It turns out that this is not a .jpg embedded in the .png, as it does not include a complete signature. Oh well; worth a shot!
Friday, August 29, 2014
Possible .JPG Image Hex Buried Within .PNG Image On BMRF.us
It turns out that this is not a .jpg embedded in the .png, as it does not include a complete signature. Oh well; worth a shot!
Monday, August 25, 2014
Update Part 2 of 2: Concept Map
You can now open or save the concept map simply by clicking the link below. You can also click the embedded picture to open it in a separate screen for closer examination. Keep in mind that the picture is fuzzy here, but opening the link provides the full, high-resolution version.
Open/save the Concept Map
Open/save the Concept Map
Update Part 1 of 2: Timeline
I will be updating the blog and the Wiki pages to reflect two entities that I believe will aid us in our quest to solve the 752-character Hex Code. The first, which I've included here, is a timeline of hints/solutions that began after IRC Clue #1 and prior to Code D being solved. I am also constructing a concept map to identify key ideas that are reflected throughout multiple parts of the ARG--my hope is that this will aid us in determining possible relationships between clues, whilst also potentially excluding red herrings.
Final Timeline - Codes A-D Onward
(Events begin after IRC Clue #1 and before Code D solution)
- October 4, 2012
- IRC Clue #2 - “Note Welsh”
- “N38°57'8.05" W77°8'44.82".
Solution two ignore loc data N32°52'50.77" W106°20'49.40" not buried at initial loc, fly here.
Travel 14.16 miles east we transferred the niobium there.
Await further instructions.” - Capital letters in initial solution spell out “NOTE WELSH”
- October 5, 2012
- IRC Clue #3 - “X01/X02”
- “INCOMING TRANSMISSION - LOC 2 LAYER 2 SUBSTRATA 3 X01/X02 HALOS PROJECT INITIATED
41Nb recovered. HAFB Compromised.
Transfer to site complete, project HALOS underway. Further INFO [Classified].
CODE BASE 64 compromised, switch to old code talker.
They are watching, assume leaker on site.
WSMR No longer viable location, move to main site, check external sources.” - November 4, 2012
- SECOM cipher solved
- Grilled Pizza image on site
- Message hidden at bottom of page:
- ‘They stole the lie, as if that matters to me, HALOS is far too complete to stop now. They can't hide there, not now, not now I have this, this holds the key to all things... they CAN'T hide from me. I will follow them, I'll set up a link and this to remind me. Perhaps I should hide it on the secure site, perhaps that would be best. I'll find them though and they will pay, they will definitely pay. Dr Marcel was right when he said, "When you're building a cage for Satan, you don't ask him to wait around whilst you put the doors on." Welsh is probably behind this, but he won't get away with it.’
- Decoded image message:
- “congratulationsyouwonthePIZZA”
- November 4, 2012
- IRC Clue #4 - “Prime Site Compromised”
- Base64 decoding: “Proxyhost@-84-9-123-164.dslgb.com//closed.proxy.accepted//?OTR,1,3,?OTR:[I---MI-G TR--SMI---ON - UN---WN S##RCE]Access detected to personal site.
Security compromised.
