January 18, 2022 |
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:All Posts by Malicious Life Podcast
It is January 5th 2013.
Around the world, hundreds – maybe thousands of 4Chan users are sitting in front of their computers, waiting for a puzzle. They know it’s coming – or at least they think they know it’s coming – because a similar puzzle was waiting for them at the same 4Chan board exactly one year ago, on January 5th 2012. And then, a message appears…but it’s not the message they were expecting. In fact, it’s a warning.
“I was part of what you call 3301/Cicada for more than a decade, and I’m here to warn you: stay away. This is a dangerous organization. While I agree with many of the goals, their ways are nefarious. In fact, I think it is like a left-hand path religion disguised as a progressive scientific organization. I realize this is a strong statement, but I will provide important evidence to support these claims…”
The author of that mysterious post never made good on their promise, and did not provide the “important evidence” they said they would. Yet the question remains: who or what are Cicada 3301?
Hi, and welcome to Malicious Life. I’m Ran Levi.
It is January 5th, 2012. 15 year old computer wiz Marcus Wanner from Copper Hill, Virginia, is browsing the internet for something to do. He’s bored: his parents are devout Catholics, and are trying their best to keep their son away from any trouble. Marcus is homeschooled, and so has very few real friends. His main activities are Church, piano lessons, the boy scouts and the family computer which is located in the living room, under his parents’ watchful eyes.
But try as they may, they can’t really monitor his computer activities: his parents’ technical skills are no match for Macus’s curiosity. Wanner wound up on 4Chan, the internet’s cesspool – and it is there that he stumbled upon a message board with a lively discussion. The citizens for 4Chan were trying to determine whether the following message, posted as an image of white text on a black background, is for real:
We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it and it will lead you on the road to finding us. We look forward to meeting the few who will make it all the way through.
It was signed 3301.
Having nothing better to do and feeling as adventurous as only a homeschooled teenager could be, Wanner decides to take a gander. He and several other internet sleuths dig around, and discovered that hiding clues and messages in an image’s data file is a common encryption practice. So they opened the file in a text editing software, and a readable text appeared: TIBERIVS CLAVDIVS CAESAR says followed by a string of seemingly random characters.
They soon find out that this is a Caesar Cipher, a well-known letter substitution encryption technique. They cracked the code, and the random string of characters was transformed into a URL which led to another image – now known as the “Dead-End Duck.” It’s an image of a brown feathered yellow headed duck, with the text:
“WOOPS. Just decoys this way. Looks like you can’t guess how to get the message out. “
This was a clue to use OutGuess, a free steganographic software. Stenography, from the Greek word steganos – to conceal – is a technique for hiding data in pre-existing media, usually image files.
Using the OutGuess software they were able to extract hidden information embedded within the first image: a URL pointing to a reddit post containing 75 pairs of seemingly random numbers, and two more images. Running these new images through OutGuess produced the following message:
“From here on out, we will cryptographically sign all messages with this key. […] Patience is a virtue. The key has always been right in front of your eyes. This isn’t the quest for the Holy Grail. Stop making it more difficult than it is. “
The key the message refers to is a PGP signature. PGP stands for Pretty Good Privacy: it is a free encryption program that encrypts digital messages from sender to receiver with the addition of a unique digital signature, like a fingerprint.
The message also included a string of odd letters and numbers which turned out to be Mayan numerals. This was getting complicated… At first, most solvers worked on the puzzles independently – but Wanner eventually realized that he’ll have a better chance of overcoming Cicada’s challenge – by collaborating with like minded people. And so, he and a few others set up their own communication channel in IRC, calling themselves #decipher.
When Marcus Wanner and his internet pals converted these numerals to English characters, they turned out to be first letters from the Legends of King Arthur, a book published in 1858. This was yet another cryptographic technique: a “Code Book”, where the words and letters in an encrypted message are to be replaced with words or letters from an agreed upon body of text.
