[ARG] The Pizza Code Mystery


#5441
  • The whiteboard with diagrams of the Tau Cannon.
  • The target name of entities related to the gibs of the scientist who dies in the Tau Cannon overcharge that were named “dr_horn”.
  • The mysterious comment on the 752 Hex Code wiki page.
  • Stormseeker mentioned in an interview (can’t remember which) that it was Dr. Horn who designed/created the Tau Cannon.

There are two terminal pages:

  1. terminal.blackmesasource.com, the content of which can be seen on the wiki. It was discovered through inputting the Konami code on Stormseeker’s website.
  2. terminal.bmrf.us.

At some point (can’t remember exactly when), terminal.blackmesasource.com stopped working and returned a Cloudflare error page. The official wiki page went down at the same time, presumably because it was hosted on the same server. Someone complained on the forums about the wiki being down, and if I remember correctly, Hubi replied that it was going to be fixed shortly. That never happened. Instead, both the wiki and the terminal page were just set up to point to the main site, www.blackmesasource.com.

The domain belonged to the ISP that Storm was using at the time. Customers of this ISP would have had customer IP addresses assigned that would resolve to hostnames in this domain. Apparently, the ISP was later bought by Vodaphone. IIRC, Storm switched ISP sometime in 2013.

We saw this domain show up in the IRC logs whenever Watcher, and incidentally, when Code_ logged in (I wonder why no one got suspicious at the time):

[tt][16:55] * Joins: Watcher__ ([email protected])[/tt]
[tt][23:00] * Code__ ([email protected]) has joined #BMS-ARG[/tt]

A few comments on the wiki that we believe were posted by Storm came from IP adresses that resolved to this domain. Except in the case of the “21 into 1” and the red herring comments. However, these came from UK addresses and they were posted after Storm allegedly switched ISP.

Similar hostnames were also seen in the context of the ARG as part of the actual IRC clue messages:

[tt][email protected]//closed.proxy.accepted//?OTR,1,3,?OTR:[/tt]

IRC clue 6 included an invalid or fake address:

[tt][email protected]//closed.proxy.accepTEd//[/tt]


#5442

I spent some time trying to track down old ips used in the ARG, with hopes of finding another server related to Black Mesa, being that servers were offline and that user activation was required, so looking for the secondary server. Looking at lat longs of servers, hoping one would point to an airfield or location that would tie into the ARG, at first I thought I was on to something because it gave a lat long that was at the middle of a lake/reservoir and had a dam. It pointed right to the middle of “Cheney Reservoir”. Then more information about it, apparently a company called maxmind messed up and moved A LOT of ip geolocations to the middle of Kansas.


#5443

That mysterious comment… must still be relevant! It was meant to link the Tau Cannon back to the still-encrypted HALOS file.
Everybody, drop any other thread or idea about how to decrypt that file, if it doesn’t have anything to the Tau Cannon. And go back to that weapon, the textures, the use, the placement in the story, etc.
Also, remember that the Tau Cannon is used in Half Life 2… Maybe there’s a clue there?


It was the fact that the “as part of the actual IRC clue messages” encrypted text used / included that unnecessary header info, that made me think that it would be important to note. At any time, Storm could’ve chosen to change the hostnames to something like [tt].bmrf.com[/tt] or [tt].halos.net[/tt]… Why reuse the [tt]dslgb[/tt] hostname, unless there were a reason? Or an easter egg? Why encrypt the header of a message into another message, with its own header? Could’ve just been easy to trim the string, send a shorter, more concise message.
If it’s true that HALOS is the one sending these messages, then it’s not doing it quite efficiently, tbh.
If it’s not HALOS, then… they might not be much of an expert in this sort of stuff.


#5444

I’m not sure this was mentioned before, but I was recently going over the IRC clues and figured I’d point it out.

