Movie hacking - Telnet my SSH via BIOS ... or something

Updated: October 24, 2008

Movie hacking, well ... sucks ass. I'm sorry to be so blunt, but it simply does. Almost every single movie (that I have seen) involving some sort of hacking turns the craft of network security and cryptology into a l33t script-kiddie game for the masses.

Hacker's profile

Serious hackers are mathematicians and signal processing specialists, often with respectable university degrees. Take Richard Stallman and Gordon Lyon, for example. Hackers are quite often pioneers in the technology revolution that encapsulates us, whatever the moral spirit of the story might be. Hackers are often employed by security companies as consultants and analysts.

So, why do the movies always have to portray hackers as rebellious kids with disheveled hair? Why do hackers always have to live in a basement, surrounded by tons of senseless gadgets? Why can't they be people like you and me? What's the cardinal difference? It seems rather dull that an entire world of computer users should be congested into a single, bland stereotype.

Hacker's tools

If the movies are even a remote reflection of the reality, then hackers seem to prefer clunky, small laptops over comfortable, high-end desktops, since it is well known that the weaker the processor is, the more quickly it can brute-force crack cyphers. Most hackers will also use pseudo-techno desktop wallpapers with lots of icons haphazardly arranged all over the place, listen to rave music - and most importantly of all - use black terminals with glowing green fonts! Yes! Here's a classic example of this holiest of stereotypes:

Movie hacking leet terminal
Yes, green neon-like fonts, black background, combined with a stylish biohazard sign; this is all a real hacker needs to crack down the Internet in just a few quick key strokes; actual commands are not important, as long as the colors are sweet ...

I do realize that the fluorescent green looks nice on the camera - and it gives off such a nice tinge of foreboding and fear, for it is the favorite color to portray anything bad, be it radioactive waste, biohazard, zombies, or hackers. But it's hardly the color of the month in the hackers' editorial. Human eyes do not cope well with striking contrasts - both in color and intensity. The only thing worse than the black terminal and a green font is probably a pink terminal and a green font.

Then, there's the typical hacker's workspace. Ah, the beauty of it. A semi-ruined, fungus-eaten sofa, the throne of the hacker, surrounded by discarded junk food wraps and energy drink cans, tens of flat panels glued to the wall somewhere in front of the hacker, lots and lots of wires running around - for we all know that the longer the cable the better the signal at the far end - and the inconspicuous Achilles' Heel, THE device that can bring the hacker down, a web camera or something of a sort. All of these merely set the atmosphere for the hacking action that's about to take place in the movie. For it is the actual hacking that makes the difference. Let's see some shiny examples ...

Independence Day

I really liked this movie. Lots of cliches, tear-inspiring speeches, shooting, and blowing things up. Brent Spiner's performance, no matter how short, was a refreshing bit of nostalgia for the Star Trek (TNG) fans. But the hacking that took place ... well, it was simply lame.

Dr. Brackish Okun (Brent's character) claims that they have not been able to replicate the alien power source technology for the fifty years the Roswell craft has been in their possession - and yet, somehow, magically, David Levinson (Jeff Goldblum) manages to write a "virus" that infects and subverts the entire alien defense infrastructure.

Let's give the Area 51 guys credit and say they're using UNIX or BSD, at the very least. Should we also assume that the evil aliens also run UNIX? If not, the question of how David manages to interface a basically human-written language into the operating system of a far advanced alien race becomes a mystery. If we also take into consideration that the "first" alien ship crashed in Roswell in the late 40s, well before UNIX was created, the remote chance the aliens might be using this phenomenal operating system to power up their gadgets seems somewhat unlikely.

Finally, the downed spacecraft has no problem connecting to the mother ship - via the alien USB 666.0. Apparently, aliens have not heard of "firmware upgrade" - nor used one in the fifty years the downed spacecraft was on earth, for it manages to plug in without any problems. Or better yet, they have extraordinary backward compatibility.


Hacker in action
I'm currently arping the entire LAN 'hood, after that I'm going to nmap the hosts and finally Wireshark the tcpdump logs. Ah, not quite what you imagined, is it? No secret basement, no random electronic equipment strewn about. Here's me, hacking at my leisure, seated on me new sofa, gently basking in mid-afternoon sunlight ... The laptop is not even on, I'm just pretending to be a big naughty boy!

This is probably the holy bible of movie hacking nonsense. Not only is the terminology completely useless - let's face it, some movies at the very least pretend to use words that hackers might consider in their lexicon - the simplicity with which the systems are overcome borders on supernova implausibility. In this movie, the hacking is a matter of hitting the "laptop" keyboard as quickly and randomly as possible, while being threatened by guns and lovely looking ladies in a backroom of a night club or something. Enough said.

Die Hard 4

You must give them credit, they did try hard to make it look real. But they messed up the few critical details that actually build the entire premise of the movie. Well, for one thing, hacking into government institutions' databases is quite impossible, for one simple reason - they are not available online! It is theoretically possible to hack a few websites here and there, but the critical information is kept on very secure internal networks completely isolated from the outside world. Computers containing very sensitive information do not even have any peripherals to begin with, making any attempts to install software or milk information rather difficult.

They did introduce this most basic security mechanism in the movie, but only as a premise for more ass-kicking by John McClane. And naturally, the security facilities supposed to contain the most sensitive data upon which the entire country relies are protected by WalMart guards.

The threat to the entire financial infrastructure of the country really evaporates when one considers that most banks are churning along happily running 50s-era COBOL monsters and have only recently been merging to the ultra-state-of-the-art OS/2, tons of backup tapes and disks, and the most marvelous of all, paper, on which things are printed and which cannot be hacked.

Then, there was the matter of eliminating all hackers that participated in the creation of the "mutating" algorithm. They all had explosive charges built into their computers - and they were triggered by a "virus" uploaded to their computers. Why bother? If you can penetrate the safety of someone's home, install a booby trap inside his/her computer no less, why bother with a complex mechanism that is triggered by a very specific sequence of keyboard strokes AFTER malicious software is uploaded and installed in the victim's machine - provided the victim, who is supposed to be a top-notch hacker, turns out to be so gullible as to fall for something like that?

Do you realize how tiny and cramped computer cases are? There's no place for explosive charges. And what about the so-called virus? If we're going to be leet, it should be called a Trojan at the very least, for the purpose of the virus is to infect - not control. And then there's no reason for the uploaded file to be actually called "virus." Something simple like script_4 would work as well. Using a remote control to blow the hackers would also work equally well.

In another instance in the movie, a local IP address popped on one of the screens as the IP address of the victim's computer. No problem, except the attacker was located several hundred kilometers away, possibly on a completely different LAN segment, making access to the particular route extremely unlikely. What's more, the father-of-all-hackers is brought down within seconds and his web camera, no less, is operated remotely by the all-knowing, omnipotent villain. Oh, lastly, the villain turns off the electricity across the entire USA, yet the Internet magically continues to work. Go figure.


All in all, I liked the three movies mentioned, and many others introducing no less spectacular and ridiculous concepts of IT security. But there's a limit to how exaggerated things can be. Real-life hacking is rather tedious. You have the port scanning, reverse engineering of executables, debugging kernel calls, and pure brute force attacks. Often, hundreds and thousands of CPU hours go by without a single moment of thrill.

The way I see it, the purpose of action movies is to stir us with near-possible scenarios, so that we can relish in the fear and rejoice in the great victory of the good guys at the end. When you push the limits of reality too far, you take away the thrill and the hope. And we don't want that. Kudos to the movie The Matrix for portraying the hacking in such simple, real terms. If you don't know what I'm talking about, watch the movie and see what happens... up to a point, that is.