
Never get complacent about security, even in fiction

TV crime dramas get IT security wrong so often that it's remarkable when one gets something right. On that rare occasion, you might learn something.

I recently watched a rerun of an episode of Criminal Minds, in which someone who had been terribly burned in a fire where he essentially lost his entire family got the notion into his head that he was the Fisher King and the FBI Behavioral Analysis Unit -- the heroes of the series -- were the Knights of the Round Table. All in all, the episode was only mildly better than mediocre, which put it mostly on par with the rest of the series.

In typical television fictional style, the villain of the episode just happened to have the skills necessary to crack security on a remote computer and work some serious mischief. He got access to the network at the Virginia FBI offices where the BAU worked and used that to gather information on the team. This was a man who was apparently a suburban family man, nearly killed in a fire, who spent literally years in a hospital recovering.

It is technically possible he may have gained those skills along the way, but the unlikeliness of it was striking. Any time I hear the word "hacker" in a television crime drama series, I prepare myself for a load of nonsense and unlikely circumstances, for most of which they never bother to try to provide even a half-baked explanation. Screenwriters appear content to treat computer security like magic, and to expect everyone in the audience to do the same.

I have been pleasantly surprised by two different episodes of Criminal Minds, recently. In one, where the team was trying to track down a kidnapper, they were looking at footage from a mall's security cameras. A member of the team asked the team's resident computer geek (there's always one of those, it seems -- and the person always does shockingly illegal things and generally does not act like any credible computer geek I have ever met) if she could enhance the image. Unlike, say, CSI: Miami, though, she did not just click a few buttons and wave a magic wand. There was no "Enhance," click, "Enhance," click, "Enhance," click, followed by a perfect, crystal clear close-up as if digital cameras recorded with exacting clarity all the way down to the Planck length. Instead, she said something like "I can start the process, but we do not have that kind of time!"

The other episode with such a pleasant surprise was this Fisher King episode. The team's resident computer geek, on the verge of tears because she knew how badly she had screwed up, told the team she had figured out how the bad guy had managed to get past the FBI network's defenses. She had been playing some kind of Camelot-themed MMORPG on her personal laptop, which she had connected to the Internet via the FBI offices' wireless network so she could play the game. He had simply cracked security on her laptop through an exploit in the game, or perhaps via some social engineering trick (the specifics were not described), and used her laptop as a staging ground from which to crack security on other computers in the network.

The woman had introduced a vulnerability into the FBI network in the form of her own computer, running a networked computer game, and that chink in the network's armor let the bad guy in.

I suppose there are two morals to this story:

  1. Never get complacent about security. You can be your own worst vulnerability when it comes to security.
  2. Hire someone like me as a consultant if you want plausible computer security subplots in your TV shows.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

29 comments
AnsuGisalas

What's a great computer security subplot? BTW: the fisher king was obviously originally Peter Griffin, and Stewie Griffin who died in the fire obviously moved into his mind, hence his sudden evil genius. Isn't it obvious? (G-nidd-ik)

Tablet_Dude

LOL. He's right and it's why I hate most hacker movies. Why don't they ever show how hacking really gets done? Am I wrong in saying that most hacks still happen through dumpster diving and social engineering?

Neon Samurai

Law & Order: Cyber-Victims Unit (clunkclungggg) He's gotta be able to write deep drama to overlay with some guy reading a stack of whois printouts.

Forum Surfer

Nothing on those shows is very realistic. Why should the IT side be any different? I spend that long watching CSI:Wherever or Criminal Minds and I see glaring mistakes everywhere. There are often mistakes with weapons used, or holsters or the way they carry/draw the weapon. Hell, certain agencies have stringent rules about trigger finger placement. Look at military forces (real ones). Your average grunt has that index finger straight riding over the trigger guard. But watch the SEAL guy with his finger on the trigger. I'm just saying that there are many, many mistakes made for the sake of drama. None of them will be believable by an expert from the related field of study. The day to day life of a real CSI tech/officer is far less exciting than what you see on tv. It's drama. They have to add unrealistic elements to create drama, otherwise it would be a very mundane hour. Deal with it or stop watching. If you want real life, then watch documentaries or go outside. :)

apotheon

At least some of the science is somewhere within the realm of plausibility in the original CSI series (note that I'm not talking about CSI: Miami, which is just nine kinds of wrong). If they could get at least as close to realism with IT security matters as they do with, say, means of determining time of death, I'd be a lot happier.

santeewelding

Serendipitously, I had read several books about it just before an author of one testified here about a little girl. Her name was Danielle. She was seven.

apotheon

I have read about the body farm.

Viperfriends12

Sorry, just read this 2 days late, but dude, how old are you? What is it with people these days that think TV shows and movies are real. Hey hey now, you started it.... Next time you look at a show, watch and enjoy, stop nitpicking, relax. Don't pick it apart. Well, let's look at the new NCIS las vegas, come on, give me a break, if all us techie geeks could be like the wanna be geek in the shorts with the I can do EVERYTHING, "stop frame", "enhance", "back one frame", enhance. 2 keystrokes and the suspect ... is ....Charlie Bummer, from Idontknow, Greenland. Satellites are picking up his location now, stand by, and all of a sudden there he is on a camera in the middle of nowhere. AHAHAHAHahha I'm a forensics tech and have some of the craziest and coolest gadgets out there, but hey, I should start asking the bosses for some of these gadgets the TV shows have. But have fun! And enjoy your shows.

seanferd

Fantastic! Yes, not only are images infinitely enhanceable, but in a variety of TV/movie fiction, you can see all sorts of things shorter than the wavelengths of not only visible light, but shorter than any wavelength possible. I'm always impressed when TV gets something right, though. Even in the midst of a thousand wrongs.