If you look on the Tempus page on the wiki, this part stood out to me:

“INCOMING DATA…
[email protected]//closed.proxy.accepted//?OTR,1,3,?OTR:[I—MI-G TR–SMI—ON - UN—WN S##RCE] OTR:~’//
Dr///#~` B…Ami ~### ~ Not ##~ami… {interrupt} +&&#//#// KON ,-mi C-de. Dr H–N #~~ Don__### LET HIM __ fi#d…us
. {Dr Wel##}~~ [Terminal.] ~~ [Transmission Ends]
FURTHER ANALYSIS…
TRANSMISSION SOURCE TRIANGULATION NOT POSSIBLE.<|>”

The reason it stood out is because it’s really the only thing on that page that is pointing to a specific clue–granted, the message is repeated, but this is the only actual clue. As you can see, it’s referring to IRC clue #4, which is as follows:

"[email protected]//closed.proxy.accepted//?OTR,1,3,?OTR:[I—MI-G TR–SMI—ON - UN—WN S##RCE]Access detected to personal site.
Security compromised.HALOS project under threat. Site offline as response. Switching to new protocols.[********] ~[OTR//2.0]Q0FZRUlMVEhEWkVIVEhBTlpJRVRLSU5OQUFTVFNPU0lCSVNPRElIVEhBTlpJRURaRUhUS0lOV09MTEFDSEVFRElCRUhUSEFOWklFQ0FZRUlMVEhEWkVIRElCRUhUSEFOWklFTkFBU1RTT1NJTk9EQUlIVEhBTlpJRU1BRU5BQVNUU09TSUdBSFRLSU5ORUFTSEpTTlRI…=[/]~[Transmission Ends]

So, if we break down the Tempus reference, the first part is exactly the same, up to the “OTR:~’//” part. That part is extra, and it also does not include the “Access detected . . .” message.

Then it refers to IRC clue #1:

“INCOMING TRANSMISSION - UNKNOWN SOURCE
Dr BonAmi is Not ami itsKONami Code. Dr HORNDon’t LET HIM find us. Dr Welsh”

The thing that is odd is that on the Tempus version, “Dr. Welsh” is in brackets–why?

Then we have [Terminal.], which was actually the password to IRC #4’s solution. Then it shows the [Transmission Ends] from the part of the IRC #4 clue after the encrypted message: PRIMESITECOMPROMISEDRETURNBMRFLOGINHALOS

The question I have is, why do this? Why would Storm go to the trouble of using only these two clues and combining them the way he did? Furthermore, why mask the letters when we already know what it is, or throw the {interrupt} in there? Aside from the obvious, that it is just drawing our attention back to those clues, what is the point of it?

If I remember correctly, IRC #1 was meant to steer us in the right direction that it was Konami code and not bonami, but I remember Storm saying that he wasn’t sure it wasn’t intentional (when masked as Code_)–we know how careful he’s been this whole time, so I wouldn’t put it past him to create a double entendre on purpose. Furthermore, the message includes “not ami” which indicates the male version of “friend” or “not a male friend”–this was actually already covered, I’m just covering all my bases here.

Also, IRC #4 is the first one we got after solving the first gate puzzle, so we can assume it is here that our next key pieces of information for the gate puzzle would theoretically start. With that in mind, I think we may need to refer back to these clues and not simply think of them as a launching for the HALOS.txt code–because, let’s be frank here, the HALOS.txt file makes no goddamned sense at all, and none of us have been able to do anything with it.

To continue with our examination of the Tempus clue, it then mentions: “FURTHER ANALYSIS…TRANSMISSION SOURCE TRIANGULATION NOT POSSIBLE.<|>”

This could be a reference to IRC #5, primarily this part: "LEAK SOURCE DETECTED. TRIANGULATING…MIX CASCADE HOP DETECTED…ATTEMPTING TIMING ATTACK…[TERMINATED] CANNOT CONNECT TO HOST…ATTEMPTING CONNECT TO USER H… "

So, at some point, triangulating was possible, but now it no longer is, likely because Horn severed the connection. Then we have IRC #6 which doesn’t seem to do much more than point us back to the site for the HALOS.txt file, although it is strange how the capitalization is in: “ThEpIzZaIsaLiE…HALOS”

