IamA creator of cryptographic challenges for the worlds best hackers, AMA!

What exactly is the point of the AMA if most of your answers are 'I can't comment' and you stay anonymous? Are you selling something or do you have an agenda? Isn't this better suited on /r/casualiama

P.S. I'm a half-dinosaur/martian/robot. AMA

Most of my answers are direct responses. In fact all but this one thus far-

As far as anonymity, I think I've been pretty open with information.

Or half troll? :)

Cicada 3301. Any comment on what that's about?

You are not the first to ask me about this.

Same answer: no comment.

Some of your challenges feel like they have a Masonic influence. Is this by design?

If you read about the badge designs I did for Defcon 21, you'll see the clock-work mechanisms that were part of the Uber badges- that was an homage to my grandfather, who was a jeweler and a watchmaker- an as a jeweler he used to make the rings and other things for local Masons....

Jeweler/Watchmaker here

Wish i knew how to code :)

Watchmaking skills are dying. Please try to keep that skill tree alive - teach someone- anyone...

I'm super willing to learn how to make nice jewelery and watchmaking! I love looking at how watches/clocks work and would love to learn how to make and repair them and eventually do that for a living, but I don't know where to learn how to become a jeweler/watchmaker =(

There are very few watchmaking schools left. Some of them will even pay for you to learn the trade...Google is your friend here...

How did you get "involved" in defcon?

I was a math dork with coding skills and a soldering iron. I went to my first Defcon alone. I still feel like that math dork, now I'm just really involved :)

I got involved because I wasn't afraid to talk to people, and I wasn't afraid to fail. I knew there were people at Defcon who were way more intelligent that I am, but I didn't let that stop me from participating and talking to people...

I was fishing for your to tell your "Building robots on the floor" story.

Hehe- ok fine-

The story HighWiz is talking about is actually how the Hardware Hacking Village was created:

Many years back I had gotten Parallax to donate a bunch of robot hobby kits- like 50 of them- so that year at Defcon I started at one end of the conference, and like the Pied Piper walked through the crowds of people shouting "Who wants to learn to build a robot"- by the time I had gotten across the entire conference space I had a line of people behind me- since we didn't really have anywhere to go, we made a big circle in the middle of the contest area floor. Everyone sat and I taught an impromptu class on basic servo hacking, subsumption embedded systems programming and basic electronics- people had a really good time- but we were literally sitting on the floor in the midst of 14,000 people at the conference- so the following year Russ Rogers and I formed the Hardware Hacking Village, so that we wouldn't have to sit on the floor anymore...

Do the winners get recruited by the security services?

It reminds me of the Times crossword challenge that they used in WW2 to recruit people to crack the enigma machines.

I know of many people who put winning an Uber/black badge from Defcon on their resume- certain employers, who have an appreciation and understanding of what that really means will take it as a bullet point worthy of note--- (in roughly 16,000 people at the con each year only approximately 15 uber badges are awarded/earned)

Kinda like the last Starfighter eh?

Can you solve the challenges you create?

I get asked that often. I always base what I include each year on things that I'm studying or interested in that year, so I'd like to think I'd find the solutions-

That being said, teams OFTEN find means to solutions that I had not thought of- and that's actually one of the most enjoyable parts of the entire process for me.

Each puzzle has multiple stages, and often multiple paths to a solution. There are also quite a few red herrings...

Thanks a lot.

No problem. Have you been to Defcon?

I've heard about it in movies. But no, I haven't been to the convention.

Yeah, we were even in an episode of the X-Files, although they said that we were a government conference- lolz-

If you're interested in these subjects, you should check it out !

By the way, we had a documentary made a few years back: https://www.youtube.com/watch?v=rVwaIe6CiHw

IMO DefCon and the other security conferences present an opportunity to conduct HUMINT against the infosec commuity. Nobody in their right mind can believe the participants in these conferences are not deeply profiled by the powers that be. Individuals serious about the politics of infosec and anonymity should probably avoid the conferences altogether.

A. What is your opinion of the above statements.

B. What countermeasures do these conferences undertake to make profiling more difficult, and anonymity possible?

Thanks.

It's a mixed bag. The same statements can be made of your traffic/packets, your ISP, your SSN, social networking sites, etc...

