SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

DE:CODED – 9 Hollywood Hacker Movies Rated

“How do we make looking at a black screen with code interesting?”

SUBSCRIBE! Use one of the ‘Listen on’ links below to keep updated using your favourite podcast platform.

Listen on Apple Podcasts Listen on Spotify

Series 1 | Series 2

Other ways to listen: YouTube | Google Podcasts | Stitcher | RSS


Show notes for series 1, episode 8

How realistic are hacking scenes in Hollywood movies? Security expert Simon Edwards analyses scenes from nine of the most well-known films about computer hacking.

Hollywood Hacker Movies Rated

Which are the most realistic? Or stupid? And why?

We don’t take a totally nerdy approach to this. Reasonable latitude is given to artistic license. But we take a zero tolerance approach to loud keyboards.

Please subscribe and join the discussions.

Sign up to our newsletter!

Topics

  • Simon and Marc discuss and dissect 9 Hollywood hacker movies from the last 30+ years, including:
Annual Report 2021

Hollywood Hacker Movies Rated

The movie clips

Other resources

Transcription

(Generated automatically)

Marc Briggs 0:01
Welcome to DE:CODED, Series One, Episode Eight – your weekly podcast providing in-depth insight into cyber security. Show notes, including any links mentioned in the show are available at DecodedCyber.com.

Simon Edwards 0:21
I’m Simon Edwards, CEO and founder of SE labs, the world’s leading security testing lab. I’ve been advising on security for over 20 years.

Marc Briggs 0:31
And I’m Marc Briggs with over 10 years experience as a British Army officer, and five years in cyber security. I’m now the COO of SE Labs.

Marc Briggs 0:42
Welcome to the latest and final episode of DE:CODED, our podcast looking into cyber security. Our last one of the series anyway. We’re looking forward to series two already. On this episode of DE:CODED we’re going to do something a little bit more lighthearted. And we’re going to use Simon’s in-depth experience in the cybersecurity industry and ask him about all of those hacking sequences we see coming out of Hollywood on the big budget blockbuster movies.

Marc Briggs 1:19
So we’re gonna have a look at a few clips from some movies that undoubtedly you will have seen. And we’re going to break them down and find out how realistic they really are. And will have a go at ranking some of the Hollywood movies into a great representation to extremely poor and, and, and just mainly for show.

Simon Edwards 1:44
Just keep things realistic I’ve brought snacks.

Marc Briggs 1:47
Oh, yes, yeah. Oh, and you have to have litres of energy drink as well. And it is 2am in the morning.

Simon Edwards 1:55
I didn’t bring a hoodie. I’m in your hands, Marc. What are we going to watch first?

Marc Briggs 2:02
Okay. So the first movie we’re going to go and have a look at is a film called Snowden from 2016. A few of you will have seen this. And the specific clip we’re going to take is during the interview phase, the testing phase for the testing analysts. And in this particular sequence, the wannabe hackers are given a task which is seemingly very difficult to do. And the individual that does it will impress the government agents the most does it in super-quick time.

Marc Briggs 2:05
But this is a real story, isn’t it? So you’d expect this scene to be realistic?

Marc Briggs 2:52
Yeah. Well, you’re led to believe that the Snowden movie is based around true real life events. And therefore what we’re seeing on this clip is a realistic interpretation as best as the film, film writers could portrayed. Based on the knowledge that they had. It’s a bit like The Crown I guess, for those who’ve seen The Crown like it’s the best interpretation that the script writers can write with the knowledge which is public

Simon Edwards 3:23
and presumably trying to make it at least a bit entertaining and not just a fly on the wall boring series of events of people’s normal lives.

Marc Briggs 3:31
Well, I think that’s going to be the theme across the whole of this, the whole of this podcast,

Simon Edwards 3:37
What, drama in the movies?

Marc Briggs 3:39
How do we make looking at a black screen with code interesting?

Simon Edwards 3:43
Every security conference in last 15 years has had to tangle with that one.

Marc Briggs 3:48
Yes. And Hollywood have had a very different interpretation than a lot of those conferences that we’ve been to.

Simon Edwards 3:54
I’m looking forward to this. I want to see how realistic this NSA interview process is. Okay, not that I would know what a real one actually would look like.

Marc Briggs 4:01
So we’re gonna watch, we’re gonna watch the clip now, which we won’t play over the podcast. And then we’ll hear Simon’s thoughts on it. After we’ve watched the clip. I’m ready.

Marc Briggs 4:18
Okay, there we saw the tasks that the government had set, the analysts usually usually takes five hours to complete. But if it takes more than eight hours, then they’re out. And this guy does it in 38 minutes, which is obviously a record based on the the government testers, facial expressions. And, and then the analyst talks about that they didn’t do stuff in sequence. And they they obviously did concurrent work, but they had to build a communications network, break it down and build it back up again. In their hometown. What do we think of it? Simon? What do we think of it? Well, I

Simon Edwards 5:04
think it’s not very clear what they mean by building a covert network. But that’s, you know, they’ve probably been trained in that kind of thing. So, you know, we shouldn’t need to know,

Marc Briggs 5:13
We can give them a bit of leeway there.

Simon Edwards 5:15
Yeah. I think setting up remote infrastructure, you probably would use a Unix based operating system. And that’s clearly what they are using, they’re possibly Linux or something similar. Yeah, they’re all typing fast, you’d expect that

Marc Briggs 5:30
you hear that a lot. Actually, you hear a lot of, and the the scene that we’ve got that we’ve just watched, there was a lot of typing a lot of noisy keyboards. And then, of course, when the analyst is saying how they’ve done their task, they all stop typing, get taught, they that they didn’t get told off, you just hear a lot of that a lot of [drumming sounds] starting up again, everyone typing in very quickly.

Simon Edwards 5:55
And that actually might be one of the least realistic parts of that sequence is that providing a room for people with mechanical keyboards rather than the quieter ones is a pretty anti-social thing to do. If you’re going to work in an open plan environment, at least give people quiet keyboards to play with.

Marc Briggs 6:13
So he’s saying from but from a hacking point of view, what do we see on the screen there? Like what was what was on what was on that

Simon Edwards 6:18
you can see people running scripts, which they would be, what generally happens online is after a sequence like that, the nodes come out in force and pick holes and say, well, there’s no such thing as that script, which is not true, because you can anyone can make a script and call it what they want.

Simon Edwards 6:34
And they’ll analyze every piece of a command line command that’s typed out with all the switches. And say, “Well, I don’t know what kind of version of nmap they’re running there, but that wouldn’t work!” But I think, quite reasonably, you can’t assume that the NSA is using exactly the same tools as us. So to pick holes in the small details of the commands is pretty petty, I would say. Yeah.

Simon Edwards 6:56
So I think that’s quite a reasonable, realistic show of how people would set up a site of some sort be it a website or a messaging infrastructure, that kind of thing. Yeah, I’ve got I’ve got no complaints about that.