It turns out that whoever was behind 3301 wanted the solvers to call a phone number:
“Call us at us telephone numBer two one four three nine oh nine six oh eight.”
The 214-area code is in Dallas, Texas. The phone number itself has since been deactivated – but here is the recorded message:
“Very good. You have done well. There are three prime numbers associated with the original final.jpg image. 3301 is one of them. You will have to find the other two. Multiply all three of these numbers together and add a .com to find the next step. Good luck. Goodbye.”
Final.jpg was the original image that started the hunt on 4Chan, and the two missing prime numbers – it turned out – were its dimensions. The multiplication of these numbers led to the desired URL, and the arrival of the first internet detective at the website started a countdown clock to Monday, January 9th, 2012 at 5 pm.
Wanner, like everyone else who was trying to solve the 3301 challenge, waited eagerly for the countdown to end, refreshing the page as the minutes crept closer to 5 pm. When the finlay clock struck zero, a black and white image of a cicada appeared: a type of winged insect that gave 3301 its moniker – ‘Cicada 3301’. When the image was processed by OutGuess, it produced 14 geographical coordinates of location spread all over the world, from Tokyo to Warsaw.
This posed a new challenge for Marcus Wanner: Being a 15 year old teenager in rural Virginia, with no car privileges – he and his team had to get creative in their global pursuit, such as sending a relative on a retrieval quest. Other competing teams paid curriers to photograph the given locations.
What they found there were flyers taped to various poles and other such objects, bearing the now familiar image of a black and white Cicada – and QR codes. Scanning the QR codes led them to two more hidden messages. The first one was actually a warning.
“You’ve shared too much to this point. We want the best, not the followers. Thus, the first few there (meaning the end of the puzzle) will receive the prize.”
It seems that Cicada was aware of the joint efforts by Wanner’s group and others, and wasn’t too happy about it. Yet despite the warning – the collaboration continues. Competition among the solvers was fierce, and some groups even conspired to send false clues and messages to sidetrack other sleuths.
The other message retrieved from the QR codes led to Encyclopedia Britannica’s Volume 6, to The Legends of King Arthur – and from there to a poem named Agrippa by William Gibson. Agrippa led to a dark web address – ending in a .onion suffix. There, the solvers were asked to create a new email address for themselves and await further instructions.
A few weeks went by, and at last – an acceptance email dropped in the inboxes of all of those that made it so far.
“Congratulations. Your testing has finally come to an end. We hope you have enjoyed the “vacation” over the last few weeks. You will be very busy now should you choose to join us. […]
You have all wondered who we are, and so we shall now tell you: We are an international group. We have no name. We have no symbol. […] We are a group of individuals who have proven ourselves, much like you have by completing this recruitment contest. And we are drawn together by common beliefs. A careful reading of the texts used in the contest would have revealed some of these beliefs: that tyranny and oppression of any kind must end; that censorship is wrong; and that privacy is an inalienable right.
We are not a “hacker” group. Nor are we a “warez” group. We do not engage in illegal activity, nor do our members. If you are engaged in illegal activity, we ask that you cease any and all illegal activities or decline membership at this time. We will not ask questions if you decline; however, if you lie to us we will find out.
You are undoubtedly wondering what it is that we do. We are much like a “Think Tank” in that our primary focus is on researching and developing techniques to aid the ideas we advocate: liberty, privacy, security.”
At the bottom of the email was a short questionnaire: Do you believe that every human being has a right to privacy and anonymity? Do you believe that information should be free? And, Do you believe that censorship harms humanity? Wanner says he answered all of these questions with a resounding Yes. In a YouTube video created by one of his teammates, he tells what happened next.
“The goal of the puzzles at least seemed to be to join 3301 when you won, but instead, the winners were mostly put in touch with each other and tasked to work on cryptographic [software] together.”
