The probe used multiple SQL injections, but I've yet to find
any compromised files. This is terrible! When I first saw this show, I shut down my TV that very second. Hi, I'm Keren Elazari, a security researcher,
author, and friendly hacker. I've been in the cybersecurity space for more than 25 years. I'm the founder of Israel's
largest hacker community, BSidesTLV, and the Leading Cyber Ladies. Today, we're gonna take a look at some cool hacking clips
from film and television and discuss, how real is it? Yikes! I wouldn't do that. That is bad, bad OPSEC. Bad operational security. The computer might actually
be physically booby-trapped. If I had the computer like that, I was bringing it in for investigation, I might even x-ray it before
I did anything with it. When we bring in a device for a digital forensics investigation, we usually open it up
in a lab environment, not in the middle of our agency office. It's his omega site. I don't know the term "omega site." I think that's just added Hollywood jargon to make it look scary. Most encrypted level he has. It wouldn't be a level. It might be a file or, you know, a segment of the hard drive. There's no levels. It doesn't look like this. There's definitely no 3D, you know, moving animations of
what the file is doing.
Q: Looks like obfuscated code to conceal its true purpose.
OK, that bit is real. Yes, you could obfuscate your code, and malware authors often do this.
Q: He's using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes.
We have seen polymorphic code, specifically with malware. So, now we finally see a
hex version of the code. Hex stands for hexadecimal. Now, hexadecimal means 16. You typically can see only 16 characters. 0 till 9, A to F. You won't see G. You won't see R. You won't see O. You can do a lot of things with code, and it can be beautiful, but it's not gonna look like a map. It's not gonna have these,
you know, curly lines. This is something completely different. I think this is maybe three out of 10, and I'm just giving them
some points for, you know, putting in some actual, real-world terms, like malware, polymorphism,
and code obfuscation, but that's pretty much
where the realism ends, unfortunately, Mr. Bond.
Darlene: They're in the middle of the final round of the qualifier for a CTF.
So, Elliot and Darlene are
visiting a hacker space that is currently hosting a CTF. A CTF is a capture-the-flag competition, and this is a type of hacker game. It might be about decrypting a really unique piece of
code or something like that. So, in this scene, they're in the qualifying
rounds for DEF CON, and DEF CON is a real-world
hacking conference. It's the world's largest
hacking conference. I've been to CTFs at convention centers, university campuses. There's even hackathons and CTFs that take place in Italian farms. Although the one they're at
right now is extra-underground.
Elliot: They let you save and load your game, restoring all the mines you found and all the shells you cleared. That's the weakness.
What Elliot is doing could be
even considered quite rude, having somebody
shoulder-surf you like that. Yes, it does happen. However, for Elliot to,
you know, within one second understand what's going on that screen, get all the context of that code, and then tell them how
to win that challenge, I mean, I understand the show, of course, sets him up to be of
above-average intelligence, but he would have to be
like a supercomputer.
Elliot: The game trusts whatever data you give it to recreate the board. Poison the data. You can make it run whatever code you want.
It sounds like the hackers
need to reverse engineer or to take apart a Minesweeper-style game. This sounds quite realistic. It's actually based on the real-world CTF challenge from 2012. So I think it's really cool
the show went to the trouble of getting a real-world hacking challenge. [crowd cheering] A CTF room can get loud, it can get sweaty, it can get smelly. It can be electric.
Elliot: All I have to do is hack the registrar and change the name server configs.
