Hollywood hacks impress experts

[InfoSec News <isn () c4i org>]

http://www.bayarea.com/mld/mercurynews/business/6800620.htm

By Tamara Chuang
Orange County Register
Sept. 18, 2003

IRVINE - In the sequel to the movie ``The Matrix,'' the svelte 
heroine's return to the futuristic world had a group of security 
consultants from Irvine's Rainbow Technologies ogling the raven-haired 
computer whiz.

But not just because Trinity looked hot in skin-tight black leather.

Trinity, played by actor Carrie-Anne Moss, uses genuine hacking tools 
to help Neo, played by Keanu Reeves, rescue humankind -- she uses 
``Nmap'' software to scan the computer ports, finds the electrical 
control system's Internet protocol address and, voila, zaps the power.

``We were actually impressed,'' said Bernie Cowens, Rainbow's vice 
president of security services, who took his staff of ``fairly jaded'' 
technologists to a matinee on opening day.

``They are pretty hard to please when it comes to realism in the 
movies,'' he said. ``They all commented favorably.''

In the past, Hollywood's depiction of computer breaches left most 
security experts groaning in disbelief. Cracking a password in 60 
seconds?

Impossible, they say. Computer screens covered with animated images of 
spreading viruses? Never happens. Zooming in on video recorded by a 
generic security camera? Ha!

But now, although Hollywood continues to exaggerate technology to make 
movies more exciting, hacking in films is becoming more realistic, 
computer experts say.

For example, this summer's ``The Italian Job'' showed a credible 
situation of how hackers might get into the Los Angeles transportation 
computer system to create the city's largest traffic jam.

And, while movie critics have panned ``The Matrix Reloaded,'' many 
computer-security professionals loved it and are eagerly awaiting the 
November release of the next movie in the Matrix trilogy, ``The Matrix 
Revolutions.''

``There's a new generation of filmmakers growing up with technology,'' 
Cowens said. ``They're acknowledging that the public is more 
(computer) savvy. It makes it more believable.''

At home, many people have learned not to open e-mail attachments from 
people they don't know. They know that, if they ignore that warning, 
the computer could stop working or slow down because a computer virus 
is sending itself to everyone in their address book.

They know that colorful images of viruses eating files don't really 
appear on the computer screen, as in the 1995 movie ``Hackers.'' They 
know, and were reminded by the Blaster worm attack on Windows XP and 
Windows 2000 systems, that breaking into a computer isn't as tricky as 
somersaulting across a pressure-sensitive floor to install a snooping 
device, as in ``Charlie's Angels 2000.''

``What seemed like science-fiction 10 years ago, people now know it 
exists,'' said Steve Gibson, head of the security consultants Gibson 
Research in Laguna Hills. ``Hollywood can now have someone lament 
about a computer having a virus. . . . You don't have to explain it 
anymore.''

Close to the hearts of many a security expert is ``WarGames,'' from 
1983. ``That was one of the turning points (in hacker movies),'' said 
Riley Hassell, a security researcher with eEye Digital Security, an 
Aliso Viejo security-software company.

In that movie, Matthew Broderick, who plays a teenage hacker trying to 
access unreleased computer games, skips school for a week to research 
the life of a man who designed the ultimate computer game. His goal is 
to discover a secret password that will get him through the 
``backdoor,'' a shortcut that programmers often add to software code 
so they can bypass security.

``That was pretty realistic,'' said Barnaby Jack, also a security 
researcher at eEye. `` `WarGames' was what got a lot of people into 
the hacking scene.''

Another highly rated movie among security-industry professionals was 
``Sneakers,'' which was written by the same folks who wrote 
``WarGames.'' The movie revolves around a ragtag team of hackers who 
were once on the other side of the law but are now in business to help 
companies find flaws in their security.

``That's what I wanted to do,'' Hassell said.

And that's what he does.

Hollywood enjoys the drama of hackers guessing passwords quickly and 
at the very last second, as in the 2001 movie ``Swordfish,'' which is 
about a hacker who double-crosses a crime lord by adding super-strong 
encryption to a bank's computer system. Of course, he's forced to 
break back in -- in less than 60 seconds.

`` `Swordfish' is a horrible, horrible example,'' said Chris Prosise, 
vice president of professional services with security firm Foundstone 
in Mission Viejo. ``The guy supposedly cracked the algorithm within a 
few seconds. But that's impossible.''

In reality, cracking passwords takes at least a few minutes, and much 
more if the word isn't in the dictionary, said Steve ``Rex'' Frank, 
chief technology officer of Alvaka Networks in Huntington Beach.

``If there's a dollar sign or something else, it could take a hundred 
hours,'' said Frank, a professional ``white hat'' hacker, which means 
he uses his computer skills for good.

Hacking a password is usually slow and methodical, he said.

``The password-cracking programs I use -- it literally will try A, A1, 
A2. Eventually, it will get any password.''

Sometimes Hollywood's knack for exaggeration misleads the movie-going 
public, Gibson said.

``I actually had one of my field agent contacts tell me that FBI 
management is upset because they can't track down hackers like they do 
in the movies,'' Gibson said.

Perhaps the biggest flaw in Hollywood's depiction of hackers is the 
portrayal of their lifestyle.

In ``Hackers,'' for example, the troupe of teenage computer geeks -- 
which included sexy Angelina Jolie -- go clubbing at night, in-line 
skate and throw parties attended by crowds of hipsters.

Hassell says he can attest that the hackers he knows aren't the most 
sociable or fashionable creatures.

``None of them are attractive people,'' Hassell said. ``These guys are 
big `Star Trek' fans. They eat chips and drink beer.''

Gibson tries not to think about inaccuracies in movies. He goes to be 
entertained.

``There is definitely a trade-off between accuracy and 
entertainment,'' he said. ``This isn't a computer seminar.''



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.