Breaking Badge - The DEFCON Crazy 8s

Author Note: At the bottom of this article are useful links and downloadable firmware provided by Crazy 8 for those interested in solving the badge challenge.

WEDNESDAY

Monsoon season in Las Vegas during DEF CON last week was prominent. Which meant more humidity than the previous year. Weather hardly mattered though. The hackers in attendance were too busy breaking open their DEF CON badges to notice, or care.

The wait started Wednesday night. A zigzagged line outside registration. Tents and pizza and scores of humans wanting to get their proof-of-entrance into DEF CON 26 as early as possible. I looked around for a bit but eventually called it a night.

THURSDAY

The real Linecon started on Thursday morning. Those who waited all night were first to get their hands on the human badge: a rectangular white circuitboard. They popped their 4 AA batteries in and watched a miniature world come to life. 

Inside the design was a homebrew garage, ramen shop, subway station and whole host of other little nooks and crannies. The DEFCON logo glowed green and red. Orange LED lights blasted out of windows. Two humans (again, one green one red) stood inside the little ecosphere. The badge included a D pad, two buttons, connection port and a USB port, not that it was obvious from the start.

A pair of individuals, Nolan and Hannah, were attending DEF CON for the first time (on a paid internship no less). They got their human badges and almost immediately began breaking into them.

Also hidden in Caesar's Palace was Tymkrs, a duo who (working with a third individual) put the entire badge game together.

Before noon I managed to pick up a human badge from an organizer of QUEER CON, the open space for LGBTQ hackers. The organizer also ran the DC Short Story contest, which had led to getting the badge. We met up near the Forum tower elevators at Caesar’s. I gave the human badge to Dead Dialect’s content creator, ParenthesisX, and headed to the second floor for press registration.

The press room didn’t open until four hours later. Eventually I made it in, paid my $280 (no complimentary press credentials, props to DEF CON for treating reporters the same as everyone else) and walked back into the fray.

Attendees swarmed me almost immediately.

“Is that a GREEN badge?” someone yelled. 

Hackers with human badges wanted to link up to my press badge, a green brick designed to look like a broadcast station.

My tunnel vision kept me from noticing what soon became obvious. The badges were connected to a game. A text-based adventure in “DEF CON City”.

Someone plugged my badge into a laptop via PuTTY and showed the whole 1980’s-themed text adventure. 

As Tymkrs would later tell me, the badges comprised a “web of decisions” with hexadecimal-encoded clues. Each link up created different changes with each other badge. Each choice in the text adventure game followed a similar cascading effect.

The idea was, you had to work with the eight types of attendees (Humans, Contest runners, Goons [DEF CON staff], Artists, Press, Vendors, Speakers, Call For Papers officials). The lettering DEFCON on the badge would change from red to green as you progressed. Red letters represented a choice leading to a dystopian future. Green meant you’re making pro-hacker decisions. Get all green letters and you win.

I spent the next few hours feeling a strange mixture of satisfaction and mild annoyance as people stopped me every five feet to link up. I had gone from being “press” to being a participant.

“Who do you write for?” they would ask. “Where are you coming from? Is this your first DEF CON?”

I slid my own interview questions in-between theirs. It was a two-way street.  

Of the 25,000 to 30,000 people who attended DEF CON 26, the vast majority had human badges. Goons made up the next largest group. About 200 in attendance were press, and most either locked themselves in the press room, the voting hacking village, or disappeared as soon as they got whatever story their editor sent them for.

The rest, artists, speakers, vendors and contest runners, were a strange mixture. Some were easy to find due to geography. You knew where the vendors room was after all. Others were tucked away. The Call for Papers (CFP) officials’ badges were likely the rarest, with maybe 30 in existence.

DEF CON founder Dark Tangent, AKA Jeff Moss, chose a “1983” theme for DEF CON 26, which he mixed with the idea of teamwork, an interesting concept for a group which has a large percentage of introverts.

The year before 1984. The view from dystopia’s edge. “It would be a year before full control of information, disinformation, false history narratives, your loss of personal agency and identity,” the guide book to DEF CON 26 read.

By Thursday night I began running into teams trying to finish the badge game.

“The badges this year force you to work along with one another, they force you to collaborate,” a teenage hacker told me. “This year the organizers have done an excellent job of bringing everyone together for the challenge.”

He was one of about a dozen or more people sitting outside a chillout room. The ringleader, an 18-year-old by the name of Neil, had managed to locate a few wooden pallets. He placed a soldering iron and a volt meter on them. Someone brought more batteries. Someone else brought magnets after it was discovered the subway station needed to be physically unlocked. Someone brought bags of potato chips.

Like the “stone soup” story, they had cobbled together a badge hacking village – completely by accident.

Upon locating them, I asked what all they’d figured out regarding the storyline.

“I don’t know man, whatever you publish is already going to be on Reddit,” someone said.

A late-20’s hacker turned to me.

“Hey, you have a press badge right?” they asked. “Do you mind if we . . . ”

“ROBOT SEX,” someone yelled.

We plugged the badge into their laptop.

“Good research is hard to come by, sometimes it’s good to hit the books,” he read from the built-in game. “If you’re lucky the towers work but what kind of a message are you sending?”

“Why solve the puzzle when you can just solve the problem?” Neil asked him. “Dump the firmware and replace it with ALL LIGHTS ARE GREEN.”

It was the quintessential definition of hacking: making something do what it wasn’t designed to do.

The conference always has a theme. Last year was the silver anniversary, a look back at 25 years. But this year Dark Tangent challenged attendees to understand how close things are to a techno-dystopian future, and what everyone’s role is to prevent that from happening.

DEF CON’s guide book noted that the hacker community encompasses more than those with programming or hardware hacking skills, something the badge competition was trying to emphasize.

“This year I wanted to make sure that the artists, the journalists, the folks that there aren’t as many of, that they were appreciated too,” Tymkrs later told me. “They have a job in society. Their decisions affect our decisions.”

Teamwork aside, it’s an interesting time for the Orwellian theme, given the current US presidential administration. It’s also been five years since Edward Snowden leaked classified documents from the National Security Administration, and almost 17 years since 9/11 escalated the US government’s mass surveillance programs. It seemed like the idea was either a long time coming, or well overdue.

While I watched Neil’s group try to get the badge game done, he brought up one of the problems we’re facing in this pseudo-Orwellian world: public safety and personal security, two sides of a spectrum.

“Public safety can’t exist without sacrificing personal security,” he said. “But people are for the first time saying, ‘I don’t want that.’”

It was a particular topic of interest for him. He grew up in the part of the US near where the 9/11 terrorists took flight lessons.

“It’s weird growing up in that area,” he said. “People undoubtedly interacted with them. Saw them at the grocery store. The FBI knew about those terrorists, knew about the threat before 9/11. It’s a little bit of everyone’s fault.”

After getting swarmed by people asking to link up to my press badge, I rendezvoused with ParenthesisX. We began hitting up various room parties, and managed to locate several Houston hackers hanging outside Queercon.

“Where are you guys headed?” asked djdead, one of the organizers of Houston’s local DEF CON meetup. He had finished a 2:30am-4am music set earlier in the day at Security BSides, an offshoot convention that happens between Black Hat and DEF CON.

“Queercon,” I said.

“Alright, I’m going to go eat,” he said. “Hold on - I can get you some swag.”

He handed me a handful of stickers before disappearing into an elevator.

Queercon, a U-shaped lounge halfway up the Forum towers, was also meant to encourage interaction and inclusion. Its schedule had started with an open mixer followed by the kickoff party. Talks, ranging from social media safety to diversity discourse, would begin on Friday, like most villages at the conference. Their group had their own set of badges – most groups and villages do – and as such my press badge was largely ignored.

We left around midnight, headed to the Flamingo, where (along with the LINQ hotel) DEF CON has expanded several villages, workshops and parties due to increased growth. One last hacker caught me on the way back.

“Can I take a picture of you two doing this strange ritual?” someone asked as a vendor with a purple badge linked up with mine. “I want to know what the baby is going to come out like.”

FRIDAY

The badges had very few official instructions, which led to people doing everything conceivable.

“In a puzzle where you don’t have official confirmation, it’s difficult to know what’s going on,” Nolan told me.

While I had been running between the Flamingo and Caesar’s, ParenthesisX had run into Nolan and Hannah. By Friday they had managed not only to sync up with most badges, but had gone so far as to get their hands on a few non-human ones.

Nolan, Hannah, ParenthesisX and a few others were dead-set on solving the game. Through face-to-face talks, some social media outreach and a bit of luck, they created a group of about 20 people, and named it Crazy 8s.

Crazy 8s Hacker Selfie

To Crazy 8s (arguably so) the badge game was a competition between the thousands of other attendees, meaning the usual spirit of collaboration and sharing needed to happen in-group-only, as far as the badges were concerned.

If it was a competition, it was one with very few rules, regulations or feedback.

By Friday night most everyone at DEF CON had figured out the badge’s DEF CON Jolly Roger was the D-pad, with the “26” insignia being A and B control buttons respectively. But that was about it. There was no indicator for a successful link. There was no audio to tell you if you were progressing. If you didn’t plug your badge into a terminal, you were basically messing around.

Plugged in, some game text had plain clues of what needed to be done. Others were a bit more cryptic.

Each badge also needed physical augmentations, such as the magnetic component the dovetailed badge hacking village discovered the night before. Paying a visit to the hardware hacking village was almost mandatory.

The situation was exacerbated by the fact that Caesar’s Palace hotel staff were performing “wellness checks” in rooms, confiscating items including soldering irons, another necessary component for completing the game.

But magnets and soldering weren’t the only physical augmentations needed. Sneaking, the act of connecting two chips on the board together via a wire, was also required.

Among all the real tricks were plenty of rumors, myths and red herrings, which Tymkrs told me was somewhat unexpected but humorous. The battery pack was thought to be hiding extra components underneath. Not so. But it didn’t stop people from disassembling them. Some turned to using power banks, which lowered the brightness of the badge’s LEDs somewhat (though it wasn’t a real issue). Some people assumed you had to press down on the D pad during link up. Others linked up with a “five-second rule”.

With the glut of misinformation (ironic considering DEF CON 26’s theme) combined with the constant dead-ends, Nolan’s compatriot Hannah went and tracked down the Tymkrs.

They spoke with the trio about five times by Day 2, and eventually managed to get a grasp on what was and was not working.

Crazy 8s eventually lodged themselves into a disused telephone booth hallway hidden in a second-floor corner of Caesar’s. It was right next to a central node for the Goons, who didn’t seem to mind. The group’s resident artist, Merin MC, needed to leave for her DEF CON radio set, but luckily djdead lent his badge as she departed.

Someone got in contact with Amanda Rousseau, AKA Malwareunicorn, the malware researcher for Endgame Incorporated. She lent her speaker badge and went so far as to engage in some reverse engineering for the group.

The team of hackers stayed packed in the booth for hours. Some were busy doing hardware stuff. Some were advancing through each badge’s game, hitting walls and trying creative things to get around, or through them. Others were jumping back and forth keeping everyone on the same page.

“I love this,” someone walking by said as they saw it. “This is what old-school DEF CON was about.”

It was 2 am before the group came to terms with the fact that they would have to reconvene the next day. With the exception of a HAK5 vendor, pretty much everyone could.

SATURDAY

There were a handful of groups and individuals making similar progress to Crazy 8s. One person had already gone to the hardware hacking village and flipped their badge’s 8-pin chip. Using a heat gun, they melted the solder off. Then they soldered it back on upside down. Word spread quickly.

Later on, Crazy 8s realized all the badges, not just the human badge, needed to get flipped.

It was around that time a flaw popped up.

“While we were flipping chips, in the downtime in-between, I got my Goon’s N to turn green,” Nolan said. “The creators had said during an official meeting that if you connect a Goon with a green N, your Goons wouldn’t harass you anymore. And that didn’t happen.”

The Tymkrs were brought to Crazy 8s’ phone booth headquarters on Saturday night. Whisker and Addie were the duo, with their compatriot wireengineer being the third member in the creation of the badges. 

“We had to do a little bit of forensics for the last few hours,” Addie told me. “We had to go back in to make sure it (the badge) was solvable.” 

I took the chance to pick their brains, and started by asking Addie’s thoughts on the guy running around with a wifi-enabled pith helmet who was fuzzing badges (essentially dumping code telling the badge to go crazy). By the end of DEF CON he claimed to have fuzzed over 70 badges.

The pith helmet-wearing fuzzer, known as jrwr on Twitter.

“More power to him,” Addie said. 

She gave me the crash course on what did or didn’t work when interacting with the badges. There were points which had become obvious. The green human was your avatar. The red human was a Goon. But within that were subtle intricacies. 

Addie shed some insight. The little red Goon made choices independent of you. But the little Goon could be influenced by a pro-hacker Goon badge if you linked up with one.

“Just as the choices you make affect your alignment, anyone you pair up with changes,” Addie said.

There were scores of people, for whatever reason, who chose not to interact with their badge and never changed any letter green. Linking with them was a major mistake.

“If you have other people running around with red Ns, it doesn’t matter how many you connect to,” Addie said. “They’re not pro-hacker.”

In the midst of the chaos were small episodes of goodwill however. Addie was asked for assistance by a girl whose badge lettering was basically Christmas-colored. Her group consisted of three people.

“She had a weird combination of red and green. The other two had green Ns. I said ‘You might want to still connect with these guys.’”

One person in her group decided to take the hit and link up, then re-link with the other in an attempt to get his lettering back.

“They were taking hits for each other,” Addie said. “And that’s the point.”

When I asked about the press badge and its communication tower, I got a surprise moral dilemma.

“The press badge is a bit funky. You have to do a little bad to do good,” Addie said. “I didn’t have a specific philosophy on that. But sometimes you have to do a few things that tweak the rules to get the truth out.”

Essentially some lettering was going to have to turn red, thus necessitating pro-dystopian decisions.

“We all have goals. We all have decisions to make,” Addie said. “And if that’s how truth needs to get out, f*ck the man.”

While I was busy interviewing Tymkrs and while Crazy 8s tried to finish what they started, a sandstorm blew its way in through Las Vegas.

Speaker badge was provided by @MalwareUnicorn

Malwareunicorn was caught in traffic in the storm, slowly making her way back to Caesar’s to lend her badge to the group for the second time.

While Crazy 8s waited for the speaker badge, they conversed with Tymkrs about the wall that had been hit.

“They told us ‘You were right, there was a bug in the system and we have tried to patch that,’” Nolan said. 

Tymkrs said pretty much everyone who wanted to complete the game needed to update their badge’s firmware, but at a cost: it was a hard reset.

“It would erase everything off the memory and put in new data,” Nolan added. “It was like getting a new badge.”

Just before midnight the team bit the bullet. Malwareunicorn with her Speaker and CFP badges made it in. They spent the rest of the night disassembling. But eventually people in the group had prior engagements. It was a Saturday night at DEF CON after all.

“We lost two of our eight badges,” Nolan said. “It became apparent that we didn’t have enough time to solve it legitimately.”

One person in the group asked whether winning data could be written into the badge’s hex. It would require brute forcing an Intel HEX data format.

“I decided that was currently the only way it was going to happen in time.” Nolan said. “At that point we dipped and broke off. I was up until 5 am, just brute forcing.”

It was an easy problem with a hard solution: one line of code storing all the data on the badges that needed to get reworked.

“It was less simple than that,” he said. “I was never able to get the right combination. I had around maybe 4,000 plus combinations to go through. Each one took two minutes to do.”

Tensions began running. Two people in the group argued that the firmware update from Tymkrs needed to get spread to everyone immediately. Others said that Crazy 8s needed to verify it worked first.

The back of the badges together made a picture of the program cover.

It was a question of what the goal was: being the first to solve the puzzle, or getting everyone at DEF CON on the same page. It’s a hard question to answer about a game that fostered collaboration and teamwork on individuals who were also trying to one-up each other.

Eventually a duo broke off from Crazy 8s and went to get Tymkrs’ update to another group of 30 who were working late at the Flamingo hotel.

“They didn’t really understand it was a competition,” Nolan said. He didn’t seem bothered by the move after the fact. 

With the firmware update, the badges were all indeed at square one. Nolan and the Crazy 8s started over.

“I sat down and downloaded a f***ton of software, learned how to flash the badges, and once we had all those tools I knew what I had to do,” Nolan said. “And I had to go do it.”

SUNDAY

I left the core group of Crazy 8s after trying and failing to locate Skytalks’ pool party (it had been moved well inside the Flamingo, safely away from the sandstorm). After a few hours of meaningless blackjack, I did what most everyone else had already done and passed out.

At noon Sunday several groups were in the larger chill room trying to get to the undefined finish line. No one had made it yet. I lent some electrical tape and a multi-tool to Nolan the night before and had also lent my badge off and on, but there I was one day later helping to straighten out some wires as they tried to seal the deal.

Between checking in with Crazy 8s I checked what was left of DEF CON. Most people were doing the same. As I wandered around doing last-minute interviews, people still wanted to link badges. Most of them had the gist of the game by that point. A few didn’t.

“If someone wants to do this after, they can’t sync with everyone,” Nolan said later. “But they can reprogram their chip.”

The first completed badge. 

There were already threads online with emulators and other shortcuts that would allow people to link up to a different badge after the fact.

By 4 pm the contest had “officially” ended with maybe one person who had gotten all letters green. The Tymkrs counted it, though it was a questionable work around from the original design. But isn’t that what hacking is about?  

After DEF CON closing ceremonies ParenthesisX and I rendezvoused with Nolan. We shared notes and went over what went right, and wrong.

The teamwork aspect was on point. Whether the competition mattered was up for question. There was no lifetime entry black badge waiting for anyone at the end of this particular endeavor. Still, it was a success in other ways.  

I sent a message to Malwareunicorn a day or two after the con asking her thoughts. She sent back something that pretty much encapsulated Tymkrs’ and DEF CON’s goal for the badges:

“I felt that there were many folks with different backgrounds, expertise, personalities that enjoyed solving the problem together even if they never met before,” she said. “I thoroughly enjoyed lending my time for a greater cause.”

If nothing else, strangers came together on a project, and more or less managed to work together without killing each other. People picked up new skills, maybe a few new contacts. This, in a world of Twitter drama, paranoia, “us vs. them” mentality and close-minded stubbornness.

Not bad for a group of introverts often seen by mainstream society as “stuck in their basements”.

(Story edited for punctuation, style and clarification)


If you are a badge holder here are some useful links/Downloads/information

About Intel Hex values
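
The firmware dumps discussed in the story are Intel HEX text files, in which every line is a record of the form `:LLAAAATT<data>CC` ending in a checksum, so changing stored bytes by hand also means recomputing that checksum. The sketch below is an added example, not code from the article, Tymkrs or Crazy 8s; the sample records are generic constructed ones (not badge firmware) and the function names are this example's own.

```python
"""Intel HEX records: parse, verify the checksum, patch data bytes."""

# Constructed sample records (generic Intel HEX, NOT taken from the badge).
SAMPLE_DATA = ":10010000214601360121470136007EFE09D2190140"
SAMPLE_EOF = ":00000001FF"


def checksum(body: bytes) -> int:
    """Two's complement of the low byte of the sum of all record bytes."""
    return (-sum(body)) & 0xFF


def parse_record(line: str) -> dict:
    """Parse one ':LLAAAATT<data>CC' record; reject bad length or checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    try:
        raw = bytes.fromhex(line[1:])
    except ValueError as exc:
        raise ValueError("record is not valid hex") from exc
    if len(raw) < 5:
        raise ValueError("record too short")
    count, body, stored = raw[0], raw[:-1], raw[-1]
    if len(raw) != count + 5:
        raise ValueError("byte count does not match record length")
    if checksum(body) != stored:
        raise ValueError(
            f"bad checksum: stored {stored:02X}, expected {checksum(body):02X}"
        )
    return {
        "count": count,
        "address": int.from_bytes(raw[1:3], "big"),  # 16-bit load offset
        "type": raw[3],                              # 00 = data, 01 = EOF
        "data": raw[4:-1],
    }


def build_record(address: int, rtype: int, data: bytes) -> str:
    """Serialise a record and append a freshly computed checksum."""
    body = bytes([len(data)]) + address.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([checksum(body)])).hex().upper()


def patch_record(line: str, offset: int, new_bytes: bytes) -> str:
    """Overwrite data bytes at `offset` and return a record that still verifies."""
    rec = parse_record(line)
    data = bytearray(rec["data"])
    if offset < 0 or offset + len(new_bytes) > len(data):
        raise ValueError("patch falls outside the record's data field")
    data[offset:offset + len(new_bytes)] = new_bytes
    return build_record(rec["address"], rec["type"], bytes(data))


if __name__ == "__main__":
    print(parse_record(SAMPLE_DATA))
    print(parse_record(SAMPLE_EOF))
    # Editing the text directly leaves the old checksum in place and fails:
    naive = SAMPLE_DATA[:9] + "FF" + SAMPLE_DATA[11:]
    try:
        parse_record(naive)
    except ValueError as err:
        print("naive edit rejected:", err)
    # Patching through the helper recomputes the trailing checksum byte:
    print(patch_record(SAMPLE_DATA, 0, b"\xff"))
```
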

Flashing Firmware tools

  • Mplab IDE (used for stripping hex firmware from badge)
    • Device used was PIC32MM0256GPM048
  • Mplab IPE (better for writing data onto badge)

Websites

Attached:

"Technically the makers told us that they were going to review all the software and release a full fix. But that hasn't happened yet. I'm not sure how possible solving the badge as the creators intended at this moment in time is due to the fact that there could be additional bugs." -Crazy8

nodyaH has been reporting in Houston since Hurricane Ike. When not conducting journalism, he can be found in dive bars scribbling on cocktail napkins. nodyaH focuses on underground culture.