What he's doing right
now is very realistic, and it would have taken him
a lot longer than it did. One does not hack a
registrar in two seconds. Elliot needs to get in touch with the backdoor that they planted inside E Corp in the past season. In order to do that, he's utilizing the fact that backdoor, which is basically a computer software, has a hard-coded C2 domain. C2 in this context means
command and control. And it's oftentimes where hackers or malicious criminals
create a piece of code that's going to run inside
an organizational network, but in order to be in a position to communicate with the backdoor, Elliot first needs to
take over the domain. And the next thing he does, and we see him do it, is issue the command "shred." Shred is a Unix command
to not just delete files, but also rewrite them so
that the files would be much more difficult to recover, even with specialized forensic software. I'm gonna rate this
scene at nine out of 10. I'm only deducting the one point just because of how
fast everything happened and how quickly those hackers let Elliot jump into their CTF game. Well, we can tell she's a hacker. She's got all those
stickers on her laptop. Nine Ball, Rihanna, is using
open-source intelligence, which is a fancy term for the internet. This is what's called a
spear-phishing attack. She's not just going on
a phishing expedition; she is spear phishing. She's targeting this particular individual with an email with a topic, something that he's
really passionate about. There are definitely attacks out there that would give an attacker
control of your webcam, and they could even turn on your webcam and you wouldn't know that it's on. But it typically takes
a little bit more time and a tiny little bit more interaction on the side of the victim. They would maybe run an
application, install something. It will take a little bit extra. These types of physical boxes that would allow you
to unlock any passwords don't really exist for computer passwords. Many of you have a phone that if you put in the four-digit PIN or a seven-digit PIN and you get it wrong, the phone will get wiped after
five or 10 wrong attempts. So those physical boxes in the real world, used mostly by law enforcement, would bypass that using all
kinds of different tricks, but they would require physical access to be connected with a cable to their target device, to the phone. It makes sense that they
require an additional password just to get access to
that particular software. That's cool. That makes sense. However, this looks like
a 12-character password, and it's got not just
numbers, but also upper case, lower case, and special characters. For a password of that length, it would have about 94 to the power of 12 different possible combinations. That's a number so big that
I can't even spell it out. You'd have to use the whole screen just to write it down, right here. There is no way an electronic
box could crack that. And if Nine Ball has a box like that, it's more valuable than whatever it is they're gonna steal from
The Metropolitan Museum. I would probably say the first part, about the spear phishing,
is extremely realistic, but then it kind of loses the realness. So I'm gonna average
it at seven out of 10. I think it was the turning point, where Hollywood started
showing realistic hacking. So, what we're seeing here is that Trinity is using Nmap, which is a legit network
scanning and mapping tool that hackers use all the time. We also see her using
something called SSH Nuke. So, SSH Nuke refers to "secure shell." And SSH Nuke is, according to the movie, basically an attack
against the SSH service, where she's taking advantage
of a specific vulnerability. And it's even telling us it's attempting to exploit
SSH version one, CRC 32. So, this was a real-world vulnerability in SSH that was only discovered maybe about a month before
this film went to set. So as somebody was working
on the screenwrite, as they were in preproduction, this vulnerability in that
piece of code was discovered, and they already featured it in the movie, which I think is extremely
timely, extremely accurate. The only tiny element here
that isn't that realistic is that she is resetting the password. If she successfully
exploits that vulnerability, the exploit would give
her root privileges. She wouldn't necessarily
have to reset the password. There is no way she could hack like that and not make a ton of typos. All the hackers know you need fingerless gloves to type fast. I'm gonna rate this
scene at 9.5 out of 10. And I'm taking away half a point just because of the gloves, girl. [keypad beeping] [door buzzing] So, Lisbeth here is doing the groundwork. She is casing her target. What she's doing is basically hanging out and catching, hearing the code as it's being touched in the keypad. And it sounded like one, two, one, two, which looks like what she's pressing. So, in the real world, it's not that difficult to understand what the different digits sound like if you train your ear to it. She's not gonna mess around with it. She's not gonna plug her computer and be seen doing all
kinds of nefarious things. She's gonna take photos, get out of there, and then analyze those photos to see exactly what the hardware setup is, what the router is, what the type of communication setup is in that apartment building. And then she procures a specific device from one of her fellow hackers. I think that's very realistic. Looks like a, you know, a hacker space. Looks like a lot of places
I've visited, definitely. The device itself, it's hard
to say exactly what it is. We see that it's a Nokia. This might be in reference to something called the Nokia N900, which used to be known in
hacker circles as the pwn phone. And it was a phone that was used primarily for wireless-network hacking. However, it didn't look exactly like this, so this might be a specialized device. It might be a tablet that's got both a cellular connection
and a network interface. It might be something similar to this. The device she's using in the movie is a little bit dramatized. It's a device that you can
plug into the ethernet. That's where you put in
the network connection. And it also has room for a SIM card. So, you put in a SIM card, it's got a cellular uplink, and you plug it into the wall. It's actually designed to
look like an air freshener. And if I was doing a security assessment, I would sneak in, just like Lisbeth does, I would plug this into the
electricity, into the network, and then I would use this other connection to, basically, from my
remote hacker hideout, to plug in, call up this bad boy, and run some network assessments, see what I can sniff, see what I can capture on that network. So, based on what we just saw, I'm gonna give it 10 out of 10. It's a very realistic scene.
Mark: Billy Olson's sitting here and had the idea of putting some of the pictures next to pictures of farm animals and have people vote on who's hotter.