Simon Edwards 7:11
Okay, so we liked Snowden. The film? Yeah. Yeah. I mean, yes.

Marc Briggs 7:17
Okay. That’s a good start. That’s a good start.

Marc Briggs 7:22
Okay, so we just watched a scene from Blackhat, which I think came out 2014. And in this sequence, we’ve seen the hacker attack the target

Simon Edwards 7:33
with a heavily amplified keyboard again oh, yes, yes, yeah, so the 80s

Marc Briggs 7:37
a lot of heavy typing, but not a lot of hearing on the screen. But you hear that all the chitter chatter of keyboard keys slamming. But this attack was carried out by asking the target to change their password, and supplying the what looks like the company’s password policy, as a PDF attachment to the email that the target received, the target opens the PDF, which has a key logger attached to it. The key logger is used to by the hacker to identify what the new password is. And then with that password, the hacker is able to get free run within the the constraints that that user has within the system. So Simon what did we think of Blackhat?

Simon Edwards 8:34
Well, that particular scene was very realistic. In fact, it reminds me of the way we do a lot of testing. So the way they described it wasn’t entirely accurate. And some of the graphics involved were Hollywood, you know, sort of colored lines shooting off across screens and things. But essentially, what happened there was they sent him a PDF that had an exploit in it, I would guess, that’s probably how it works. And the exploit would then allow them to upload a keylogger. And they wouldn’t, the movie wouldn’t want to walk you through every single step. But the keylogger might have been downloaded automatically to that’s definitely possible.

Simon Edwards 9:11
And so what happens then as he runs the PDF, or it could be a Word document or a spreadsheet. And then essentially, malware is loaded onto the system, using a vulnerability in the PDF application or Word or Excel or whatever. This is really common tactic for many advanced attack groups. We’ve been seeing it for at least a decade. And I would say that not only was that scene, completely realistic, but actually most of the movie was too

Simon Edwards 9:40
I hadn’t actually seen it till a couple of weeks ago when he said we were going to be doing this. But what struck me was it was the most realistic hacking movie I’ve ever seen, but also one of the least interesting and gripping.

Marc Briggs 9:54
Do you there’s a link?

Simon Edwards 9:55
Yeah, I think that maybe maybe it’s just for me, because I’m a nerd. So I’m not are focused on the technical details. And I’m not engaged in the drama of the thing. Sure. But yeah, I think maybe they got quite obsessed with getting it right. I usually like quite like Michael Mann movies, because they’re a bit dumb. And this wasn’t. But it’s also no surprise, when I looked up later that they had employed a couple of quite well known people, one of whom I actually know, as consultants to make sure that the hacking was right.

Simon Edwards 10:31
And what was also quite good as it seems, they will probably stand the test of time because those techniques have been around for ages. And I think we’ll continue to be around for ages were one of the other movies that we are going to look at a bit later, is quite dated now. It was realistic for the time, but WarGames, one of my favorites, I don’t think quite stands up today, as it would have in the 80s. Sure,

Marc Briggs 10:54
let’s have let’s have a little bit of chat about the first phase of that attack that we saw in Blackhat. There. And that was the fact that the target had been asked to change their password. Now in order to do that realistically, than the hacker would have had to replicate the internal policies of the organization, the targets working and you wouldn’t just get an email from an external source and follow it as blindly as he did. So we are. So it’s likely that we’re seeing some sort of, we’re seeing social engineering, and business email compromise, potentially, in to enable the real enough realism for the target to open that PDF. Because you can see on the scene that he was, he was unsure about whether to click on it or not.

Simon Edwards 11:48
Yeah, I think social engineering is, it’s one of the least interesting in terms of movies, because what you want what people want from hackers is this magical ability to turn up and hack a system and get access, like a magic trick. But the truth is, is slightly dirtier than that. And you do genuinely have to trick people into doing things.

Simon Edwards 12:08
You can hack systems, you can scan for vulnerabilities and remotely exploit them. But in the hacking world, those are kind of seen as a bit of a Holy Grail, if you’ve got a remote exploits, which requires no user interaction, Happy Days! if you’re a bad guy, generally speaking, you have to convince someone to do something at some point.

Simon Edwards 12:27
And if you think back to some of the really popular when I by which I mean very successful worms of the 90s and early 2000s. Where the code would go through systems and take people’s addresses out of their contacts and resend themselves and say, “Hey, Marc, this is Simon, open this” is still requires social engineering not only right at the beginning of that attack for the first few victims, but actually everybody else as well. Because if you just got an email that said click on this, you wouldn’t.

Simon Edwards 12:54
So the fact that it’s coming from me might make you more inclined to click on it.

Marc Briggs 13:00
Yeah. So Blackhat with a thumbs up. So we’ve had two thumbs up so far and

Simon Edwards 13:05
really realistic. Both both movies are from, I would say the last 10 years. Yes.

Marc Briggs 13:10
Yes, 2016 2014.

Simon Edwards 13:12
And I wonder if Snowden actually is responsible for some of this, because I would say 10 years ago, very few people were aware of what nation states were capable of doing in terms of hacking, or even non-nation state attackers. And so they just go “well, the guy turns up with a hoodie on and presses some buttons and bad stuff happens.” Great, but now we know how it works. I think the directors do have to be a bit more realistic, or they’ll just get laughed at.

Marc Briggs 13:38
Yes, yeah. And I think that the there’s a lot more knowledge, just generally in society about computers and how they’re working. It isn’t. It isn’t like it was 20 years ago, when you might just be able to send an email or something like that. There’s a lot more understanding now. And you get taught at school, we were sending never taught this stuff at school. So you’ve got a generation of schoolchildren coming up now that know how to code they know how to do a number of these techniques that we are we’re seeing on the TV.

Simon Edwards 14:11
Well, when you go back to the 70s and 80s. When people talked about hacking, they were really talking about enthusiasts who were exploring maybe the the ideas caused some damage, but mostly it was about finding a way through these exciting digital or electric at least networks. Whereas what we saw in around the late 90s, mid to late 90s was crime getting involved. So it took a little while but the criminal started to realize they could make money from doing this.

Simon Edwards 14:38
And I don’t know if you remember but when people use modems in the old days, there was a special kind of malware that came out called a dialer. And what that would do is when you’re at bed at night, not looking at your computer, this code would turn on the modem or at least connect it to the the phone line and make calls to premium numbers. And so your phone bill when it comes a month later would be very high. So you’ve had money stolen from me. And that was the kind of beginning of what we see now with ransomware and other kinds of threats, where there is a financial impact on normal people.

Simon Edwards 15:11
So 10, 15, 20 years ago, normal people didn’t care or know about computer security. But it’s a lot more relevant to your average Joe these days, because you can lose a lot of money. And if your ISP or your phone company doesn’t recognize that you’ve been hacked, then you’re on the hook for maybe, you know, many 1000s of pounds or dollars worth of phone bill.

