There has been a lot of speculation over the last couple of years about who is behind the mysterious and quite difficult competition called Cicada 3301. There are websites and wikis dedicated to the hunt, but there is no hard evidence of what the competition is really about. Many believe it is a way to recruit programmers with exceptionally good skills in security and cryptography. This is what the mysterious people behind the competition have been hinting at, but there have never been any identified winners.
My hypothesis is a bit different. I believe the whole thing is a way to test vulnerabilities in different ways to communicate secretly and to find new methods to reveal such communication. There are always many different types of clues, and the arrangers will be able to see how many are able to make use of each of them and how fast they progress.
This year somebody even discovered something which probably was not meant to be a clue:
- Cicada uses an Apache server. Apache offers a server-status page available only from localhost, for local use only, and not to normal Internet users. This page gives various information about Apache's status for the administrator.
- In Cicada's case, to configure a hidden service with Tor and Apache, you usually add TOR as a proxy, so all the requests between the TOR network and Apache are made through the localhost address. Best practice in security is: don't use Apache with TOR; if you do, reconfigure it. That was not the case here. The page changed some hours later; it was clearly an unplanned security vulnerability, and Taiiwo found it.
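The misconfiguration described in the list above can be checked for before a hidden service goes live. The following is an added example, not code from the original post or from anyone involved in Cicada 3301: the function names are hypothetical, the torrc and Apache snippets are constructed samples, and it assumes the status handler is declared in a `<Location>` block inside the text it is given (it does not follow `Include` directives).

```python
import re

# Constructed sample inputs (not taken from the server discussed above).
TORRC = "HiddenServiceDir /var/lib/tor/hs/\nHiddenServicePort 80 127.0.0.1:80\n"
APACHE_WEAK = """<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
"""
APACHE_FIXED = APACHE_WEAK.replace("Require local", "Require all denied")

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)(:\d+)?$", re.I)
# Access rules that admit loopback clients (Apache 2.4 Require, 2.2 Allow from).
LOCAL_RULE = re.compile(
    r"^\s*(Require\s+local|Require\s+ip\s+(127\.|::1)"
    r"|Allow\s+from\s+(127\.|localhost|::1))", re.I | re.M)
LOCATION = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)


def loopback_targets(torrc):
    """HiddenServicePort targets that Tor forwards to a loopback address."""
    targets = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "hiddenserviceport":
            # With no explicit target, Tor forwards to 127.0.0.1:<virtual port>.
            target = parts[2] if len(parts) > 2 else "127.0.0.1:" + parts[1]
            if LOOPBACK.match(target):
                targets.append(target)
    return targets


def exposed_status_paths(apache_conf):
    """<Location> paths that serve server-status/server-info to loopback clients."""
    exposed = []
    for m in LOCATION.finditer(apache_conf):
        path, body = m.group(1), m.group(2)
        if re.search(r"SetHandler\s+server-(status|info)", body, re.I) \
                and LOCAL_RULE.search(body):
            exposed.append(path)
    return exposed


def audit(torrc, apache_conf):
    """Every onion request arrives from loopback, so 'local only' means 'everyone'."""
    targets = loopback_targets(torrc)
    paths = exposed_status_paths(apache_conf)
    return [f"{p} reachable via onion service -> {t}" for t in targets for p in paths]
```

An empty result from `audit` means no loopback-restricted status handler was found behind a loopback-forwarded onion port; disabling `mod_status` entirely has the same effect as the `Require all denied` variant.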
It is interesting to see how those guys approach the problem. I am, however, surprised at how relatively similar the problems are and how few tools it takes to solve them. It is also strange that nobody goes into what I find very interesting: A couple of the puzzles are presented very slowly, with one character at a time and variable intervals. To me, that just cries out that information is coded in the time intervals. Possibly in conjunction with the transmitted content, possibly not. There might actually be a branching in each of the puzzles, with one or more trails leading in different directions from different solutions. And – if I were making such a set of puzzles, I would use results from the most diverse methods for the “high-value” trail.