[We had received a message from Enoch with a building number, a 0-level room number, and 3 two-digit numbers.]
Me: I don’t think this building has a basement.
McLeod: Can’t find a map… this is room 105…
Me: Maybe we’re wrong…
McLeod: … [looking at some nearby lockers]
Me: No way…
[And indeed, our heroes found two decks of cards (labeled Alpha and Beta, with the message “order matters”) inside the locker. Later, that same evening…]
Me: Dude, I think we saw something like this when we were researching the last cypher.
McLeod: Oh yeah?
Me: In Cryptonomicon, they used something called a Solitaire cypher. Maybe that’s it. All I’ve gotta do is pop open Vim and write a Python script to perform the deck operations. Let the hacking begin. [puts on music from The Social Network]
[After some home-cooked burgers, our heroes wrote a simple Solitaire cypher decrypter in Python and decoded the latest message.]
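For reference, a compact Solitaire implementation of the kind mentioned above. This is an added example, not the script from this post; the card numbering (1 to 52, joker A = 53, joker B = 54) and the names solitaire, next_key and UNKEYED are assumptions. The ordered deck is the key, which is why "order matters".

```python
"""Solitaire (Pontifex) keystream cipher; the ordered deck is the key."""

JOKER_A, JOKER_B = 53, 54          # assumed numbering: 1..52 are ordinary cards
UNKEYED = list(range(1, 55))       # factory-order deck, used for test vectors


def _move_down(deck, joker, steps):
    """Move a joker down, wrapping so that it never becomes the top card."""
    i = deck.index(joker)
    deck.remove(joker)             # 53 cards remain, valid insert slots 1..53
    j = i + steps
    if j > 53:
        j -= 53
    deck.insert(j, joker)


def next_key(deck):
    """Advance the deck in place and return the next keystream card (1..52)."""
    while True:
        _move_down(deck, JOKER_A, 1)
        _move_down(deck, JOKER_B, 2)
        # Triple cut: swap the cards above the first joker with those below
        # the second joker.
        a, b = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
        deck[:] = deck[b + 1:] + deck[a:b + 1] + deck[:a]
        # Count cut by the bottom card's value (either joker counts as 53),
        # leaving the bottom card in place.
        n = min(deck[-1], 53)
        deck[:] = deck[n:-1] + deck[:n] + deck[-1:]
        # Output card: count down from the top by the top card's value.
        out = deck[min(deck[0], 53)]
        if out < JOKER_A:          # a joker produces no output; run again
            return out


def solitaire(text, deck, decrypt=False):
    """Encrypt or decrypt the letters of text; non-letters are dropped."""
    deck = list(deck)              # work on a copy so the caller keeps the key
    if sorted(deck) != UNKEYED:
        raise ValueError("deck must hold each of the 54 cards exactly once")
    sign = -1 if decrypt else 1
    out = []
    for ch in text.upper():
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + sign * next_key(deck)) % 26 + 65))
    return "".join(out)
```

With the unkeyed deck, ten A's encrypt to EXKYIZSGEH, which matches the published Solitaire test vector.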
After a rather dismal day, I found myself reading my old blog posts about the White Rabbit and wished that I could figure out the latest cryptic clue he had given. Suddenly, right before midnight, I had an inspiration, and discovered the password for the second phase of slowhiterabbit.org.
Your move, Enoch. I look forward to meeting you someday.
Our mysterious benefactor, Enoch, posted a new mini challenge on the slowhiterabbit.org forums on 2009-12-07. The text is a simple substitution cipher, telling how they’ve been facing delays in creating the next challenge.
As promised, I’m here to report more of the White Rabbit happenings. At the request of my friends, I’ve omitted the actual QR codes and their decoded text for the benefit of the game. However, I will tell the events as they were.
Friday morning, we reconnected to the slowhiterabbit.org SSH account that we had previously deduced. The lovable ASCII rabbit appeared along with a PEM-encoded certificate, a set of GPS coordinates, and the following message:
Bring a camera, the view is beautiful.
The GPS coordinates were in the forest right behind campus, so after class, we all hiked to the coordinates given. Naturally, I brought my camera, and took a couple pictures on the way up.
When we got to the coordinates, we found a tree with the rabbit hanging from a branch and a QR code on the opposite side:
The QR code decoded to the private key for the certificate. We thought about what the certificate could be for, and I decided to try going to https://slowhiterabbit.org/, which requires a client certificate. After some command-line hackery, we created a browser-usable certificate file which allowed us into the website—a forum board. I registered, but just as the confirmation page appeared, my username began to delete itself, as if someone was hitting the backspace key. I freaked out. However, the username then replaced itself with the word “Alpha”. In the rabbit hole, just like in Project Mayhem, no one has names.
After a week of midterms, studying, and stress, we were all excited to find a new White Rabbit message on the board by our classroom. In a strange twist, the rabbit message was not there before our lab, but had popped up an hour later. Freaky!
Anyway, so my previous post was just showing the new flier (in better resolution this time, since I grabbed my 6 megapixel Nikon D70s). The barcode was the same URL as before, but the QR code was (obviously) different. After running it through a QR code scanner, it returned this result:
To most ordinary folks, this looks like unreadable garbage. However, to a programmer, this is an unreadable key. This discovery requires a bit of a lesson in basic cryptography, the study of obscuring—encrypting—data. It’s a wide field, but I’ll try to keep the background brief.
Back in the dawn of cryptography, people used symmetric-key cryptography, which is what most people think of when they think of encrypting data. You type in a password and your data becomes junk until you type in the same password again. In cryptography circles, this password is called a key. This is all fine and good, but what if you want to give data to someone else? You could agree on a password with the other person and use that same password over and over (which is insecure), or you could keep changing passwords and have to tell that person the new password each time in a secure manner (which is inconvenient). Both of these seem like bad ideas, so what to do?
Then, in 1976, a couple guys discovered public-key cryptography. In essence, one person can encrypt data with the other’s public key and the recipient can decode it only with their private key. Public keys can be distributed without fear, since only the matching private key can decrypt data encrypted with them.
Another useful application is using the private key to log in to other computers via a protocol called SSH. The server can encrypt data using the user’s public key, and that data can be read only with the user’s private key. It was at this point that my friends made an important discovery:
email@example.com is not an email address. It’s a login.
So lo and behold, we copied the private SSH key onto our computers and logged in to slowhiterabbit.org with the username Alice to find this:
A countdown to 2009-10-23T00:00:00-0700. We think that this is when “Alice” will post her next message “through the looking glass” (so to speak) and not resort to fliers anymore.
It’s exciting, but the question is still: why is this happening?
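The key-based login described above, as an added example that is not from the original post or from any SSH implementation: the server keeps only the public key and issues a challenge that only the private-key holder can answer. It uses textbook RSA on small constructed primes; current SSH has the client sign session data rather than decrypt a challenge, but the proof of key possession is the same idea. Server, make_keypair, answer_challenge and login are hypothetical names.

```python
import hmac
import secrets

# Toy RSA parameters built from known Mersenne primes (constructed for
# illustration; far too small, and unpadded, for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))     # modular inverse, Python 3.8+
    return (n, e), (n, d)


class Server:
    """Holds only public keys, in the spirit of an authorized_keys file."""

    def __init__(self):
        self.authorized = {}              # username -> public key
        self.pending = {}                 # username -> outstanding secret

    def challenge(self, user):
        n, e = self.authorized[user]
        secret = secrets.randbelow(n - 2) + 2
        self.pending[user] = secret
        return pow(secret, e, n)          # only the private key can undo this

    def verify(self, user, answer):
        # Each challenge is consumed on first use, so a captured answer
        # cannot be replayed.
        expected = self.pending.pop(user, None)
        if expected is None:
            return False
        return hmac.compare_digest(str(expected), str(answer))


def answer_challenge(private_key, encrypted):
    """Client side: recover the server's secret with the private key."""
    n, d = private_key
    return pow(encrypted, d, n)


def login(server, user, private_key):
    """Run one full challenge/response round and return the verdict."""
    encrypted = server.challenge(user)
    return server.verify(user, answer_challenge(private_key, encrypted))
```

The server never sees the private key, so copying its list of public keys does not let anyone log in.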
These fliers (Photo 1) popped up all over Cal Poly campus a week ago. I thought it was weird, but went on with my daily routine, thinking it was some concert ad.
I didn’t notice the fliers anymore until I left my computer science lab today, and my friends and I saw another flier that replaced the first one. The flier contained a QR Code (not pictured), the white rabbit, and a barcode at the bottom (Photo 2). Ryan happened to have an iPhone app for scanning QR codes and determined that the QR code was an email address: firstname.lastname@example.org. We weren’t sure what to send to that address, but we figured that the barcode may have something to do with it. I determined—after an hour of trying different scanning software—that the barcode was Code-128 encoded with the following URL:
This ended up leading us to a barcode-reading Java program. Since we already decoded the QR and bar codes, this seemed redundant, so I sent an email to Alice asking “What is the Matrix?” accompanied by the URL for good measure.
Not being satisfied with waiting for a response from Alice, I decided to do some additional research. The domain slowhiterabbit.org yields no results from a browser, but the emails don’t bounce. I checked the DNS information to find that it is a valid domain, but registered under DynDNS, a popular dynamic DNS company, so no dice on the web hosting account. What was bizarre is that there is no WHOIS information, the obligatory public records for any domain name, for slowhiterabbit.org. So who operates it?
I did a trace of the IP traffic to find that the domain is running from the IP address 188.8.131.52. I cross-referenced this with an IP geolocation service to find that the server is a personal computer in Suisun City, CA. From there, I don’t know where to go.
I’m not sure how far the rabbit hole goes, but it’s gone pretty far already. I’ll keep posting this week as I find out more.