Marc Briggs 15:31
Yes. Yeah. It’s as a criminal. Now you can attack people and extract valuable information or [inaudible]. While you’re while you’re sat? in your own home?

Simon Edwards 15:46
Yeah. And it’s not just statistics in the papers, you know, probably you and I both know multiple people who have either been defrauded by online criminals or know someone that has been

Marc Briggs 15:57
absolutely. Okay, let’s look at the next movie. Okay, we’ve just watched a clip from Die Hard 4. And in this clip, what are the main characters not john himself. The Hacker is in his bedroom. Classic. At the 2am in the morning was a huge fan of energy drink, and he is hacking, I’m doing inverted commas in the air. Well, that’s what we’re led to believe he is doing. And he’s got chat windows open. So he’s, he’s asking advice from someone on a chat window.

Marc Briggs 16:40
And the bad guys are outside of his flat in a van on the street outside there, we watch them. infiltrate his computer, his network, upload a virus with a with a bar or like a, like a percentage upload bar. And then what the virus is obviously meant to do is just freeze his system, which encourages him to press Ctrl-Delete, which I think is the signal for the C4 explosives that have been strapped to the back of his hard drive to blow up. What do we think of this?

Simon Edwards 17:21
The first question that occurs, I had all sorts of ideas about Die Hard 4 that I was gonna say just now. But just watching it again made me think and actually no, just you saying repeating what happens the sequence of events? If they’ve got physical access to his computer to put loads of explosives inside the case? Why are they uploading a virus? Why is that?

Marc Briggs 17:39
They can do it. Yeah. Why didn’t they just just press because if you think about the post explosion investigation, the police are going to find that it’s a C4 explosive is not going to be it’s not a natural sort of accelerant or anything like that. It’s definitely the fragments of C4 that will be visible to the forensics teams. And so if they’re going to be as blatant as that, why use the individual as the trigger, why don’t they just use the guys on the ground as a surveillance team and press?

Simon Edwards 18:13
Well they were surveilling him as well weren’t watching him so why make him press the button?

Marc Briggs 18:18
Exactly. Exactly. So there’s there’s a little Well, I guess this is a we’ve got rock music going on in the background. And we need as a Hollywood producer, we need a bit of tension that we need

Simon Edwards 18:28
moody lighting. Yeah. I think Die Hard 4 is an interesting film because it is where Hollywood starts to move from complete fiction to some realism. I remember being asked about this film, and it came out by film magazine called Total Film. And they had a column called “Is It Total Bollocks?” And they said is it is this a realistic representation.

Simon Edwards 18:51
And that particular scene I was I was talking more about the main themes in that scene. The main themes were that the hackers were able to control traffic lights, vault doors, all sorts of different parts of the city, in a thing they called a ‘fire sale’. And what I pointed out at the time was every single hack that they detailed in that film has happened in real life before.

Simon Edwards 19:16
So someone has hacked traffic lights in a US city. Someone has done all these other things. It just hadn’t been done in a coordinated manner. So technically, it is a realistic scenario. It’s just as with any hack, lining up all your ducks is really the the challenging thing rather than doing one small attack.

Simon Edwards 19:37
But in that particular scene, you know his when his screen freezes, it doesn’t actually freeze it kind of wobbles and that looks dramatic, but I wish my screen wobbled when I had a crash because usually what happens is it just freezes completely. And you’re not sure what is going on. And I’d like to say that him stabbing his keyboard in frustration is not realistic, but I I spoke to our CTO Stefan about this last week and he and I, we both smash our keyboards regularly when things go wrong. So from that perspective, it was realistic.

Simon Edwards 20:09
And then you had this chat window as well. This is something that I think Die Hard 4 it’s one of the last ones to do this. You have people using IRC probably it’s like a chat, live chat thing before anyone had conceived of making Slack or any of those other messaging apps, which are essentially IRC. And it just looks weird and not real. So you’ve got icons that fly in and out as people leave the rooms and big chunky text that people in cinemas can read from a distance I guess that’s why they’re doing it.

Simon Edwards 20:38
But that that and The Net with Sandra Bullock, that was a bit off putting because he kind of you focus on that as being stupid and forget about the principles behind it, which are quite valid. So I think I’m gonna give a half thumbs up to Die Hard 4 because that seeing from a hacking perspective wasn’t too bad. Apart from the attackers didn’t need to upload a virus, they could have just pressed a button or called a mobile phone or whatever to explode his laptop

Marc Briggs 21:04
Yeah. Okay, so not too bad. I mean, Die Hard 4 is basically hacking but with, with a lot of imagination.

Simon Edwards 21:15
Yea, yeah. And it’s got Bruce Willis in it. So it’s not ever it’s never gonna be too highbrow.

Marc Briggs 21:19
No, no, no, no. And after Nakatomi Central. I think John McClane can get away with pretty much anything.

Simon Edwards 21:27
Yeah, and they did hacking in in the first Die Hard, didn’t they?

Marc Briggs 21:30
They did.

Simon Edwards 21:31
They literally hacked through telecommunication cables with a big saw.

Marc Briggs 21:35
That’s right. Yeah. with it. Yes. Because they will they needed the to get into the safe at the Nakatomi Central, old man, Hans Gruber. I think his name was, yeah, needed the passwords from the senior guy there. Yeah. And rather than social engineer it they threatened to kill him.

Simon Edwards 21:59
Yeah, I’m pretty sure one of his colleagues got on the phone at one point and socially engineered someone as well to do something. I think it was when they cut the power and they had to tell the police and maybe the fire department. This is a

Marc Briggs 22:10
No, it was the it was the FBI. Because they the terrorists knew that the FBI, the FBI would play the terrorist playbook, which is in a terrorist attack, what you do is you shut down the power grid. And the terrorist knew that and that was the last lock on the safe. It was an electronic or electrical magnetic lock or something like that. And right, yeah. And so they knew what the FBI were going to do. Because the FBI were too predictable.

Simon Edwards 22:41
And so yeah, so there was some social engineering.

Marc Briggs 22:43
Yeah, okay. But you digressed into other Die Hard movies.

Marc Briggs 22:50
Okay, we’ve just watched a clip from Who am I? And the clip opens up with what looks like a load of bad guys looking over the shoulder of some young hacker after they forced him to do something. And what we’re seeing on the screen is loads of windows open with loads of code flying up. And with all these windows opening and closing it, the hacker looks like he’s in control. And all the thug bad guys are behind him. And they all look at each other. Knowingly going, Oh, this guy must know what he’s doing. Because look at all these windows that are open.

Simon Edwards 23:33
The stronger the hacker…

Marc Briggs 23:36
Yeah, that’s the impression that they were given. And then and then later in the scene, we see these I guess a hacktivist. You might want to call them they are on the top of a building,

Simon Edwards 23:47
almost like the Anonymous masks, aren’t they?