That software was named CAKES: Cicada Anonymous Key Escrow System. Its function was to trigger the automatic publication of sensitive data online if a whistle-blower, like Edward Snoden, was murdered or incarcerated.
Ciphers, decoys, steganographic messages hidden in images and Mayan numerals… It was obvious that 3301 was determined to make the lives of those who wished to solve the puzzle as difficult as possible. After all, as 3301 stated – it was a test whose purpose was to help 3301 find highly intelligent individuals, in order to offer them some kind of a job.
3301 were not the first to use puzzles as a way to attract and test possible candidates. In 1942, the Government Code and Cypher School – better known as ‘Bletchley Park’, the UK’s principal code-breaking center during WWII – realized that they needed fresh minds to fight the war against German ciphers. They devised a contest: a cryptic crossword puzzle, published by the The Daily Telegraph, whose solvers were approached by the government to help with the war efforts. The logic behind this idea was that by solving the puzzle, the potential candidates demonstrate lateral thinking and an indirect and creative approach to solving problems – essential traits in successful code breakers. The NSA, FBI and the UK’s GCHQ also uses puzzles in its screening process for new employees.
It’s likely that 3301 was also looking for creative, curious people who were also technologically proficient. But the real question is – does it work? Do puzzles and riddles really help organizations recruit the best employees?
Well, It’s a tricky question. Whereas in the case of Bletchley Park’s cryptic crossword puzzle it surely did – we must also remember that this happened in a time when people were motivated by strong feelings of vocation and patriotism. Which leads us to the crux of the story, which is Employee Retention. While recruiting people through games and puzzles brings a company the most competitive and passionate people – and some good publicity, probably – it cannot measure social, psychological and emotional suitability for a job. In other words, having lateral thinking does not guarantee that the potential candidate will be a good fit for the organization in the long run.
Wanner and his fellow solvers were definitely highly motivated. In a Rolling Stone interview from 2015, Wanner attests that he was so invested in solving the 3301 mystery that he became obsessed with it:
Yet, as it turned out, that motivation was only temporary. As the work on CAKES went on and on, the magic started to wear off. After a few months, as the novelty of being part of Cicada became less and less alluring, Wanner’s teammates started to realize that internet mystery aside – they were basically unpaid developers. So as time went by, the people in Wanner’s cell started dropping off.
Wanner himself, being homeschooled and having lots of free time on his hands, kept working…until one day, he was the only one left. He continued to work on the software alone, until one day he discovered that the darknet site they were all working on went offline. That’s when he realized he was basically fired.
A year had passed since Cicada’s first message appeared on 4chan: a full year in which numerous people – most of them very internet-savvy, motivated and curious – tried to find any information they could about Cicada. Yet for all their searching, Cicada’s identity remained a mystery.
There were speculations that the puzzles were a part of a publicity stunt for a video game: Microsoft did something similar for Halo 2 some years prior. Some people thought it was an NSA or GCHQ recruiting scheme – but in most cases, the recruiting agency does not hide it’s identity from the solvers, and in any case why would the world’s top spy agencies search for would be spies amongst the ranks of 4Chan’s bored youths? There was also the thought that it’s just a run of the mill tech job advertisement. But of all the theories that have been formulated over the years, the most convincing one is this.
In the early 90s, when the commercial internet was just starting to take off in the United States, staff members from the Computer Science Department at the University of California, Berkeley, became concerned about the potential threats to privacy, anonymity and freedom of speech posed to individuals by governments, via the internet – threats that seem obvious for us today, but were almost never discussed 30 years ago.
For that goal, three men – Eric Hughes, a mathematician and computer programmer, Timothy C. May, a scientist, writer and electronics engineer and John Gilmore, a tech entrepreneur and a social activist – founded a small group that met once a month in the San Francisco Bay Area. They called themselves Cypherpunks.
In a Manifesto written by Eric Huges in 1993, the group declared that –
“We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.”