Of course profiling happens. Happens if you are at Defcon or not. Happens both directions too-

Take the cash only, no pre-registration policy of Defcon. That's for a reason. No paper trail. We also do not allow photographs in public spaces, and force all press to be registered and marked. Take the example of the under cover dateline reporter that we caught and shamed in public, ultimately driving her from the conference: http://arstechnica.com/security/2007/08/only-at-defcon-nbc-dateline-nailed-trying-to-nail-feds-hackers/

I think running HUMINT on someone in a place like DEFCON, where you are MORE likely to be on guard is much more difficult than an SE spear-phish in different settings...

Thanks for your response.

The same statements can be made of your traffic/packets, your ISP, your SSN, social networking sites, etc...

Sure, but DefCon is self-selected for an affinity to all things infosec. So there's a meaningful distinction to be made here. Attending says "watch me" and presenting...

If you don't see Defcon as a vulnerability, it's hard to patch. The measures you mention are necessary but insufficient. For example, if the hotel CCTV is active, as it most certainly is, the rule against public photography is moot, as passive facial recognition attacks can be conducted from the hotel security control room.

It's not enough to say that every conference enjoys the same vulnerability, or that people who attend chose to be public. The question is: is it possible to attend (any) conferences anymore without being profiled, ingested? The answer must be no, especially if we're using the half-way countermeasures you describe. I think it's an interesting problem, fundamental to conferences in general, and not a special topic, or sub-heading. It's the thing itself.

After all, if an organization can conduct passive facial recognition attacks on Defcon, then you guys are being hacked.

For me this is a puzzle worth solving.

Edit: Privacy village, powered by Google. LOL. It's like the smart people gave up.

If you are interested in helping out with this year's Crypto and Privacy Village, feel free to join the Google Group (https://groups.google.com/forum/#!forum/cryptovillage), reach out to us on this forum, or on Twitter at @CryptoVillage (https://twitter.com/CryptoVillage).

One of the badge hacks a few years back was using the processor on the badge to drive LEDs attached to a hat to defeat facial recognition...

All your arguments are true of public places in general at this point..

Japanese hacker cons are often attended by hackers in disguises (no kidding)

The use of handles, cash, and other SE misdirection are part of some people's standard OPSEC posturing...

Really you are talking about privacy in general- and with certain current tech (do you have a burner phone?) the discussion becomes less about conferences and more about just "public spaces"....

Sorry for asking another question, but how did end up doing what you do? What did you study, and on another unrelated note, how do you think the advances of artificial intelligence will affect your job in the future?

No problem.
I actually am very interested in communication and linguistics (if you read any of the articles you'll see I often use ancient, dead, or strange languages into part of the puzzle game- try googling for something you can't type in or even recognize)- as such I studied mathematics, the "language" of science, as well as computer science (speaking to a compiler is no different than speaking to a person at the heart of the issue)-

If you're interested on how I wound up specifically doing these challenges for DEFCON, Wired did a bit of an expose on me last year that you can read here: http://www.wired.com/2014/08/defcon-2014-badges-revealed/ That article gives a bit of my history and background-

As far as AI, machine learning (ML) is more en vogue these days in security research than "AI"- and it's far from operational as you see in the movies- more powerful than that right now is big data analysis; finding correlation in huge data sets is big business- look at all the data mining taking place with social media information (hint: in any service that is "free", YOU are the commodity...)

I just read that article. What you do sounds really cool as fuck. Congratulations, and keep up the great work. Hope you stay ahead of your competition :D

I tend to re-invent myself every three to five years, and as long as things stay fun I'll keep doing them- the Mystery Challenge was orders of magnitude more difficult that the badge challenges tend to be, but we wanted to open the games to a wider audience- that being said, I'm working on some cryptographic/puzzle side projects that will be ongoing....

And thanks for the kind words..

Two questions:

Many of your challenges involve foreign languages: What kind of references do you suggest a n00b linguist should use to start building familiarity (online? old-school text?)

Can we look forward to another post-defcon black badge cipher treat a la defcon 20? :)

The single best advice I can give as far as linguistics goes- (and this goes for coders as well)- you HAVE to have an interest in what you are studying- honestly, if something is boring or uninteresting to you what's the point??? There are now great heaps of language resources online for darn near everything on the planet- I find joy in trying to find the things that haven't yet made it online-

Consider: I have to make my stuff "Google-Proof" or it's lame and boring...as the corpus of knowledge by giants like Google grows, that becomes an increasingly difficult task- but it can be done with altering your though process...

