ELI40

Who is Cicada 3301?

Page 2: Caesar - Original image from 2012

cicada 3301 original image

Upon seeing this mysterious message, what was your first reaction?

The first thing I did was look at the Exif data. Digital images often have some metadata stored with them that you don't normally see. This is information such as copyright, date taken, camera model, exposure settings, etc. Pictures taken with your phone may even include its GPS location. This can cause problems for people that don't realize the data is there. Don't panic though, this feature is usually off by default and sites like Facebook and Twitter automatically remove Exif data so stalkers can't find your GPS coordinates by looking at your latest Facebook posts.

Windows users can view Exif data by right-clicking on the image (after you've saved a copy) then selecting the Details tab. As you can see, this image has no interesting Exif data. So what's next?

The next thing I tried was loading the image into Photoshop to look for black text on the black background. This is a simple trick that is surprisingly effective. After all, when was the last time you checked photos for hidden messages? The only reason it seems obvious here is because the we were told "There is a message hidden in this image." Unfortunately, adjusting the contrast and brightness reveals nothing obvious.

Years ago, back when the JPEG format was new, I was making a living as a computer game programmer. When this fancy new JPEG format came along, boasting some really great compression performance, I took some time to write a JPEG decoder. I don't remember any of the details now, all I remember is that the file format is flexible enough that it can store more than just image data. So I took the Cicada image and threw it into my favorite hex editor to see what I could see.

Computers talk in binary but instead of an endless stream of 0's and 1's, binary is usually represented as hexadecimal. Any file, whether it's an app on your phone, a text document, spreadsheet or a picture, can be represented in its raw hexadecimal form. It's not something most people do regularly but it's easy to do even if you don't have a hex editor. In this case, if you're a Windows user, simply right-click on the file and select Open With. Don't use an image editor, word processor, Excel, or anything that knows how to display .jpg images, it has to be something that lets you view the raw data. Notepad has no idea how to display a .jpg image so it works fine. Scroll to the end of the file.

TIBERIVS CLAVDIVS CAESAR says "lxxt>33m2mqkyv2gsq3q=w]O2ntk"

That certainly looks like a clue and it's definitely not image data, it's simply some text appended to the end of the file. Now all we have to do is figure out what it means.

If you type the hidden message into Google now you'll get links about Cicada 3301 but back in 2012 the closest match was a Wikipedia page about Roman Emperors. According to Wikipedia, Tiberius Caesar was the 2nd emperor, Claudius Caesar was the 4th emperor, Nero Caesar was the 5th and Julius Caesar wasn't an emperor at all but rather a dictator and the other Caesar's adopted the name Caesar as their title. To make matters worse, Claudius' middle name was Tiberius. Or maybe that was his first name but he went by his middle name. I'm sure the Romans understood all this but I don't. It seems the dude had five different names and it's all very confusing.

For now, let's ignore the confusing bit about which emperor is which and instead look at the encrypted portion of the message. If you stare at it long enough, you might be able to recognize a familiar pattern:

lxxt>33...   ⇔   http://...

The word Caesar has another meaning. If you've ever played with secret codes then you've probably used a Caesar cipher. Basically, it's a really simple way of shifting letters. In this example, h is four letters before l, t is four before x, p is four before t, and so on. Shifting every letter forward four spaces, lxxt becomes http. This Caesar cipher uses a shift of 4, Tiberius Caesar was the 4th emperor... that sure does look like it was supposed to be a clue.

Except do you shift by four when enciphering or deciphering? If they enciphered using a shift of four, that means we need to decipher with a shift of negative four. Getting it wrong is like giving someone directions to your house and saying left when you meant right.

The message also requires an ASCII chart. Think of ASCII like the computer's alphabet that includes letters, numbers and symbols. Traditional Caesar ciphers don't use ASCII but this one does. Using ASCII and shifting by -4 let's us translate the message to a URL:

http://i.imgur.com/m9sYK.jpg

WARNING: For those of you trying to solve the clues yourself, an obvious but important reminder is in order. Do NOT download unfamiliar software from the Internet. It's not always easy to know what is safe and what is not. It is safe to follow the above link to Imgur.com if you want to. Or, you can simply go to the next page and keep reading.