Do you remember Notpron? I certainly do, although I distinctly remember it being called notpr0n—which I suspect is more a remnant of online culture in the late 2000s when it was originally popular than a Mandela effect. If you’re one of the more than 19 million people who have participated in this online scavenger hunt, it’s likely you have nostalgic feelings about it too. It was the first time I had seen anything like it, a puzzle game that wasn’t confined to the boundaries of a normal game in any of the ways I expected.
For those who aren’t familiar, Notpron has been called the “hardest riddle on the internet”—a worthy title for a 140-level puzzle that has only been solved by 66 people since it was created by David Münnich in 2004. (I want to reiterate that, because 66 out of 19 million is a wild ratio.) Most levels require a username and password combo that you have to figure out from the hints on the page, but some levels also require users to modify the URL of the page in order to progress. (This article won’t contain any major spoilers—Münnich rightfully insists that they’re against the spirit of the game—but as an example, the trick for getting from level 2 to level 3 is literally changing the “2” to a “3” in the URL. It’s sneaky like that right from the beginning!) Nearly all challenges involve taking a peek into the source code of the webpage, where various hints are hidden, and many require a deeper technical knowledge—of file systems and extensions, graphics and audio manipulation, or computer programming.
I came across Notpron for the first time when I was 15 years old and I was totally enchanted by it. There’s something creepy to its aesthetic, with its eerie, howling background music and dark photos containing untold secrets to uncover. I remember waiting for my mom to go to sleep, so I could sneak downstairs in the middle of the night and wrack my brain over these strange puzzles, feeling like I was cracking some kind of mysterious and inscrutable code. At that age, I was just starting to get into computer programming, which I would someday make a career in, and Notpron made me feel like I alone could speak the language of the machine and decode its cryptic messages.
In a lot of ways, I could credit Notpron for the beginning of my technical career. I was drawn to it because I already liked solving puzzles, but Notpron solidified the link in my mind between puzzles and programming and gave me a lifelong appreciation for cryptography and ciphers specifically. It encouraged a specific kind of thought, trying to think outside the confines of what’s expected and find ways to exploit the system. It taught me to always, always look at the source code, and from there, I began to learn some of the methods to look meticulously at files for what could be hidden there. I didn’t realize at the time how these methods might come in useful later in my life: although Notpron was my first time participating in this kind of a puzzle game, it certainly wasn’t the last.
A decade or so passed and I found myself in my mid-twenties, working as a software engineer and traveling around the country to tech conferences to learn about, and subsequently teach, programming principles and tricks. This is how I started getting involved with the hacker community and where I was introduced to their favorite game, Capture the Flag.
It’s higher tech than the game you may remember from summer camp, but actually the concept isn’t that different, especially in its earliest days. Capture the Flag (CTF) contests as a cybersecurity game originated in 1996 at DEF CON, which is one of the world’s biggest hacker conventions. In the original format, which is now known as the “attack/defense” format, teams of hackers compete against each other to take their opponents’ flags while protecting their own, just like in regular Capture the Flag. But these flags are digital, so “taking opponents’ flags” involves exploiting vulnerabilities in their network to gain access, while “protecting your own” means patching any vulnerabilities in your own network to prevent it from being hacked. (It’s worth noting that the DEF CON CTF is also the oldest active CTF, as it has been running annually from DEF CON 4 to this year’s DEF CON 27. It’s now one of the most competitive CTFs out there, with the best teams in the world competing in qualifiers to even earn a spot to play.)
Attack/defense CTFs still exist, but they’re no longer the only, or even the most common, type of CTF contests. It’s now more common to see Jeopardy-style CTFs, which replace the “versus” aspect with puzzle-like challenges, solving which earn you points that contribute to your status on a leaderboard. While Jeopardy CTFs often still have a web security focus, the challenges are presented in a more puzzle-like way. It’s common to be given a link to a website that has some specific vulnerability purposefully programmed into it; exploiting that vulnerability will usually reveal the “flag.” (The flag is represented by a secret code that can be input for points, acting as proof that you’ve solved the puzzle.) But like real Jeopardy, there’s more than one category of puzzle represented and not all puzzles involve traditional hacking. Other common categories are cryptography, file analysis, and steganography, which is when data, images, or files are hidden inside of other images and files.
This is the style of competition that I was introduced to at a tech conference in 2017. I’d heard of Capture the Flag before but it always seemed too intimidating to try myself—I could write code, but I didn’t consider myself a hacker and I didn’t know the first thing about trying to break into a database, even one I knew was insecure. But it wasn’t an extremely competitive event and I was encouraged to give it a try. Knowing that I was a total newbie, some of the other participants graciously helped me learn some of the basic hacking techniques, but I also found that I had more of a knack for the other types of challenges. When given an image, it came naturally to me to open it up in an editing program and start messing around with the levels and color palettes to see if a message would reveal itself. When listening to an audio file of various beeps, I would immediately think, “Is this morse code? Could it be telephone keypad tones? What would happen if I played it backwards or at a different speed?” These are all techniques that transport me back in time to those late nights on my parents’ desktop computer playing Notpron and scouring the web for tips on how to tease secret info out of a .jpg or .wav file.
The more I thought about it, the more I realized how well Notpron had prepared me for CTF competitions. Just being able to slip into the mindset of going straight to the source code and looking for solutions in unexpected places gave me a leg up in my first CTF. Notpron explicitly encourages players to turn to Google for help interpreting clues and learning new skills, which is absolutely necessary for CTFs, especially as a beginner. (Maybe I don’t already know how to attack a database using SQL injection, but I’ll be damned if I can’t learn!) Both games rely on players not ruining it for each other by sharing answers, but have spawned communities that will formulate clever hints to help others get on the right track without outright giving it away. And both games can be played as an individual but are considered better as a team activity. Attack/defense CTFs require teams, but even many of the Jeopardy-format contests encourage players to form teams of people with different specialties so you can take advantage of each other’s strengths and cover for their weaknesses. Münnich feels similarly about Notpron. In an interview with Fast Company in 2014, he said: “I don’t think anyone beat the game all alone, because you need to possess so many different skills, that it’s nearly impossible for a single person. Usually it’s little groups of friends who beat it step by step [with] everyone’s strengths being put to use.”
When I played Notpron, I did it on my own, but I have played CTFs with other people, and it’s one of the major ways it has helped my career. Nobody becomes a great programmer on their own. Through the CTF community, I’ve met really talented programmers to network among, learn from, and cultivate friendships with. Because I don’t work explicitly in infosec, the hacking skills I’ve picked up from doing CTFs haven’t come in particularly handy at my day job (yet!), but they have bolstered my confidence in my work. The single most important skill to succeed at Notpron, CTFs, and programming alike is a sense of confidence in yourself: confidence that even if you don’t know how to do something yet, you have the ability to learn it.
Even if I never beat Notpron—and with a 0.000347368421053% success rate, it’s very likely I never will—it has become a permanent part of my origin story. My interest in cryptography is a part of me now, and I’m sure it will be for the rest of my life. I often think back on it fondly while I’m competing in Capture the Flags, and every time I place well in one, I feel a little closer to those admirable 66 (teams of) puzzle solvers who conquered the hardest riddle on the internet.