Marc Briggs 23:49
That’s right. Yeah, they they break and they break into a what looks like a communications cabinet, the same thing you’ve got down your road. And they plug directly into that, which is how which is presumably the cabinet which the the building’s internet line goes in on. And they upload some sort of code, some hacking, and they they are adjusting the graph, which the TV company that they’re hacking into, is is showing on the TV at that time, and they make it display something Yeah, I

Simon Edwards 24:28
haven’t watched the movie. So I don’t know if they were actually manipulating the stock market or just manipulating the TV’s representation of the stock market. That’s not clear, but they turned into a rude gesture, but the line of the graph

Marc Briggs 24:41
That’s right. What do we think of that hacking though? Do we do we do were we impressed as the the start of that clip with all the windows are open.

Simon Edwards 24:50
I think open windows and scrolling text are always impressive. I’ve got to say that bit was realistic because when you are running attack of some sort, you do often have lots of windows open and you’re monitoring things in real time. So you do have text scrolling past.

Simon Edwards 25:08
Now, I don’t know what they’re supposed to actually been doing. So I can only just go on what I read from the screens. But the first thing they did was run Nmap, which is quite a well known tool for enumerating networks. So if you’re going to attack a network, you kind of know, you have to know what you’re going to be looking at and what are vulnerable systems. So running in Nmap is quite good first stage. And then they run some scripts that I don’t know what they were, but probably were exploits.

Simon Edwards 25:32
So they found a target, they attacked a target and they achieved the goal, which seemed to turn the power off in the building.

Marc Briggs 25:39
That’s right. Yeah. Yeah.

Simon Edwards 25:41
Yeah. So I mean, that’s feasible smart homes, big office buildings, they are all vulnerable to that kind of thing. Even as we saw a few years ago, major power stations have been under attack on a nation state level. So people come for controlling power stations have seen the mouse on their screens moving around as they’ve been remote controlled by by bad guys. So that none of that is crazy.

Simon Edwards 26:04
You do always in these movies have to have exciting music when you attack a comms cabinet because

Marc Briggs 26:10
It’s just a comms cabinet.

Simon Edwards 26:11
It’s like basically watching a BT engineer like repatching your line, you know?

Marc Briggs 26:15
Yeah. That’s exactly what it was. He just didn’t have the high vis jacket on

Simon Edwards 26:20
No, no, I think the least it seemed at that stage that they were then reverse engineering, some programming, because he ran a decompiling command, my guess would be you probably want to do that over a longer period of time. And not on site on top of a building, you might want to get access and take it away and spend a few days looking at it.

Simon Edwards 26:41
And there’s a bit of a theme that we see in movies like this, which we’ll come on to where tasks that should take quite long time for dramatic purposes tend to be quite quick to execute in movies.

Marc Briggs 26:51
Yes, they’re making the assumption that the hacker has seen all the systems that they’re faced with, before they know exactly what to do, or the exploits, or the tools that they’ve got lined up ready for, for deployment are the right ones.

Simon Edwards 27:06
And you know, we’ve seen this in real life where we’ve been asked to do something in massively unrealistic timeframes by someone who doesn’t know what they’re talking about. So we’re currently just do a forensic investigation on that laptop in an afternoon. It’s not really

Marc Briggs 27:18
yeah, I think it will add, it’s probably as a result of seeing the timelines that these movies portray. Yeah, they think we just come in press a few buttons. And and there’s some sort of computer program that spits out reported in three hours time.

Simon Edwards 27:32
And you know what, some penetration testers do that, and they just very low value in terms of what they provide.

Marc Briggs 27:39
But I guess if you’re looking for a tick in the box, have you had your pen test done? Then getting someone in for 50? quid? Yeah, to do just run a

Simon Edwards 27:49
bit more? Yeah. But yeah, I could tell you, boy, you’d be surprised that some pen testers would charge you the full amount and run a Nessus scan.

Marc Briggs 27:55
Oh really? You pay the full amount, and they’ll just run. Yeah

Simon Edwards 27:59
it’s really low value you need people to analyze. It’s like with news, like no one needs any more news reporting these days, it’s the analysis, which is important. So running a scan on a network. Okay, great. Tell me what that means. And what can I do to make things better? Do I need to fix everything? Maybe there are other measures we can take which reduce the vulnerabilities or the risks? Anyway, this is supposed to be about movies, not risk management.

Marc Briggs 27:59
Yes.

Marc Briggs 28:25
So Who Am I? What did we think from what we saw there? of the movie? It didn’t sit. It seemed like we had the right kind of he was doing the right kind of thing.

Simon Edwards 28:35
Yeah. Again, and the interfaces were accurate. So I think we’re still in the modern, last 10 years-worth of making hacking look realistic?

Marc Briggs 28:44
Yeah. Okay, great. All right. Let’s talk about our next movie.

Simon Edwards 28:48
I’m not I’m not so confident about this next one!

Marc Briggs 28:51
All right. Okay, we’ve just watched a clip from Fast and Furious 8. And is a clip which opens up with a control room looking what seems to be looking at images from CCTV cameras and live satellite feed. And the opening line is I want every vehicle with a zero day exploit with a one kilometer range of the target identified and hacked immediately.

Marc Briggs 29:28
And the analyst rather than saying, “well, that’s absolutely ridiculous.” Just goes “well, that’s that’s a few 1000 vehicles. And which ones do you want hacked?” and the woman in charge says “all of them, hack them all”

Simon Edwards 29:45
Charlize Theron in charge.

Marc Briggs 29:47
yes. And then they go on to immediately hacking the vehicles within a number of seconds. And then and then driving every single vehicle independently, but in a sort of Warm to target the the convoy which was, which is what they were looking to achieve physically on the ground through their cyber exploit. So we’re bringing in zero days here, we’re bringing in vulnerabilities of autonomous cars. And we’re bringing in the ability to subsequently then control these cars once they’ve been exploited.

Simon Edwards 30:31
This is the eighth in the Fast and Furious series franchise. I have not watched a single one of those movies. I’m glad to say from this,

Marc Briggs 30:40
based on this scene, will you be watching…

Simon Edwards 30:42
No! But what I do recognize is that if you’d asked me when I was much younger, how realistic is the sacking movie like The Net with Sandra Bullock, I would have said “not at all,” because I arrogantly would have assumed that some of it was just wrong and couldn’t be done.

Simon Edwards 31:00
I’m gonna say that this is partially accurate, because again, like with Die Hard 4. There have been cases where cars have been controlled remotely. They’re not fully autonomous. We don’t have that yet. But that is a matter of time. Even in the UK, we’re looking at within a year, having it’s a legal possibility of having cars driving around. And certainly cars are being built that way.

Simon Edwards 31:25
So the idea of self driving cars is a real thing. The idea of cars, having vulnerabilities that could be remotely exploited is definitely a real thing. A zero day is simply a security vulnerability that the manufacturer doesn’t know about almost certainly and hasn’t patched for sure. So technically, it’s not science fiction.

