(If you grok git you can go straight to the source: github.com/mscheel/firebass)

Animated GIF frame grab from the Firebass challenge

Wednesday May 25, 2016 — Phase 3

In a computer science lab at a university near Boston some students are analyzing a spectrogram. North of there a traveler on a 100 country tour is studying internet cat images. And West of there a heated conversation about leading zeroes is dominating a room of Android developers who just met.

Disconnected geographically but connected virtually, all of them are hunting together. For a bass. That time travels and has a quirky sense of humor.

They are the Amazing Anglers.

And right now stress levels are high. At stake is a coveted ticket to Google I/O 2017. If faked business cards, Twitter accounts, a voicemail and an email auto-responder can be believed, the firebase.foo challenge is giving away 100 of them. Almost $100,000 in treasure.

The fiction goes like this. A Firebase employee, Alex Meddleton (@alexmeddleton), has lost a fish. The fish has hacked a website and is on the loose. Through a hilarious tour of 80’s and 90’s pop culture we roam, decoding base64 strings, unpacking animated gifs, and processing stereographic images. Hold onto your butts! Jurassic Park, Back To The Future, and late 90’s internet jokes abound. Fish puns are like waves in the ocean. The @realfirebass Twitter account follows one account: Lance Bass.

Through the course of the challenge the fish goes from a present day website, firebase.foo, to probassfinders.foo, set in 2008, and then travels through time again to an earlier version of probassfinders.foo set in 1997.

Through each time portal we chase, and now we are at the final stage. We hackers are in Boston, Denver, San Francisco and Canada tonight, joined by a Slack channel (firebass.slack.com of course) and a shared Google Doc. Over two other phases we have honed our collaborative craft and grown our team. The clan is ready to go fish!

We all stumbled into this mysterious contest in varying ways, and though we share an interest in Google technology, that is where our similarities end. We are American and International. Front end and back end. One of us graduated from college in 1997. Another was born that same year! With only two exceptions the eight of us were total strangers a week ago. A mixture of students and professionals, we work for some of the biggest brands on your smartphone with millions of downloads: iTriage, Lyft, PayPal, and Coffee Meets Bagel. Despite our differences, tonight we have a common interest, a shared goal, and that is to catch us one slippery bass.

A Week Ago

I first found Alex Meddleton’s business card while walking away from a code lab at Google I/O 2016. A handwritten scrawl on the business card said “Help! I lost my fish. Plz help me find it. Last seen at firebase.foo”. It seemed like something out of Ernest Cline’s Ready Player One. I was immediately hooked. I spent the next several hours engrossed in this “game”.

When I found the @realfirebass Twitter account I followed it. @5280mark was the 8th follower. Less than 24 hours later that number would exceed 100. Days after that, 300. I moved from the Code Lab to the Firebase demo tent to be closer to the action and commandeered a computer meant for demos.

What happened next followed a consistent pattern. Someone would wander into the Firebase demo area and shyly ask about a fish. A Firebase developer relations employee would point them towards me. At first they would be reluctant to come chat to another competitor, then I would ask where they were stuck. I would demonstrate that I had already passed that point using a mysterious phrase or description that only bass hunters would understand, and much like a secret handshake these words engendered trust. Soon we were bouncing ideas off each other excitedly.

First there was Tom, the programmer on a year-long 100 country tour of the world who came back to the states just for I/O. Then there was Ian, a designer from, of all places, Denver, Colorado. We live a few miles apart, it turns out. A talented indie app developer from Kentucky was next, and then a JavaScript genius from the Netherlands. Within a couple hours the five of us had collaboratively finished the first phase. Phase 2 would not start until the Sunday after I/O was over so we set up a GitHub repo to continue our collaboration in upcoming phases and went off to enjoy the rest of I/O.

We lost and added teammates over the next week. Kentucky got busy and never again participated. Despite adding “chees” to our shared GitHub repo we never could get a hold of him again (we miss you, if you read this reach out!).

The team expands

Flash back to the night before Google I/O when a kind of “Fight Club” meeting for Android developers took place. It was an invitation-only party held at the Quora office in Silicon Valley, with pretty much only one rule. No recruiters.

I work on an app with 7 million Play Store downloads, yet I felt like the least impressive developer in the room. Assembled were a great group of warm folks who shared a passion for Android and just happened to work at very successful companies. It was an honor to be there and one that soon would pay an unexpected benefit.

One of the developers I met there, Evelio, reached out to me online a couple days later. He had seen on Twitter that I had a newfound enthusiasm for bass. Evelio recommended another Android engineer, Flavius, whom I had also met at the Quora party. For phase 2 we would now be a team of five again.

Although I live in Colorado I was staying in California for another week to attend a music festival. The day Phase 2 went live I worked remotely at Stanford Business School, in Palo Alto. In the Bass Center. Some things you can’t make up.

As phase 2 began we didn’t know it yet, but there was another clan near Boston. Centered around the Northeastern Computer Science department, Alex, Trent and Brandon would soon shock us. They were young and FAST. When Phase 2 went live they solved it in an astounding 15 minutes. They celebrated on Twitter with a message we only knew to be valid proof of work 20 minutes later. Just as in Ready Player One, we became aware of each other through public announcements. They had been tracking us as well and we connected via Twitter.

It’s interesting to note the outsized role that Twitter played in this contest. The fake Firebase employee and bass had Twitter accounts, which participants religiously followed. Competitors kept tabs on each other with the #firebass hashtag and shared their victories and their frustrations through tweets.

Teamed up with the Boston clan, there were now eight of us, and we prepped for the third and final phase of the hunt. Our shared repo was updated. Files were merged. Old puzzles and unused clues were reviewed. When the clock hit zero and then went negative on Tuesday night we were ready.

Google I/O

Google I/O is Google’s annual developer event. This year it took place at Shoreline Amphitheater in Mountain View, across the street from the main Google campus. 7000 people participated. Firebase made a big splash, with a cross-platform message as a tool for web, iOS and Android developers. The firebass challenge was one way to build buzz for Firebase and was pushed heavily after day 1, on slides before and after every presentation.

As much as I enjoy puzzles, I like Google I/O. I have since I first attended in 2010. In 2013 I didn’t get a ticket in the raffle, but did that stop this intrepid bass hunter from seeing Billy Idol at the after party? Crudely fashioning a credential from a piece of magazine from my hotel room and with help from friends, I may have slipped past security into Moscone. But if those allegations are true, that’s a story for another time.

This year I organized a 3rd annual Denver viewing party for Google I/O. Held at the University of Colorado Business School it attracted more than 100 local developers. The community made custom t-shirts, hoodies, hats, ordered hundreds of custom crafted cupcakes, enjoyed live speakers, streams from California and more.

Despite my considerable excitement for this year’s I/O it was widely panned. Long lines, lack of giveaways, excessive promises and heat were common complaints. I understand but don’t share this critical view of the event — but what most interests me is what impact this negativity may have had on our bass hunt.

Did the complainers help our hacking crew out? Is an I/O ticket as big a draw post-criticism as it would have been in years past? Probably not. In the Billy Idol era and the heyday preceding, a contest to get 100 I/O tickets would have caused an absolute frenzy. It’s unclear to me how many sharks were in the water during each phase of this contest, but I bet five years ago there would have been even more. Which is a long way to ask the question, has I/O jumped the shark? Beep. Bloop. Bop.

ARG isn’t just for pirates

This meticulously planned bass hunt is an event known as an ARG: Alternate Reality Game. I had never heard this term before last week, but found the fake world to be masterfully done. Dozens of websites, hundreds of images. It was engaging, funny and social. This wasn’t hard core like an algorithms coding contest, there was no need for recursion or red-black trees, but you did need general computing knowledge and a firm grasp on some esoteric trivia — semaphore flags anyone?

The ARG had three phases, each made up of individual puzzles. Each phase ended in a time lock, where the bass would time travel through a portal. A web page would show a countdown timer and progress would be blocked. When the next phase began a web link would be revealed as a new start point. The final phase required clues from prior phases to solve, so even if you caught wind of the start point of phase 3 on some Reddit page, you would be lost without knowledge from phase 1 or 2. Our team took copious notes in case this happened. You can find them at our GitHub repo.

The ARG was not without glitches and opportunities for improvement. Because the bass was silly and didn’t always tell the truth, you couldn’t know when he was being serious. When Phase 1 ended we didn’t know it was the end and spent almost an hour trying to hack the time portal. Finally a Googler took pity on us and told us no, really, this time you can actually trust the information you are being given. An inevitable challenge with a contest mired in intentional misinformation I guess. Red herrings were everywhere.

Between Phase 1 and 2 the Twitter account for the fish was apparently hacked (“unintentionally phished”) and somebody posted a magazine subscription advertisement. Phase 2 started several hours before it was expected, apparently on East Coast time instead of West Coast. For Phase 3 a well-timed tweet helped participants know exactly when the start was.

We may never know what happened to the “unique code” field that was in the final Google Form. One minute it was there, and the next it was gone, like a time-traveling fish gone poof. All of these were just small speed bumps in a masterfully organized adventure.

The Answers

So how did we actually solve everything? Teamwork helped. Hive knowledge and distributed processing of puzzles hastened the hunt, for sure, but what did we need to solve? As I have described there were three phases. Each phase had multiple puzzles. At the end of phase 1 and phase 2 further progress was blocked until a timer completed its countdown. At the end of phase 3 there was a form to capture your contact information. A subsequent e-mail informed you of your success.

There are a ton of details in our GitHub repo, but let’s summarize what you needed to know to succeed. Napoleon Dynamite would approve of all these skills.

In phase 1 you had to be alert for typos and apply that pattern to a mistake that stuck out. You needed to find a binary string, convert it to ASCII and combine it with another hint. Next you needed to find a Base64 string, decode it, and combine it with the result of a hex to ASCII conversion, the source of which was hidden in plain sight (colored characters in ASCII art). A Google search of the result got you a name — we found it via Wikipedia — then you had to recognize a pattern of checkboxes as binary code. This brought you to the end where the raw bits of a PNG were revealed. It appeared to be a stereoscopic image, those things you looked at cross-eyed in the 90’s until they were 3 dimensional. It wasn’t, but we sure hurt our eyes figuring that out! That should have been the end but it turned out some manipulation (duplicate and offset the image) revealed a phrase.
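The phase 1 decoding steps can be scripted. The following is an added example, not code from the original post or the team's repo: it tries binary, hex and Base64 on a string and keeps only results that come out as readable ASCII. All function names and sample inputs are constructed for illustration and are not the contest's real strings.

```python
import base64
import binascii
import re

def printable(data: bytes):
    """Return the text if every byte is printable ASCII, else None."""
    if data and all(32 <= b < 127 for b in data):
        return data.decode("ascii")
    return None

def decode_candidates(s: str) -> dict:
    """Try binary, hex and Base64 on a string; keep every readable result."""
    out = {}
    compact = re.sub(r"\s+", "", s)
    if re.fullmatch(r"[01]+", compact) and len(compact) % 8 == 0:
        raw = bytes(int(compact[i:i + 8], 2) for i in range(0, len(compact), 8))
        if printable(raw):
            out["binary"] = printable(raw)
    if re.fullmatch(r"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
        raw = bytes.fromhex(compact)
        if printable(raw):
            out["hex"] = printable(raw)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
        try:
            raw = base64.b64decode(compact, validate=True)
        except binascii.Error:
            raw = b""
        if printable(raw):
            out["base64"] = printable(raw)
    return out

def checkboxes_to_text(rows):
    """Read rows of checkbox states (truthy = ticked) as 8-bit ASCII."""
    bits = "".join("1" if box else "0" for row in rows for box in row)
    return decode_candidates(bits).get("binary")

def colored_chars(cells):
    """Join only the highlighted characters from (char, is_colored) pairs."""
    return "".join(ch for ch, colored in cells if colored)

# Constructed sample inputs; none of these are the contest's real strings.
SAMPLES = ["01100110 01101001 01110011 01101000", "62617373", "YmFzcw=="]
BOXES = [[0, 1, 1, 0, 1, 0, 0, 0], [0, 1, 1, 0, 1, 0, 0, 1]]
ART = [("6", True), ("#", False), ("2", True), ("6", True), ("/", False),
       ("1", True), ("7", True), ("3", True), ("7", True), ("3", True)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", decode_candidates(s))
    print(checkboxes_to_text(BOXES), decode_candidates(colored_chars(ART)))
```

A string of only 0s and 1s is also syntactically valid hex and Base64, which is why each decoder's output is kept only when it is printable ASCII.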

In phase 2 the challenge was more structured: you had to find four words to make an acronym of four letters. The first was really hard, it was an ASCII representation of semaphore flags, an old timey communication technique. The second was a Base64 string and had a Morse code hint. The third we had to brute force, as we still haven’t found a definitive answer. Our best guess is “Lucy” which involved addition, UNIX time, and a Google search. The fourth was the most fun, it was an animated GIF and one of the frames had the answer. Interestingly the original GIF had four frames but later only two, making it a bit easier. This was not the only time things changed mid-challenge as we raced near the tip of the spear, although the motivations for the changes were not always clear. At the end of this challenge was another stereoscopic image. Laying one image over another from the end of phases 1 and 2 revealed a UNIX command, and inverting the new image revealed a Star Wars reference about the force.

Phase 3 was another structured set of mini puzzles to reveal a URL. This time each puzzle represented a folder (full word instead of letter — much harder to brute force) and there were five of them. The first two were very easy, just a straight number and a string (000147, notafish). The third was a WAV file. Using some Firebase JavaScript you could download the WAV audio file (how 90’s!). Opening it in a spectrometer application revealed the phrase “MOOD MUSIC”. Number four was another easy one, the string “Alex”, and number five required you to quickly read an animated page background to get the string “Fin”. Combining all this together led to a terminal with a Zork-style game. After hacking around UNIX — you know this — you finally entered the magic incantation “mv firebass firebase --force” which revealed the congratulations form.

We signed off of our Slack room after sharing pictures with online bass trophies. We had caught the bass! Confusion abounded about the unique code and there was no way to know if we had actually won and were in the top 100. Contest rules stated that we would hear no later than June 15. It was Tuesday May 24!

We got a boost of hope 30 minutes later when the finishing page and contact form went offline. Presumably more than 100 names had been collected. We were reasonably confident we were one of the first to finish, but still didn’t know.

The next afternoon an excited Slack message from Brandon in Boston cinched it. “OMFG you guys!” it started. He had received his golden ticket email. Over the next 30 minutes all of us did.


Since the contest ended, about 25 winners have revealed themselves on Twitter. Starting today we are opening firebass.slack.com to successful bass hunters so we can grow our merry group of coders. So far we have heard of individuals and other small groups, including one of women coders.

We will share war stories and plan an IRL meeting where we will hoist a beverage in the air and cheer that time we helped Alex Meddleton find his fish. Maybe we will hear the definitive answer to the phase 2 “Lucy” mystery too.

And where will that meeting take place? Shirley you can’t be serious if you really don’t know.

Google I/O 2017 of course!




Android, Boarding, Colorado, Denver ...

Mark S
