Friday, July 29, 2016

Use SQL to corrupt their databases

I went to see the new Bourne movie and it definitely has a cyber angle.  I won't put any spoilers in this since I would hate to have someone ruin a movie for me.  Well, not unless you feel like "the movie has bad hacking scenes and a lame Vegas car chase" is a spoiler.  Note, you can get all of this from the trailer...  There are some places that the producers seriously suck at getting cyber right.

"Use SQL to corrupt their databases"
In an early scene, someone in a foreign language I don't speak says something that apparently translates to this.  I guess I can't fault them for this since you technically could use SQL to screw up a database, but I also can't imagine some hacker EVER saying these words.

Backdoors into CIA computers
No surprise, the heroes can hack into the CIA's classified mainframe from the Internet, because why not. Seriously, the CIA needs some decent termination procedures to revoke credentials from rogue agents and hardware tokens lost/destroyed in the field.  Also, the CIA could stand to learn from businesses about terminating credentials for agents presumed dead. 'Nuff said.


One does not simply hack the power grid
When the CIA needs to turn off power somewhere, they just hack into the power grid and shut it down.  Russia took six months in the network before they shut off the power.  Maybe Russia just sucks at hacking when compared to our CIA counterparts.

Just install some malware
Malware is magic and can pretty much do anything you need it to.  Just say the word malware three times and you can magically take over any computer anywhere.  The only saving grace here is that nobody uttered the words "zero day" so I didn't throw up in my mouth.

Hacking unknown cell phones, anywhere, and hot mic'ing them is trivial
Even when you don't know the phone number.  I have to admit, even I was impressed when CIA hackers first found, then hacked, a cell phone in close proximity to a malware infected computer.

Don't rip off DEFCON
There's a total rip off of DEFCON in the movie, right down to some of the artwork.  The story line didn't need it, don't rip off DEFCON.

Vegas geography - not for amateurs
Finally, and perhaps this is a nit pick point, a chase scene is shot on the Vegas strip. Since Hacker Summer Camp and many other conferences are held annually in Vegas, can we assume that much of the target audience know the geography?  In one part of the chase scene they drive for miles and cover like .25 miles of landmarks.  Later, they somehow teleport from Bally's to the Riviera.  Of course the Riviera was closed in 2015 and demolished in June, but hey - details...

Parting thoughts
The movie is good overall, but like a lot of movies that are "good overall" this leaves a lot to be desired when it comes to cyber fiction vs. cyber reality.  Medical films regularly reach out to real doctors to consult. Maybe it's time that producers of movies featuring hackers actually get advice from real hackers.

12 comments:

  1. Just saw it myself... **mini spoiler alert **
    You missed the part where after they hacked the cell phone, they used that to hack into the laptop that was obviously on the internet already as the malware was able to call home. (Let's just ignore the fact that any self respecting hacker who doesn't like the idea of going to prison, would not open some unknow usb outside of a controlled environment.)

    I audibly sighed at every hacking reference. Did not one single person in the entire crew take any clues from shows like Mr. Robot which was so successful BECAUSE it kept true to hacking?

    ReplyDelete
    Replies
    1. Right right. The whole clever malware scheme falls apart if the reader uses an offline device.

      Delete
  2. If you've ever watched a chase scene set in New Orleans, you'd think you could go for an hour without leaving the French Quarter.

    ReplyDelete
  3. "Use SQL to corrupt their databases!", and

    "Enhance!" that 14 pixel image and magically recreate a perfect portrait of Bourne's accomplice.


    The Bourne movies used to be good at this. This movie felt like someone's grandad had read the The Dummy's Guide to Hacking.

    ReplyDelete
    Replies
    1. The "enhance" cliche has been trashed so many times that I'm kinda shocked that the Bourne writers fell in that trap.

      You can get superresolution using stacking of slightly-different frames, but this technique would probably not work well in yhe context presented... Usually superresolution only works if the camera is handheld (and shakes slightly from frame to frame) AND the subject is not moving. I think the camera we see in the Athens square scene is a handheld camcorder... But both Bourne and Nikki are moving rapidly relative to the background. So probably a no-go.

      Aside from the SQL thing, the "enhance" thing is just the worst. It defies common sense...it sort of violates the logical principle of "conservation of data". A camera image cannot be processed to yield more data than was originally captured. You can combine frames (as I mentioned) and you can maybe guess a few pixels. But those approaches don't violate the basic conservation of data law. Even nontechnical people should intuitively grasp this!!!

      Delete
    2. The "enhance" cliche has been trashed so many times that I'm kinda shocked that the Bourne writers fell in that trap.

      You can get superresolution using stacking of slightly-different frames, but this technique would probably not work well in yhe context presented... Usually superresolution only works if the camera is handheld (and shakes slightly from frame to frame) AND the subject is not moving. I think the camera we see in the Athens square scene is a handheld camcorder... But both Bourne and Nikki are moving rapidly relative to the background. So probably a no-go.

      Aside from the SQL thing, the "enhance" thing is just the worst. It defies common sense...it sort of violates the logical principle of "conservation of data". A camera image cannot be processed to yield more data than was originally captured. You can combine frames (as I mentioned) and you can maybe guess a few pixels. But those approaches don't violate the basic conservation of data law. Even nontechnical people should intuitively grasp this!!!

      Delete
  4. I was expecting the film to be about 75% of the quality of first three and it largely fulfilled my expectations. I don't have a great deal of knowledge about hacking, but I hate when filmmakers use it as basically technological magic (i.e. the two last James Bond films). I didn't know much of the geography of Vegas, but I do know that the Armoured SWAT Van isn't heavy or powerful enough to plow through cars like that, and without sustaining any evident damage! There were myriad other annoyances, but the biggest of which was the excessive number of cuts and shaky camera work (I know Bourne is all about handheld, but come on).

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. While it's true that the Riviera was closed in 2015, I can attest that it had already been completely demolished prior to my stay there in 2009.

    ReplyDelete
  7. You can use SQL to "screw up" a database from a business perspective... E.g. dropping tables or (if you include proprietary functions and extensions like T-SQL) deleting data files, or maybe doing a destructive UPDATE (replace all references to "1337 h4x0rs" with a NULL, for example)

    But I wouldn't call that "corruption". First, any competent relational dayabase DBA is going to have backups and redo logs and probably some mechanism for a point-in-time recovery...

    If you want to corrupt a database, I would use malware to screw up the disk. Or if they are using transparent disk encryption, screw around with their encryption keys. I did that once by accident and it really screwed up our nonproduction Oracle databases badly...

    ReplyDelete
  8. "Use SQL to corrupt their databases". I explained to my wife that the equivalent would be for us to walk into a construction site and yell at all of the workers to "Use hammers to affect the nails!".

    ReplyDelete
  9. I have been using Kaspersky protection for many years now, I would recommend this Antivirus to all of you.

    ReplyDelete

Note: Only a member of this blog may post a comment.