Hey, I'm the Dark Tangent. You're at DEF CON 22, and I've got Lost Boy with me. Lost Boy is a creator of so much goodness at DEF CON that keeps you up at night. You've got the badge mystery challenge. Not to be confused with the original mystery challenge. Hardware hacking. You also helped us out. We had a secret party this year. We left clues around. And if you could find all the clues, you'd end up in a room for one hour. Whereas just the people who solved the puzzle. So it's just a way to split us all off and get the hardcore people. We get to cheat because we know where it is. But it's like, how do you create this community? And it turns out that Lost, you've been fantastic at building a community and getting people problem solvers that maybe sometimes aren't totally extroverts. That's usually my goal in a lot of the design that I do is to drive people together rather than just make puzzles. Yeah, you think puzzle and you're like, oh, they're going to sit in the corner. But no, you've discovered that puzzles are where you're bringing people. I have a weird talent for doing that, I guess. I still don't understand why it works. I've tried to study and analyze that, but people keep coming back. In fact, this year I had a number of people come up and say the only reason they came to DEF CON was to spend the entire time doing this challenge because they wanted to win so badly. So now do you think it's people versus Lost Boy? Do they have to defeat your puzzle or is it not personalized like that? It's more like they need to know for themselves that they can. It's two things. It's them versus the other teams. They want to race against the other teams because it's always a race. And it's not really them against me because I'm always there providing assistance when needed. I build in a way to get hints in the program or in the contest.
They had to actually, in order to even ask me questions this year, they had to do a certain level of work in order to earn the right to ask questions. Like a question token or something. Yes, exactly, a passphrase that they had to discover. But because they had to do that and now I'm giving them hints, it's more like we're in this together. And so my challenge is how to craft the guidance that I give as they earn the right to ask questions to move forward through the challenge. And then I have to also make sure that the playing field is level amongst everybody because I can't give an unfair advantage to one team over the other. So they're constantly shoulder surfing each other and they often have, it's like old spycraft that will have somebody tail members of the other team if they see them approaching me, they know a question is going to be asked. They want to get it out. And you'll see them on their phones and taking notes and passing through. Well, one year I think a winning team member was actually on two teams. Correct, multiple years that's happened. Right, so whether they impersonated, pretended they were the joined teams and then they've social engineered solutions from each other. They have actually in the end, a lot of times those teams wind up combining together because there'll be a skill set in one team and a skill set in another. And it's different. And so over the years you've changed the disciplines needed, right? Music, language. I have to. If I stay with the same thing, it gets stale. So that forces you to develop. Correct. The year before DEF CON, so after I go home after this DEF CON, I'll take a week to sleep to get caught up with sleep because it's a funny side tangent story, no pun intended. At one point during the con this year, we were in the 1057 room working on the challenge together.
We looked at my watch, it was 5:30 in the morning and all of the conference had left and gone to bed, including goons only, the hotel security staff was out, and only the people working on the challenge were there. And I said congratulations, you've just had DEF CON because you're the only one. Only one's left. Yeah, so I have to prepare all year long and the way I do that is through all the things that I'm studying or interested in during the year. It has to be something new because if I repeat, then they already know the solution. Right. In fact, that foiled a lot of them this year. The badge challenge this year, they thought was similar to the DEF CON 20 where they had to communicate with the other badges and that actually wasn't a key piece to progressing, but a lot of them spent time on that because it had been done before. They were thinking right. So the people who were really advanced knew it's never going to be the same thing twice. Right. So they skipped over that immediately when it went on. So does that make you predictable? Predictable in that I will never do it again? So I do have some... And for those of you watching, if you haven't caught on, he's actually dropping hints about the next challenges as we talk. So I do have some standard traditions that I always have. We always have a ROT13 somewhere embedded. There's always something involving a skull, which is a reference to the competition that I won my very first DEF CON, the TCP/IP embedded device competition, which is actually how I met you. The first time I met you was up on stage at the first DEF CON. Right. You had a skull involved. Yes. I had embedded a web server and a skull that did a bunch of other stuff. So all of the Uber badges that I designed too will always in some form or another reference a skull. Right on. So then, so if people are watching this or not at DEF CON, is there any way they can get involved?
