Friday, August 31, 2012

Bathroom Bacon PAX (photo)

PAX Prime, 2010, Seattle, WA
It's blurry.  It says "See the bacon.  Catch the bacon."


Monday, August 20, 2012

DEFCON 20: The Coming Of Age

My first DEFCON began five summers ago, right after I met Roland.  He told me in three weeks he'd be flying down to Vegas.  I immediately knew what con he was talking about.  I'd dreamed of attending since I'd first heard about it in the late 90s.  I hadn't gone for two reasons: as a penny-pincher, I didn't like wasting my money on plane tickets, and... I didn't think I had any right to be there.

[Photo caption: Awesome Track 1 Stage. Each bit is hanging in 3D. A projector makes this interesting throughout the con.]

I couldn't have been more wrong on both counts.  That was 2008, DEFCON 16.  I flew down and I had a blast.

Now it's 2012, and the 20th DEFCON known to mankind.  To put history into perspective, the first Defcon began right about the time the World Wide Web was being invented.  It was before Yahoo, before Amazon, before blogs.  It started during a time when terms like "email" and "download" were known only to a small minority of people, an extremely niche subculture.  I remember that time, even if I do not remember the first Defcon.

Like every year, this con was bigger.  Way bigger.  I would estimate, based on badge sales rumors, that there were roughly 16-19,000 people total.  (There were thankfully plenty of badges -- no one went home with a paper badge).  And not only did I feel like I belonged, I felt like a veteran.

Almost everyone I talked to said this was their first Defcon. When speakers asked for shows of hands, about 40% of the hands went up. This was a Defcon of newbies. Welcome n00bs.

The theme for me this year is a lesson that has been slowly dawning on me for the past half-decade.  It's a lesson that applies to all areas of life: Hacking is Doing.  The winners, leaders, experts, and elite in life are those who simply DO.  Life isn't High Fantasy.  No one is born The Chosen One.  Magic powers aren't something you're born with.

Destiny is guided by doers.  Not even by people who decide they want to be good at something -- but people who decide they want to learn.  People who want to play.  People who take a little time to do more than simply consume.  Those who make something.  There is no certification for cool.  There is no pay-wall, and all l33tist clique-barriers are social illusions -- merely games played by doers.

Fun facts: They let anyone into Defcon.  And you can be a hacker, too.

Want to be an expert at crypto?  Go solve some puzzles.  Want to learn about application security hands-on?  There's an app for that.  Want to play at being a hacker, or even become an expert?  If you have a mind for wiggling through cracks -- and if you're interested, it means you have a mind for it -- then go get it. Any other related field: hardware, programming, lockpicking, Morse code. Go learn it just because. There are some links, and you've got Google.  No time has ever been easier. (A shout-out to two more hacking-related games: Telehack and Uplink.)

The field is wide open.  I don't work in IT anymore, but if I did, I'd head straight for a job in infosec.  Unemployment is less than one percent.  You do not have to be Uber to be useful in this field.  Pen Testing is about finding low-hanging fruit -- the obvious numb-headed simple security flaws that anyone could find, if organizations gave a crap and bothered to hire you.  If I wasn't focusing on this writing career, I'd go immediately into that field.  And I'd be damn good at it.  Even though I'm a newb.  All it takes is a driving curiosity and a passion for peering inside closed boxes.

Did I mention Defcon is inspiring?  It was especially inspiring this year.

Lost preached the "Just Do Things" message every time he had a mic in front of him. As I said, it's a lesson life has been slowly teaching me, and Lost is a perfect example of this. As he tells it, he came to Defcon not that long ago as a newbie and immediately involved himself.  He started up a robot building party in one of the rooms and gathered lots of people.  He made himself official.  Simply by doing.  Now he's one of the "Elite", and his point, which he drove home over and over is: You should just go do things, too.

[Photo caption: All DEFCON Badge Designers are born with a special birthmark, proving their magical birthright from the gods. (Not really.)]

While I made a lengthy critique of the badge puzzle this year, the lasting message is that there was a badge puzzle this year.  Because Lost went and did it.  Not only that, but even though I made no progress on solving it, it rekindled my interest in puzzles for the second year in a row.  Three weeks after Defcon I'm still rabidly chasing puzzles.  I'm playing The Secret World because it has puzzles (and we are introducing two of our kids to the same joy).  I'm casually poking at TryThis0ne when I get time.  And I've started playing text adventures again, something I've not seriously done since I was 12.  (A Scott Adams girl here.)  My mind is filling with ideas for puzzle games that I could write, and even though I know I won't have time to actually do them, the energy is spilling into my other work.

Everything cool at Defcon exists because someone just up and did it.  From the electronic badges to the lockpicking village to each of the talks to the contest winners.  To the existence of Defcon itself.  People who are cool at Defcon are people who do.  There is no certification program, no minimum level of knowledge, and even the most expert black-badge CTF winner uber hacker still doesn't know some of the things you know, and is missing talents you possess.  It took me five Defcons to truly figure this out, so listen up.

Your brain is awesome, and it will grow to fill the requests you make of it.  A positive action is a butterfly wing-flap.  Not only can it cause awesome weather all over the world in places you never would have expected, but the workout builds the muscles in your wings until you become a mighty dragon.  Yeah, it's a cheesy metaphor, but I'm the one writing it... If you don't like it, go write your own metaphor.  That's the whole point of this rant.

I'd like to especially stress this message to women, who are more likely to wait to be given permission.  Don't wait till you're in your 30's to learn this lesson like I did, and if you're in or past your 30s?  Now is the best time to start doing.  If you need permission, here you go.  Permission granted, achievement unlocked, go do something.

[Photo caption: This authentic WWII Enigma Machine was made by doers! Go make something!]

So this year I'm going to focus more on doing.  I'm not going to worry about whether I'm qualified, or whether it will be cool.  I won't worry who the gatekeepers are, or if I'm smart enough to get very far, or if I might get tired and give up at some point.  I will not worry about any end-game.  I will just do what I find interesting and what will make me feel smarter when I'm finished.

DEFCON 20 was far more diverse.  As I said, lots of first-timers.  Sadly, accessibility comes at a cost.  The past two Defcons have been far more tame.  My first couple of Defcons, the twitter stream and rumor mills were full of exciting stories, and it was a bit of a game to anticipate hearing about the next antic.  The next prank, the next rumor of an arrest, the next hacked hotel facility, the next killer bee attack.  Of course every other story left us wondering if Defcon would be kicked out of the Riv.

This year?  I can't think of much that happened.  Not much at all, actually.  At least last year Sabu and the J3st3r were chasing each other around, and the phones got man-in-the-middled.

The downside of course is less excitement.  But less excitement equals less fear, and that's a beautiful upside!  The amazing feats this year seemed to be constructive, and that is something I can get behind.  Most notable, Ninja Networks built their own phone network and distributed special smart phones for those deemed l33t enough.  That's a trend I can support, and I'll just have to be grateful I got to experience the last few years of the wild-west-style DEFCON.

The Goons did an excellent job of Line Management this year.  Though I got in line at peak hours, I only had to stand there for about an hour.  I'd guess there were at least 3,000 people ahead of me.  And the line didn't block the hall.  For the most part, (with one exception), I did not find myself stuck in a between-panel hallway traffic jam.  I was allowed to sit in the same track across multiple talks, and there was (almost) always enough seating.  So very huge kudos to all those who pulled off that amazing social engineering hack.

Goon attitudes were definitely awesome this year.  It's not like the Goons ever sucked... I can't quite put my finger on it, but the Goons seemed more upbeat, and less... bossy?  More fun-loving?  Less oppressive?  Dunno what you guys did, but it was a joy to be ordered around by you guys this year.

On that same token, Defcon seemed like a better experience for women this year.  I've heard some pretty horrific stories, and like many geek cons, DEFCON has a reputation.  Personally, I've been protected from a lot of it since I attend every year with Roland.  But I've seen my share of sexist remarks in talks, and there was one incident last year involving Goons I thought worthy of filing a complaint over.

Yes, there were sexist remarks this year in talks and in hall-conversations.  But the culture made a definite shift in a positive direction.  Partly I'm sure due to official efforts, but also due to attendees taking action.  (See above about "doing".)  An attendee named KC distributed creeper cards, which brought awareness to the whole concept of sexual harassment, which seemed to have a huge overall effect.  In one talk, one of the Core Goons said something rather inappropriate to a woman asking a question at the microphone.  Instead of laughing, the audience groaned, and someone suggested he get a creeper card.

In general, sexist remarks (like tired jokes about being surprised there are any women in the room) met with very little reward.  So I expect next year's Defcon to be a much more friendly environment for women.  Which is a good thing, because I saw more women as a percentage at Defcon this year than ever before. It helps that there are a number of female Core Goons, including Nikita, who can give a female voice in the upper echelons.  I am grateful for their hard work.

DEFCON Kids was growing up this year, too.  It makes me wish I could be a Defcon kid.  One of the most impressive things is that they have a Zero Day contest, in which kids find actual zero days in actual live systems, like online games.  I didn't write down the number, but this year they collectively found dozens of zero days.  We're talking twelve-year-olds here.  Just like it was in the late 80's, only now the adults are teaching them how to do it.  So awesome.

This year was the second at the Rio, and I think I missed the Riviera more than ever.  Every time I had a Defcon memory, it was set at the Riv, and I looked around to find myself in a different place.

I got to see way more talks this year than last.  The talks seemed to lean more technical, and since I'm not in the field anymore, I'm more interested in higher-level talks.  Things like theory and the state of global cyberwarfare and lock picking exploits and biohacking.  Talks on the five newly discovered SQL Injection Techniques with play-by-play how-tos aren't really useful to me.  So in a sense, the talks weren't much for me to write home about.  I probably managed to miss some really good talks, but there you go.  I'll highlight the ones that stood out.

Obviously the keynote by General Alexander, Commander, U.S. Cyber Command, Director, National Security Agency, is worth commenting on.  I had mixed feelings about his talk.

I love the fact that the NSA and hacker communities are finally on speaking terms.  I've read Crypto: How The Rebels Beat the Government Saving Privacy in the Digital Age, and understand the historical context.  The NSA fought every effort to bring encryption technology to the private sector, where it was sorely needed.  Remember when you couldn't export Netscape because of SSL?  Thank the NSA for that.  A lot of our core technologies like email and DNS are fundamentally non-secure for lots of reasons, but a big one is that the private and academic sectors had no access to cryptography, on threat of arrest.

So to see the NSA finally "getting it" on some level was amazing.  And to hear the head of the NSA agreeing with the hacker community on many levels was like Javert telling Jean Valjean that maybe the system was a little corrupt, and perhaps Valjean should be pardoned.

On the flip side, some other things he said made it very clear that the fundamental philosophies of the NSA are still quintessentially opposed to the philosophies of the hacker community.  So while the two groups are agreeing on a lot of the higher concepts, their root reasoning is still at odds.  For instance, after acknowledging that many things which shouldn't have been illegal are now legal thanks to hackers, he then made it very clear that all attempts to improve security should only be done above ground, within the legal sphere.

At its core, the Feds are still Javert.  They don't get that sometimes the law is fundamentally flawed, and that the only way to change those laws is to continually act against them to prove how flawed they are.  If it weren't for lawbreakers, we'd still be at 1980's level security, and encryption and the internet would be owned by true criminals.  (One could argue that this is actually the case.)

So his talk really rubbed me the wrong way.  The Feds are still the Feds.  Don't get me wrong -- hackers should absolutely go work for the NSA.  For starters, your country needs you.  For seconders, their philosophies aren't going to change without more of our culture on the inside.  Like last year, I still hold that the community should take advantage of these olive branches.  Get to work.

I also got to see an unscheduled talk by Kevin Mitnick in the Social Engineering room.  I'd always wanted to watch the Social Engineering contest, so when I had a moment, I wandered over.  Nothing much was going on, so I parked, waiting for the next round to start.  Soon it was announced that Mitnick would be there, and the room filled right up.  I had third-row seats, and got to listen to a lot of stories about Back In The Day.

I knew a lot of hackers Back In The Day.  They traded Zero Days and hacked payphones and cracked games and ran elite boards.  When the "Free Mitnick" campaign started, the hardcore hackers criticized Mitnick, saying he was merely a social engineer, and anyone can pick up a phone and steal a password.

I'm sorry, but those guys were wrong.  Mitnick had to know what he was talking about to call up software companies and get copies of source code.  He used a lot of technical hacks to secure social engineering hacks, and to be honest, he was far more hardcore than most of the tech-only hackers I knew.  He wasn't just hacking servers, he was hacking every single system he could get his hands on.  Including social systems.

And frankly, he deserved to get arrested.  Though a lot of the charges against him were trumped up, he committed a number of real crimes.  Nevertheless, his stories were very cool, and he was clearly a pioneer in this field.  If you ever get a chance to hear him speak, go take a listen.  You will learn more about the hows and whys of security than anywhere else.

I watched three social engineering contest rounds.  The contest works like this:  Contestants are given a list of 20 "flags" they have to capture.  Examples: What OS and browser version are you using?  Is it kept updated?  Who is your shipping vendor?  Do you have a cafeteria?

Contestants are placed in a sound-proof booth and are assigned a company to attack.  The moderator does all the dialing, and the audience can listen to the caller and the callee.

I learned so much from watching this.  The first guy called HP Sales, and claimed to be a new art student. He played dumb about computers, which not only made for a hilarious conversation, but he also managed to capture most of the flags.  I started to get an inkling what kind of information is important to a hacker, and combined with Mitnick's talk, I could easily see why.  Why would you want to know their shipping provider?  Well if you wanted physical access to the building, you might want to dress up as the UPS guy.  If you wanted to send a Trojan, you might want to know what exploits would work, so it would be good to know OS version and the type of anti-virus software.

The third guy was also interesting.  They gave him AT&T, which is notoriously difficult to sosh, and I quickly learned why.  He called a local retail store, and used an interesting (and entertaining) meta tactic.  He had done a lot of research ahead of time, which as Mitnick's stories proved, is very important because it makes you appear convincing.  He told her he was from internal security, and that the DEFCON hacker convention was going on, and they were doing social engineering contests, and for some reason, her store was on a list.  As an audience, we had to suppress our reactions to maintain silence, but inside I was dying of laughter.  It really doesn't get much more meta than that.

At first his strategy seemed to be working, but at some point she just clammed up.  She was well-trained, and about the time he started asking about their operating system, her red flags started waving.  She played it really cool and refused to answer his questions, or if she did, she did so vaguely.  I was very impressed.  The contestant's technique was probably too pushy, and he talked too much, but either way, it was obvious AT&T security had done its job on training.

So he tried again, to another store.  The guy he got started out pretty quiet, but after a while, out comes a fair amount of information.  Which goes to prove that security is only as strong as the weakest link.  And there will always be weak links, so the best route is to try to cover every single angle as best as you can.

I also learned about how innocent-seeming information can be leveraged.  If you're attending Defcon in the future, definitely check out this event.

I also saw the talk by Kevin Poulsen.  I remembered the article from Wired in 1999, which I re-read every few years.  Poulsen describes his exit from prison in 1996.  He went in in 1991, when BBSes reigned and the Internet was only available to academics and hackers.  I nearly cried every time I read his description of stepping out of jail and looking up at a billboard with a URL printed on it.  When he went in, the web hadn't even been invented, and just five years later, mainstream advertisements were sending people to websites.  If you're interested in computer history at all, it's an article well worth reading.

Like Mitnick's talk, Poulsen's was entertaining and old school and I learned that Poulsen was arrested for very good reason.  He'd definitely crossed that line from hacker to con man, and stole real money and property using some pretty ingenious schemes.  (As an aside, this Unsolved Mysteries episode made while Poulsen was still a fugitive is a beautiful bit of history.)

The parties were pretty great this year, and the Crystal Method concert totally rocked.  Roland and I danced ballroom style.  I remember at one point, standing there awash in music and joy and marvel, thinking of my 16-year-old Mormon self, with my first modem, logging onto BBSes.  I imagined how I would explain any of this life to her.  She was so very, very different from who I am now.  Although I am just now rediscovering how cool she was, too, and that's the person I'm uncovering as I do all these puzzles.

Like last year, I entered the Short Story Contest this year.  And I was given an opportunity to do a reading at the Forum Meetup.  I read my entry, "Where the Eye Lacks Message", to a small crowd of about ten people.  I hadn't prepared, other than a couple of practice readings in the room, and I didn't have a handy printout with underlines like I did at my Wayward Reading.  But I found reading from my smart phone to be almost as good, and perhaps in some ways, better.  Someone else decided to do a reading as well, and I really enjoyed it.  I wouldn't mind if DEFCON made this a "thing", but even if it just stays a small impromptu deal in a side-room, I would totally repeat the experience.

My story was a paranoid conspiracy adventure based on last year's badge contest.  So it was really thrilling when Lost bumped into me in the hall and said he liked it.  As I said, recognition is all about the doing.

DEFCON always makes me look at the world in a different way, and on the last day, we saw this at the Carnival World Buffet:

[Photo caption: Defcon 20 is closed. This ATM is WIDE OPEN.]

This is an ATM.  It accepts money.  Including cash.  If you're new to computer security, you might wonder why this is interesting... after all, there is no keyboard attached.  But even a little vague information is necessary for a good hack, and here I learned lots of specific information.  Including what kind of financial processing software it uses (which would tell me what ports to scan on a network to find this machine), and something even more damning: It's running VNC, which could allow an attacker to remotely connect to the full desktop.  I hope they got that thing fixed... but probably they didn't.

This year was the best DEFCON I've attended.  It's a great place for learning and doing and meeting.  I'm looking forward to seeing you there next year, when DEFCON turns 21 and will finally be old enough to drink!


Friday, August 17, 2012

A Hint of Emerald City Hunter (photo)

The below photo is from one of the settings in my work in progress, Emerald City Hunter.  Can you guess where in Seattle it is?

Somewhere in Seattle, WA


Friday, August 10, 2012

PAX Beholder (photo)

PAX Prime, 2008, Seattle, WA
When your head is in the mouth of the Beholder.


Monday, August 6, 2012

DEFCON 20: The Badge Contest

DEFCON 20 = Best Defcon Evar.  For me at least.

This post is about the Badge Contest.  I have also written about the rest of the con, like how my reading went, the amazing parties, and the surprise talk by Kevin Mitnick I was lucky enough to catch.

Last year Roland and I spent a lot of time distracted by the first annual badge challenge.  I wrote about it here.  This year, I knew there would be another contest, and I debated whether I wanted to obsess over clues and miss a lot of talks.  I figured I'd play it by ear.

We did end up playing around with the badge challenge for a while... and we made zero progress in the first two days.  None.  Not a budge.  We decrypted one very simple newbie puzzle, which was just a clue to a real puzzle, and that's it.

This year's challenge was much, much harder.  Not a casual game, but hardcore mode.  The bar was frankly too high for amateur solvers.  We didn't expect to win this year.  After all, we're newbies.  But we did expect to get past the first level.

So unfortunately, this post is going to be more of a critique than a write-up of puzzle details.  It breaks my heart, because I know Lost puts his soul into giving people a good experience.  He's made it clear that he does not want to overly frustrate and that he wants to encourage everyone to participate.  Lost fills many, many shoes at the con, and I appreciate all he does.  Defcon was truly awesomesauce this year, and I'm sure a lot of that was due to his efforts.

However I'm a big believer in constructive critique, and in transparency, so here is a rundown of the frustrations that we experienced.  For actual detailed write-ups of the clues, there are two: 1o57.wikispaces.com and elegin.com.

The short answer is, there were too many locks, too many keys, and no way to tell which key fit what lock, or even which were keys or locks.  None of the first layer puzzles were easy, so we couldn't start eliminating factors from a huge pile of raw data.  The Mystery Challenge was also going on this year, which added to the confusion for those of us purely working the Badge Challenge.  At least one major clue has now been identified as mC (the circuit rotunda), and I now suspect several other clues we found (and spent time on) were part of the mC because they were not mentioned in the badge write-ups.  As novices, we had no way to distinguish the bC clues from the mC clues.

I arrived at Defcon on Thursday while Roland was still at BlackHat at Caesars Palace.  The news came pretty fast that we'd have to do some electronic badge hacks in order to solve the puzzle.  That intimidated me, and I almost decided to enjoy Defcon without the added distraction...

Then I found myself in the greater rotunda, staring at the numbers and the symbols, and I was hooked.  As with last year, I whipped out the notebook and started writing everything down.  Started taking pictures.  Started basic cryptanalysis.  For example, I immediately noticed the numbers in the greater rotunda were 1-26, so it was some kind of substitution cipher.  So far so good.

Then Roland arrived and we went at it for a few hours.  We had piles of crypto and clues, from the program, from the lanyards, from the badges, from the Defcon DVD, from other attendees, from around the con.  And...

We got nowhere.

Lost's Twitter hints weren't helpful.  Some of them were things we'd already gathered from the Badge Talk or other sources.  Like that we needed all three lanyards.  That we needed to use Quick Fox (the pangram clue already told us that).  Other tweets only added to the pile of data we had, with no arrows as to how to apply any of it.  At one point, based on a Tweet, we started trying to apply Rail Fence to all the codes, which was another big time waster.

Lost hinted at the hall signs, but I saw nothing.  Part of the problem was my mistaken assumption, based on last year's example, that all the signs were the same (so I only checked a couple of signs).  The other issue is that the special signs were stolen at some point, so it would have been impossible to notice them.  We had one of the sign codes from the DVD, but not the other two.

From a game design perspective, the first layer of puzzles was too hard and gave no encouraging breakthroughs.  Had we managed to unlock the second layer, it would have been easier, with lots of carrots.  The write-ups describe several URLs (unlocked by solving the difficult first layer puzzles) containing simple reversed-letter strings.  Easy-sauce.  Accessible.  (What to do with them would have been the challenging part.)

If the goal of the game is to get everyone involved, you have to make the first levels easy and rewarding.  On the first day, groups of random strangers were forming in the halls to examine the clues.  We were sharing, we were playing with the badges, we were taking pictures of each other's notes.  By Friday afternoon, the groups had dwindled to a few lone souls, and by Saturday, all but the most hardcore had given up.  The winner of the contest was a Mystery Challenge team.  I'm sure that wasn't the point.

It would have worked better had there been multiple easy first-layer ciphers all vaguely pointing to a deduction.  Some examples of "easy" ciphers might be: a brute-forceable cryptogram, clues hidden in the source of an HTML page, image steganography, an obvious OTP, ROT13, binary or hex.  Instead, there was a single Atbash code with a specific URL, which in and of itself might have been easy without the overwhelming distractions.

Atbash was totally fair.  It's simple enough, and listed at the top of the list on the Rumkin cipher reference page.  But our chances of guessing or brute forcing this were reduced by all the other distractions and time wasters we tried based on other clues and obvious suspects, like multiple pangram cipher types, OTPs, Rail Fence...

Like rats (or polar bears) whacking at the food button, we eventually gave up when no pellets came out.
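To show how cheap it is to brute-force the "easy" first-layer ciphers listed above (Atbash, ROT13 and the other rotations, reversed-letter strings, hex, binary), here is an added example that is not part of the original post or the contest. The sample strings are constructed, `www.example.com` is a placeholder, and the marker list used for scoring is an assumption.

```python
import re

# Markers that suggest a decoding produced a URL or English text (assumed list).
MARKERS = ("www.", "http", ".com", " the ", " and ", " is ", " in ")


def atbash(text):
    """Mirror each ASCII letter (a<->z, b<->y, ...); leave everything else."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(ord("z") - (ord(ch) - ord("a"))))
        elif "A" <= ch <= "Z":
            out.append(chr(ord("Z") - (ord(ch) - ord("A"))))
        else:
            out.append(ch)
    return "".join(out)


def rot(text, n):
    """Rotate each ASCII letter forward by n places (ROT13 is n=13)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def from_hex(text):
    """Decode hex digits to printable ASCII, or None if that is impossible."""
    compact = "".join(text.split())
    try:
        decoded = bytes.fromhex(compact).decode("ascii")
    except ValueError:  # bad hex digits or non-ASCII bytes
        return None
    return decoded if decoded and decoded.isprintable() else None


def from_binary(text):
    """Decode space-separated 8-bit groups to printable text, or None."""
    groups = text.split()
    if not groups or any(re.fullmatch(r"[01]{8}", g) is None for g in groups):
        return None
    decoded = "".join(chr(int(g, 2)) for g in groups)
    return decoded if decoded.isprintable() else None


def score(text):
    """Count marker hits; padding lets words at either end match too."""
    padded = f" {text.lower()} "
    return sum(padded.count(m) for m in MARKERS)


def triage(ciphertext):
    """Try every easy decoding and return (score, name, plaintext), best first."""
    attempts = [
        ("as-is", ciphertext),
        ("atbash", atbash(ciphertext)),
        ("reversed", ciphertext[::-1]),
    ]
    attempts += [(f"rot{n}", rot(ciphertext, n)) for n in range(1, 26)]
    attempts += [("hex", from_hex(ciphertext)), ("binary", from_binary(ciphertext))]
    ranked = [(score(p), name, p) for name, p in attempts if p is not None]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed samples, one per cipher family named in the post.
SAMPLES = [
    "ddd.vcznkov.xln/kfaaov",            # Atbash of a placeholder URL
    "gur nafjre vf va gur cebtenz",      # ROT13
    "margorp eht ni si rewsna eht",      # reversed-letter string
    "7777772e6578616d706c652e636f6d",    # hex
]

if __name__ == "__main__":
    for sample in SAMPLES:
        best_score, name, plaintext = triage(sample)[0]
        print(f"{sample!r}: {name} -> {plaintext!r} (score {best_score})")
```

Running every cheap transform against every clue and ranking the output is what turns a pile of raw data into a short list worth a human's attention.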

I have a few suggestions, from a game design perspective, which could help next year's challenge be more fun and accessible.

First, have some method of separating the bC from the mC.  That may not be a problem next year since the rumor is that this year's mC was truly (and sadly) the last.  But if both are going on, maybe a "#bC" and "#mC" signature next to clues from each (as is done in Twitter).  Or create fictional characters who are leaving the clues, and include signatures (initials, a name, a symbol like a rose or Kanji character or the Eye of Horus).  Make it clear those are the rules, so that any beginner can quickly pattern-match and easily figure out, "This clue is not for me."  Of course this method will make it harder to place intentional red herrings, and it throws many forms of steganography right out, but ... maybe it doesn't have to. :)

Another thing would be to give hints as to which clue goes to what puzzle.  I'm not asking for dead giveaways, and I still want to be able to sort some things out.  I don't want to be applying all three forms of Quick Brown Fox (plus the Wizard's Pangram, et al.), to every single crypto at the con.  (To be fair, the pangram clue was right next to the puzzle it belonged to, but also to be fair, not all clues this year and last were so closely associated.)  So perhaps a color scheme - puzzles printed in green match clues printed in green.  Or some other scheme... again, it could leverage fictional characters: this key has Agent X's signature, but this puzzle has Horus's Eye, so they don't go together.  Or some indicator of when you'll need each piece of information.  If from the start we're being given bits of a later puzzle, there should be some indicator that we don't know enough to work that one.

Some misdirection and confusion is fun.  Too much is overwhelming.

If there are going to be interactive badges, have them spit some kind of content out early on.  Anyone who tries even a little bit should get some kind of, "Nice try, keep going".  The method of getting that should lead logically to the more difficult and meaningful answer.  Like if you sync with one other badge type, it flashes SOS in Morse Code or "MISS!" in binary or says "GAME OVER" when you wave the LEDs back and forth.  Then we'd know when we're barking up the right tree.

My last suggestion: Give some low hanging fruit.  Make a couple of early puzzles so ridiculously easy that any Defcon attendee will realize this game actually is for them.  TryThis0ne's first puzzle is one such example.  You have to solve it before you can even access the other puzzles.  Anyone who's ever done a newspaper cryptogram can solve it.  Feel free to taunt those who crack them, like, "I was just testing to make sure you were awake, but my dog could solve that puzzle."  After that, ramp it up.  Steeply.  Terribly.  Painfully.

Parenthetically, in DEFCON 20's contest, a few easy attempts rewarded you with a taunt, like, "Did you really think it would be that easy?"  If I recall, they were things like guessing Lost's name in the URL, and messages hidden in same-color text on the HTML page.  Those messages were actually encouraging.  They sent a clear subtext: "Hey, you're smart enough to try the obvious things, and you found something... not something useful, but something.  You can do this."

Now for the good points:

In the badge talk, Lost mentioned a goal that he successfully accomplished: He wanted the game to be more social.  That definitely worked.  I found myself talking to more people on the first day than I've talked to for entire cons.  People were excited to share and help and try to beat the challenge.  We were holding up badges, talking about them, trying to figure out what made them tick.  We were looking at each other's lanyards, trying to figure out why we needed all three...

He also continued the backstory mythology from last year, of the Brotherhood of Horus and secret societies.  There was mention of a comic book, and I'm looking forward to that.  I wrote a story for this year's short story contest based on the clues from last year's badge contest, so I'm looking forward to seeing how next year's mythology develops.

The contest was also inspiring.  Lost did a great job both years of making us curious.  These puzzles remind me that I'm smart, and they bring back the feeling I had as a kid, when I'd excitedly try the brainteaser every Friday at school, and I'd usually win.  It helps me remember that I love puzzles, and that just because I've aged and experienced failures and forgotten how to do grade school math doesn't make me any less capable than I was as an eight year old.

The hands-on aspect of the Badge Challenge is essential and awesome and inspiring.  It lets me participate in Defcon in a way that makes me feel I could participate in "higher-level" contests, if I wanted.  The badge challenges have made me feel like I belong at Defcon and I'm not just a poser or a tag-along.

After DEFCON 19, Roland and I were inspired to do more puzzles during the year, but we didn't follow up.  This year, we did.  We found TryThis0ne.com, which is a site full of puzzles and hacking challenges.  And we started playing a new MMORPG, The Secret World, based on its inclusion of real puzzles and crypto that you have to actually solve before you can complete quests.  My brain cells are grateful for the exercise.

A questioner at the badge talk Q&A asked about online resources for doing more puzzles, and he was directed to Martin Gardner (possibly these sites, Puzzle Playground and Math Puzzle) and Notpron.  I haven't checked those out, but if I tire of TryThis0ne and TSW, I have a fallback plan.

Most of all, I look forward to the badge challenge at DEFCON 21!  Maybe with some practice, we'll get a little further next year.


Friday, August 3, 2012

Institute for Advanced Psychenergetic Studies (photo)

Las Vegas, NV 2008
This is on a door at one of the mega-hotels in Las Vegas.  I think it was the New York-New York Hotel.  Like so many things in Vegas, this doorway is false.  ... or is it?