I always try to leave a hook to the following years on the Ubers-

This year will plant seeds for next year actually....

Would you be willing to / or have you already solved the Zodiac Killers cyphers? The famous 340 character - Unsolved cypher

I've looked at many unsolved ciphers, both professionally and privately....

Have you ever hacked the Gibson?

Only when I had a spinning phone booth...

Not sure if you saw one of my last tweets. But I bought a phonebooth and it will be at Thotcon for that exact purpose.

Nice - we thought about doing that a few times, offering photo opportunities for EFF donations or something...

Complete novice that would like to get into pentesting and/or consulting, any suggestions on where I should start?

Start reading. Find what aspect of red teaming interests you. Find a local hacker space in your area, or DC group.

Attend conferences.

Any advice for a cs student that's interested in cryptography but doesn't know how to get into it?

take all the math you can stand Programming languages come and go- math doesn't.

do puzzles. Specifically logic puzzles where you have to be VERY open minded in getting the solution. I'd also work on pattern matching, it's a very great skill for solving puzzles.

what kind of puzzles? where can i find these puzzles?

Or you can come to Defcon and try my puzzles :)

Do you need help with anything? I wanna goon this year!

Hehe- I get asked this quite a bit too- if you're interested in gooning, you should find an area you think you could help out with, and find the goons in those areas and simply offer to give a hand- that's generally how we get new goons...

Tried that a few years, no luck

Sorry to hear that- if you make it Defcon this year, stop by the 1o57 room on the conference floor and introduce yourself...

Have you tried getting involved with some of the villages? Just getting yourself involved and giving back to the community makes you much more desirable when people look for goons.

I'm getting involved with the biohacking village this year! Really excited!

Excellent. Always welcome new people!

Who IS the best hacker you've encountered?!

That's subjective. I'm surrounded by some very intelligent people at Defcon who make me feel humbled. Too many to name.

Any details for this year's mystery badge puzzle?

Are you making the black badges again?

Can't give anything away before the contest officially gets underway- many people take this competition very seriously :)

Yes, I'm hand assembling the black badges, like I do every year that I do the badge designs...

I've said a few things via my twitter feed, but I also tend to 'hide' clues out in the open...that's part of the fun for me...

This'll be my first DefCon, and i'm bouncing off the walls with excitement. I understand the badges switch between electronic and non-electronic each year. Can you confirm if this year will NOT have electronic badges?

That is correct- we try to do an on-off cycle for the electronic badges- it forces our creativity and keeps the whole thing from getting stale- every security conference on the planet now has electronic badges- so we try to keep mixing it up...

I hope you enjoy the con- this will be our first year at this new venue, so things should get interesting...

Thanks. Yeah, it's gonna be an experience for sure. Hopefully i'll try and have a crack at your mystery challenge too.

Strictly speaking the badge puzzle and crypto challenges are not the Mystery Challenge- the official Mystery Challenge ran for 5 years and was then retired- just getting into that game required teams to find out and solve even how to register and compete-
The Mystery Challenge was brought out of retirement for 1 additional year for the Defcon 20 year celebration-

The badge challenges have little parts that are for the 'casual' gamer type, as well as difficult synthesis of other cryptographic, physical, and various other puzzles, riddles etc- so hopefully there's something for everyone...if you get a chance stop by the 1o57 room on the conference floor and say hello.

Non-electronic. Tick-Tock.

Highwiz is completely correct. For those new to Defcon HighWiz is an integral part of the community, and responsible for Defcon 101 tracks...

Are you going to make a "special" badge for the media again?

Be sure to find a member of the press this year and look at the back of their badge...

Take the meaning for what you will... :)

(For those wondering, I tend to not be very positive as far as the press is concerned- when they attend a hacker con they are looking for sound bytes or shock bits to run in their stories- translation: at a hacker con the PRESS ISNT YOUR FRIEND. The year I did the playing card badges there was reason the press was a "duce")

what is the reason?

As a guess... a duece is a 2, so it'd be calling them shit.

Exactly.

Also the lowest card in the deck.

All the other non-human badges were face cards with detailed art-work...

Or blackhat attendees :)

So that is due to the fact that the registration line for Defcon is something of legend- some people wait in line for hours, if not days, because of the problems we had with running out of particular badges each year- well when folks who don't stand in line get their badges AT Blackhat, it kinda pisses me off- so the year of the cards we sent ONLY deuce cards to BlackHat....