Marc Briggs 31:51
Okay. But all we will we’re looking at that. We’re looking at that as Okay, there’s been a case in one of the early software packages of cars, which have a degree of, of self control that that has been hacked. And I seem to remember, they the the hackers took off the handbrake on that I mean, that’s as far as it goes,

Simon Edwards 32:15
I think they applied brakes, or change the speed whilst it’s being driven.

Marc Briggs 32:18
Okay, yeah.

Simon Edwards 32:19
So Charlie Miller was one of the researchers involved in that,

Marc Briggs 32:22
okay. But here, what we’re saying is that the zero day exploits still, there’ll be a zero day for each manufacturer shown in this clip, and then likely, a number of different ones needed for different models of vehicles within a manufacturers fleet.

Simon Edwards 32:45
Well, I think that’s a reasonable assumption. But what you could also imagine is that in the future, your Mercedes and your BMWs and so on, they may not all have entirely proprietary systems. So it may be that one or two large American companies or European companies come up with a system, which is then the industry standard. So you might find that you get a zero day in system x. And that’s deployed amongst 50% of all cars, and you might then have one system y, which is the other 50%.

Marc Briggs 33:16
Okay. And we’ve seen something similar to that, not zero day, but we’ve seen a third party exploitation in the Solar Winds attacks only in the last few months. And that enabled access to a number of systems, which you wouldn’t have necessarily looked to target. head on. But through Solar Winds, they the hackers were able to get to get access,

Simon Edwards 33:42
yeah, and zero days exist all over the place. I mean, the thing is, is it a zero day if it’s not even known about? There is no software that you could say for 100% has got no vulnerabilities in it. The point of zero day is where a researcher has discovered it. It may not even be a reliable zero day. But someone has found an exploit for a vulnerability, and hasn’t told the manufacturer yet. So there is no fix. That’s all a zero day is.

Simon Edwards 34:10
And so if there were one, two or half a dozen autonomous car systems that could be remotely accessed, and I’ll tell you what they all will be. If you look at how Tesla is these days, there are features in that car, which you can buy. You can you can look on your dashboard and actually see that you haven’t got certain features available to subscribe to it.

Simon Edwards 34:33
But how does that car know? It’s connecting to the internet and querying the cloud and accounts somewhere most likely to say “has Simon bought the, I don’t know, airbag add-on” or something like that, and then it won’t deploy deploy the airbag until I’ve bought it. So the minute it starts looking out and asking questions, that’s when things can go wrong.

Simon Edwards 34:52
Like my old Volkswagen Polo didn’t have any kind of radio to talk to anything. So it was pretty unhackable. But even modern cars, you know, might, I might have a car that can talk to the internet through my smartphone, well it does. That’s how it gets its updates. So that is a vulnerability. And I’m sure someone cleverer than me could work out a way to abuse that.

Marc Briggs 35:14
And we’re relying on car manufacturers to provide security, are we

Simon Edwards 35:17
Oh, yeah. And they are terrible at that kind of thing. I mean, you just have to look at the GPS system in a brand new car, it’s like something out of the Ark. They are not ahead of the game, in that respect,

Marc Briggs 35:30
though Fast and Furious eight is unrealistic with the speed and the quantity of which they are able to carry out these attacks. The technically not not impossible,

Simon Edwards 35:45
well, I think it’s just that the cars don’t exist yet. But when they do, assuming that the vulnerabilities, sorry the exploits that they’ve got for the vulnerabilities, are stable, I don’t see why you couldn’t beam out really quickly.

Marc Briggs 35:58
But you need to be to have that level of control. And that level of understanding of all the vehicles you need to be have the this nation state resource.

Simon Edwards 36:13
Yeah, you’re not gonna have a nerd write special software that can take over 1000 cars and say, right, all of you drive effectively to this location or thereabouts, and do what it is I want you to do. Yeah, that’s a that’s a tough one.

Marc Briggs 36:26
Yeah. So we’re looking at a government agency, from a rich nation,

Simon Edwards 36:30
or a James Bond baddie in a castle somewhere. All right, yes. They’re probably better equipped than nation states. Yes.

Marc Briggs 36:41
Okay, we’ve just seen a clip from The Social Network where I guess it’s our man Zuckerberg, up in his bedroom, and he is pulling together all of the information from the different houses at Harvard. And he’s talking about how he’s hacking into the databases from the different houses and pulling all of the personal information together into one place, his place. What do we think about what he’s doing and how he’s doing it?

Simon Edwards 37:16
So Well, there’s a classic Hollywood thing going on here of like, the more realistic the hacking task and basically it’s systems administration, what you have to do is to put on some fast dance music, electronic dance music. And he describes what he’s doing, as he’s doing it. And he’s talking very fast. Partially because that’s what his character would be like, I guess a bit ADH, or whatever. But also, he is talking realistically. But it’s just not very interesting. Who wants to know about Emacs, a kind of text editor?

Marc Briggs 37:43
So is that Do you thi nk that’s why they’re cutting the hacking sequence with pictures of a lot of

Simon Edwards 37:51
really attractive people going to a party? Yeah, like pretty girls taking ecstasy and boys drinking and all the rest of it? Yeah, absolutely. Whilst the nerds are in their room, editing PHP scripts, and Perl scripts and, and talking about wget, which is a tool that you would use to pull down files over a web connection. And issues like, well, maybe the website will only give you a certain number of pictures per search, so rather than sitting there pressing a button 500 times you write a script that will do that for you.

Simon Edwards 38:21
Yeah, I mean, it’s, it’s hacking in as much as I don’t know, if he actually did that in real life. I think I heard he did. He’s stealing personal information without any kind of authority. So that’s hacking, but he’s not really using any what we would recognize as hacking tools he’s doing. He’s doing legitimate, technically, kind of networking tasks. He’s just not doing them with permission. He’s accessing information that he shouldn’t. But it doesn’t sound like that information was particularly well protected. But then the argument is, well, if you go onto someone’s lawn and steal something off, it is still theft, just because they didn’t really protect it properly. Yeah,

Marc Briggs 39:01
just because they didn’t lock it in the shed. Yeah. Doesn’t mean that you’ve got any more right to have it just because it was on the lawn.

Simon Edwards 39:07
I’m sorry if that if that’s a true representation of what he did. I’m surprised he didn’t get into as much trouble as he should have done for stealing all that and getting Facebook on a head start.

Marc Briggs 39:17
Hmm, fair enough. Okay.

Marc Briggs 39:23
Okay, we just watched a scene from Hackers, the movie,

Simon Edwards 39:26
classic movie.