So, apparently Mark Zuckerberg indeed live blogged everything
that's going on in this scene, when he created his Facemash. So everything that he's writing I'm gonna assume the screenwriters grabbed from his actual blogs.
Mark: A number to represent each person's hotness like they do on hotornot.com.
A website called Am I Hot or Not was around. It was very popular.
Mark: Unfortunately, Harvard doesn't keep a public centralized facebook, so I'm going to have to get all the images from the individual houses that people are in.
So, he has to tweak his script or has to tweak his process to match the specific houses,
which is very realistic. Even today, academic
institutions' internal webpages are a spaghetti of different
types of code bases and servers.
Mark: They require a username/password.
For one of the houses, he is required to provide a username and password. And the movie shows us for a split second that he's got the mzuckerberg login, but then we see he logs in with another username, called bolson. This is a hack. This is a moment where he
uses somebody else's access. And that would be, you know, probably against the
Computer Fraud and Abuse Act. Certainly against the
Harvard rules of engagement.
Mark: Dunster is intense. Gonna be difficult. I'll come back later.
This is very realistic. If there's one that
poses an additional layer or additional challenge, we won't spend too much time on it. We will circle back and get back to it. And this is also what the criminals do. They go for the low-hanging fruits. They go for the easier
targets first, and only later or if they're trying to
achieve a very specific goal, they would go for the target
that's even marginally harder. You want to have that
additional layer of effort for the bad guys to get in.
Mark: To break out Emacs and modify that Perl script.
And the movie represents it as if it all took place
over one drunken evening, where in the real world it took him at least a couple of nights. He was obviously very capable
with what he was doing, but these are no zero-day exploits. These are not novel, innovative attacks that we've never seen before. Basically, he is automating the process of grabbing images from web servers. So, something quite simple. I would give it nine out of 10. I think the only unrealistic elements here is basically the
fast-forward that they did to make everything happen
within one dramatic evening. Hack them all. [keyboard clicking] [engine starting] This hack is actually
based on a real-world hack that was demonstrated about a year before this movie came out. So, back in 2015, Charlie
Miller and Chris Valasek demonstrated that they can remotely hack a 2014 Jeep Cherokee using the infotainment system. [tires screeching] I don't think it would have
been realistic in 2016. It might not even be realistic today for a hacker to be able to get into a lot of different
makes and models of cars. Even the best
automotive-security researchers would struggle with remotely
turning on the ignition for a car that doesn't already have a feature like that built in. However, in the future,
we are gonna see cars that are much more
connected than ever before. This could be a very
scary, realistic scenario. They are using, I guess,
unlimited computing power to coordinate the movements of all of these vehicles. If you think about it, even if you have remote control
of a vehicle's steering, you would still need to
have a satellite view of where all the cars were going and to somehow coordinate all of them to make them all go the same direction or where you want them to hit. So let's go for seven out of 10. I'm taking away points for
how easy everything is. Cipher already has everything set up, all she has to do is click on a tablet. I have definitely done that in the past. So, looking for a note,
looking for a piece of paper that's gonna have the password for the system that you want to access. People write down their passwords, but even further than that, people recycle their passwords. I just have to go to some of the many databases of leaked passwords, and I can easily find that you had five or six different accounts where you used the same password, so I'm gonna bet that you're gonna use that same password or a
very close variation of it for a lot of your other online services. And hackers do this all the time. It's called credential stuffing, and we're just going to stuff them and try and see if any account,
any system lets us log in. It's super easy for hackers to look over your social-media posts, or maybe even when you're on a Zoom call, and you've got that Post-it with a password just behind you there. So you want to enable things like two-factor or
multifactor authentication. And sometimes that
additional layer of security could also be biometrics. Good scene. Gets 10 out of 10 for accuracy. I've done it myself.
Airiam, how we are doing on that data core audit?
Airiam: The probe used multiple SQL injections, but I've yet to find any compromised files.
