ELI40

Who is Cicada 3301?

Page 3: Decoy - The art of steganography

cicada 3301 duck decoy
Does this duck have a secret message?

The first thing I noticed is that Whoops is spelled oddly and a clue with a misspelling is usually a strong indicator that the misspelling means something. Being all capitalized makes it look even more suspicious, like maybe an abbreviation. If it is a clue, I have no idea what the abbreviation would mean and neither does Google. Spelling it without the h is odd but acceptable, using all capitals is also odd but acceptable, so maybe this means nothing.

Checking all the same things we did with the previous clue reveals nothing. There's nothing in the Exif data, Photoshop doesn't reveal anything obvious, and there are no obvious messages in the hex dump this time. The text on this image sure does make it sound like the clue we found in the original image was a decoy and we're on the wrong path. The first clue did seem a little too easy, maybe we missed something.

Before giving up, let's investigate a little further. That part about getting the message out implies that there might be something hidden in the pixel data, either in this image or the original one. The idea is that digital images are often stored with 24 bits per pixel. 2^24 = 64 million colors, which is more than what most humans can perceive. If an image used only 22 bits instead of 24, it would look nearly identical while leaving 2 extra bits per pixel unused.

JPEG compression is based on the same concept, it uses some elaborate math to figure out which color information is unnecessary and therefore can be discarded. Throwing out unnecessary bits makes the image smaller, i.e. compressed.

Instead of discarding the unnecessary bits, they could be used to embed invisible information. Think of it like writing white text on a white background but with pixels instead of letters. The fancy name for this is steganography which simply means hiding messages. This technique of finding the unused bits can work with images, movies, sound, databases, anything.

Many years ago I used steganography in a computer game I was working on. I needed to add lip-sync data to some animated artwork in a way that the lip-sync data was invisible to the user but could be used by the computer. To accomplish this, I carefully "stole" some lower bits from the artwork. It worked great, the artists were happy that the lip-syncing worked correctly and never noticed that their original masterpieces had been modified slightly. I never told them what I had done. If they're reading this now, I hope it doesn't make them angry.

The lip-sync animations used a proprietary, lossless compression scheme similar to .gif files. By contrast, .jpg files use lossy compression which means some of the original data is lost. That's no big deal if the lost data wasn't needed anyways but it is a problem if the lost data was the lip-sync information or a secret message. Since the picture of the duck decoy uses lossy JPEG compression, I doubted the pixels contained a secret message.
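The low-bit trick and the lossy-compression problem described above, as an added Python example (not the code from the game, and not how Outguess works). It hides a message in the 2 lowest bits of each 8-bit sample and shows that it survives a lossless copy but not a lossy step; the cover data, the length-prefix layout and the lossy() stand-in are assumptions made for the illustration.

```python
# Added illustration: the pixel samples and the "lossy" step are constructed
# stand-ins, not a real image and not real JPEG compression.

def embed(samples: bytes, message: bytes) -> bytes:
    """Hide a 1-byte length plus the message, 2 bits per 8-bit sample."""
    if len(message) > 255 or (len(message) + 1) * 4 > len(samples):
        raise ValueError("message does not fit in this cover")
    payload = bytes([len(message)]) + message
    out = bytearray(samples)
    for i, byte in enumerate(payload):
        for j in range(4):                          # four 2-bit groups per byte
            bits = (byte >> (6 - 2 * j)) & 0b11
            k = 4 * i + j
            out[k] = (out[k] & 0b11111100) | bits   # top 6 bits untouched
    return bytes(out)

def extract(samples: bytes) -> bytes:
    """Rebuild bytes from the low 2 bits; the first byte is the length."""
    def read_byte(i: int) -> int:
        value = 0
        for s in samples[4 * i:4 * i + 4]:
            value = (value << 2) | (s & 0b11)
        return value
    length = min(read_byte(0), len(samples) // 4 - 1)
    return bytes(read_byte(i) for i in range(1, length + 1))

def lossy(samples: bytes, step: int = 8) -> bytes:
    """Crude stand-in for lossy compression: round down to a multiple of step."""
    return bytes((s // step) * step for s in samples)

def max_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference, i.e. how visible the edit could be."""
    return max(abs(x - y) for x, y in zip(a, b))

COVER = bytes((37 * n + 11) % 256 for n in range(64))   # constructed "pixels"
STEGO = embed(COVER, b"quack")

if __name__ == "__main__":
    print("lossless copy :", extract(STEGO))             # message intact
    print("max change    :", max_change(COVER, STEGO))   # at most 3 of 255
    print("after lossy   :", extract(lossy(STEGO)))      # message gone
```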

JPEG compression, like many file formats, is extensible. This means new versions can add new data types as long as the old data types don't change. Old versions continue to work because they quietly ignore any unrecognized data. If I were hiding a secret message in a JPEG, I would simply create a new data type that nobody used except me. My unrecognized data would be silently ignored by any software that didn't know what to do with it but would be easy to find if you knew where to look. Security through obscurity.

I thought for sure that the duck image used a trick like this. All I would have to do is go through the JPEG file looking for unusual blocks of data. I could do this by hand with a hex editor if I had to but that would require some effort and by the time I discovered Cicada 3301, plenty of others had already solved this clue. My original goal was to solve everything myself but I was impatient and the temptation was too great so I looked up the answer.
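Looking for unusual blocks does not have to be done by hand in a hex editor. The Python below is an added example, not a tool the author used: it walks a JPEG's marker segments, flags any marker outside a short allow-list, and returns whatever bytes follow the end-of-image marker. The allow-list and the sample bytes are assumptions for the illustration; real files carry other legitimate markers as well.

```python
import struct

# Assumed short allow-list; real files also use other legitimate markers.
KNOWN = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI",
         0xDA: "SOS", 0xE0: "APP0/JFIF", 0xE1: "APP1/Exif", 0xFE: "COM"}
IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}   # stuffing, fill, restart markers

def walk_jpeg(data: bytes):
    """Return (segments, trailing): segments are (offset, marker, name,
    payload_length); trailing is every byte after the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI: the image ends here
            return segments, data[pos + 2:]
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((pos, marker, KNOWN.get(marker, "UNKNOWN"), length - 2))
        pos += 2 + length                      # length counts its own 2 bytes
        if marker == 0xDA:                     # skip the compressed scan data
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    raise ValueError("truncated: no EOI marker found")

def suspicious(data: bytes):
    """Unknown segments as (offset, marker, size), plus bytes after EOI."""
    segments, trailing = walk_jpeg(data)
    odd = [(off, hex(m), n) for off, m, name, n in segments if name == "UNKNOWN"]
    return odd, trailing

def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG-shaped bytes, not a decodable picture.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
          + seg(0xEB, b"private block") + seg(0xDB, bytes(65))
          + seg(0xDA, bytes(6)) + b"\x12\xff\x00\x34" + b"\xff\xd9" + b"appended")

if __name__ == "__main__":
    print(suspicious(SAMPLE))
```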


I was wrong, apparently the image doesn't store a message the way I thought it would. In fact, this duck decoy doesn't have a hidden message at all but the original image does. The message we found was indeed a decoy, the real message is embedded directly in the pixel data. This means that extracting it requires special software that understands the JPEG compression scheme and that involves some complex math. That is not something I wanted to try writing from scratch.

The Internet said the secret message could be extracted with a program called Outguess. Apparently that was supposed to be obvious by the phrase "... guess how to get the message out." It didn't seem obvious to me because I had never heard of Outguess but whatever, I asked Google about Outguess.

And that's where I stopped.

Speculation

Outguess is steganography software. It is one of many such tools. I don't know why Cicada chose Outguess, probably because it's freeware. While originally a Linux app, there are also Windows versions. However, unless you know exactly what you're doing, I do not recommend downloading unfamiliar software from the Internet. Most copies of Outguess are legitimate but looks can be deceiving, especially considering that this whole thing originated on 4chan, a place with a well-known propensity for trolling people with intricate pranks.

The best way to proceed would be to use a second computer or maybe just an Ubuntu VM that could be wiped clean later. I considered it. The Cicada 3301 puzzle looked enticing, just not quite enticing enough to justify the extra effort. Installing Linux, wrestling with unknown software, and reformatting my hard drive is not my idea of fun. Instead, I decided to go back to the Internet to see what others had found.

I was disappointed when I learned that finding the hidden message requires steganography software that is only known to a narrow audience. Maybe that was on purpose though, instead of looking for "highly intelligent individuals" like the original message said, maybe what they're really looking for are individuals who are familiar with Ubuntu steganography tools.

Google billboard
{first 10-digit prime found
in consecutive digits of e}.com

The site is no longer active.

The decoy clue was relatively easy. It required some basic computer skills but nothing too esoteric or difficult. This second clue though, it definitely requires some very specialized knowledge. Don't confuse specialized knowledge with intelligence, any script-kiddie can run the Outguess utility. Knowing that Outguess exists is neither a test of intelligence nor a demonstration of skill. Even very experienced network professionals don't normally deal with steganography tools. Knowing about Outguess requires a network technician who specializes not only in data security but also in espionage. Like maybe Edward Snowden.

This immediately makes me think of three-letter agencies such as the NSA, FBI, DOD, DHS, DEA, NRO, CIA, and MI5. They're not the only ones that care about data security though, lots of companies need technicians who specialize in network security. Google, Apple, Amazon, Cisco, Verisign, Bank of America... nearly any company you can think of has to deal with network security at some point. Skilled, experienced IT professionals are always in demand.

Here is a book code. To find the book, and more information, go to http://www.reddit.com/r/a2e7j6ic78h0j/

1:20
2:3
3:5
4:20
5:5
6:53
7:1
8:8
9:2
10:4
11:8
12:4
13:13
14:4
15:8
16:4
17:5
18:14
19:7
20:31
21:12
22:36
23:2
24:3
25:5
26:65
27:5
28:1
29:2
30:18
31:32
32:10
33:3
34:25
35:10
36:7
37:20
38:10
39:32
40:4
41:40
42:11
43:9
44:13
45:6
46:3
47:5
48:43
49:17
50:13
51:4
52:2
53:18
54:4
55:6
56:4
57:24
58:64
59:5
60:37
61:60
62:12
63:6
64:8
65:5
66:18
67:45
68:10
69:2
70:17
71:9
72:20
73:2
74:34
75:13
76:21


Good luck.

3301
Can you decode this book code?

The problem is, I seriously doubt the HR department at any of the above would start their recruiting search on 4chan/b. Google once used a billboard near a busy freeway in Silicon Valley. That was unconventional but still makes more sense than 4chan. Also, when looking for applicants with technical abilities, professional recruiters are more interested in math skills and programming experience than knowledge of Roman emperors or obscure Linux tools. I've been a hiring manager myself and interviewed many, many programmer applicants. If I ever heard colleagues asking about Outguess during an interview I would politely but firmly remind them that it's more important to find applicants with a broad scope of abilities and positive attitudes while specific details such as how to use Outguess can be taught.

At this point, if I had to speculate about who is behind Cicada 3301, my guess would be college sophomores getting their computer science degrees and looking for others to join their secret club. If not college sophomores then maybe a neckbeard living in his mother's basement. But it's really too early to speculate, so far we've only seen one real clue and one fake clue so let's see what's next.

If you go back to the original image and run it through Outguess, it spits out the clue shown to the left. This clue doesn't require downloading any special software so feel free to investigate it yourself. Don't waste too much time on it though, it has been several years so the original clue is a bit jumbled now and more difficult to decipher than it used to be. When you're ready, go to the next page for an explanation.