what we repeatedly do. Excellence, then, is pure habit." There's this idea that while it's a game, while it's not important in any measure, there's something personal to be gained by trying it anyway. And Cicada obviously is not the only one working on this. The NSA puts out a ton of different sorts of challenges and puzzles, some of them only internally to their own agents, who they already know are quite practiced at all of these things, because they're of the opinion that forcing this sort of gamified practice of it is important for keeping skills.
They do a bi-weekly internal cryptography challenge. They do a public online logic and math puzzle, and they've been doing this for years and are quite happy with the effects of it. So that's sort of a thing that I think is important for people to understand about gamified crypto.

One last thing about the game part of it, which is, I think, probably the most important for me, and it's the social structures. There's something about a game that creates communities, right? When you're working through something like Cicada, you get stumped by something, you're really excited about something that you solved, and you don't want to just keep that to yourself. So Cicada almost unintentionally formed these groups of people who all found each other working on it and were all excited to talk about it, and this had all sorts of unintended kind of consequences.

One of the important ones, I think, is the longevity of them. Cicada has been quiet now for three or four years, and all of these communities, all of these thousands of people that have come together, are still present. They're still helping each other. They're still there. When I joined these communities right at the start, I didn't think I had anything to learn, and I was very wrong. But all of these experienced cryptographers that were hanging out there taught me all of these things as I tried to move forward. And then I reached this point at the end of that where I was like, well, now I can't leave, because some of them might be leaving, some of them aren't around all the time. What if new people coming in don't have that? Which led me to stick around and be that for newer people. I've since watched those newer people get to that point and be that for the next generation, and somehow this community, despite the game being over, is growing, and it's had far-reaching consequences.
I've seen so many people who started day one with no idea about crypto, didn't know what a Caesar cipher is, who in the six years since Cicada started have gone to school for computing or math. They've got specialization degrees in cryptography, and many of them are now out in the world writing cryptography software, which, as you saw from 2012, was the goal of Cicada originally: get people caring about writing the privacy software. And this community that's lasted forever after they were done is now becoming that, over these years that they've actually been entirely quiet. And I think that's incredibly important and is just an intrinsic feature of games. I think gamification of crypto makes that kind of naturally.

So the last kind of thing I would like to get into about Cicada, I think, is the most important, actually, for the topic of the convention, which is the idea of 1983, the idea that we're all being watched. Is privacy dead? So in our specific community, you know, we've got a wiki, a wiki of all of the different solutions. We've got subreddits, IRC channels, that sort of thing. The last count I did, I think we'd seen about 40 or 50 thousand unique IP addresses just to our little community, and we're by no means the only one. And I mean, I showed you all the media hype about it. BBC, New York Times, Business Insider, Rolling Stone all had these articles. But people really cared about Cicada, really cared about who had made this. Now,
it's been six years. They spent three years pouring stuff onto the internet, and in all of that time we still don't know who they are, which is interesting. All of these people in our community have tried to figure out who it is, all these investigative journalists for their respective newspapers have tried, from FOIA requests and things like that, we're reasonably convinced that major intelligence agencies have taken a look, and somehow they're still entirely anonymous.

So I think it's important to talk about how that is, and the answer is disturbingly simple. There's not some sort of great secret that Cicada has, and I think that's what's so important about it. They made a new user account for every email, every account, like a site they were going to do. They did all of their connections through some anonymizing software, usually Tor. And these probably sound quite familiar if you've ever heard anything from the EFF or any other, like the Tor group, anyone working on privacy software. These are the basic strategies that they're telling you you could stick with. And I think it's really important that Cicada is this example of just following the strategy we have, and more importantly, just using the software we already have, is actually enough. Somehow these adversaries to privacy are actually being defeated by the work we've done right now, and that's the opposite of the message you hear so often, that privacy is dead. That's a hopeful message. There's still a lot of work to be done on this kind of software. The threats are always increasing in severity, and so thus the software must be. But I think there's not enough good, clear examples of it working. I think they're really important for that.

They've of course had a few unintended side effects there. One of the main ones is that, by nobody knowing who they are for so long, there are a lot of people who would like to say that they are them.
There's imitators coming out of the woodwork. In the intervening time since there were Cicada puzzles, there's now more content online claiming to be Cicada and making fake versions than there ever was combined from Cicada. And so that's sort of an interesting sacrifice for the privacy that most of us will never have to really interact with. Most of us wouldn't know that; we haven't achieved that level of anonymity that they have, and have become public enough that that's an important thing to people. That being said, they still have set themselves up. Their PGP signature right at the start, their claim that they're gonna sign everything they ever do, that still allowed them to maintain: no, this is our identity, though we're entirely anonymous. And I think that's the strength of the software that we've set up right now: you can perfectly maintain your identity, maintain that your words are your own, while nobody knows who you are, and that's frankly a wonderful thing, that that's even possible.

I think I just get to slide, but it was obvious. I think that is, for now, all I have to say about them, actually. Thank you all very much, and I hope you enjoyed it. I'll be doing, I think, a few questions if anyone has any, and I'm definitely open to them.

All right. Thank you, Nox.