Security is no fiction: Infosec on TV, film—and in space

  • Where no password has gone before
    I predate the modern tech age by just enough that the first time I saw a computer password was on-screen: In Star Trek II: The Wrath of Khan, Admiral Kirk staves off disaster by using a five-digit numeric code to hack into the stolen USS Reliant's computer, ordering it to lower its shields. The idea that a powerful warship's central control computer could be accessed with just a five-number password seems laughable today—though not as laughable as the USS Enterprise's self-destruct password being "000-destruct-0," as we saw in the next film. Has film and TV depiction of IT security gotten any better since the '80s? We quizzed some tech pros to hear their favorites and learn about the worst offenders.

  • Would you like to play a game?
    Dale Drew, chief security officer at Level 3 Communications, sees WarGames as a surprisingly accurate depiction of the state of hacking and cybersecurity in 1983. "When David, the main character of the movie, used his computer connected via dial-up modem to scan for telephone numbers to find other computers, and then brute force those computers for user names and passwords—that was all spot on," he says. "When David was confronted with a mysterious system that was unbreachable without the correct password, but did provide a hint to its owner, he performed pre-Google research to try to get inside the owner's head enough to guess his password. When it worked, it was a great victory for hackers everywhere."

  • You know what's cool?
    Drew also praises a pivotal scene early in The Social Network. He says it has "the most accurate 'instructional' hacking techniques as its main character uses Perl scripts to break into other universities to steal content for his own Facebook page. The process that highlighted not only the techniques but the internal mental dialogue as he was hacking is entertaining, and highlights the actual process that many go through." Perhaps it was necessary to get this one right: after all, it depicted a real incident, and one that happened relatively recently.

  • Learn from the past
    Speaking of real events, Morey Haber, vice president of technology at BeyondTrust, is eagerly anticipating a film coming out this fall. "The Snowden movie should be an interesting event," he says. "If it portrays purely factual events, it may spark discussions in other organizations that store sensitive information, and highlight their security weaknesses. It could be a truly eye-opening documentary and have similar effects on information and security technology that Blackfish had on the amusement park industry and animal activists. If the truth is blurred, and any stretch in information technology is used to augment the story, the movie will lose all credibility within the technical community."

  • The basics aren't hard
    Vadim Kotov, a senior security researcher at Bromium, has a particular beef with the CW TV show Arrow—particularly a security engineer character named Felicity Smoak. "She does things in a typical exaggerated Hollywood hacker style," he says, "but what's really noteworthy here is her vocabulary. Particularly nasty things she said include 'A teraflop of data' (a teraflop is a measure of computer speed, not amount of data!) and 'I just connected the virtual TCP to the open source sensor.' This statement doesn't make sense to the extent where I can't even start explaining what's wrong with it." It's sad when basic vocabulary, which is so easy to check, is butchered like this!

  • Investigate this
    An almost universally loathed show among the pros we surveyed was CSI and its various spinoffs. Level 3 Communications' Drew says that "nearly every use of a computer is inaccurate, but the one that sticks out in my mind is when they used a computer to 'enhance' a photo to find a suspect by zooming into the victim's eyes to show the reflection of the bad guy." It's particularly sad because the franchise has an entire spinoff supposedly dedicated to cybercrime. Christopher Budd, global threat communications manager for Trend Micro, said he tried to watch CSI Cyber but "I couldn't get through more than 15 minutes. There was no grounding in real technology at all."

  • Getting it right
    Several pros told me that the best depiction of infosec on TV can be found on Mr. Robot. Bromium's Kotov, who admits that "throughout the history of cinema and television, every profession has been butchered," calls the USA Network show "the only exception" to unrealistic depictions of his own field. Greg Foss, security operations lead, Office of the CISO at LogRhythm, calls it "by far the most accurate depiction of real-world hacking I’ve seen. They nailed the personas. Turns out Michael Bazzell, the show's tech adviser, spent 18 years as a government computer crime investigator, assigned most of his time to the FBI's cybercrimes taskforce."

  • Real hackers, real details
    Another film that got it right, according to Level 3 Communications' Drew, was Blackhat. "It's an introduction into cyberterrorism hacking, from a mostly believable perspective," he says. "It shows some really good examples of the depth and breadth of what hacking can do to the interconnected computer world, including turning logical hacking into kinetic effects (à la Stuxnet). The scene where the main character is analyzing the malware RAT and talking about the size of it, its sophistication, and the lack of the callout comments found in most malware code was very compelling and was very close to some of the forensic review of real malware."

  • More prescient than we knew?
    One film mentioned by several of the pros we talked to was Hackers, which despite its ridiculousness seems to hold a special fascination in the hearts of infosec folks. (CGI skyscrapers of code? Sure, why not!) "You can't call a movie Hackers, knowing that only technology-minded people will likely watch, and then get nearly nothing right on the use of technology," says Level 3 Communications' Drew. "The Cookie Monster virus attack video game is some of the hardest stuff to watch." Still, Trend Micro's Budd says that "in today's world it's actually not totally unrealistic. I still don't like it, but it isn't as much a howler as it once was."

  • A long time ago
    Most of these examples are earthbound, but security pros love space stuff just as much as the rest of us. BeyondTrust's Haber says that for him, "R2D2 himself is the ultimate hacker. In Star Wars Episode IV, he has allegiance to the Rebels, has Imperial access codes, and hacks the Death Star to show detailed blueprints on how to turn off the tractor beam and run privileged commands to shut down the trash compactors. As far as Imperial security goes, R2D2 owns the Death Star IT systems in a few minutes and no one is aware of his intention." Having physical access to the systems, plus being a computer yourself, doesn't hurt things, we guess!

  • All of this has happened before...
    For me, one of the best ever sci-fi security themes came in the Battlestar Galactica reboot, which features the human race fighting against robotic Cylon adversaries. In order to keep out viruses, the humans had to keep the computers on their ships primitive and unnetworked—totally logical within the show's universe, and also an excuse to have production design that mirrored the original version of the show from the 1970s. It's a great example of how it's important to get the tech details at least semi-plausible—but even more important to have them make sense in the context of the story you're trying to tell.
