When you think of alternate reality games (ARGs), things such as Ingress or Pokémon GO probably come to mind. When thinking about ways to learn encryption or navigate the Tor network, you most likely wouldn’t think to start by browsing 4chan’s /x/ (paranormal) board. Yet on January 5, 2012, many people found themselves intrigued and began their journey to greater security knowledge, and perhaps to “enlightenment” (as a later puzzle states).
An alternate reality game uses digital and physical media on top of a real-world base to continually test players and often encourages them to work together to solve and shape the game. When an image containing the following text appeared on 4chan’s /x/ board exactly five years ago today, it was widely noticed:
There is a message hidden in this image.
Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through.
Some speculated that it was a Central Intelligence Agency (CIA) or National Security Agency (NSA) recruitment program, while others assumed it was an alternate reality game. Whether it is one, both, or something else entirely remains unknown to nearly everyone involved in solving the puzzles, as those who have been contacted by Cicada are not vocal about it online. The mysterious post grabbed the attention of many security enthusiasts, ARG lovers, and everyone in between. Soon enough there was a community around solving Cicada 3301’s puzzles that stretched across Reddit, IRC, Wikia, and more.
The original image’s clue was found by opening it in a text editor and discovering a Caesar cipher at the end (denoted by “CAESAR says”). When decrypted, it turned out to be a URL pointing to an image of a wooden duck with the following text:
just decoys this way
Looks like you can’t guess how to get the message out.
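The first clue described above (text appended after the image data, then Caesar-shifted) can be recovered programmatically. The following is an added example, not code from the original post or from Cicada; the sample bytes, the example.org URL, the shift of 7, and the function names are all constructed for illustration.

```python
import string

EOI = b"\xff\xd9"  # JPEG end-of-image marker; image viewers stop reading here

def trailing_data(jpeg: bytes) -> bytes:
    """Return the bytes stored after the last EOI marker.

    Heuristic: assumes the appended data itself does not contain FF D9,
    which holds for plain ASCII text like the clue described above.
    """
    end = jpeg.rfind(EOI)
    if end == -1:
        raise ValueError("no JPEG end-of-image marker found")
    return jpeg[end + len(EOI):]

def caesar(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; leave everything else alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def crack(ciphertext: str, crib: str = "http") -> list[tuple[int, str]]:
    """Try all 25 shifts and keep the candidates that contain the crib."""
    hits = []
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        if crib in candidate.lower():
            hits.append((shift, candidate))
    return hits

# Constructed sample: a stub "JPEG" (SOI, filler, EOI) with a shifted URL appended.
# The URL and the shift of 7 are made up for this example.
SAMPLE = (b"\xff\xd8" + b"\x00" * 16 + EOI
          + b'CAESAR says "' + caesar("https://example.org/duck.jpg", 7).encode() + b'"\n')

if __name__ == "__main__":
    tail = trailing_data(SAMPLE).decode("ascii", errors="replace")
    print("appended text:", tail.strip())
    for shift, plain in crack(tail):
        print(f"shift {shift}: {plain.strip()}")
```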
While starkly different in appearance and prose style from the first image provided by 3301, it did contain another clue. Solvers pieced together that they were being told to use the program OutGuess — a steganographic tool used to insert hidden information in the redundant bits of data sources. OutGuess supports PPM, PNM, and JPEG image formats and uses the following syntax to retrieve data from an OutGuess’d image:
outguess -r outguessedimage.jpg hiddenmessage.txt
If you were looking to hide data within an image, you would use something like this:
outguess -d messagetohide.txt originalimage.jpg outguessedimage.jpg
After using OutGuess against the “WOOPS” image, players exposed a message referencing a “book code” that included a link to a subreddit. Numerous text posts could (and can) be found on the subreddit, but only a couple of images were present, “Welcome” and “Problems?”, both containing a concealed OutGuess note signed with PGP (Pretty Good Privacy). The OutGuess’d message in “Welcome” explained that all messages would be signed with the key used, which could be found on MIT’s PGP key servers. PGP allows users to encrypt and decrypt data so it can be transmitted privately and with assurance that the sender is who they say they are.
Although getting the message “how do I PGP?” again and again from people new to encryption may seem like a huge annoyance, Cicada’s solvers are often quick to point newbies in the right direction (perhaps after poking a little fun at them). For those who do not have Linux as their operating system, the tools often used are GPG4Win and GPG Tools. When a new clue is discovered it is, of course, put under mass scrutiny, and the largest red flag is a clue that is not signed with Cicada’s provided key. As in real life outside of ARGs, you should not trust something you receive from a person if you cannot confirm their identity. (We’ll dive into how to encrypt messages with PGP in a later blog post within this series.)
At the time of writing, there are many seasoned and new solvers seeking clues for the supposed 2017 puzzle, as it is speculated that Cicada will make another announcement on the same date as they did in the original 2012 game. While only fake posts have appeared so far (as revealed by the lack of PGP signatures), there is a varying level of excitement among players as previous years’ puzzles remain unsolved.
In the next installment in this series, we’ll dive deeper into Cicada and explain how it got people out of their homes and searching for answers in real life.