Hello everybody.
Paul Ducklin here from Sophos, and here's how to solve
the Skyfall James Bond themed #sophospuzzle.
We started out with a simple URL clue.
And we gave you a hint on Twitter - fifteen dice.
Now dice and security together suggest the Diceware Project,
and that takes you to a handy list of numeric codes.
When you look up the numbers you get "OUR SITE NAME",
and when you look up the words in the other direction,
you get a string of fifteen digits.
And that's the URL that takes you to the next stage:
a code based on playing cards.
We've got two packs, four suits; each card stands for a letter
and the cards are all jumbled up.
So really this is just an anagram, and the answer is a name.
We did give a hint, and that was, "Dead French cryptographer."
We'll arrange the cards in order, just for neatness.
And now we have to guess which half of the alphabet
goes with which suits of the pack.
Now there are six combinations, like so. And that gives six possible sets of letters
to work with.
And it turns out that this joker is actually very handy.
You only need it if you've already used up
all four cards for one particular letter.
So it has to be one of these two combinations.
To be honest, a French name with five Rs, two Vs, a Q and no U sounds
pretty unlikely.
So this is going to be the set of letters.
And the name has already appeared in a #sophospuzzle video.
Here he is:
Blaise de Vigenere.
Right. Here's the hard part. Decrypt a stolen file,
discard all the bogus data in it, use what's left to identify a famous person,
find out where he was incarcerated and escaped, and geolocate the prison. Mr Bond.
So let's get started.
Blaise de Vigenere was a hint, so now we're looking
at a polyalphabetic cipher with a repeating key.
Focusing on the first line, we know that it starts with a Wi-Fi MAC address,
so let's guess it looks like this.
If we're right about the colons, we can already guess at five bytes of the
key, plus the comma separator we assume comes next:
What we've got here is not much use on its own,
but let's see if it helps us take a guess at the key,
which has come out as all letters so far.
The word "Sophos" would fit, wouldn't it?
Actually, that looks plausible because only hexadecimal digits came out in
the MAC address.
So the next step is: let's see if we can get the key to repeat.
And the closest possible repeat point is thirteen characters ahead...
So let's replicate all the possible keybytes every thirteen characters.
And, you know what: we're looking good.
We've ended up with NET in the network name;
we've got legit-looking characters in the timestamp;
the lat/long looks OK.
And, let's face it: the network name is bound to be "NETGEAR".
Which, by the way, is the second most common network name of
all, after "linksys".
And that gives us three more keybytes, for the E, and the A, in "NETGEAR",
and the comma which comes after it.
And that's pretty much that. All we're missing is a "B."
BuySophosUTM! (Crassly commercial, isn't it?)
So. Let's decrypt the whole file.
And our next task is: find the one, true, legitimate entry in there.
And that means we've got to find something that's wrong
with every other line in the file.
Well, the dates look OK - we haven't got any 32nds of March;
the lat/longs all look alright, and if you check them they're all over land.
The network names look legit.
But the MAC addresses are all wrong!
The bottom bit of the first byte of a MAC address
should always be zero.
That's because, if the bottom bit is set, it means we're looking at a broadcast address,
and not an access point.
So there is one and only one legal MAC address in the whole lot.
And there it is. (It's one of Sophos's, actually.)
"Romeo y Julieta" means we've got a lover of Cuban cigars,
and we're getting sent to 51.8 North, 1.3 degrees West.
And that turns out to be Bladon, Oxfordshire. St Martin's Church.
In the graveyard.
The burial place of Sir Winston Churchill.
He was in Africa, in 1899, during the Boer War.
He was captured, he did escape, and he was imprisoned in this building:
the Staats Model School in Pretoria.
And that building is still there today. You can even see
the kink in the dual carriageway they put in
so they didn't have to knock the building down
when the road got doubled.
And the address is: the corner of Nana Sita and Lilian Ngoyi Streets.
And that, my friends, is the answer I required.
27 of you got there in time. The first ten won Naked Security T-shirts
and two randomly-chosen finishers have got their hands on NERF guns.
Those winners are: Jorrit from The Netherlands
and Alexander from Sweden.
Nicely done!
I hope you all had fun.
Please watch out for the next #sophospuzzle, and until next time, BuySophosUTM!
[Computer voice] Ho, ho, ho. Humans are so funny.
He meant, "Until next time, stay secure."