Now, the reason I bring all this up, is because I think it’s pretty clear that almost nothing else matters except the BMRF website. Storm mentioned at least once that he would have an umbrella site, and almost everything we are seeing is referring to a site. Now, I’m not convinced that the terminal.bmrf.us page isn’t important somehow. We have all of these messages coming from a terminal, not to mention it was even the password for one of the IRC solutions. Now, the Terminal page on the bmrf.us website states that it is a Remote Terminal Module, and is owned by Black Mesa–isn’t it quite possible that Horn was using this very terminal to send messages. or that someone else was? Is it possible we can do something more with this website? I’m not familiar with how UNIX terminals and the like operate, but I am familiar with website coding, and although I don’t see a direct way the Terminal page itself could be manipulated, is it possible we can visit another hidden page that can be? I guess I’m just trying to spark some thought here, as we are still rather stuck on this.

Thoughts?


#5445

Soo, after some who.is lookup, I found that bmrf.us has 2 links (Internal: 2, Outbound: 0). Now, does that mean there are 2 subpages like terminal.bmrf or I’m I completely off the trail here?


#5446

Pentest Tools indicates there are these three directories
[table]
[tr]
[td] Directories
[/td]
[td] HTTP Code
[/td]
[td] HTTP Reason
[/td]
[/tr]
[tr]
[td] /img/
[/td]
[td] 403
[/td]
[td] Forbidden
[/td]
[/tr]
[tr]
[td] /terminal/
[/td]
[td] 200
[/td]
[td] OK
[/td]
[/tr]
[tr]
[td] /js/
[/td]
[td] 403
[/td]
[td] Forbidden
[/td]
[/tr]
[/table]


#5447

So terminal is “ok”? What is there?


#5448

/terminal/


#5449

I noticed that its nginx which can be used as a reversed proxy, anyone know how something like that might operate?


#5450

It’s accessible via http://terminal.bmrf.us/ or via http://www.bmrf.us/terminal/

Wikipedia says:
…a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the Web server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. Quite often, popular web servers use reverse-proxying functionality, shielding application frameworks of weaker HTTP capabilities.


#5451

Yes, even though those are forbidden, I managed to stumble across the images that were hidden within them about a year and a half ago: Images

We are missing something big. Why hide these?


#5452

Hmmm, I have a couple of thoughts on this. This would seem to imply that Black Mesa Source could be canon in some form or another. Linking it to HL2, further doing the mambo on the timeline that we know. We have been told before that it was not canon, but on the other side of the coin with the potential for time travel this way and the other way, over and over, who knows what direction the CC could take us.


#5453

There is no such thing as canon.
As for the issue of Half Life canon, Canon does not exist because there is no such thing.

http://half-life.wikia.com/wiki/Half-Life_Wiki:Canon
http://combineoverwiki.net/wiki/Canon


#5454

So, technically, Transmissions: Element 120 could also be canon?

Actually, Mark Laidlaw most likely said that in order to not let the Gearbox expansions - Blue Shift and Opposing Force - be suddenly downgraded due to a fandom schism.

But may I just point out this little tidbit that might expose Storm’s views on the subject:

L#### O####### L######## Can#### might also be jokingly interpreted as [tt]LOL, “canon”[/tt].


Just discovered one other thing.

(Emphasis added to above quote)

What if we’re reading that wrong? What if, like we’ve been assuming with HALOS, that it’s supposed to be CRYPTOS? As in, Crypt-OS, “Crypt” Operating System? Another parallel or pointer to Hal-OS?


#5455

Some of the context used with Halos, “, “Halos project”, “Halos musn’t see this, password to its area”…, “Halos files” “Halos automated”,“BMRF-HALOS-AITR-0001”,”[INCOMING TRANSMISSION]ThEpIzZaIsaLiE…HALOS[Transmission Ends]" .