Marc Briggs 39:28
And it’s kind of like we had a red team and blue team there. They both knew each other were in existence. They actually had a live live communication during the hack. And the red team. Were trying to infect the system, the blue team, were trying to defend it with statements such as deploy antivirus now and inject a flu shot and things like that and lot of pressings button There’s a big red button that was pressed at least twice, to

Simon Edwards 40:04
Very loud keyboards as well

Marc Briggs 40:05
to defend the system. And also there was a visual representation of, of the network. And the hacker flying through the network as if it was a cityscape, to try and find the, the vulnerabilities within the system, as if they will be shown up as a big red window or something like that in one of the simulated skyscrapers. And then the blue team, were able to identify physically in the real world, where the hackers were, which were Grand Central Station and send the law enforcement to that location. So quite a lot going on there. It seemed pretty ridiculous to me. How was it from your side Simon?

Simon Edwards 40:51
Well, it’s funny, because when I first saw it, it did seem completely ridiculous. And actually, it makes me think we talk about these things aging badly. In some respects, this is backwards, because at the time this was made, virtual reality was not a thing. Graphics weren’t anywhere near as good as they are today. So when you’ve got Johnny zooming around in his virtual headset, that is something that you could imagine would happen, maybe today or certainly in a couple of years time to navigate a network in a visual way. So back then I think it was this is a movie from the mid-90s. No, not realistic at all. But actually, they were looking forward into the future. I think quite realistically. The egos of individuals concerned definitely realistic.

Marc Briggs 41:37
I’ve met a few people like this….

Simon Edwards 41:38
Oh, yeah. Definitely. But running antivirus has never been as exciting to me as it was in that

Marc Briggs 41:47
It must have been that big button in which were the the implication was that he wasn’t running antivirus until they realized that there was a breach. And they deployed antivirus.

Simon Edwards 41:58
Well Mark, as we all know, at that stage antivirus, it’s a bit late for antivirus, isn’t it? It’s interesting. They mentioned flushot, though, because flushot was the very first antivirus program that I’m aware ever existed. It’s about 40 years old now. I think that was a real thing. But it would have been pretty old even when this movie was made.

Marc Briggs 42:19
And would they have deployed it in the same unrealistic way?

Simon Edwards 42:24
Well, no, because it was a DOS program. So you’d have had to have run off a floppy disk.

Marc Briggs 42:29
Just hope the floppy disk hasn’t been corrupted!

Simon Edwards 42:31
Well, yeah, you’d have to put that little tab to stop it being writeable.

Marc Briggs 42:34
Yeah. Hope no-one’s used it as a coffee coaster!

Simon Edwards 42:38
Yeah, you’re flat used to be littered with those., So yeah, it’s very exciting. Very graphical. Lots of eight-bit sound, making it even more exciting and lots of lighting things. And then you know, it’s like ‘cancer’! “This this virus is like cancer!” Oh, my God.

Marc Briggs 42:53
And then there was someone with a big shocked face like yeah, Cancer? As bad as that?

Simon Edwards 42:57
Yeah. Yeah, it really is. So no it’s a really fun movie. And I don’t want to slam it. But that’s not a very realistic. That’s not what I would say breach looks like today.

Marc Briggs 43:09
Fair enough. Fair enough. Yes. But a good movie. A good movie nonetheless.

Simon Edwards 43:13
Better than black cat. Yes. Is more entertaining than black cat.

Marc Briggs 43:17
Yeah. All right.

Marc Briggs 43:22
Alright. So we’ve just watched a clip from Sneakers. And Robert Redford is there standing behind a couple of guys, which are looking at a display, which just has a load of randomized letters and numbers and symbols on it covering the entire street

Simon Edwards 43:46
apparently randomized

Marc Briggs 43:47
oh, yes, apparently randomized, so it means nothing. And then press a button on a small, small box. Next, the computer. And all of the letters and numbers start to flash and change. And behind the letters and numbers, you get an interface to whatever they’re trying to hack into.

Marc Briggs 44:08
So whether it be and they’re all sort of critical national infrastructure type access, they’re looking at the power grid, looking at air traffic control, and they just pick randomly, I want can you get into air traffic control, they press a few keys, the interface comes up encrypted with all the randomized letters and numbers, they press this button and you get access

Marc Briggs 44:35
and what they’re and the commentary that they are discussing is the fact that the little box next to computer is an decryption chip. And they are implying that every encrypted piece of hardware software is is is hackable if you’ve got a maths that can be done quickly enough. Their chip can do the math quickly enough. So what do we think of this?

Simon Edwards 45:04
I think this one was interesting as this goes back to kind of my era of movies. So we don’t usually see encrypted code being decrypted in that visual way, you don’t see it kind of melting from obscure into a clear text or an interface. But you know, it’s a Hollywood representation of something that’s tangled and scrambled becoming clear. So I think that’s a reasonably good artistic license. It’s just not what you would actually see on a screen.

Simon Edwards 45:31
And it occurred to me watching it, it was being decrypted by an operator who was blind was operating using a special terminal. I guess it’s like Braille. Yeah. So you know how he’s actually seeing the code is completely different to how we’re seeing it. He’s feeling it and seeing it in his own mind. So I thought that was slightly interesting.

Simon Edwards 45:48
The the idea of having a universal decrypter is not very realistic. Because there’s so many different ways to encrypt codes, I think it’d be more realistic, if we imagine that they’re talking about the industry standard codes, so at the time would have been AES something or other probably, or maybe an RSA one. I can’t remember now.

Simon Edwards 46:09
Generally, what happens is, the codes are strong at the time that they’re accepted as being an industry standard. And then, as computing power grows, over time, they have to upgrade the encryption levels to defeat the evermore powerful decryptors. And as people get more powerful computers, it doesn’t matter if the encryption becomes harder, because everything’s faster, you wouldn’t want really hard encryption today, if your computer couldn’t handle it.

Simon Edwards 46:37
And then certainly putting software onto a chip to make it fast, it’s very well known thing to do, you can put almost anything onto a chip, you can have a modem on a chip, if you want to. So that’s realistic. And then hacking infrastructure, certainly in those days is probably going to be easier than today. power stations have been hacked in recent years using special malware and things like that. But I would dread to think that probably it wasn’t that hard to connect them over certain phone lines back in the 80s 90s.

Simon Edwards 47:12
Air Traffic Control, I would guess would be harder to get into. And some of these things like with the the oil tankers, and so on these see in the movies, everyone says “oh, you can control these things.” But generally what happens is, you can read where they are. So if you go online, you can actually track these things. But it’s a read-only thing. You can’t tell it to turn, or collect in the Bermuda Triangle or whatever. So I think that’s quite realistic. It’s just the way they visually represent decryption is a bit of a stretch.

Marc Briggs 47:39
They’ve made a couple of jumps, they’ve made a jump in terms of how the viewer visualizes something being decrypted. And they’ve also made an assumption that every encrypted program is encrypted with the same encryption software.

