Telephreak Number Nine BBS Competition: Wrap-Up!

  • tprophet
    I *am* a mobile phone
    • Jul 2004
    • 36

    #1

    Hey folks,

    As you may know, Telephreak hosts a highly influential event on Sunday after DEF CON. We're extremely selective in who is allowed to attend, and as a result, Telephreak is probably the most difficult event around DEF CON to get into. One of the ways to get in, however, is to solve a puzzle. We had three puzzles this year: a puzzle based on POCSAG pages (created by r0dent), a vintage MUD (created by Avi Freedman), and a BBS competition (created by me). This post sums up the BBS competition, which was the most elaborate puzzle.

    The competition started with a 3.5" floppy disk (archived at https://github.com/dc04thule/telephreak_2016). It was the sort of disk that you might get handed to you at a 2600 meeting back in the early '90s. This consisted of hacker files mostly from the 1992-1994 time frame, taken from the filebase of The Bin BBS. A little history of The Bin: I ran it in the Seattle area at the same time as DT was running A Dark Tangent System - we have been friends since then, and knowing him as a fellow sysop is how I ended up at DEF CON 1. Both of our boards looked completely legit on the surface, but we had "elite areas" with hacker philez, warez, and secret message bases. We even shared message bases between our BBSs at the time via the QWK format (along with another local hacker BBS), and some of this wonderful old vintage content was visible to participants who progressed far enough in the competition.

    How did you get a floppy disk? Well, I showed up on Thursday afternoon at DEF CON 101 and on Friday morning at the DEF CON merchandise line. I gave floppies out--with absolutely zero context at all--to people who were at their first DEF CON and were under 25. There was only one exception, and that was for a guy wearing a 2600: The Hacker Quarterly shirt. Think about it: you are at your first DEF CON and some crazy old guy covered in Queercon stuff comes up and demands to know whether you're at your first DEF CON and how old you are. One guy--who I think I later saw on a Korean CTF team--refused to answer. Great opsec, but not friendly, so I didn't give him a floppy. :)

    In case you hadn't guessed, there are multiple pieces to the puzzle. One of those pieces is social engineering. You had to let me social engineer you to get a floppy.

    Another piece was finding a floppy drive. I made sure Fry's only had two. ;) My friends at UNIXSurplus got in on the game and lent floppy drives to contest participants, removing a massive technical barrier. All they had to do was ask!

    Some of the files on the floppy were decoys, some were there just for historical purposes (such as the Hacker Manifesto), and nearly everything was archived in ARJ format. Why ARJ? I was really into more efficient file compression than ZIP at the time--remember, stuff had to fit on floppy disks! So I was always looking for something that could squeeze out another 10%. I helpfully included a copy of ARJ on the floppy, which is likely something I would have done back then because I was really trying to push the format.

    There were, however, a few clues embedded on the disk. In the header of the floppy, you could find my actual voice phone number (which actually isn't that hard to find anyway). Some of the files were dated 2016, a big clue--most of the date stamps were the original 1990s ones. I included our actual application package for the CyberCrime International (CCi) echomail network, of which The Bin was a member. However, I changed the phone number to one I set up in Las Vegas with an outgoing message asking for details about voice validation:

    - Your REAL name
    - Your handle
    - The password for voice validation (this was available in another file on the floppy disk)
    - To prove you're not a FED, the most illegal thing you'd ever done.

    I got a lot of calls but only a few messages. It's a good thing I had caller ID, which would have been a questionable proposition in the 1990s. I gave the callers a pass on this and returned their calls, because not a single one left a phone number to call back.

    Some people tried texting me, and I just ignored the texts. For all intents and purposes, SMS didn't exist in the US in the early 1990s. I only paid attention to actual VOICE calls.

    I got a wide variety of messages, but was surprised at how well most people rolled with my return calls and some actually tried to social engineer me. I called one guy back who left the wrong password and loudly accused him of being a fed. He rolled with it really well and called back with a plausible excuse so I eventually validated him. I called another person back and asked for more details about an illegal act they had claimed, trying to get enough incriminating stuff that a fed would never say it. Only one hacker refused to give his real name - at the time, most would have refused it (but eventually, even without giving up a name, most hackers back then would agree to meet somewhere so we could scope each other out, which would often then lead to a friendship and evening of digging through dumpsters at central offices).

    If I was sufficiently social engineered into thinking that you should have elite access, I'd tell you that the BBS had been raided and had moved to the Alexis Park. I gave the extension, which was actually the suite number the BBS was in! Astonishingly, nobody tried to break into the room. If they had, they'd have found a very pissed off r1x0n, a DEF CON goon, and would have had the full fury of Gooncon raining down on them. Instead, people were met with a challenge: the Alexis Park and the PBX filter.

    You see, Bally's, in their infinite wisdom, decided at some point that too many people were calling AOL on the hotel phones. They put in a filter to block modem connections and this applied to all connections on Bally's hotel phones, including internal! That's why I put the BBS at the Alexis Park. So if you managed to social engineer the Alexis Park into connecting you to an extension without knowing the name of the guest who was staying there (a tough call during DEF CON week), you'd run into the filter. The only way around this was to go to the Alexis Park and try to find a house phone you could dial up over.

    And it's the Alexis Park. They're used to shenanigans during DEF CON and they know what hackers look like. They practically have a sixth sense. There is only one place at the AP that is friendly territory, and that is the bar (who actually loves us). They have a phone line, and it could be used to dial extensions.

    The contest technically required creating an account, getting validated, and either making a post or uploading a file to The Bin BBS. However, given the difficulty people had physically getting to the Alexis Park (it was a $20 round-trip Uber ride) I didn't want to make people pay for multiple trips, so I relaxed the requirements. Anyone who successfully social engineered me into getting validated, got the number, and created an account won.

    In one of the files, I also seeded my Twitter handle. People who followed me on Twitter found my account to be a great source of hints. I answered some questions, giving very specific direction in some cases, vague answers in others, and some questions I ignored. However, almost every winner engaged with me on Twitter and used hints I dropped.

    Some key lessons I wanted to help new hackers learn (although many older hackers could also benefit):

    - Many extremely effective hacks don't involve a computer.
    - As a hacker you need to be prepared to deal with older technologies in order to get valuable data.
    - Working together and talking to each other can be a net plus. This competition rewarded collaboration; it didn't penalize it like other competitions do.

    In the end, we had 9 BBS competition winners for Telephreak 9. All but one were first-time DEF CON attendees and all were aged 25 and under. And they all received an invitation to Telephreak. For my part, I had a massive amount of fun doing this. Next year we'll do another competition, although the technologies will likely change and the complexity may be higher.
    Last edited by tprophet; August 9, 2016, 16:42. Reason: Fixed munged link
  • Pwncess
    Member
    • Jun 2012
    • 23

    #2
    I had a ton of fun participating this year and made some new friends for life! I also feel really great about showing the first timer in my group how DEF CON is so much more than the talks.

    Please let us know if you'd like any help building the challenge for next year. We would love to experience the challenge from the other side.