HALOS project under threat. Site offline as response. Switching to new protocols.[********] ~[OTR//2.0]Q0FZRUlMVEhEWkVIVEhBTlpJRVRLSU5OQUFTVFNPU
0lCSVNPRElIVEhBTlpJRURaRUhUS0lOV09MTEFDSEVFRElCRUhUSEFOWklFQ0FZRUlMVEhEWkVIRElCRUhUSEFOWklFTkFBU1RTT1NJTk9EQUlIVEhBTlpJRU1BRU5BQVNUU09TSUdBSFRLSU5ORUFTSEpTTlRIQU5aSUUKRElCRUhZQVpaSUxJTlNIVVNIRFpFSEtMSVpaSUVORVNIQ0hFRUNBWUVJTFRIS0xJWlpJRVlBWlpJR0FIU0hVU0hCRURJQk
VIWUFaWklTSFVTSEJJU09ESUhOT0RBSUg=[/]~
[Transmission Ends]” - Navajo Code + Playfair (Key: “Terminal”) decryption of inner portion:
“PRIMESITECOMPROMISEDRETURNBMRFLOGINHALOS” - November 5, 2012
- IRC Clue #5 - “BENALOHPAILLIER”
- Base64 decode #1:
“[[Proxyhost@-84-9-123-155.dslgb.com//closed.proxy.accepted//?OTR,1,3,?OTR:[INCOMING TRANSMISSION UNKNOWN SOURCE]LEAK SOURCE DETECTED. TRIANGULATING...MIX CASCADE
HOP DETECTED...ATTEMPTING TIMING ATTACK...[TERMINATED] CANNOT CONNECT TO HOST...ATTEMPTING CONNECT TO USER H... SENDING DATA. SECURITY LEVEL 7 ALPHA.[OTR//3.0]
QkFRS1ggSk9BSkcgWEFIRUQgSUZHSVogRlpEUEIgVVNYTEcgR1hIRkEgVUFVV00gSEJRQU0gV0FYVlkgTFFRUlkgV1JVV1YgRVRRT0sgQkFDQkUgSldITVMgSFZPTlogSUFIUEEgU09XQ00gTEdBVFggVUVYT1EgRFJ
RRUogQlZMQk8gREpJSEUgQ1pUSE0gWktISUUgTk9NTFMgQVhWVlcKRVRXSVMgRVRJR00gUlhFVkYgUVlBVUIgVkZDRUIgUFdCVUsgRU1OT0wgVw==[/][End Transmission]|¬[Terminal.] ~~ [Transmission Ends]]” - Base64 and running key decode #2 (inner portion):
"This is a message left for Dr. Horn. Just to remind you in case of emergencies that the password to the HALOS files is BENALOHPAILLIER. I have programmed HALOS to send in level seven cases. You should bring pizzas." - November 7, 2012
- IRC Clue #6 - “HALOS.TXT”
- Reminder to check website which led to discovery of HALOS.txt:
“[[ProxyhoSt@-84-9-I23-345.dslgb.com//closed.proxy.accepTEd//?OTR,3,4,?OTR:[INCOMING TRANSMISSION]ThEpIzZaIsaLiE...HALOS[Transmission Ends]]” - Not mentioned on Wiki (I have since updated to reflect this), but the capital letters after the first “p” spell out: “SITE”
- This is obviously just a hint to return to the site
- CURRENT
- 752-character hex code retrieved from HALOS.txt . . . .
Saturday, August 2, 2014
Feedback For Writers • Index page
My latest pet project:
Feedback For Writers • Index page
Check it out if you have a knack for writing, need a critique on an essay or other written work, or just like giving constructive criticism! Even if you don't, do me a favor and sign up. Your registration helps improve the numbers!
Feedback For Writers • Index page
Check it out if you have a knack for writing, need a critique on an essay or other written work, or just like giving constructive criticism! Even if you don't, do me a favor and sign up. Your registration helps improve the numbers!
Saturday, July 12, 2014
Two Notable Things On the "Tempus" Page
There are two things I recently noticed on the "Tempus" Wiki page; one seems more crucial than the other, but they both bear mentioning.
1.
The primary examination is on this part of the Wiki page:
INTERCEPT 099.00//a
Report{BMRF-HALOS-AITR-0001,
author = {HALOS AUTOMATED},
title = INTERCEPT DATA,
year = 20xx,
month = OCT,
institution = {Black Mesa Research Facility - HALOS DEPT},
number = {099.00//a}
}
I have no idea why I didn't notice this before, but that looks exactly like programming language. At first it looked like a mix of simply HTML and CSS, seeing as how there are no called functions, but there are tons of programming languages that I don't know--Python, for instance. Perhaps someone else would have a much easier time noting trends or key indicators that point toward one language.
2.
