According to Andrew Hay, senior security research lead at OpenDNS, the storyline for Michael Mann’s new film, titled Blackhat, about an international crime ring of evil hacker masterminds was easy to identify. In a post-screening interview, Hay commented on Blackhat’s plot by saying, “Mann clearly drew inspiration from real-world events. It’s basically the Fukushima Daiichi nuclear disaster meets Stuxnet.”
While the film may be 2015’s first box-office bomb, earning just $4M in its first weekend, its release was highly anticipated by the characteristically skeptical hacker community, including Hay and his OpenDNS research colleague, Vinny Lariza. Although early previews reported the movie’s technical details were surprisingly accurate, Hay and Lariza weren’t convinced by the pre-release buzz. What could be more entertaining for a couple of world-class security researchers than an opportunity to weigh in on the legitimacy of a blockbuster cyber crime thriller starring the former Norse God of Thunder? Last Friday, the film’s opening day, Hay and Lariza set out on a mission to debunk Hollywood’s latest take on modern-day hacking.
Blackhat stars Chris Hemsworth (aka Thor) as a talented hacker turned cyber-criminal who evades his 14-year federal prison sentence by helping the FBI prevent world destruction at the hands of genius coders. The plot chronicles ex-con Thor as he reunites with Colonel Chen, his college roommate and an officer in the Chinese military who returned home and now heads up the country’s Cyber Defense Organization. While the world teeters on the brink of disaster as it faces hacker-induced stock market anomalies and a mysterious natural disaster caused by malware in a ‘connected’ cooling system, Thor manages to spark an awkward romance with Chen’s sister, furiously pound-type on abnormally resilient keyboards, write code at a superhuman pace, and (spoiler alert) eliminate evil-doing hackers with his impressive collection of screwdrivers.
How did Blackhat stand up under the scrutiny of real-world security experts who live and breathe hacking on a daily basis? Overall, Blackhat clearly benefitted from knowledgeable security advisors but according to the OpenDNS researchers, there were some scenes where the film misrepresented the realities of coding, forensics, and security in general.
Here are some of their most noteworthy observations:
NSA Phishing and The Black Widow Supercomputer:
A major plot twist in this cyber tale involved an NSA supercomputing service called Black Widow. Black Widow was supposedly a system that, according to Hay and Lariza, would have taken anywhere from hours to months to upload. Thor, however, uploaded the entire system with the ease and speed of an Amazon 1-click purchase. Additionally, in order to access the highly classified and protected Black Widow service, Thor first had to outsmart an NSA agent with an obvious phishing email. The malicious email was sent to the agent “from his boss” and instructed him to change his password. Oddly, before the agent changed his password, he clicked on an attached PDF file named “Policy on Changing Your Password.” After the agent had reviewed the policy, downloaded a keylogger, and changed his password, Thor successfully gained access to the system. From the Web GUI for top secret software to the agent’s remarkable lack of security smarts, Hay and Lariza gave this scenario a zero out of ten in the accuracy category.
TOR Setup Just Isn’t That Hard:
Another favorite scene involved Thor’s love interest explaining how the villain hacker was using DD-WRT firmware combined with TOR to anonymize his identity without an IP address. In reference to TOR, Thor exclaims, “someone must have set it up for him!” Hay and Lariza found this conclusion interesting given that Thor, an expert hacker, was seemingly unaware that a very quick Google search would yield directions for this highly technical “setup.”
Miraculous Hard Drive Selection:
Hay and Lariza were also amused at Thor’s hard drive selection skills. Miraculously, when faced with selecting the right hard drive from a rack of over 50 boxes, he easily pulled the exact one that was storing the Jakarta-saving data needed to track down the villain hacker. Hay pointed out that “Random hard drive selection equals the keys to the kingdom” is not realistic at all.
Sloppy and Meaningless Code:
There were several examples of sample code displayed throughout the film, and while most of it appeared accurate, Hay recognized instances of ‘sloppy code’ – the kind computer science professors at Stanford would frown on. For example, “cp source destination” is correct but was written incorrectly in one scene as “cpsource destination” (not everyone is skilled enough to notice a missing space on the big screen). Other issues that put Blackhat’s technical accuracy in a less than legitimate light? In one scene, the malware code in question was displayed as hexadecimal on the left side of the screen with a mix of ridiculous characters and random English phrases on the right. According to Hay and Lariza – and probably most people who have used a hex editor before – this code would not, in fact, mean anything, let alone save the world from bad actors (pun intended).
Overall, the team found Thor unconvincing in his role as a brilliant computer mastermind, but when measured against some other Hollywood attempts to dramatize hacking, Hay and Lariza gave the film a respectable 8 out of 10 for technical accuracy. Although relatively accurate, Blackhat still feeds Hollywood’s ongoing dramatization of hacking as a dark art practiced by modern-day supervillains.
Hay and Lariza’s Favorite Hacker Movie Picks:
Films about hacking are tough to do well, and according to Hay there hasn’t been a success in the genre since 1992. He recommends John Badham’s WarGames and Phil Alden Robinson’s Sneakers as films that successfully portray computer science on the big screen.