Blacklight: The First Encounter

Breaking codes, picking locks and defying surveillance in Siberia

Tony the Orc
Blacklight

A recap of the DevFest Siberia event that took place in September, written by Tony the Orc, one of the two winners by score. Major spoilers for Siberia, but not for any other event. — ohaithear

It all started with 500 rubles.

One August day in 2017, I found myself registering for a Google Developer conference in the nearby city of Novosibirsk. I had visited that one before, but this year they offered a discount of 500 rubles (which was less than $10, mind you) to everyone who completed some kind of an online quiz, or quest, or something.

Why not, I thought to myself, and logged into Blacklight, not knowing yet what I was doing.

The prologue was understandably easy, but the only ARG element in it brought one open-ended decision: I had to send a cryptic email to a shadowy address to request clandestine instructions.

The game is about hackers and secrets, so the right thing to do would be to use a random, non-traceable e-mail address, but I thought “eh, I’m only in it for the discount” — and used my real one, a decision that cost me a nice VPN subscription prize in the end.

Having earned my 500 ₽, I closed the game and was on my merry way.

However, a couple of days later I came back to help a friend out — and voilà, there was an extra chapter. It hardly awarded anything, was completely optional and unrelated to the main storyline that I never even intended to play anyway. I still tried it… and started to learn.

First, I learned about the non-Quake, cybersecurity flavor of Capture the Flag — the main theme of that optional chapter. Then, having sought advice from people further ahead of me, I learned about classical ciphers and modern web technologies.

I got hooked.

I scrolled through Blacklight’s Slack workspace and Twitter feed. I dug out connections to the DarkNet challenge from the DEF CON conference — a whole team of those guys had reportedly finished the chapter by the power of teamwork and by being really cool. They weren’t going to attend the conference itself, so the first place was still unclaimed.

I found DarkNet’s Discord channel and pored over their public posts in search of clues — there were none, except for the flags I had already found.

The game started to have more facets. I got sucked deeper; I couldn’t persuade myself to abandon it. I also couldn’t make myself ask for help, as it would have obliged me to help others — and I didn’t want competitors.

I googled and analyzed, and social-engineered hints out of people. Several lucky tries catapulted me further; I found references to things I knew and was beaming, telling everyone about the game except for those already playing. The further I got, the more tension there was.

Finally, only the last flag remained. No more hints, no more anything. Two days of banging my head against the wall — and a hint from the game master. It was so simple, there was no excuse for not finding it — but damn, the feeling of having finally finished it, even not entirely fairly…

I slipped down into my chair and waved my hands, trying to convey the relief to my coworkers.

Several days later, the conference started. The plot started to unravel, immediately teaching more things.

The orientation package arrived in an encrypted volume, requiring special software to open and use.

Instructions were delivered via the Bitcoin blockchain, with fake wallet addresses making up ciphertext to be decoded using the unbreakable one-time pad technique.

That could be millions of dollars spent on fees one day.

PGP signatures in the encrypted volume were looking fishy, promising more to uncover.

At the venue, those who were playing were given special “agent” lanyards and instructions to “seek help” from each other. There was a strange air of competition-cooperation, like with the CTF chapter — but with real people this time.

I approached a friend who was talking to an unfamiliar “agent”, and with a simple “hi” the guy grabbed my badge and snapped a photo of it. That’s how I learned about the badge challenge — we had to collect all variations of the conference badge and reconstruct another ciphertext from them.

I started a hunt of my own, but a more polite one: I walked up to agents, told them about the cipher, offered my badge and only then asked to photograph theirs.

The game offered hints to those who could not figure things out themselves. I didn’t want hints, but I wanted points — so I hunted down the conference staff, too, asking questions from the in-game world, trying not to seem crazy to those not in the know.

The plot moved slowly, but then events accelerated.

New tasks came in, but the secret Wi-Fi network didn’t appear. Was it possibly just too secret for us to handle?

Information started swirling into rumors and circulated among agents; some code cards that unlocked journal entries were given to players with explicit instructions to pass them around.

We started to recognize the faces of active players and exchanged short, competent questions. Then a team of around 10 people invited me, as a strong solo player, to join them — and the competition-cooperation started again for me.

The team made a breakthrough I was nowhere near — they cracked the classical Vigenère cipher the badges were encoded with.

I managed to scrounge a hint for my team by submitting a bug report.

On the second day, conference talks firmly took the back seat.

Early in the morning, players spotted a strange video feed briefly appearing on a dedicated Blacklight stand at the venue. Someone snapped a photo. Even before any instructions followed, we were Wiresharking the public Wi-Fi and quickly found the IP address of the camera.

Then it was official: we had to break into the room where the revealed surveillance camera was mounted — but first turn the camera off so that the break-in would go unnoticed.

The camera was protected by a 4-digit PIN code and a CAPTCHA, so we had to break the CAPTCHA and brute-force the code.

Hard at work next to the Blacklight stand, our usual gathering place.

Things got hot.

I abandoned whatever talk I was at and got together with other agents, trying to fire up a provided TensorFlow model for the CAPTCHA recognition.

Oh, the irony — I had attended a talk about “Practical Tensorflow” just earlier that day. The speaker had literally run the demo live, using all the syntax I needed now, but I hadn’t been looking because I had ciphers to break. And who would need to know the exact commands from the demo anyway, right?

It turns out, Python and TensorFlow aren’t exactly self-explanatory when you’re in a high-pressure situation and haven’t touched either before.

The pressure was indeed there — a few people were frantically typing, sharing findings and splitting chunks of work between us, while other players darted around, trying to help in other ways or just shoulder surfing.

Our recon teams returned, having found the target room behind a closed door. Envoys came back from the game master — who was deanonymized by that point — and brought a UV light (“blacklight”) that we would need for the next step.

The most reckless members of our team consulted the venue security about our planned heist, but, thankfully, they largely ignored our clearly suspicious activity.

In about two hours, TensorFlow was up and happily munching images. It was now a matter of waiting; even with several laptops, things went slowly. A guy came up and offered his university’s cluster of a couple dozen machines — but the camera wasn’t exposed to the internet, so no outside help was possible.

Finally, the camera was off. An “undercover contact” handed us a real-life set of lock picks, and a dozen and a half people stampeded towards the room.

That was the end of the game — the conference was wrapping up, and, while we were picking the lock and searching the room for evidence and hidden UV marks, the game staff was looking at us through the “disabled” camera and tallying the results.

That’s me right there, touching evidence and leaving fingerprints all over things.

Some 15 people were named finalists and called to the stage.

The prizes included IoT sets, serious books illustrated with XKCD comics, headsets and small stuff like two-year subscriptions for a VPN service — although, as you might remember, only the cool kids got those, not me.

Two winners with the highest score, myself included, got the unique DarkNet electronic badge kits straight from DEF CON 25 — something that requires even more learning and physical training to even assemble. As a memento, I also got to keep that very one-time pad used in several puzzles.

And of course, the game was not over.

Despite the main storyline having been wrapped up, there was — and still is! — a ton of extra-hard codebreaking exercises in that pad, as well as more peculiarities of the Siberia story, undiscovered to this day.

When people ask if there were any hands-on, practical courses at DevFest Siberia 2017, I proudly say that I participated in the most practical and the most hands-on one.

What other developer session would have you running neural networks and picking locks back-to-back, anyway?

We’ll see you next year, Siberia!

Follow @blacklightai on Twitter for news, updates, and even more cryptography fun.