I'm an accountant but would love to explore computer science and coding. How in the world would a complete an total novice go about pursuing this?

Points to consider- at some point, everyone was a complete and total novice in this field-

I can also say that some if not most of the best security professionals and hackers I know come from other disciplines first- for some reason hard core CS and CSE folks tend to follow certain paths of thinking (that I guess they learn from school/functioning in those roles) which DOES NOT lend itself to breaking and exploiting the very systems they build (they spend their lives trying to make stuff NOT break)- If you simply want to learn coding, there are loads of online resources - as far as hacking/security, come to Defcon ;)

Can you give me a challenge?

Well, sure.

You're welcome to try the badge challenge this year at Defcon, or to FIND the new mystery project I'm working on. (It's in the same vein as FINDING the registration for the Mystery Challenge in the past) but this will be an ongoing project...

Alright I'll bite and search for it. I guess I'm from the era where walking into a conference full of hackers and intelligence agents keeping tabs on said hackers was not a good idea. I've had friends/acquaintances do presentations but I'll never understand why they put themselves out there like that.

Read through some of the wiki write-ups from past Mystery Challenges- might give you an idea of how things sometimes go...

I am attending Defcon for the first time this year. What are three things that every new attendee should do?

Attend Defcon 101.
Talk to people. Try and participate in something. Anything.

http://www.jk-47.com/2015/06/bsideslv-defcon-2015-conference-tips/ <-along with defcon 101 check this post out

LOL- that post calls badge hacking "solo" - it's far from that every year ;)

While the badges recently have been made to try to increase human networking and interaction, I have also seen many just keep their heads in their laptops and IDE, I was one of them. I updated the post for clarity.

DC18 was a little eye opening for me, spent way too much time thinking "What can I make the led do? What msg is hidden in it?" Missing everything else going on around me. I just wanted to warn people not to get too caught up in that.

People can make DC what they want of it, but from time to time I hope they get off their laptops, and into the human world.

P.S. Utmost respect from me for thinking at a level that I can't begin to understand for the contests ;) Every year I'm amazed.

To be fair, DC 18 was designed by Joe Grand- and for the 4 years previous to that- those were designed for purely a hardware hacking challenge-

I do my designs specifically to require interaction with others in order to find solutions- You can't solve my puzzles without talking to others, because your badge does not contain everything you need...neither does your lanyard....

can you solve the chiliad mystery for us? /r/chiliadmystery

hehe- I'm more of an Elder Scrolls Online guy...

What operating system do you use?

Depends on what I'm doing...with the advent of virtualization it's almost a moot discussion now- but I do enjoy FreeBSD, and lately Mint with Mate...

Mint? I thought as a hacker you would be more inclined to using something like BackBox or Kali.

Like I said, depends on what I am doing- pentests vs RE, etc... And I can't take the ubuntu base on Kali- I lament the loss of backtrack in that regard-

generally for pentests you should roll your own so that you are intimately familiar with your system- lots of people moving to Arch for that- I was using #! for a while, but it's gone now too ;)

I love that you're getting upvotes for listing 2 "hacker" OSes. The things about those OSes is they are great to have around since all the tools are pre-installed and setup for you. But most of us will have our own setup with all the tools we use day to day, in the environment we are most comfortable with.

I'm interested in hacking. Could you please recommend five must-have tools?

netcat, grep, awk, echo and cat.

But seriously there is really no 5 must-have tools. Each job requires a different set of tools or technique and hacking has different areas of focus. What kind of hacking are you interested in?

If listing awk Jakuu, don't forget SED (they go hand in hand)- I would say get shell scripting experience. Learn some Python. Play with nmap, ping (learn more about it), grep goes along with the shell scripting (and regular expressions)- get a good book...

I gave a Defcon 101 talk about basic things to get people started a while back...not sure if that's online anywhere...

Oh, and Jakuu is a smart freakin' dude. Take his advice seriously as well...

Are you a member of any hacker groups or things of that nature?

Sure. The only ones that I will comment about publicly- shout outs to the Tribe, 303, 602 and 949, as well as APG.

There are others that I decline from comment on.

Recently finished reading Ghost in the Wires, the story based on the experiences of Kevin Mitnick. I thoroughly enjoyed the story, but I wonder how much of it is true/plausible. Any thoughts?

Also, thanks for this AMA!

Try getting the story from as many points as you can (have you read Takedown?) And rack and stack. Kevin comes to Defcon most years, as do feds who tracked him....