So yeah, that’s a lot of “Halos”…


#5456

I think I may have finally made some headway with this, and I’m now thinking that we may be dealing with homophonic encryption. Now, I thought this might be the case before, but I never fully pursued it because, although the reasoning was sound, the puzzle I referred to didn’t necessarily have to do with our puzzle (although the similarities were uncanny). However, now I think I may have solid reasons to believe this is still the case. Here is why I think this:

I visited the wiki page for the Kryptos statue, as I was going through some of the IRC clues and looking for loose ends. At the bottom of that page, as a “See also” is the Copiale cipher. As a brief summary, this cipher was recently cracked in 2011, and the reason it was so damn hard is because it used homophonic encryption–or, as the wiki puts it: " . . . each ciphertext character stands for a particular plaintext character, but several ciphertext characters may encode the same plaintext character." This in and of itself isn’t important–what is important is how that cipher was eventually cracked. The only plaintext in that cipher was “Copiales 3” at the end of it. Furthermore: “Seven ciphertext characters encode the single letter “e”. In addition, some ciphertext characters stand for several characters or even a word. One ciphertext character (”†") encodes “sch”, and another encodes the secret society’s name."

It’s that last part that stuck out to me, as well as the “Copiales 3.” In our cipher, there is also a “+” symbol, and it is used only twice–once at the beginning, and once at the end. How is that possible, unless it actually is hand-encrypted with substitution? To show you what I mean, here is the plaintext converted from the hex:

³+�:5ºÝfW|$ÁOÉCFÑ1§ÅK¸/þà"aWw?$y#Ü!ö,Ô.‘ògµE«Êí¯aQ
Nê‡Í3ÇÇ?q10œÄ(´$=TðDùÏb–Ù¿÷9~C˜æ2Ú
?äx³¥O]Üiuú÷I„žbYZŸc•‘=à>:¬?8ŒEû…þ‘5AÖÀƒ˜òȃ2¨/ß�(büÜOçäj?éQÅÈ´dã:¹,–†.‹À™¸8�Úy¶?ä¢Y›mHǹSŒîc‘Dôaº’äþu$,Ø?QÖ•Q˜‡j|ª½{@I"A0©f̳Á9F:?~š7ª†?²xü—1ÀœŒy~y“
@eF²Lšb›&Â?Î*KäXš7_ësÄ«"\„Œøž)²q3—6G?J‰(í֏TiŒ^[PgFövZo%Þ¤Ú@þ¶e?E$i6•ˆ=Ë!æûþû¸Z)‘”€6¥+]

Notice the green–see that? Our 3 is there (maybe signifying Copiales 3?) but the + sign is at the end and the beginning, with only one other symbol on either side. Is that really possible with actual encryption?

I’m quite convinced at this point that we are dealing with this type of cipher, and honestly the only way around it is to simply plug things in and hope for the best, or maybe look to see if there are symbols hidden throughout the messages Storm gave us that can help us start to decrypt it. Maybe this is what “time reveals all” means, too–that we will simply have to spend some time doing this. I also recall him saying in his message to me the following: “the n gram results indicate a weak encryption, but one that results in highly entropic data.”

So, yes, we are getting a lot of randomness, but the actual encryption is a simple substitution, therefore not that complicated and quite easy to break once we get the ball rolling.

On a final note, the Copiale cipher does fit our “Latin” theme as we’ve discussed many times before: “The Copiale cipher includes abstract symbols, as well as letters from Greek and most of the Roman alphabet.”

You guys that are a lot smarter than me, any of you think we could create a simple program that would help us with this? I can start going at it by hand, but it could take some time. I’m only hoping that Storm did us the favor of making each symbol a direct substitution and not like the Copiale cipher wherein one symbol can be multiple letters–like † = “sch.”


#5457

The null terminator happens so frequently inside that HEX code…

This would interrupt a lot of programs, since null-termination usually signals the end of a string.

Maybe that’s where the HEX code block could be broken up?

