The US Cyber Command has released a series of ten Valentine’s Day “Cryptography Challenge Puzzles.”
Slashdot thread. Reddit thread. (And here’s the archived link, in case Cyber Command takes the page down.)
Clive Robinson • February 15, 2021 6:12 PM
@ Bruce, ALL,
Valentine’s Day “Cryptography Challenge Puzzles.”
Hmmm…
I take it that US Cyber Command has assumed that we are all so nerdy that we didn’t have anything better to do over a Valentine’s weekend…
Well I’ve news for them, this nerd even though long in the tooth, certainly did 😉
And to all out there I hope your weekend went well considering the state of play currently.
Kas • February 16, 2021 1:05 AM
@Bruce,
Hi, this is my first comment here while i have been following your blog for years.
This one really made my day, when i reached puzzle 7, it took less than a second to figure out the answer, and the answer did really put me in great mood and i laughed hard.
Did you solve puzzle 7 ?
Tatütata • February 16, 2021 6:05 AM
Re: puzzle #7
I didn’t really spend any time on any of them, but it occurred to me that I could easily access the content of file puzzle-7.bmp without having to write a program or transcribe stuff by hand. (Know your tools…)
Just two statement suffice in Matlab/Octave:
a=imread(‘puzzle-7.bmp’)
char(flipud(a(:,:,2)))
The red and blue channels contain the shape of the heart and cannot possibly convey any hidden information.
The green channel (and not the red one as initially surmised, I failed to edit that out, as usual) contains the text. Here it is, without the line breaks:
SOLUTION RIDDLE :
###################
[This person] can see SHA-256 collisions by holding a hash up to a mirror and crossing his eyes[This person] once decrypted a box of AlphaBits
[This person] writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it
###################
ANSWER is this person’s name? [13 char]
##########################
So it’s just a guessing game, and the hints are tongue-in-cheek.
I note that “Bruce Schneier” is a fit…
For puzzle #9, I notice that there is a large bunch of cr*p after the PNG IEND chunk, which appears to be UTF-8. Definitively contains emojis, which would explain the presence of the associated file puzzle-9-key.jpg . Some sort of simple substitution cipher, with probably an added twist, as the text is rather long.
puzzle-9.png is 386010 (0x5e3da) bytes long, and the appended text begins at offset 328510 (0x5033e) with $f0 $9f $92 $98 (💘). As the “text” contains mostly 4-byte utf8 sequences, it would be about 15k long. Should be easy to extract and display using “tail”.
At least one of the images contains the signature of the Python Matlabplot package.
xcv • February 16, 2021 6:24 AM
@Clive Robinson
long in the tooth
The only possible meaning to that phrase is a dental appointment to have all 32 of them yanked out professionally by established best practices and standards of care.
Plenty of tomfoolery with laughing gas, fluorides, gold, quicksilver, novocaine, crack, and nightclub blacklights to go around. Dish of fine Swiss confectionery in the waiting room for the children.
eTuitionClasses • February 16, 2021 9:28 AM
this is very helpful information for everyone…..
Freezing_in_Brazil • February 17, 2021 11:38 AM
It’s a trap!
xcv • February 17, 2021 8:26 PM
archived link, in case Cyber Command takes the page down
That’s a PDF file with a list of links. Useless. All the links in the file still point to documents at
https:\\www.cybercom.mil\portals\56\Documents\*
Each puzzle solution should be verified using the following syntax:
puzzle-solution-test-string value is replaced in the url, only lowercase characters, dash “-” character used for spaces, followed by .png file extension Each puzzle solution should be verified using the following example: If a puzzles solution is Saint Valentine’s Day, the url would be https:\\www.cybercom.mil\portals\56\Documents\saint-valentines-day.png
You will want to keep the verification image for later.
So you are supposed to guess the “slug” URL from the solution to the puzzle you wish to verify, and then attempt to fetch the URL you have constructed from your solution in order to verify your answer.
Wholly aside from the puzzle of course, the general theme coming from that level of military rank regarding Valentine’s Day etc. is that of heavy prostitution and human trafficking activity affecting enlisted men of the U.S. military.
Bad news from my former hometown in that regard:
https:\\www.kptv.com\news\protesters-trigger-lockdown-at-legacy-salmon-creek-in-vancouver\article_b1efdb70-62cc-11eb-ab01-8fcc2081d8ab.html
VANCOUVER, WA (KPTV) – A Vancouver hospital was placed on lockdown Friday after a group of protesters gathered outside the emergency department demanding the release of a patient allegedly being held against their will.
At 4:48 p.m., a 911 caller requested the presence of a deputy to Legacy Salmon Creek Hospital, according to Clark County Sheriff’s Office. The caller said her mother had been admitted the previous day for medical reasons, was being held against her will at the hospital. The woman stated she also had medical Power of Attorney and was not allowed to see her mother.