The second interesting thing is the line: institution = {Black Mesa Research Facility - HALOS DEPT},
I don't think that the HALOS project was a well-known entity within the facility (only a few people were "in on it"), so calling it the HALOS DEPT (HALOS department) seems to indicate that this message is as we originally suspected--a direct message within the systems or makers of HALOS that was not supposed to be "leaked" to the public.
Anyhow, hopefully this will get some gears chugging along again! Any thoughts?
1.
The primary examination is on this part of the Wiki page:
INTERCEPT 099.00//a
Report{BMRF-HALOS-AITR-0001,
author = {HALOS AUTOMATED},
title = INTERCEPT DATA,
year = 20xx,
month = OCT,
institution = {Black Mesa Research Facility - HALOS DEPT},
number = {099.00//a}
}
I have no idea why I didn't notice this before, but that looks exactly like programming language. At first it looked like a mix of simply HTML and CSS, seeing as how there are no called functions, but there are tons of programming languages that I don't know--Python, for instance. Perhaps someone else would have a much easier time noting trends or key indicators that point toward one language.
2.
The second interesting thing is the line: institution = {Black Mesa Research Facility - HALOS DEPT},
I don't think that the HALOS project was a well-known entity within the facility (only a few people were "in on it"), so calling it the HALOS DEPT (HALOS department) seems to indicate that this message is as we originally suspected--a direct message within the systems or makers of HALOS that was not supposed to be "leaked" to the public.
Anyhow, hopefully this will get some gears chugging along again! Any thoughts?
Tuesday, February 18, 2014
Where We Currently Stand
Code/Storm's Private Messages
We haven't had much success with the ARG lately, as we're still stuck on the Hex Code puzzle. I recently revealed that Storm had been PMing me directly about the ARG, although his messages revealed little:
"Apologies for the time delay, things have been hell here for the last month or so.
I ran the code through a few programs that analyze entropy via auto-correlation, the n gram results indicate a weak encryption, but one that results in highly entropic data (which I correlated against a similar data set size from a randomness extractor) when decoded via Hex, which I suspect is a secondary encode, as most encrypted data sent via communications is encoded in order to avoid corruption. This may have skewed the block size analysis done previously (resulting in 376bytes or 64bits).
Code:
³+�:5ºÝfW|$ÁOÉCFÑ1§ÅK¸/þà"aWw?$y#Ü!ö,Ô.‘ògµE«Êí¯aQ
Nê‡Í3ÇÇ?q10œÄ(´$=TðDùÏb–Ù¿÷9~C˜æ2Ú
?äx³¥O]Üiuú÷I„žbYZŸc•‘=à>:¬?8ŒEû…þ‘5AÖÀƒ˜òȃ2¨/ß�(büÜOçäj?éQÅÈ´dã:¹,–†.‹À™¸8�Úy¶?ä¢Y›mHǹSŒîc‘D ôaº’äþu$,Ø?QÖ•Q˜‡j|ª½{@I"A0©f̳Á9F:?~š7ª†?²xü—1À œŒy~y“
@eF²Lšb›&Â?Î*KäXš7_ësÄ«"\„Œøž)²q3—6G?J‰(íÖTiŒ^[PgFövZo%Þ¤Ú@þ¶e?E$i6•ˆ=Ë!æûþû¸Z)‘”€6¥+]Thinking in a non linear way, I've tried to classify the OTR message header with its increasing scale as the puzzles moved on.
[CLASSIFIED INFORMATION LEVEL 8][OTR//4.0]
working from that basis and the other messages I have developed this list.
Level 0 - 2 = Non Encrypted or Encoded (similar to private and confidential?)
Level 3 - 4 = OTR 1 - Base 64 or Base 85 encoded
Level 5 - 6 = OTR 2 - Hyper-encrypted (layered) Pen and Paper Ciphers
Level 7 = OTR 3 - Hyper-encrypted (layered) One Time Pad
Level 8 = OTR 4 - ???
Level 9 - ?? = OTR 5 - ???