LyleTaylor

they can't actually enhance images like that so they can see details that were never there in the first place? Oh, you've all ruined my TV watching experience! ;-)

MarioAt

I support several brands of anti-virus software and do other kinds of verification work by day. I write scripts by night :) and it's sad how little Hollywood knows about the IT world. This has more to do with the fact that an exciting story means visual drama, and the mundane reality of IT gets in the way. *puts Criminal Minds in queue right away*

apotheon

Most of the time, Criminal Minds gets things wrong just as much as the rest of the crime dramas.

Neon Samurai

How is one supposed to see the waving fractal screensaver if they can't read the raw HEX; "it's a worm.. this Duke Elingson security guy...." hehe.. technological accuracy on TV can be pretty elusive outside of computer history documentaries. It seems the only time you hear "this is going to take a while to process" is if, and only if, it somehow furthers the tension in the plot.

seanpmassey

TV has come a long way from "I'll build a GUI in VB to see if I can track the IP."

Tig2

Honestly and truthfully. Your skills are best left to good and you would enjoy the... side benefits... of being a MYTHBUSTER. You and Grant Imahara in the same room... Can I take notes? If I can make that happen, could I even get video??? I can't hardly stand to watch the CSI shows. I know the chemistry and the laws surrounding that better than they do. Same goes for "Criminal Minds".

jerya

NCIS is probably the closest I've seen to reality. Although Abby and McGee seem to do some shady things sometimes - like hacking (sic!), at least they usually allude to the fact it's illegal. The main problem I have with this show is that DNA, facial, and fingerprints are matched in record time. However, given the 1 hour time restraint, I guess a little latitude is allowed.

apotheon

I'd say that among these fictional crime dramas that I've seen, NCIS is in second place after Criminal Minds. NCIS Los Angeles, meanwhile, is worse than any other modern show I remember seeing.

santeewelding

Thanks to you, Chad, that's the length to which you have taken me in my understanding of security.

AnsuGisalas

That's a mighty small permeability, you should be safe, barring quantum-mechanical miracles.

zclayton3

Gee - I'd like to read some of the talk backs, but this annoying Intel ad keeps popping over the talkback and hiding it. There is no close button and clicking on it just redirects to a full window. Using Firefox with popups blocked - but there is that ad talking about ROI. I'll give you your stinking ROI. Hey webmaster - fix it.

DontKnowItAll

You use Firefox? Try the Ad Block Plus extension with the Easy Privacy filter subscription. Also NoScript.

jgarcia

I was watching the new version of WAR GAMES with my wife, and when a kid got into a secret facility's information system, she asked me: is that easy? How did this kid get in on the first attempt? I had to explain to them that it is a kind of myth Hollywood has created around hackers, as magical dark people or simple kids that do wonders in front of a keyboard or a cell phone. They never tell you all the things you have to study and the tests you have to run trying to find a vulnerability in a system.

jkameleon

It's bad for you, your family, and your country. Just say no!

dmagi

Bad, if what is on TV is perceived as factual. Helpful, if the viewer actively analyzes the content, knowing that "popular" means there are fellow Earthlings who, for better or (often) worse, believe what they are viewing is factual. Those people need our help, sooner or later.

apotheon

I know it's a long shot, considering how rarely it happens -- but has anyone else ever caught sight of that most elusive beast, the realistic depiction of computer security in a crime drama?

Ron_007

There are the kid hackers, but my all time favorite Security fantasy was the Independence Day alien hack. Spotting the embedded countdown timer, possible, the rest ... come on. For the various cop/forensic shows, the big failure that most of them are guilty of is the lack of chain of custody on the computer and digital storage media. Instead of taking a secured image(s) of storage media and doing their investigations on that, they all just dive right in and start trying (and usually instantly succeeding) to hack passwords on the computers. Sure, it is slow and boring action-wise to set up EnCase or whatever and make image copies of the HD, but they could at least hint at the process.

Ron Lepofsky

Chad: Yes, television and movie producers indeed should hire someone with your credentials as an advisor about portraying security issues more credibly. Given that entertainment strives to make security and security forensics more exciting (à la CSI high tech miracles), information security can be represented in a realistic yet engaging manner. Who knows, perhaps imparting useful security information to their audiences in an entertaining fashion may actually increase popularity of their work. Ron Lepofsky, B.A. SC. (Mech Eng), CISSP www.ere-security.ca

apotheon

It would be wonderful if people actually learned something useful about their security and privacy from watching TV instead of learning that "elite hackers" can "hijack a botnet" to "crack a terrorist's encryption" -- or got some poppycock notion like the idea in the show 24 that Bruce Schneier included a well-known "backdoor" in the Blowfish cipher.