AusSHIRT 2013 – the #sophospuzzle instructions in full

The AusCERT 2013 conference has started, so the AusSHIRT 2013 puzzle is officially live!

In previous years, the puzzles typically had multiple stages, with the shirt decoding to a URL, and the URL taking you to the next level, and so forth.

For example, last year’s Skyfall #sophospuzzle required you to recover a stolen file, decrypt it and wrangle out of it the identity of a famous person.

Then you had to find out where he was incarcerated in the nineteenth century, and work out the twenty-first century location of the prison.

Apart from that, it was really straightforward.

Many of you asked us to make this puzzle a little more self-contained, so you wouldn’t need to spend hours on your computer working your way through it when you should be enjoying the conference.

So, instead of three stages, we’ve given the puzzle three dimensions (OK, technically it’s an isometric projection into two dimensions, but bear with us here), and just one stage.

So you can solve this year’s AusSHIRT #sophospuzzle straight from the shirt, using nothing but pencil, paper and intellect.

Of course, you can still throw some home-hacked scripts at the problem if you want: a little bit of brute force goes a long way, and you can leave your scripts running while you attend the conference parties.

How to get started

The puzzle is a cryptogram, which means that the letters on the cube have been scrambled using an encryption algorithm.

Encryption algorithms usually rely on a mixture of substitution, where one letter is changed into another, though not necessarily always into the same one, and transposition, where two letters are switched around, like an anagram.

The easy part in this puzzle is that the substitution always replaces each decrypted letter with the same encrypted letter.

And the letters in the answer appear in the same left-to-right, top-to-bottom order that they do on the cube.

The only transposition you need to worry about is to put the three faces in the right order, so there are only six possible combinations to worry about.

Usually, a straight letter-for-letter substitution is called a Caesar cipher.

→ The cipher gets its name because it was considered state-of-the-art back in 55BC, when J. Caesar first invaded Britain. He just shifted every letter two places along in the alphabet, writing C for A, D for B and so on. At the end, he wrapped round, so Y became A and Z turned into B.

Caesar ciphers are easy to solve because of repeated letters: the encrypted text shows the same bias (e.g. in English, that ETAOIN are more common than JKXQZ) as normal text.

So we’ve made this slightly harder than that, as follows:

  • Letters appearing more than once in the puzzle are all shifted by the same fixed amount (obviously, the shift is somewhere from 1 to 25).
  • Each letter that appears just once in the puzzle is shifted by a different amount, with one letter shifted by 9, another by 8, and so on down to a shift of 1.

By the way, the Sophos Shield icons are just for decoration – they don’t count as letters in the puzzle.

How to get hints

Follow @SophosANZ on Twitter, and keep your eye on the hashtag #sophospuzzle.

Oh, and bear in mind that a dictionary attack probably wouldn’t hurt, so you might like to start out by trying to guess at text that is likely to appear in the solution.

How to get a prize

If you’re at AusCERT, there are two cool prizes of Transformer construction sets, which you can pretend you are going to give to your children.

The fastest solution will win one prize, and a random draw at the end of the conference will determine who wins the other.

Email your answers to to qualify. (The topmost Received: header will be used to determine the time of submission.)

If you aren’t at AusCERT, there are five DECODEME T-shirts to be won, drawn randomly.

Entries will be accepted until 2013-05-24T14:25+10.

That’s 2.25pm Queensland time on Friday 24 May 2013, five minutes before the final Speed Debating Session at the AusCERT conference.

NB. When emailing your answer, please indicate whether you wish to be identified as a solver, and if so, whether we should use your full name, first name, nickname, Twitter handle, or whatever. By default, you’ll be anonymous.