Considering a flawed OTP (which it was, considering the ability to analyze it), when done properly should be information-theoretically secure, the next level should be either hyper-encryption using random bits (which is unlikely considering the difficulty in making that crackable and for the fact it's usually used on hardware encryption chips), or some form of Block Cipher (from which if we assume the scale of Levels goes up to 10), can be extended into simple block ciphers with small block size, which analysis seems to indicate it is not, up to triple cascaded ciphers with high block sizes, salts and perhaps even key files to add additional strength.
It is just an assumption, but one using the available evidence, OTR 4.0 is either a 128bit or 256bit block cipher with an unknown mode and key length. I would assume AES or Rjindael as candidates to allow for the most commonly used (also as Off the Record encryption uses AES as its base algorithm, that may be a hint). So to modify the list -
Level 0 - 2 = Non Encrypted or Encoded (similar to private and confidential?)
Level 3 - 4 = OTR 1 - Base 64 or Base 85 encoded
Level 5 - 6 = OTR 2 - Hyper-encrypted (layered) Pen and Paper Ciphers
Level 7 = OTR 3 - Hyper-encrypted (layered) One Time Pad
Level 8 = OTR 4 - 128bit/256bit block cipher (AES or Rjindael or Twofish or Serpent)
Level 9 = OTR 5 - Cascaded Block Ciphers with salt (SHA 512 or Whirlpool etc)
Level 10 = OTR 6 - Cascaded Block Ciphers with salt and possible key file additions (to increase password strength)
For the moment therefore, I will continue to try and analyze the non Hex code and work out the block size, algorithm basis, key length etc.
If it is a block cipher, then algorithm cracking is pointless, and as such key forcing may be necessary.
If I were a betting man, I would say this is a 256bit encryption, probably of the AES or Rjindael cipher algorithm (not that you can tell from the code, but its pretty common) .
The password will probably be hinted at, perhaps in a less than obvious way. We can assume this much as it is almost impossible to analyze a cipher text with only one message and nothing to confirm patterns. Once I've got a rough estimate of what mode/algorithm it uses, I can dedicate some run time to rainbow table attacks on the key. I have a feeling this is a holding puzzle, designed to allow time to construct further aspects of the ARG or work on whatever is behind their NDA.
Recently there was a problem with the computer systems at work, so I may not have access to all the analytical machinery I usually do, it may take a bit longer to get more information, if i find anything interesting I'll let you know. I may have access to some more specialist equipment at a later date, so more progress will likely be made then. I think we can rule out SSH or OTP though."
Latest Message from Storm
Another thing to note is that we have received another message on the ARG's main Wiki site, in the comments section of the "Tempus omnia revelant" page. The message is as follows:
"Aug 09
--------------
W### has been p########## well on the L#### O####### L######## Can####, other#### kn### as the T## Cann##. My t##### to the #####etic
induction coil have reduced the likelyhood of overcharge by 200%! I still cannot fathom why the fuse we introduced continues to fail
however, perhaps the leptons have a mi7s6d0976)(&^A)S()F ()A^SF) A()&^ ^)(AS&^ (^6097^)(76)(*"_)"_)(*")(*!")(*!")(!"*)(.................................. ........ .........................................."
It is believed by some that the different symbols may be converted to numbers--the resulting "code" is:
7609760976090906090766097696609760976098202098209812098120912809
It's important to note, however, that this code is probably just produced by random keystrokes.
My Prediction
Below is something I recently posted on the forums about the ARG, and I currently stand by it:
"I have pretty much concluded at this point that we're dealing with 3DES. The Lucifer cipher is directly connected to DES. Furthermore, we have things happening in groups of threes:
In the image with red writing, the word "lies" is written three times--there may be a fourth, but it looks like something else.
The first "lies" is also underlined three times.
We have three instances of Satan/Lucifer being mentioned:
* Once on the grilledpizza page: "When you're building a cage for Satan, you don't ask him to wait around whilst you put the doors on."