Will do, thanks for the response. It's always awesome to hear from someone in the field.

Thanks for the questions....had more people show up that I thought...

Any tips for someone struggling to pay for a trip to defcon?

Find a ride-share if you're close- hit the Defcon forums and see if you can find crash space- many people come each year and don't even have a room- they find someone to crash with, or get 'creative'-

The Defcon forums will often have caravan listings of people you might be able to get a ride to the con with-

I've seen GoFundMe people trying to get to Defcon as well.

If you're a student try getting your school to sponsor you in return for some type of story or mentor ship when you get back...

One more, What's the best hacking-related prank/joke you have ever performed?

A few come to mind- it's always fun to take a snapshot of someone's desktop, and replace their wall paper with it, then remove all of their icons (so the icons appear in the picture of their wall paper)- that's always good for a laugh

I've gone as far as hiding a system inside of another system, stuff like that...

Simple stuff seems to be the best for pranks-

One time we replaced the firmware on some WAPs so that all images were replaced with Rick Ashley (it was a while ago)-

As far as the crypto challenges go- I've always like that at the very first mystery challenge I gave the teams the answer to the entire cryptographic puzzle right at the start and they didn't realize/know it....

I really want to get into hacking as a profession in the future. Any advice?

Figure out what about hacking you enjoy- social engineering? Reverse Engineering? Red team? Blue team? Penetration tests? Government? Private Industry? Military? Consulting?

Get a bunch of VMs spun up either on virtual box or vmware, and run through some tutorials or books on your own infrastructure- practice, and read...

Was Defcon cancelled this year? I know it was, just wanted you to confirm.

Defcon is always cancelled ;)

What age group do the best hackers come from?

All ages.

Seriously.

Would you rather fuck one horse sized duck or a hundred duck sized horses?

I'm not really into animals, but if I was I guess I'd have to check the type of horse for purposes of scale. And I'd also clarify what radix your numerical references were utilizing, I guess I've seen too many episodes of the Twilight Zone where bargains with the devil often involve trickery...

Are you hacking right now?

Always.

So, you say you are good at crypto challenges?. . . .

What is that?

That is Kryptos, which is at the CIA headquarters.

There are several online groups who work on the Kryptos ciphers....

What's the deal with airline food?

it's a stretch calling it food.

Jerry, is that you?

Hi 1057 - You make the highlight of my DCs and are clearly the most talented person there. Sufficiently buttered up, what news have you on any mystery challenge?

I'm counting the days.

LOLz.

Thanks. Now I'm scared :)

Is what you're asking is if the Mystery Challenge is coming back?

Well yeah - that or any precursor to the badge challenge like @ tribeca ;-) except well, meant for us.

there is something in the works; not defcon related

Are there any defcon-style puzzles online you can share with us here that we can attempt to get an understanding of what the hackers have to try to do?

Yes. Stay tuned for a new project I'm working on :)

[deleted]

I have a job. Do you have openings? :)

Can you milk me Greg?

As long as you've got nipples I would assume so...although it may take a while and not be pleasant for anyone involved...

What are hackers going to do now that PCs are obsolete?

lol. And the backbone infrastructure of all our phones, tablets, and even these reddit servers run on what? ;)

Hacking will never die, it didn't start with PC's anyways. Think of it as manipulation or change, not bound to one field.

Yes- I think of hacking as a mindset- in fact I'm in the camp that you can't teach someone to be a hacker- it's a part of your thought process and means of problem solving- I can teach someone techniques, but not how to craft creative and unique solutions.

Hacking originally referred to radios or trains (depending on who you ask)-

But it's really a mind set. And the damned press usually gets the usage incorrect. I liken hacking to intellectual curiosity...

I think that the mentality can be taught. The problem is that rarely does anyone really talk about hacking in that way aymore. What I really appreciate about Defcon these days is the willingness to promote the mentality and community over false ideals of leet hackerdom. First time I saw the badge challenge I didn't even try, next time solved one puzzle, next year formed a team out of people I met in line and in the hallways and we finished second by minutes, next year we came back solved it again, this year we are coming back to do it again and we are coming for the black badge. Each year the puzzle got harder and I got better at solving puzzles. Did my crypto skills improve? Maybe but really it's the mentality that improved. Don't give up, try everything, and trust your instincts. See you at the con Lost.

Good luck guys ! :)