Simon Edwards 47:58
Yeah, or the same algorithms. Yeah. And as with all these movies, they have to make it interesting. So hence, the dramatic music or making it look cool. Otherwise, with real hacking, you are basically an administrator. So you’re going to be watching a man or woman sat there typing commands into a terminal. And they’re going and having a coffee break, and going to the toilet, and all these other things and having lunch. That’s not very dramatic. But for the movie, it has to be.

Simon Edwards 48:25
And that’s why you tend to see a theme where everything happens faster than it really would in real life. Or it can go really slowly. So when you’re hanging from a cable, trying to steal some data out of a system that’s inaccessible, that small text list can take half an hour to download, it seems, because of ‘drama’. But in other cases, you will see in movies where people download many gigabytes of data in three seconds. You know, at that stage, you just have to suspend your disbelief and go with it.

Marc Briggs 48:56
And I’ve noticed there is a bit of a theme with a lot of these movies in the fact that the hacking skill itself seems to be held by a very small amount of people. And the larger criminal gang involved in the activity is law is largely very ineffectual. Just sat around behind or stood around behind the hacker looking over the shoulder, not understanding at all what’s going on. And looking impressed by the visualization of of hacking. So we have you found this before, like, yeah, sit around the people looking over your shoulder, just like not understanding at all What’s going on?

Simon Edwards 49:38
Yeah, but the unrealistic thing there is that they’ll be impressed. Usually they don’t care and that they’re threatening you to do it. No, no, I’ve never done that. Or been threatened. But organized crime does use hackers. And sometimes those people will be under duress and not being paid according to the money that they’re bringing in.

Simon Edwards 49:59
And I remember way back in the day, this is still hacking, but in Las Vegas, there was a whole thing about pizza deliveries. And the mafia was involved in that. And what they were doing was, let’s say that Marc’s Pizza has got a number that you call, maybe two in 10 of those calls gets automatically routed by the telephone system to Simon’s Pizza. So what I’m doing is I’m creaming off 2% or no, 20%, sorry, of your custom, but you’re still getting calls. So you don’t know anything’s wrong. But the hackers are redirecting those calls to make sure that Simon gets a piece of your advertising action. Yeah, I very much doubt that hacker did it for fun. Some some guy in a pair of sunglasses has held a weapon to him and said “do this, or I’ll hurt you.”

Marc Briggs 50:51
Alright, we are gonna end our film review. And Simon’s insight into hacking from Hollywood, with WarGames from 1983 where Ferris Bueller is hacking into, I think he turns into Ferris Bueller in a later project, is in his bedroom. And this is before he’s in into WOPA. is that? The name of the…

Simon Edwards 51:19
Yes,

Marc Briggs 51:19
yeah. He’s a, he’s had the left home from the girl he ends up with, I think and he is showing off. And he hacks into the school’s database. And he explains that it is password protected, but he knows where they keep the password in the secretary’s office. And the password is ‘pencil’ his pencil, which in itself, we can talk about having like known words from the dictionary as a password, and he then changes his grade. And then he changes the girl’s grade. It isn’t done to heavy rock music, like a lot of the other hacking films where it’s done, it was done more to 80s electronic Pac Man, it’s very sweet, wasn’t it? Yeah. And so he changes the grades. And that’s where that’s where the that that particular clip finishes. And he had lots of equipment around him, I just want to point out and when, when each individual screen came up on his computer, it was had lots of like almost typewriter noise. So let you discuss all of this from the 80s. Simon,

Simon Edwards 52:36
I think it’d be fair to say that this is the movie that made me interested in computer security.

Simon Edwards 52:41
So we’ve got you to blame, we’ve got this film to blame for why we’re here now

Simon Edwards 52:45
It had a really big impact. And I think seeing all that equipment and seeing the terminal window and all that kind of thing was what it was all about. It wasn’t actually about getting the pretty girl It was about the cool computer kit and having a modem he was dialing into systems.

Simon Edwards 52:59
Well, let’s start with the password thing. I say it’s a weak password. It’s short, yeah, but its real weaknesses is it’s in a known location. And I can even think of just before the lockdown that we had, my local leisure center had its passwords written on a whiteboard in the back office, you could clearly see it through the glass door from the desk. So and they were they were sort of quite secure passwords. They had strange characters in them, but they weren’t secured. So therefore. So pretty useless. And yeah, yeah.

Simon Edwards 53:31
The sound effects were really notable when they had the music, like you say the kind of old fashioned computer music blipping along. Yeah. But then every single time he pressed a key on his keyboard and the cursor moved on it made a blip as well. And that would drive me nuts.

Marc Briggs 53:46
For effact, then we’re thinking for effact. Yeah. You remember from your BBC Acorn?

Simon Edwards 53:51
I never had one of those I was a ZX Spectrum rubber key boy.

Marc Briggs 53:55
That’s why you don’t like the heavy tappy noise!

Simon Edwards 53:57
Oh I hate it. But no, I think I think that was for effect. And I think if they’d done much more typing, they might have had to rerethink that sound effect. Yeah. But did you notice that with all that equipment in his room, his room was really quiet. So again, there’s lots of noise when they want there to be, but actually, I’ve been in rooms like that. My old bedroom had lots of computers in them. And it’s noisy, lots of fans going and humming and things. And his computer equipment is pretty old. So I imagine that would have been really noisy in real life.

Simon Edwards 54:27
It was interesting as well, when he changed her grades and she told him not to. Yeah. He’s being a bit sociopathic there because he’s doing something against somebody’s will. And then he changes it again later when she leaves the room. Yeah. And he says that he can’t get caught. And that is a classic criminal outlook where unless criminals are trying to go up the their hierarchy and maybe doing jail time is part of the thing that they need to do in their path to success. Not getting caught is something most criminals have in common with their view on life. They don’t think they’re gonna get caught.

Marc Briggs 55:04
But he thinks it’s technic… The implication is it’s technically impossible for the school to say that, that it was us or me that has changed his grade.

Simon Edwards 55:14
And this is classic, ‘clever person thinking’ because he knows enough about computers to believe he knows everything about computers. And of course, you can be tracked, you can be caught, because computers are really good at one thing, which is logging what’s happened. And in fact, later in the movie, he does get caught. Now, okay, I don’t think it’s the school that does it’s the FBI because he logs into a defense computer system. And it took them long enough to find out that he’d done it.

Simon Edwards 55:39
But there were cases back at that time where Russian spies were dialing into computers and stealing information over long periods of time, because in those days, modems were really slow. So downloading a document might take you 10 minutes, whereas today, it’s a second. Yeah. And every minute that that connection is maintained all these switches are keeping a track of it. And Cliff Stoll wrote a fantastic book called the Cuckoo’s Egg, which I recommend to everybody, no matter how technical or otherwise you are, where he tracks one of these guys, and with almost no equipment or knowledge on how to do it. He he goes from being an astronomer to being like a network forensics guy, and it’s fascinating, like, he connects printers to the telephone line to see what’s going on sort of over a weekend and comes back to a room for the paper. It’s really, really cool.