* The picture with the red writing
* Indirect suggestion with the Dante's Inferno references: "Raphèl maí amèche zabí almi"
Other than that, I think it's just a feeling. I found this page randomly tonight: It details how someone solved a hex code for a contest to win tickets. The first round of the code actually mentioned Lucifer, and the gentleman used DES to solve it. His hex code was extremely similar to ours."
Other Possibly Relevant Material
Lastly, here is some other information pulled from the Wiki that may or may not be helpful or even relevant:
We haven't had much success with the ARG lately, as we're still stuck on the Hex Code puzzle. I recently revealed that Storm had been PMing me directly about the ARG, although his messages revealed little:
"Apologies for the time delay, things have been hell here for the last month or so.
I ran the code through a few programs that analyze entropy via auto-correlation, the n gram results indicate a weak encryption, but one that results in highly entropic data (which I correlated against a similar data set size from a randomness extractor) when decoded via Hex, which I suspect is a secondary encode, as most encrypted data sent via communications is encoded in order to avoid corruption. This may have skewed the block size analysis done previously (resulting in 376bytes or 64bits).
Code:
³+�:5ºÝfW|$ÁOÉCFÑ1§ÅK¸/þà"aWw?$y#Ü!ö,Ô.‘ògµE«Êí¯aQ
Nê‡Í3ÇÇ?q10œÄ(´$=TðDùÏb–Ù¿÷9~C˜æ2Ú
?äx³¥O]Üiuú÷I„žbYZŸc•‘=à>:¬?8ŒEû…þ‘5AÖÀƒ˜òȃ2¨/ß�(büÜOçäj?éQÅÈ´dã:¹,–†.‹À™¸8�Úy¶?ä¢Y›mHǹSŒîc‘D ôaº’äþu$,Ø?QÖ•Q˜‡j|ª½{@I"A0©f̳Á9F:?~š7ª†?²xü—1À œŒy~y“
@eF²Lšb›&Â?Î*KäXš7_ësÄ«"\„Œøž)²q3—6G?J‰(íÖTiŒ^[PgFövZo%Þ¤Ú@þ¶e?E$i6•ˆ=Ë!æûþû¸Z)‘”€6¥+]Thinking in a non linear way, I've tried to classify the OTR message header with its increasing scale as the puzzles moved on.
[CLASSIFIED INFORMATION LEVEL 8][OTR//4.0]
working from that basis and the other messages I have developed this list.
Level 0 - 2 = Non Encrypted or Encoded (similar to private and confidential?)
Level 3 - 4 = OTR 1 - Base 64 or Base 85 encoded
Level 5 - 6 = OTR 2 - Hyper-encrypted (layered) Pen and Paper Ciphers
Level 7 = OTR 3 - Hyper-encrypted (layered) One Time Pad
Level 8 = OTR 4 - ???
Level 9 - ?? = OTR 5 - ???
Considering a flawed OTP (which it was, considering the ability to analyze it), when done properly should be information-theoretically secure, the next level should be either hyper-encryption using random bits (which is unlikely considering the difficulty in making that crackable and for the fact it's usually used on hardware encryption chips), or some form of Block Cipher (from which if we assume the scale of Levels goes up to 10), can be extended into simple block ciphers with small block size, which analysis seems to indicate it is not, up to triple cascaded ciphers with high block sizes, salts and perhaps even key files to add additional strength.
It is just an assumption, but one using the available evidence, OTR 4.0 is either a 128bit or 256bit block cipher with an unknown mode and key length. I would assume AES or Rjindael as candidates to allow for the most commonly used (also as Off the Record encryption uses AES as its base algorithm, that may be a hint). So to modify the list -
Level 0 - 2 = Non Encrypted or Encoded (similar to private and confidential?)