It's funny you should say that too because during this DEF CON, I had five people submit the solution to the DEF CON 20 badge challenge. And I analyzed it and my theory is they were doing dictionary attacks on the directory on the defcon.org website because a lot of the clues are directly to defcon.org slash 1057 something. Right. And so there were people. They brute forced. They did a dictionary lookup and so they were hitting directories from previous years that we don't delete. And so they were going not knowing if they weren't here, but that was from previous years. Previous years. So they thought it was. So I got the solution to DEF CON 20 like five times this year. And it was amazing. Because they didn't realize. Correct. And a funny side story. The trolling of the contest happened really this year. Oh yeah, maybe you talked about that. Because contestants unfortunately don't know what's a real clue and what's maybe a fake clue. And in the past we've had actors interacting with the audience that were part of the challenge to see either false clues or misdirection or be part of it. But this year in order to facilitate getting hints in maybe because I tend to be hard to find. I spoke like five times this year. Yeah. Is that a record? Yeah. So every single DEF CON. So I actually have a burner phone for this year's DEF CON challenge in one of these pockets. On Google Voice. It's got a Google Voice number and they get the phone number by decoding the crypto that's in the program this year. So once they get that then they can actually call this phone. The step that's involved there is the voicemail message is actually the next piece of the puzzle. However, randomly during the con I would pick the phone up and answer it and just say hello. Just to mess with them. And people would freak out. So we were at dinner with Joe Graham and a couple of other folks the other night. Joe was the creator of the original electronic badges. Yeah.
And they passed the phone. I had set it on the table and went to the restroom. They passed the phone around and they answered the phone and gave misdirection to a bunch of the teams and told them that they had to go to Chippendales, find Susan and ask for the package. For the package. Apparently a group of 30 people from DEF CON went up to Chippendales and asked and apparently there actually was a woman named Susan working there. No. There really was. And was like, what the hell? I don't understand what you're talking about. No, the package. So I did these tweets afterwards. They were like, what the hell? And they thought they just didn't have the proper passphrase or whatever because they never know if they have all the information. Right, right. So yeah, that's been great joy. And I've in fact saved all of the voicemails that people have left on this phone and I'm actually going to put them up. Put them up. Oh dude, you got to put them up. And then do you write up the whole process so other people can maybe learn from it? Everyone always asks me to do that. However, I've gotten fortunate in the hardcore people that do this every year have gotten to the point that during the contest now they created GitHub, the wiki, a Google Doc and at the end of the contest now I ask them since you've won usually to the winning team can you share that? And so I don't even have to do that documentation. Oh, awesome. So we're going to post that stuff. Yeah, exactly. So there's write-ups from the previous two like really serious competitions. Nice walkthroughs were referenced in the Wired Magazine article that they just did on the badge. So now that we're winding down how long are you going to keep doing this? Because it sounds, you know, there's always an evolution. Have you been thinking about the future or are you just? I have and it's weird. Every year I get into the process of development and I keep coming up with ideas for the next year. Okay. So it's keeping you excited.
So my theory is that the year that I do the contest and I don't have that queue of information in my head for the following year I don't think I'll be able to do it in time because it really does. It's just like DEF CON, right? You get excited for the next one. I guess there'll be some year when you're not excited for the next one. It's not, I don't know but it's doing it long enough now that it's been genetically programmed into us. I think that I'd be more afraid of not being able to top what I did the year before and to stay ahead of so many people because I have to stay ahead of all of them, not just one or two. So it really does push me to grow and to prove what I'm doing. Fantastic. Okay. We're going to see everybody next year and hopefully look for these funny voicemails. Yeah, we'll put those up. Cool.