Marc Briggs 56:27
So what’s it called again?

Simon Edwards 56:29
The Cuckoo’s Egg by Cliff Stoll. So yeah, I think that was it was a really good film. It is quite realistic is less so when you have the AI of the big baddy computer at the end.

Marc Briggs 56:43
You get to sit it’s got like the world map hasn’t Yeah, yet to see all the Intercontinental missiles sort of going over each other in it. And he only realizes that in the last second that mutually assured destruction is destruction nonetheless,

Simon Edwards 56:59
yeah. And the way we’re living our lives with nuclear war over our heads is the same as playing Tic Tac Toe. there is never a winner. No, yeah.

Marc Briggs 57:07
And doesn’t get in doesn’t get into that network by using the then he does a lot of so he does social engineering, doesn’t it? Because he he wants to play like chess or tic tac toe.

Simon Edwards 57:19
He does war dialing. So what he does is he calls lots of different numbers to try and find interesting places to go.

Marc Briggs 57:25
And one of them says, Do you want to play a game?

Simon Edwards 57:27
and he thinks he’s broken into a game software company. So he doesn’t realize that these core games are actually military training programs.

Marc Briggs 57:34
And he then he does a lot of research on a software designer. Is it a program? Yeah,

Simon Edwards 57:40
the professor, I can’t remember his name, who wrote this AI and then he and his girlfriend go and find this guy and try and turn to stop what’s going on.

Simon Edwards 57:49
And it’s it’s his son that his dead son’s name is the backdoor password.

Simon Edwards 57:54
That’s right. So yes, there is a backdoor in this so it’s all locked down.

Marc Briggs 57:58
He doesn’t know hack head on the the DOD does he?

Simon Edwards 58:01
No, so Matthew Broderick’s character goes and find someone who knows a way into the system through a backdoor that he himself programmed into it. Joshua, I think was the name of the Boyd or pass. Yes, yeah. Sorry. Spoiler alert, anyway. Yeah.

Marc Briggs 58:16
It came out in 1983. If you haven’t seen it by now…

Simon Edwards 58:20
Yeah, sorry, not sorry. But is I think that is worth watching. Again. I saw it not too long ago, and it was just as entertaining.

Marc Briggs 58:27
Really? Yeah, it’s good. That’s one for your classic film nights during lockdown

Simon Edwards 58:31
more entertaining than Blackhat. But maybe less realistic.

Marc Briggs 58:34
Yeah. Okay. Yeah. It’s simpler times.

Simon Edwards 58:38
Yeah. Maybe that’s that’s just the right thing for me.

Marc Briggs 58:43
All right, Simon. Well, thank you very much for your insight into the Hollywood interpretation of hacking. I think across the board. we’ve, we’ve had a few examples of how hacking is realistic, and, and slightly less examples of of unrealistic hacking. I think the unrealistic elements have come from the speed in which hacking is being carried out, and the coordination of the multiple tools being used simultaneously. And so it’s they’ve they’ve speeded up and combined a lot of techniques and known vulnerabilities, just to make things a little bit more dramatic.

Simon Edwards 59:32
Just to say the TV series Mr. Robot is worth mentioning as well, that was very realistic because

Simon Edwards 59:38
a special mention for Mr. Robot.

Simon Edwards 59:39
A special mention for Mr. Robot, certainly the first series, and there was one part where you know that they always make drama, there’s always we’ve only got 30 seconds to do this, or, or whatever will happen. And they came up with a really clever way where the boss had an authenticator app running on his phone, and they got the code off it which meant they literally had, I don’t know 30, 40 seconds to get to a keyboard and type this code and before it renewed,

Marc Briggs 59:43
Yeah, it’s got like 40 seconds.

Simon Edwards 1:00:03
Yeah. So like, you know, they’re using multi factor authentication as a dramatic piece. And I thought that was quite clever.

Marc Briggs 1:00:11
Yes, as a bit of tension, because you want a, you know, a short timeline and stuff like that.

Simon Edwards 1:00:16
And it but it’s realistic is not a synthetic kind of completely arbitrary “Oh quick! You got 10 seconds or something all blow up…”

Marc Briggs 1:00:21
Yes. Yeah, yeah. Oh, Mr. Robot.

Simon Edwards 1:00:24
Yeah. I like to playlist folks.

Marc Briggs 1:00:25
Yes. Well, so that was a quick run through some of the some of the hacking movies or at least the ones that we decided to chat about tonight. Thanks very much, Simon for for your time.

Marc Briggs 1:00:39
This is the last episode of DE:CODED in this Series One, I hope you’ve enjoyed the series, there’s, it’s been pretty popular, which we’ve been encouraged by

Simon Edwards 1:00:49
Yeah, it’s been really fun to do as well,

Marc Briggs 1:00:51
yeah. And we’ve got our eye on a few topics for Series Two, which will be coming out once we get around to doing them. And in the meantime, we’ve got some special podcasts, which we’ve got lined up that were coming out in the next couple of months.

Simon Edwards 1:01:07
Yeah, that’s a good point. So if you want to make sure that you catch those, you can obviously subscribe, because we’re gonna always try and ask you to do that. But we have a newsletter as well, you can find on our website. And what we’ll do is we’ll send a message out before the new episodes come out – the new ones and also Series Two. So if you want to know in advance, when that’s happening, just subscribe to that we’re not going to spam me with other stuff.

Simon Edwards 1:01:31
And there’s another benefit actually, to subscribing to that mailing list, because we’ve got some gifts that we can give you. Some real physical things. We haven’t been able to go to any conferences in the last year and a half. So we’ve got some extremely high quality and dare I say it stylish SE Labs, key rings to give away. And I think if if you want to just send us your address, sign up to the newsletter, and then reply to that with your address. And we’ll send you a key ring until we run out of them.

Simon Edwards 1:01:58
But also, if you want to include something that we think will be funny or interesting, you stand a chance of winning a security key as well. It’s a little USB dongle for multi factor authentication, worth probably about $40 or so. So you know, it’s a significant little thing that you can use to put yourself into the top 1% of internet users in terms of security. According to Google, so few people use multi factor authentication, if you use one of these things, you will be in the top 1% regardless of what else you do.

Simon Edwards 1:02:28
So please come to our website DecodedCyber.com sign up to the newsletter. Get ready for the next series and in the meantime, enjoy the free swag that would be happy to send out to you.

Peek further behind the curtain with DE:CODED Circle.

If you would like access to exclusive, private content from the security testers at SE Labs, please consider applying to join DE:CODED Circle.

DE:CODED Circle is a moderated, vetted community built with the goal of sharing threat intelligence and business-focussed security knowledge to responsible peers.

Apply to DE:CODED Circle now.

Feedback

Please send your comments, questions and concerns to info@decodedcyber.com.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press