Meghan Trainor’s voice on the other end of the line was the first sign of real progress.
Matt Johansen, the winner of this year’s annual Verizon Data Breach Investigations Report (DBIR) Cover Challenge, nervously dialed the 800 number, hoping he wasn’t waking up an innocent bystander. He had pieced together the phone number from a puzzle he printed and cut into pieces and assembled on his kitchen counter.
“I called at 11 pm, hoping I got it right. Then I heard the voicemail [greeting] with Meghan Trainor singing that ‘All About That Bass’ song,” he says. “I had spent how many hours [on the puzzle] and now I was listening to that song.”
The song confirmed the key code he had needed to solve this puzzle, one of four required for the contest: “allaboutthebase,” a reference to the base rate in statistics parlance.
“I was getting a good laugh at how far I was going, my wife and I standing in the kitchen and messing with pieces of paper cut out, and rotating [the pieces] in different positions to try to figure out the puzzle,” says Johansen, who also drew from a couple of hints provided on the puzzler website.
That was just about the time that Verizon’s cover contest -- a combination puzzle, cipher, and virtual scavenger hunt -- got a lot harder to solve. Johansen, who is director of security for Honest Dollar, says he got his first two clues off the DBIR cover, which wasn’t too difficult to decode. “A lot of the early ones were less technical, to get the ball rolling,” he notes. He also gobbled up veiled hints that the Verizon team occasionally tweeted to contestants.
Each year, there are stories of fits and starts with the puzzler, when contestants spend hours or days pursuing a clue that is actually a dead end. Or, like Johansen, they inadvertently waste time by pursuing too many flags: he at first tried to solve all nine puzzles in the game when in fact only four needed to be solved. (A delicate hint via Twitter from the Verizon team got him back on track.) Verizon had also placed a red herring on the cover -- a set of phony Roman numerals under the pyramid image that, when decoded, basically told the contestant to “go play golf.”
“It was a red herring for them ... we figured it would be the first place people would go,” says Gabe Bassett, senior information security data scientist, Verizon Enterprise Solutions, a member of the team of 10 puzzle-masters made up of Verizon employees and the two previous puzzle winners, Alex Pinto and David Schuetz.
But a Morse code puzzle on the cover page led Johansen to embedded text on the back page of the report. By putting together extra characters from text on the back page, contestants were led to a “pathogen page” and then ultimately to the puzzler website, a fictional site called “Global Cyber CDC,” where people “report” so-called “cyber-pathogens” to the satiric Center for Disease Control. The tongue-in-cheek site explains:
WELCOME TO THE GLOBAL CYBER CENTERS
FOR DISEASE CONTROL. TO REPORT AN EMERGING CYBER
PATHOGEN, PLEASE ENTER IT'S CORE AI HERE
THE GLOBAL CYBER CDC WORKS 25/6 TO PROTECT
THE WORLD FROM HEALTH, SAFETY AND SECURITY
THREATS, BOTH INTERPLANETARY AND ON THE EARTH.
There’s also a list of nine “retired cyber pathologists,” which represent the nine core puzzles, including personas such as Colonel Henry J. Haberdasher, Dr. Rob Bootis, Sir Baskart William, and Dr. Pedro Tipton.
‘Cyber Pathology’ For The Win
Verizon’s Bassett says the idea for “cyberpathology” came from a friend’s LinkedIn profile. “One of our friends had ‘cyber pathologist’ on his LinkedIn ... So we wondered what would happen if cyber pathologists” were real, and what their story would be, he says.
“So we incorporated other data science people we knew and gave them all roles as cyber pathologists,” he says. The goal was to provide various non-linear paths to solve each step of the puzzle, and to keep it accessible to non-cipher experts as well: one of the first steps is a crossword puzzle, a relatively simple one to solve, he says. There was also a complex dataset puzzle that no one was able to crack.
“We had all different types of puzzles so no single skillset had an advantage,” he says.
“You needed at least four pathologists’” steps completed in order to get to the final solution, he says, and the goal was to make it solvable in about three days.
Verizon also had to ensure the contest wasn’t easily hackable.
Bassett says the puzzler team built the infrastructure with that in mind. “The ‘CDC’ was a static webpage ... and is written in Python and Pelican and saved to Amazon S3 so no dynamic stuff [can occur] and so hackers couldn’t attack and dump the database or anything,” he says. “The .ai site where we got feedback [from contestants] was a bit different in that it had to be dynamic ... Ultimately, if you knew the location of certain files, you could download them, but we monitored” the traffic, he says. That site ran on Heroku’s cloud-based platform.
“If you can beat a puzzle a different way and not be caught, you deserve props for your ingenuity.”
Johansen, who worked on the puzzle after-hours, finished it in about 6 ½ days and won a telescope for his first-place prize. Among other flags, he also cracked a haiku challenge. “I’d never done poem code before,” he says. “I spent an embarrassing amount of time” cracking it. “That was my favorite one.”
The puzzler isn’t for the faint of heart, nor the impatient. In one breath, the finalists were lauding it for the twists and turns and challenges—punctuated by the thrill of getting to the next flag. In the next, they were lamenting the fact that it’s not your father’s crossword puzzle: “It was a giant pain in the ass,” quips Bryan Schuetz, who took home the second-place prize, and blogged about how he cracked the puzzler.
Matthew Keyser, who came in third, also blogged about his experience.