Making progress with the BH2013 #sophospuzzle – some early questions answered

Regular Naked Security readers will be familiar with our #sophospuzzles, which have become something of an institution at security conferences and trade shows around the world.

From tracking Sir Winston Churchill across the African veld to working out how to read pink text on a pink background, we try to include something for everyone, usually with multiple stages to solve in sequence.

But last time, at the AusCERT 2013 conference in Australia, we slimmed down the #sophospuzzle to a single stage: there was just a Rubik’s cube containing a single curious cryptogram.

The single stage was a matter of popular demand: doing the puzzle wouldn’t get too much in the way of the conference itself.

Everyone enjoyed the new-format #sophospuzzle, but – wouldn’t you know it! – popular demand was that, next time, we should make it a bit more involved.

So we’re back, at BlackHat 2013, with a multi-stage #sophospuzzle that is straightforward enough not to interfere too much with the event, yet requires (we hope) enough lateral thinking that it’s good fun.

Two people have solved it so far, making very good time: the first to do so is a malware researcher, so he’s good at unravelling programmatic mysteries!

That means it can be done, so why not try yourself?

You’ve got until 3.30pm Las Vegas time on Thursday of this week (01 August 2013), and you could win a 3D printer or an R/C tank.

There’s a crossword to solve, then an algorithm to analyse, and finally some program code to unravel and decrypt.

(There’s also a tiny twist in the tail, but only if you were, ahem, cheating in the earlier stages.)

I’ll try not to give away too much at this point, but for those of you trying the puzzle, here are some answers to questions that have been asked more than once each already:

1. In the FORTRAN-like algorithm in stage 2, there’s a loop in which a variable called Q is first used as an exponent (10**Q in FORTRAN) and then multiplied by 10 (Q=Q*10) before the loop repeats. Can that be right? Doesn’t that send the value of 10Q rocketing upwards, out of control?

Yes, but only in practice, if you try to run the algorithm as it stands.

In theory, of course, exponents can get as big as you like. So just ask yourself what the code would do if it were able to run without time or memory limits.

Hint→ 10Q is 1 followed by Q zeros. So if you multiply a number by 10Q, you’re effectively shifting its decimal point Q places to the right.

2. The code in stage 3 is written in Lua. Why is that? Isn’t that just because Lua is your favourite language?

Yes. But that’s a pretty good reason, wouldn’t you say?

Hint→ Lua is pretty straightforward and worth learning, at least if you’re a security professional. It’s lean, elegant, and free. It’s also used as a scripting language in many important security tools, including Nmap, Wireshark and Angry Birds. So there is a pedagogical purpose in choosing it here.

3. The file e.9 in stage 3 runs for ages, and then gives attempt to call a nil value. Isn’t there something wrong with it?

Yes. It wouldn’t really be a puzzle if you could just execute it and solve everything automatically in one go.

Hint→ You don’t have to run the Lua code as it stands. You can just treat it as a specification, and recode in another language, or edit the Lua to optimise it so things go faster, or shorten the loop and see what happens. As I mentioned on Twitter, if the key doesn’t seem to work, then the algorithm could be wrong, or the ciphertext, or…the key itself.

Hope that helps you a little, or at least gets you thinking about how to think about the problem.

Remember, you can follow #sophospuzzle on Twitter, or email me directly ( if you want hints in private.

Good luck!