The Cypherpunks started an encrypted mailing list that, at its peak, had 2000 subscribers. Note that this mailing list is not the same as the e-mail based mailing lists we’re used to today: a mailing list back then was more of a discussion board, where participants posted messages and held enthusiastic conversations about varying topics ranging from cryptography, computer science and politics to government monitoring and philosophy. Among those participants were some of the most influential people in the Internet’s history, such as Marc Andreessen, co-founder of Netscape, Julian Assange of WikiLeaks, Bruce Schneier – the well known security author, and even Bram Choen, the inventor of Bittorrent.
The Cypherpunks mailing list was a place where people could share their thoughts and ideas – but the Cypherpunk movement was more than just about talking. As Huges stated in his manifesto: “Cypherpunks write code”. That is, in order for ideas to have substantial impact on the real world – they should be implemented in software. And indeed, the Cypherpunks were involved in creating many important software tools, such as PGP, TOR, Stenography software and more.
Which brings us to the possible connections between the Cypherpunks and Cicada 3301. It’s almost obvious that Cicada, whoever they are, shared the ideals and goals of the Cypherpunk movement, as stated in their Manifesto – including, as evident by the work they were doing on CAKES, the necessity of implementing these ideas in software. Note that Cicada was also using some of the very same tools developed and used by the Cypherpunks, such as PGP and TOR.
But the most crucial and important bit of information tieing the Cypherpunks to 3301 was their mailing list address: @cicada.berkeley.edu
The Cypherpunks mailing list is now defunct: as the use of the internet spread, digital activists found new ways to communicate and spread ideas, and the concept of the mailing list became less popular. Yet the people who were part of that movement are still with us – and many of them probably still hold the same views they held back then.
Can we be sure that a member or some members of the Cypherpunks movement are behind Cicada 3301? Of course not. It’s just as likely that whoever is behind Cicada used that name as a sort of a tribute to these early pioneers of privacy and cryptography, or simply as a false clue – to mislead anyone looking for his or her true identity. Still, of all the various theories about Cicada’s real identity – this one holds the most weight.
It is now, January 5th 2013 – a full year after the first Cicada message popped up. 4Chan’s users, undeterred by the mysterious warning accusing Cicada of being a dangerous cult – are waiting, hoping that a new puzzle will be posted.
They were not disappointed.
“Hello again. Our search for intelligent individuals now continues.
The first clue is hidden within this image. Find it and it will lead you on the road to finding us. We look forward to meeting the few that will make it all the way through.”
The 2nd iteration of the Cicada contest was roughly similar to the first one, just with different puzzles and different code books. There’s no real point to delving into the details: if you’re interested, there are plenty of websites that keep detailed descriptions of all the riddles. There were images to be processed with OutGuess, a book from 1904, metadata hidden inside an mp3 audio file, a mysterious twitter user who twitted random-looking bytes of hex code, and more.
Apparently, someone did manage to crack the puzzles, because about a month after the 2nd contest began, a new email landed in the finalists’ mailboxes, congratulating this year’s winners. This time, however, we don’t know who it was that managed to crack the Cicada code, because nobody leaked anything from the newly recruited Cicada 3301 cells. It could be a result of the mysterious warning on IRC, or even Cicada’s own warning – ‘if you lie to us we will find out’ – that scared any potential leakers. Some solvers became paranoid, afraid that Cicada will try to assassinate them if they reveal too much sensitive information. In fact, Marcus Wanner is one of the relatively very few people who were willing to speak with journalists about Cicada – and the only one, amongst those who solved the puzzle – who was willing to reveal his true identity. Most of the others insisted on using handles and keeping their geographical location a secret.
The 3rd Cicada contest began at almost the same date as the earlier two: January 6th 2014. It started, as usual, with an image – this time posted on Twitter – bearing the message:
“Epiphany is upon you. Your pilgrimage has begun. Enlightenment awaits.”