[code]B32B NULL

3A35BADD 66577C24 C14FC919 064346D1 31A7C54B B82FFE03 E0226157 77247923 DC21F62C D4182E91 C3B267B5 45ABCAED AF026151 0D4EEA1E 87CD33C7 C7713130 9CC4280E B4243D11 54F044F9 CF6296D9 BFF7397E 4390987F E63203DA 0DE40278 B3A54F5D DC6975FA 04F74984 9E1A6259 5A9F630B 0795913D E0153E3A AC388C45 FB9D850C FE913541 D6C08398 F2C88332 A82FDF NULL

281D62FC DC4FE7E4 6AE90C51 C5C806B4 1164E33A B92C9686 2E068B0C 16C09990 B8381A NULL

DA7915B6 7FE4A20F 599B0F1B 6D481913 C7B9538C EE639144 F41561BA 92E4FE75 1D1E242C D88F51D6 95519887 136A7C15 AABD7B40 04492201 4130A91F 170F66CC B3C13946 3A7E909A 37AA863F B27805FC 9731C09C 8C79067E 79930A40 6546B24C 9A629B26 C2CE2A4B E48F589A 375FEB73 1FC4AB22 5C11848C F89E291F B2713397 0C063618 474A8928 01EDD68F 54698C5E 5B506746 F6765A6F 7F1225DE A4DA1140 FEB60F65 0745241C 69369588 3DCB21E6 FBFEFBB8 5A299194 8036A5 2B5D[/code]If the homophonic cipher is the right way to go, then be advised… that there are 255 different hexadecimal numbers. Matching them all up to - for example - the 26 capital letters of the English alphabet would be a huge undertaking. Not to mention what if punctuation marks exist (which the original Copiale did not have within, only for some logographs and necessary word breakages), numbers, foreign numbers, scrambled hex values via bad connections (as are shown in several clues given to us), etc.

In short, we need a key. Some way to actually translate the HEX Code characters into the original text.

. . .
What if the key was a template for a chart to do just that? To keep a key for the translation? I bet that if we just all sat down and ate some grilled pizza, we could figure out a solution…


Reread some of the Wiki. Storm said at one point, that we already had what we needed to solve this, but that it’d still be challenging. And yet here we are, two years + later, thinking up newer ideas about what it could be. Yikes.
I would not feel ashamed in bowing to the master and saying “welp, this was a toughie. Maybe knock down the difficulty a little bit and help us through this one?” just so we can see what else he’s conjured up for us on this little field trip through Black Mesa.


#5458

Why do I keep reading that as homophobic.

Sorry. Carry on.


#5459

Has anyone tried using the binary version of the hex code to create a grilled pizza image the same way Storm did? I created a small diagram with 21 rows (21 into 1), and that turns out to be a LOT of triangles, and I started shading in the 1s and leaving the 0s blank, but my drawing sucks and I will need to pick up some graph paper to do it with any sense of consistency. I’m wondering if this will somehow spell something out or perhaps create a picture? Anyway, before I go ham on it, I want to ensure no one else has already done this–otherwise, I’ll cramp my hand up for no reason. I’m sure I could do this with some of the programs I have on my desktop, but it’s still currently defunct due to the move (still using my "crap"top).

Anybody able to verify this? If no one’s tried it, I’m happy to be the guinea pig–I’ve got a long weekend due to the holiday, anyway. I’m sure Storm created his in 2 minutes, but I have no shame.


#5460

That’s 21[sup]2[/sup] = 441 triangles, to be exact. The number of triangles in the bottom row is 2*21 - 1 = 41.

In order to use all the bits of the HALOS code, you’ll need to draw 3008 / 441 ≈ 6.82 sets of triangles (or grilled pizzas).

The 3008 bits of the HALOS code won’t fill a complete grilled pizza, or a whole multiple of grilled pizzas, except in the cases where the number of rows are 1, 2, 4 or 8 (1, 4, 16, or 64 data triangles/bits, respectively). If you include the single red padding triangle (the forbidden fruit?) at the top, like in the original grilled pizza, the only case where you’ll be able to fill a complete set is when the number of rows are 3. In this case each triangle set will contain 8 data triangles/bits, which means one triangle set / grilled pizza for each byte of the code.

I haven’t considered cases where the number of padding triangles is > 1.

The question is, if we are supposed to make grilled pizzas out of the HALOS code, would or would not Stormseeker have made it so that the code would completely fill a grilled pizza, or a whole multiple of grilled pizzas?