During the 2012 puzzle, 3301 offered a second chance for those who did not manage submit an email to the Onion site.
The puzzle authors announced it in a PGP-signed message:
There is a second chance to get your own RSA message and key. Follow the "Numbers dot TK" hint to find it.
To know more about the discovery of the second chance, read this page. 3301 reportedly closed the first submission onion the second day it was up as it became widely known on 4chan's /b/ board, causing the form to be flooded with submissions. Later, the second chance was organized with new puzzles[1].
The whitespace message[]
On January 12th, 845145127.com's content changed from coordinates to whitespace: archive
<html><head><title>845145127</title></head><body><pre> </pre></body></html>
which when interpreting this as tabs/spaces for binary yielded a PGP-verified message:
The numbers were found to correspond to image URLs on the website (http://845145127.com/<number>.jpg), which when OutGuessed, would provide the same messages as the QR codes gained previously from real-world coordinates. This list include the previous known URLs obtained through QR codes.
Numbers dot TK[]
Some time after emails were sent out to participants who put in their emails on the first Onion, a user posted the domain 1853143003544.tk in a chat room on n0v4, although there is no direct indication this website was created by 3301.
This URL was the sum of the largest picture name for each bookcode:
29-vol: 162667212858, 316744223127, 414974253863, 427566844663, 598852142735, 889296759263 fading death: 644169769482, 876873892385, 935691396441, 963846244281
The TXT record for the website said “go to my largest part”. The largest prime factor of the number in the URL was 33091839349, so solvers went to 33091839349.tk.
DNS record of 1853143003544.tk
This second website contained another TXT record: “http://i.imgur.com/NHYLD.jpg”. It's unclear whether it hosted a webpage, according to some sources[2] it was an HTML page with a black background and the previous picture.
33091839349.tk
The image, when outguessed, provided the following PGP-verified message from Cicada:
William Blake's "The Marriage of Heaven and Hell" as cropped by Cicada
The image link (Archive) referred to in the message is related to William Blake's The Marriage of Heaven and Hell[3], which is the book used in this book code.
Solving this bookcode (using this page as a source) led to another Onion similar to the first one where participants were asked to enter their email addresses: cginiziglyaobyph.onion.
The Onion[]
Users who either submitted their email through either sq6wmgv2zcsrix6t.onion (as seen previously) or cginiziglyaobyph.onion (from this path) would eventually receive the same RSA-encrypted message[4].
Please see Part 2 for that message and what happened after this.
References[]
- ↑ IRC logs from #33012013 (A and B are confirmed 2012 solvers):
[2013-01-08 03:36:34] <B> you just have to do a little work to get it [2013-01-08 03:37:05] <B> last year the url went viral and 3301 shut down the submission site the 2nd day it was up [2013-01-08 03:37:20] <B> and had to make a 2nd chance contest [2013-01-08 03:37:25] <B> for those that missed it ----- [2013-01-06 05:40:20] <B> then the individual puzzles started [2013-01-06 05:40:26] <A> yes [2013-01-06 05:40:33] <B> iirc [2013-01-06 05:40:43] <B> there was also a 2nd chance for those that missed the first [2013-01-06 05:40:49] <B> due to /b/ swamping them with emails [2013-01-06 05:40:52] <A> but firts onion adress got public (well too public) they got to many emails and they took adress down [2013-01-06 05:40:53] <B> once the url was found [2013-01-06 05:41:05] <A> and organize 2nd chance with new puzzle
That's also why "The Second Chance" is less documented than its counterpart, as solvers were fearing the new resulting onion address would also get abused. - ↑ https://www.allmystery.de/themen/it83189-9#id7167089, https://web.archive.org/web/20121226064303/http://bernsteinbear.com/cicada
- ↑ http://www.gailgastfield.com/mhh/mhh4.jpg
- ↑ These two onion addresses were hosted on the same server, according to a confirmed solver from 2012:
[2013-01-08 07:48:09] <B> anyway, eventually it lead to the second chance onion [2013-01-08 07:48:22] <B> which was the same machine as the first chance, just on another onion address [2013-01-08 07:50:37] <B> i doxed the machine that was hosting the cicada pics server last year [2013-01-08 07:50:54] <B> the address everyone was accessing was a proxy to the actual machine last year
| |||||||||||