This is terrible! This is horrendous. So, I gotta tell you, when
I first saw this show, I shut down my TV that very second. To think that a space probe in the future, in space somewhere, would use something like an SQL injection to attack a Federation spaceship. So, SQL injections are something that hackers use nowadays. You're banking on the
fact that the SQL server is going to run whatever you input. And this is ironic because SQL was first created in the 1960s or 1970s, so maybe the writers of the show are basically telling us that we're stuck with SQL
for the foreseeable future. I give it one out of 10. So, they log on to our boxes, and our boxes log on to the real WiFi? Between everyone's device -- The scenario that's described in the scene is very realistic, and they're using a real-world device, a WiFi Pineapple made by Hak5. What I got over here is
the WiFi Pineapple Nano, which is a much smaller version of the routers that they used in the show. And it's designed to be very sleek, so you could walk around with something like this in your backpack, and nobody would be the wiser. So any phones or computers walking around the vicinity
of a device like this would be logging on to this instead of the legitimate access point that they think they are logged on to. And they wouldn't be able
to tell the difference. So we show them a fake landing page and force everyone to
download a doctored version of the Hooli-Con app. The second part of the
hack is also realistic. They're using their control of the WiFi to point people to a website they control made up to look like the
Hooli Conference website. I would rate this at 10 out of 10. I highly doubt that the CIA would have servers that
would be accessible over the internet. While she's on that server, all the files are organized really neatly in cool folders with all of
the covert projects' names. Now, this may seem unrealistic, but actually, a year
after this film came out, we actually saw something called Vault 7, which was featured by WikiLeaks, which was an actual leak from the CIA. And they did have a lot of
their covert operations, including their hacking tools, organized in files and folders like that. It doesn't look like any security-monitoring tool that I know. However, what's probably happening here is that Nicky is using a backdoor that somebody has already
set up from inside the CIA. So, basically, Nicky's
computer is sending packets to specific ports on the CIA's computer, and after a specific sequence, so a packet's sent,
let's say, to port 7,000, port 8,000, port 9,000, the CIA's computer accepts
that as a secret handshake and opens up a connection
from inside the CIA to Nicky's computer. This is a realistic capability.
Agent: Where's that trace --
Agent: Unknown user.
Again, they're using a basic capability. Traceroute is something that even your Windows computer could do, any Unix computer could do, but the CIA has that added
extra stuff they put in there that's gonna correlate it not just to a physical location
somewhere in the world, but also to the accurate GPS coordinates. Sakov's hacking camp. So, it's remarkable the CIA
instantly knows that location, they know it's a hacker space, they know all the hackers in the world, and they know where they live. Kill the power to the building. You know, this is not a capability that an intelligence
agency is gonna flaunt, if they have such a capability, to remotely kill the power
to a specific building. When hackers hacked the
electricity system in Kiev in the Ukraine in 2015,
and then again in 2017, they took down the power
for chunks of the city, and it took them months
to set up that hack. I don't know if this is something that could be realistically done in such a targeted manner,
to one house in particular. We see IP addresses that
are simply impossible. For example, an IP address
that begins with 300. So, IP addresses are made up of four octets, four segments. Each octet has three digits. The digits, of course, could be zero. So it could be anything from zero to 255. Anytime in the movies
you see an IP address that starts with -- you know, that's, like, 257, it's bogus. It doesn't exist in the real world. [computer beeping] If I'm hacking, I will
probably have some tools that are gonna alert me if my computer is being
scanned or tracked, but it would not look like this. I'm gonna give it a six out of 10 rating. They did include some
very realistic things, but bogus IP addresses,
that's not gonna fly. OK, so "Hackers" is my ultimate, all-time-favorite hacker movie. It's the reason I chose to become a hacker in the first place. This is what it looks like when somebody is
analyzing a piece of code. An entire night goes by. A montage passes us by. He needs all that time,
and he's got friends, and they're, you know, eating cold pizza, drinking warm energy drinks. That's the hacker menu I grew up on.
Dade: This is every financial transaction Ellingson conducts, yeah?
Now we actually see
hexadecimal on the left, and to the right, the ASCII characters, or the financial transactions that the hex code would actually represent in the Ellingson Corporation's
computer systems. So this is fairly realistic. The antagonist is using
the Da Vinci virus. They basically created
a very disruptive virus that's threatening to capsize the Ellingson Mineral
Corporation's oil tankers if it's not paid a million dollars. Mind you, this is the
first case of ransomware that Hollywood has ever depicted, before ransomware became
a thing in the real world. Nowadays, we have a lot
of attacks like this, where criminals take
over your computer system and request a payment in
order to decrypt the files and give you back access to your systems. So while it wasn't accurate back when the film took
place, in the '90s, I think it really predicted the future. I would love to give this 10 out of 10. I'm gonna take away two points, a couple of points, just because we don't actually see any of the software code. Stop recycling your passwords! It's not a good kind of recycling. Don't do it. In fact, I got a T-shirt somewhere that says, "Hackers don't
break in. We log in." And that's fairly accurate.
The section about Mr. Robot is around timestamp 2:47 to 5:56.