Greg - a sample arg

Greg – A sample ARG by Jengibre Interactive

Greg was born as a small in-house research project. The objective: to
find out how people reacts to an Alternate Reality Game (ARG)
The game was sent to different people, half of them were considered
ARG audience and the other half were not. Each of these halves were
also split in two: half were just given the link and be told to beta test
a new "experimental game", whilst the other half also was warned to
look carefully, that not everything is what it looks like (you'll realize
why if you try the game, or at least it's landing page).
The results, while preliminary and non-scientific, were quite good:
them who who got what the game was about (with or without extra
information to look beyond) were really hooked up with the game,
and were eager to finish it (they were playing it even in daytime
working hours!).
The bad part is that very few people were curious enough to keep
looking (effectively starting to play the ARG) if I told them nothing.
So the question here is: how to make a good starting point (the
rabbit hole) that is intriguing to keep looking, but neither too obvious
nor too opaque.
Play Greg at: http://www.jengibre.com.ar/arg2/
Postmortem / walkthrough
The game landing page is what at first sight seems to be a server error (yes, I was inspired by Troy). On a closer look, the first lines below the title are Driver error attempting to access Alternate Reality Game. user: ********, pass: rtp351 So, a web page that somehow provides the user with a password, and on the bottom of it has a user and password field to log in. This to the curious eye should be enough to at least give it a try! Alas, a great majority of the people who where invited to the game thought the error was genuine, and sent e-mail with the description so I can fix it and they could, eventually, beta test the game. So this "error page" approach, even with some hints and clues, may not be the best rabbit hole for an ARG. There is a password, but there is no username, and both are needed
to log in. If the user gives focus to the username field (most likely by
clicking on it), then the two O from a word ROOT highlight for a
couple of seconds. With that hint, the user may be tempted to use
"OO" as a username, and when he starts writing, an autocompleter
field reveals only one choice: ROOT. Similarly, the password field
highlight the plain text password, in case it wasn't seen before.
So, using ROOT / rtp351 the system gives access to a webmail
interface, with one unread e-mail and two other e-mails.
The first e-mail is a receipt that confirms a subscription to a mailing
list.
The second e-mail is a very cryptic one, containing an excerpt of the
children story of the gingerbread man, sent by a misterious Baba
Yaga character.
The third one is a confirmation mail for changing the configuration of
a SPAM filter. Besides the usual technical stuff, the user is informed
of a crucial thing:
Remember that you will not receive any indications when an
incoming message is marked as SPAM.
Please take measures to avoid false positives (when a
legitimate e-mail is not delivered because it's incorrectly
identified as junk mail) and if necessary, adjust your
settings again.
Which may not seem important at the moment, but it is later. Also,
some strange image of a gingerbread man is floating down to the
right, out of the webmail frame, and it seems to be hiding something.
This image is draggable, and when the user moves it, it reveals a link
with the text 1 => 04.
Going down that link: the vault. A weird page with a box with a try
button in the middle and some text on the right, which suspiciously
looks quite like the link name.
The lines of the the box are actually sliders, and when the red dot of
each is moved, the text to the right adjusts, indicating it's position.
So the user drags each one to adjust the values provided on the e-
mails (if he didn't realize it before, all three e-mails have a value
down to the right). But still a fourth number is missing. One approach
would be to try all the possible choices, in a brute force fashion, since
there are only 30 combinations. Or, the text 1 to 3 of 4 Messages
on the mailbox may catch the user attention. There are 4 messages,
where is the fourth? Clicking on the 4 in that text reveals a fourth e-
mail (or just by inputting the URL mail4.html on the browser)
The fourth e-mail wasn't being shown as it seems to be SPAM. It
reveals some stuff (later on it) and the needed fourth code to enter
the vault.
Inside the vault there is a configuration page for the SPAM filter.
There are some technical preferences (which doesn't do anything to
the system/game) and, on the bottom, there is the Secret anti-
spam subject key, whose description reads: "code tag that is to be
added in subject in order to bypass all filters". Also, the textfield is
read only, so this surely is something to remember.
Back into to the mailbox.
The third e-mail has some unusual content at the end, grayed out
and with a smaller font. On closer inspection it says "DSPAM MD5
checksum" and has a text with the first hundred digits of the number
PI, which is actually a red herring, since it's totally useless in the
game.
The fourth e-mail also had some information that was skipped (the
user was eager to get to the vault!), so let's get to it.
The content of this e-mail seems to be a poem. Close enough, it's an
excerpt of William Shakespeare's A midsummer night's dream.
Searching for it will reveal this fact, and the fact that the verses are
in the wrong order. They can be sorted by dragging them with the
mouse. Once they are in the right order. nothing happens. But, the
first letter of each verse is capitalized and red, putting them together
they form IAMIAIWDMADU, which is also something good to write
down.
Having explored the four e-mails and the vault, the mailbox reveals
two other pages accesible.
The compose e-mail screen is one of them, reachable either by
clicking on any of the names on the From field on the e-mails or by
hitting New Message. What the user tries to send an e-mail, the most
likely thing to happen is that the server replies "Address was not
found on server", or, if he inputs the address
lysander@athens.acro, then it will reply "Wrong PGP key" unless the PGP key is correctly supplied. This Lysander guy, besides being a character of A midsummer night's dream, also is the sender of the fourth, mysterious e-mail. So the next step clearly is to get that PGP key. On the address book (accesible via the link on the top of the mailbox) there are some people listed (yes, they are all characters of the Shakespeare play!). None of the supplies a PGP public key except, yes, Lysander. As everything is difficult on this webmail, a password is asked to supply the PGP public key, inputting IAMIAIWDMADU opens it, revealing Lysander's PGP key: --PGP 57183906167128560161257 Almost everything is set. Going to the compose screen, we can send an e-mail to Lysander, and provide the PGP key (which is 57183906167128560161257, the first characters have to be removed). Most likely, the e-mail server will reply "Your message was blocked by SPAM filter" when the user tries to send an e-mail to Lysander, so providing the super secret anti-spam subject key (remember? it was [MMDC]) does the trick. The subject must contain that tag, somewhere. Assuming the user entered a valid e-mail in the Identity field, a real e-mail will arrive at his real mailbox, with the text: You've sent an e-mail to Lysander <lysander@athens.acro> Jengibre Interactive SPAM filter requires you to confirm the message Please copy and paste the following URL into the browser's address bar: http://www.jengibre.com.ar/arg/confirm.html?msg_id=<some random number here> Regards Jengibre Interactive SPAM filter v 1.0.2-2 spam@jengibre.com.ar Finally, on the given address there is a congratulations message, some feedback request, and the end of the Greg ARG. In the end
Greg ARG is a tiny ARG, it can be played in just a couple of hours (even a couple of minutes). It was designed to introduce people to the concept of ARGs. With that in mind, it's duration. Also, it was meant to be non-lineal. While there is a unique way of solving it, the user may reach it through very different ways, solving the puzzles in different order. For comments, suggestions, questions and feedback, reach me at andres@jengibre.com.ar

Source: http://www.jengibre.com.ar/arg2/sample_arg.pdf