Level 3 - 4 = OTR 1 - Base 64 or Base 85 encoded
Level 5 - 6 = OTR 2 - Hyper-encrypted (layered) Pen and Paper Ciphers
Level 7 = OTR 3 - Hyper-encrypted (layered) One Time Pad
Level 8 = OTR 4 - 128bit/256bit block cipher (AES or Rjindael or Twofish or Serpent)
Level 9 = OTR 5 - Cascaded Block Ciphers with salt (SHA 512 or Whirlpool etc)
Level 10 = OTR 6 - Cascaded Block Ciphers with salt and possible key file additions (to increase password strength)
For the moment therefore, I will continue to try and analyze the non Hex code and work out the block size, algorithm basis, key length etc.
If it is a block cipher, then algorithm cracking is pointless, and as such key forcing may be necessary.
If I were a betting man, I would say this is a 256bit encryption, probably of the AES or Rjindael cipher algorithm (not that you can tell from the code, but its pretty common) .
The password will probably be hinted at, perhaps in a less than obvious way. We can assume this much as it is almost impossible to analyze a cipher text with only one message and nothing to confirm patterns. Once I've got a rough estimate of what mode/algorithm it uses, I can dedicate some run time to rainbow table attacks on the key. I have a feeling this is a holding puzzle, designed to allow time to construct further aspects of the ARG or work on whatever is behind their NDA.
Recently there was a problem with the computer systems at work, so I may not have access to all the analytical machinery I usually do, it may take a bit longer to get more information, if i find anything interesting I'll let you know. I may have access to some more specialist equipment at a later date, so more progress will likely be made then. I think we can rule out SSH or OTP though."
Latest Message from Storm
Another thing to note is that we have received another message on the ARG's main Wiki site, in the comments section of the "Tempus omnia revelant" page. The message is as follows:
"Aug 09
--------------
W### has been p########## well on the L#### O####### L######## Can####, other#### kn### as the T## Cann##. My t##### to the #####etic
induction coil have reduced the likelyhood of overcharge by 200%! I still cannot fathom why the fuse we introduced continues to fail
however, perhaps the leptons have a mi7s6d0976)(&^A)S()F ()A^SF) A()&^ ^)(AS&^ (^6097^)(76)(*"_)"_)(*")(*!")(*!")(!"*)(.................................. ........ .........................................."
It is believed by some that the different symbols may be converted to numbers--the resulting "code" is:
7609760976090906090766097696609760976098202098209812098120912809
It's important to note, however, that this code is probably just produced by random keystrokes.
My Prediction
Below is something I recently posted on the forums about the ARG, and I currently stand by it:
"I have pretty much concluded at this point that we're dealing with 3DES. The Lucifer cipher is directly connected to DES. Furthermore, we have things happening in groups of threes:
In the image with red writing, the word "lies" is written three times--there may be a fourth, but it looks like something else.
The first "lies" is also underlined three times.
We have three instances of Satan/Lucifer being mentioned:
* Once on the grilledpizza page: "When you're building a cage for Satan, you don't ask him to wait around whilst you put the doors on."
* The picture with the red writing
* Indirect suggestion with the Dante's Inferno references: "Raphèl maí amèche zabí almi"
Other than that, I think it's just a feeling. I found this page randomly tonight: It details how someone solved a hex code for a contest to win tickets. The first round of the code actually mentioned Lucifer, and the gentleman used DES to solve it. His hex code was extremely similar to ours."
Other Possibly Relevant Material
Lastly, here is some other information pulled from the Wiki that may or may not be helpful or even relevant:
- User:Dr_Horn created the page Tempus omnia revelant (Time reveals all) after the trail on this problem went cold. Stormseeker then updated the forum thread's original post, adding the text 'tempus omnia revelant'. This seems to confirm that the Wikia account for Dr Horn is indeed Stormseeker.
- Stormseeker later says on his Steam Profile:
- "If it's about the ARG, I've not set up or had any sites setup for hacking, so no. There is an answer, but you can't brute force it, the CIA couldn't brute force it. Someone is already close."
- Stormseeker teased encryption may not be the right idea. "How do you know solving this has anything to do with encryption?"
Subscribe to:
Posts (Atom)