Authorities said the patient had refused to submit to a COVID test upon arrival and was placed under a 24-hour quarantine while receiving medical treatment. Hospital staff said the daughter refused to wear a mask upon entering the hospital and was denied access to see her mother, who was in quarantine.
CCSO said a deputy assigned to the call spoke to the patient and determined she could make her own decisions after a few basic questions. She told the deputy that she wanted to remain in the hospital to receive treatment.
The options, of course, with respect to making one’s own decisions, are to remain in the hospital as ordered or go to jail. Being a mental hospital, any medical care offered, such as it is, has long been on an involuntary basis only, under court-ordered Civil Commitment. Straight out of historic Officer’s Row downtown Vancouver.
Which is why they call Vancouver a “bedroom community” of shithole stumptown Portland.
https:\\www.stumptownsfxtherapy.com\
Change the backslashes for forwards slashes, and swap out the “f” for an “e” in this last URL. No, it’s not “just” a porno site. These people are actually licensed clinical sfx therapists, who actually make house calls in the area, with the full collaboration, support, and backup of local law enforcement on both sides of the Columbia River at federal, state, county, and city levels.
xcv • February 17, 2021 9:03 PM
More of the same:
https:\fm.kuac.org\post\love-letter-fairbanks-goes-viral
With 9,000 square feet, his staff has spaced eating tables very far apart so he can continue to be open with a quarter of the customer capacity during the pandemic. Besides the coffee and food, the place is filled with local artwork, Fairbanks t-shirts and bumperstickers, … “To think about Fairbanks as a relationship. Just like any friendship, partnership, relationship, it can be challenging. And I think to put yourself in a situation where you’re like, you know, it’s not all about me, I have to meet Fairbanks halfway.” … one of the folks Mangum had sit on a stool in the back of the coffee shop last week. … “You’re so beautiful, but it is not always easy to be here. I think at the end of one of your winters, we all feel a little bit proud of ourselves for making it through.” … “This idea was to kickstart some civic pride. Maybe inspire us. Remind us that our community is worth our love.”
It’s a coffee shop. But these people are too self-important and way too full of themselves. Can a human being drink a cup of coffee and read the newspaper, or even have a polite, civil conversation (no more than 2–3 minutes) about the weather or something without being pickpocketed, accosted, girlfriended, boyfriended, and broken up with, whatever, by customers at the next table? What are people drinking? Is this regular coffee, espresso, black, cream or sugar, steamed milk? Flavor syrups, liqueur flavor, or is it time to get off the property in your own car and out of town before the cops have to take a Breathalyzer test in the back seat of their car on the way to jail?
SpaceLifeForm • February 19, 2021 6:03 PM
@ ALL
Did you notice that many many people that know something about infosec did not bite on this story?
And were intelligent enough to not follow the link?
Did you notice?
Clive Robinson • February 19, 2021 10:53 PM
@ SpaceLifeForm,
And were intelligent enough to not follow the link?
I don’t know about “intelligent” in my case, I’m just way to suspicious of such “contests”, as others have noted about social media “It’s not free if you are the product they get to sell” (down the river).
As I’ve indicated in the past, a long time ago, my suspicious nature, which comes from a sixth sense for “Hinky”, along with my habit of digging my heals in when I sense cajoling, once saved me from becoming a sacrificial goat… For the then UK Prime Minister “Mad Maggie” Thatcher in her quest to sell off public assets on the cheap to the people that already owned them.
Anyway, as I indicated I have always had better things to be doing on a Valentines weekend than being “nerdy”.
Any way for those that probably not noticed Feb 11 was Lunar New Year’s Eve and the traditional celebrations go on for about a week to the 17th this year, so we are now in the year of the OX… My traditional plans would normally involve a visit to here,
But due to Lockdown it did not happen. Hopefully when the lockdown lifts I can get up there and have the blowout meal and do a little shoping etc.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Tatütata • February 15, 2021 3:40 PM
Nice to see that there are people with some time to spare…
These puzzles are rather unusual and tech oriented, as opposed to crossword or sudoku paper problems.
The audio puzzles are interesting.
In puzzle 2, the information (amplitude, phase) is very different on either channel, much more than on a typical stereo recording. The pulsed nature of the music suggests the use of amplitude for coding, especially considering that the scheme would have to survive the MP3 coding.
For puzzle 3, my hunch is that the message is coded in the hushing and barking sound in the background, possibly using Morse code.
In puzzle 7, I found the use of a BMP format quite unusual for 2021, probably a 24 bit RGB file without transparency (TBC). The small image size (20×20) is also somewhat strange in comparison with the other pictures. A PNG file would have done it just as well, so I had a look at the guts of the with an hex editor, I discovered a rather long text apparently coded in one of the RGB colour channels the Red channel (“[This person] can see SHA-256 collisions by holding a hash up to a mirror…”, etc.), and the two other RGB colour channels seem to hold the information, as it contains apparently only 0x00 and 0xff bytes.
Puzzle 9 could be some sort of rébus. Is that one of the Queen’s Corgi’s?