Taken from the 7Gates preamble.

on the topic of clues

ARGs are based on clues, so it helps to have some idea of how clues work. Clues come in many forms, and explaining all of them would take too many pages. In general, though, there are a few rules to follow:

First, clues are usually only used once. Embedding multiple messages in one string of numbers or mishmash of ciphertext is basically impossible. After finding an explanation for a clue or advancing to the next stage, it would be wise to not waste time on it further.

When in the world of an ARG, a whisper is almost always louder than a bang. Look for subtle changes in things that shouldn’t be there. If something is big and obvious, there’s a high likelihood that it’s a red herring. Subtlety also means that patience is almost always rewarded. 

Clues are always obviously clues, and they are also obviously valid. You shouldn’t have to think “oh what if this is actually made by somebody else”. For example, a YouTube video uploaded after the ARG had started is probably a fake, but one that was private before and uploaded a month before the ARG started is probably real. The same applies to websites. Check when websites were registered or when assets were created.

In any good ARG, every clue will be freely available. Anyone asking for money is scamming you.

on the topic of “anyone-can-edit” clues

There are numerous sources online that anybody can edit. The most famous example of this is Wikipedia. However, there is a plethora of editable websites online, including all Wikia-based wikis and YouTube subtitles. User-curated content is amazing for websites, but not so great for ARGs. If a clue cannot be proven to be published by the puppet masters, it should not be taken seriously. Do not trust subtitles, wikis, or otherwise editable websites.

on the topic of legality

Phone numbers have often been used in ARGs to deliver clues, specifically with some sort of steganographic audio recording. However, because phone numbers are sensitive and differ inherently from websites (where accessing a website causes no harm to the owner), performing any sort of testing using phone numbers is heavily discouraged.

Repeatedly calling a phone number or directing others to call that number without explicit permission from its owner is considered criminal harassment in many, if not all, jurisdictions.

Likewise, performing “hacking” attacks (DDoSing, attempting to log in to password-protected pages) without a clear and explicitly provided prompt is also very illegal. Port scanning and similar techniques are okay, but treat every server as if it is completely unrelated to the ARG until you get a clue from it. Please note that using the INSPECT tool is not considered hacking. It only changes your LOCAL view, so it does nothing to the servers or anyone else’s view.