From there came, also as usual, the convoluted stream of clues and puzzles: a dark web website, a painting by Goya, an image of the Russian mystic Rasputin, a segment of Bach’s Trio Sonata in G Major, a painting of an eye by M.C. Escher and more.
But this time around, there was also something different. At some point, the solvers discovered 3 images, which were apparently the first few pages of a book named ‘Libre Primus’ – literally ‘First Book’. What’s unique about this book is that it is not an existing work – but apparently, a book written by Cicada themselves. It’s also written in Runes, like some of Cicada’s previous puzzles.
When the first page was deciphered, its content was revealed to be this cryptic message:
BELIEVE NOTHING FROM THIS BOOK
EXCEPT WHAT YOU KNOW TO BE TRUE
TEST THE KNOWLEDGE
FIND YOUR TRUTH
EXPERIENCE YOUR DEATH
DO NOT EDIT OR CHANGE THIS BOOK
OR THE MESSAGE CONTAINED WITHIN
EITHER THE WORDS OR THEIR NUMBERS
FOR ALL IS SACRED.”
The three images led to several more puzzles, and those who solved the puzzles received 58 image files, which together make up the rest of Libre Primus.
…And it was this, the final piece of the puzzle, that turned out to be the most difficult to crack – because unlike all the other puzzles, it was never solved to this day. As of today, only two pages of The Libre Primus have been definitively deciphered: Page 56 sends the solver to a dark web website which has never been found, and Page 57 contains yet another cryptic and seemingly nonsensical message. And that’s it.
And that is a shame, because it seems that Cicada 3301 – whoever they may be – are very keen on that particular puzzle. On May 2nd 2014, five months are the 3rd puzzle was released, Cicada got impatient with the Libre Primus decryption stalemate and sent a new message, perhaps as a form of encouragement:
“Hello. Your enlightenment awaits you. We look forward to hearing from you.”
And although many curious people eagerly waited until January 5th, 2015 – no new puzzle was released.
In July of 2015, Cicada broke its silence. A group of cyber-vigilantes attacked Planned Parenthood – a nonprofit organization dedicated to sex education – and claimed they were Cicada 3301. The real Cicada sent out a message, saying that it was in no way connected to the attack. This was later confirmed by the authorities who investigated the attack on Planned Parenthood.
The last that was heard from Cicada 3301 was in January 2016:
“The path lies empty; epiphany seeks the devoted. Liber Primus is the way. Its words are the map, their meaning is the road, and their numbers are the direction. Seek and you will be found. Beware false paths.”
Cicada remains silent to this day, its mystery unsolved. We may never know if it’s indeed a secret society of geniuses trying to protect privacy and abolish censorship – or maybe a 4chan troll, giggling at us from the “headquarters” of his mother’s basement…that’s just the nature of the internet, I guess.
But even if Cicada will never reach its utopian goals – or even if it never existed, and this all was just one big joke – it still made a difference, at least for some of the people who took part in the Great Hunt.
For Marcus Wanner, it was an opportunity to step out of his parents’ protective shell, and make a name for himself. As the unofficial “face” of the Cicada Mystery, he is often interviewed by mainstream media outlets, and became somewhat of a celebrity. After getting a degree in Computer Science, he now does network security and is still involved in the Cicada community.
For others, solving the Cicada puzzles was gratifying – but not due to the puzzles themselves, but as a way to meet new people and make new friends. As one member of Wanner’s Cicada Cell aptly puts it:
“I found the solving community at a time where I was very alone. If I didn’t have these people in my life, I would probably have been alone for a lot longer than I would want to be alone. When I found these people, it was like a whole new world of friendship had opened for me. They mean a lot to me, because we can relate to each other on a very intuitive level that I don’t think is very common. I found a really supportive community of friends, and I think I’m happy with that result. Even if we never solve the runes.”
So, who knows – maybe Cicada 3301 was just one big “Tinder” scheme for puzzle nerds?… your guess is as good as mine.