"Untraceable" Movie's Plausible, But Pathetic Premise
The new movie "Untraceable" is a variation of an old murder-mystery theme, in which the self-proclaimed invincible antagonist taunts authorities with his ability to elude them. Rather than leaving obvious clues that lead to dead-ends, the Untraceable killer uses a Web site that broadcasts a video of his victim hooked to a Kevorkian-type death machine to demonstrate his power. The site goes viral faster than Will Ferrell's "The Landlord," and the whole world and the Feds--led by actress Diane Lane--can watch people die in real time. Two catches: first, the higher the site traffic, the faster the victim dies; second, the site is untraceable, meaning the Feds can't find the killer or save the victims.
Disclaimer: I haven't seen the film or read the script, but I can pretty much assume that there will be a lot of angst, soul-searching, regret and, ultimately, redemption when the killer is eventually caught and the killing spree is brought to an end. This is Hollywood, and it's required that there's either a happy ending or some type of justice resolution.
My question, though, was whether the technical premise of Untraceable was plausible. If you think back to some of the hacker and cybercrime movies in recent memory, the premise is simple--use technology to steal millions or cause untold catastrophe and chaos--but the technical implementation is ludicrous.
*** CHECK OUT "Baseline Top 20 Hacker Movies of All Time" ***
Remember Swordfish--starring Tinseltown heavyweights John Travolta, Hugh Jackman and Halle Berry--about a criminal group that coerces a reformed hacker into a bank robbery scheme? Despite RSA Security being the film's technical advisor, they somehow blended encryption and firewalls as being the same technology that had to be cracked. Ahem.
Then there was "Hackers," starring everyone's favorite Angelina Jolie, in which a group of kids get framed for creating a virus designed to cover an embezzlement scheme. Yeah, they had to "hack the Gibson," which was a 3D maze of files and digitally represented mainframes. Yes, brute force attacks are real; visual hacking is not.
Or the '80s classic "War Games," in which a young Matthew Broderick and Ally Sheedy find a backdoor to a supercomputer at the Air Force's NORAD nuclear command center and nearly spark World War III by playing rudimentary video games. Oh, Joshua liked Tic-Tac-Toe, but much preferred "Global Thermonuclear War."
Untraceable is something a little different, because it's just plausible enough to make someone try it in real life. To test the technical veracity of the movie's premise, I reached out to three well-known security experts: Gene Spafford at Purdue University; Marcus Ranum, the man who arguably invented the modern firewall; and G. Mark Hardy, a national and cybersecurity consultant and Navy reserve officer.
"Like many such questions, the answer is 'it depends,'" Spafford said. "If you can instrument arbitrary routers/networks as you do traceback, then no, it is not possible to completely mask the location. However, that is not always possible. For instance, if there is a NAT (network address translation) router/firewall on the path between source and sink, then the traceback stops at that point, and unless you are able to instrument beyond that point, you can't say where the traffic is coming from (if it is even originating 'inside' the NAT)."
Ranum concurs: "You can always just roll the connection back a hop at a time and you'll find it. That's basically what traceroute does automatically (try bringing up a command shell in Windows and typing 'tracert www.whitehouse.gov'). You could mess with the routing tables but only at the edge of the network, and the edge is easily geo-locatable. If you were tracing someone and they weren't geo-locatable on the edge then you know that they were someplace along the routing path and you could nail them pretty quickly."
"I suppose the bad guy could be setting up a site on a transient address, then taking it down in a few minutes and moving to someplace else, but you'd still be able to determine the edge network where it had appeared and that would be physically located someplace on the other side of a router."
Hardy, who often lectures on terrorists' use of the Internet and was the first military officer on the scene at Ground Zero on 9/11, said, "The key is to redirect Web sites--hit one, it forwards to the next, then so on. Using an offshore server in a country that doesn't share law enforcement data (e.g., China), or bouncing through two countries that hate each other: US-Pakistan-India, I can serve up information from my hidden server to the temporary server, sort of like a Citrix session. Take down an intermediate point, I just re-route by changing my DNS information. Hey, that's the whole point of the Internet, right? Survivability."
The real issue, as Hardy raises and the panelists agree, is really about law enforcement cooperation, collaboration and technical prowess. Any system is hackable and nearly every Internet connection is traceable, provided you have the cooperation of the owners of every hop along the path. That is not so easy.
"For many reasons, including issues of politics, philosophy and technology, there are places around the world where law enforcement can get neither cooperation nor data, so the path goes cold at that point," said Spafford. "This is a current problem in investigating issues of fraud, spam, and stalking."
Ranum was a little less generous toward law enforcement. "The snappy answer I wanted to make is that [the 'Untraceable' premise] is quite plausible, because when it comes to networking most feds still couldn't find a router if they had it stuck up their nose," he said.
Well, I guess there are some things in reality that do transcend into Hollywood fiction.
What's your favorite hacker movie?
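
The experts' shared point in the article, that a trace proceeds one hop at a time and ends wherever a hop's records are unavailable, can be modelled as a walk over per-hop address-translation logs. This is an added example, not part of the original article: the log format, the `trace` function and every address (documentation ranges) are constructed, and clocks are assumed to be synchronized across hops.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    start: int      # epoch second the translation was created
    end: int        # epoch second it expired
    inside: tuple   # (ip, port) on the side nearer the source
    outside: tuple  # (ip, port) the hop presented toward the destination

# Constructed sample logs, keyed by the address of a translating hop
# (NAT or relay). None means the hop exists but its operator supplies no logs.
LOGS = {
    "198.51.100.7": [
        Mapping(900, 960, ("203.0.113.9", 41000), ("198.51.100.7", 61001)),
        # Same outside port reused later by a different inside host.
        Mapping(1000, 1060, ("203.0.113.50", 52000), ("198.51.100.7", 61001)),
    ],
    "203.0.113.50": [Mapping(995, 1100, ("192.0.2.88", 33000), ("203.0.113.50", 52000))],
    "192.0.2.88": None,
}
# Same path, but with the last operator cooperating.
FULL_LOGS = {**LOGS, "192.0.2.88": [
    Mapping(990, 1100, ("10.1.1.5", 5555), ("192.0.2.88", 33000))]}

def trace(observed, ts, logs):
    """Walk back from the (ip, port) a server saw at time ts.

    Returns (path, status). "cold": a hop has no logs. "no-match": logs exist
    but no single mapping was live at ts. "endpoint": the last address is not
    a known translating hop (a lead, not proof of origin).
    """
    path, current = [observed], observed
    while current[0] in logs:
        records = logs[current[0]]
        if records is None:
            return path, "cold"
        live = [m for m in records
                if m.outside == current and m.start <= ts <= m.end]
        if len(live) != 1 or live[0].inside in path:  # ambiguous, missing, or looping
            return path, "no-match"
        current = live[0].inside
        path.append(current)
    return path, "endpoint"

if __name__ == "__main__":
    seen = ("198.51.100.7", 61001)  # source address in the web server's access log
    print(trace(seen, 1010, LOGS))
    print(trace(seen, 1010, FULL_LOGS))
    print(trace(seen, 950, LOGS))
```

The timestamp matters as much as the address: the same outside port maps to a different inside host at `ts=950` than at `ts=1010`, so a trace built on an imprecise time follows the wrong branch.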

Comments (8)
I saw "UNTRACEABLE" a few weeks ago in London and I found the movie to be presented in a very authentic and sensible manner. It wasn't overly technical but it at least "tried" to be realistic. The film itself was very intense and suspenseful and reminded me of good thrillers like "SE7EN" and "SILENCE OF THE LAMBS". No... "UNTRACEABLE" won't win Oscars but it is a great thrillride with more tech savvy than almost any other Hollywoodland cyber-thriller. Recommended.
Posted by Dan | January 18, 2008 9:00 AM
Well, many films demand that we suspend a certain amount of belief. Movies with monsters, aliens, and superheroes all present things that don't match up with the real world. Whether it is James Bond or Narnia, the story requires some alteration of the world to be told. If we were to apply knowledge of physics and physiology (at a minimum) to movies we'd find the majority of them unreal.
That's not to take away from your analysis, however. Something too far outside the possible does make it difficult to get into the "flow" of the movie, and a really bad misstep can ruin the whole experience -- turning Star Wars into Santa Claus Conquers the Martians.
As for me, I will likely watch Untraceable not because of the technology, but because of Diane Lane -- she's a wonderful actress, and I've had a crush on her for years. :-)
Posted by Gene Spafford | January 18, 2008 11:14 AM
I have not seen the movie myself, but given the ease of setting up botnets, mobile and offshore servers, Yahoo/Google poisoning, and a long list of well-proven, time-tested hacker techniques - I find it very plausible that a hacker could maintain a site for a significant period of time without interruption to the site or discovery of their identity.
In my experience, many ISPs and hosting facilities, even domestic ones, don't usually have the ability to respond to law enforcement needs in a timely fashion (if at all). Hardy's comments are well taken also. After all, we expect servers to go down and routers to fail, and links to be moved, so the very topology of the Internet to some degree enables clandestine servers.
Of course, the most important comment is Prof Spafford's: Diane Lane is wonderful.
Posted by Eric Uner | January 22, 2008 12:03 PM
Stick with tech, and stop writing movie reviews. Why? You can't.
Posted by Big Bob | January 23, 2008 12:46 AM
At my blog, I wrote in a bit more detail about the technical plausibility of the plot, first based on just the trailer and then, after I managed to find and read the script (I found it in Google's cache), on the whole story and explanation given in at least that version. I looked at it more from the perspective of a botnet-mediated site, which the script makes explicit and as Eric suggests, but I still find the details implausible--I think that the scenario described in the movie could easily be shut down very quickly, even without any law enforcement involvement at all. "Untraceable" depicts the same kind of fictional world you see in the "CSI" shows, where law enforcement seems to operate the telecommunications infrastructure. (As we all know, it's not law enforcement but the NSA that has that kind of access into the networks and billing records of some large incumbent providers.)
While I agree with Eric that many ISPs and hosting facilities can't give law enforcement the kind of evidence they need for a prosecution, I think it's more that they find it easier to shut down problems than to try to collect detailed evidence (like captures of network traffic and forensic information from customer machines), especially when law enforcement rarely comes through with a successful prosecution. From my viewpoint, many Internet providers and security researchers are constantly supplying law enforcement with information and leads. The legal authorities do crack down on a few high profile cases periodically, and are certainly collecting a huge amount of evidence about many thousands of incidents, but the wheels of justice turn far more slowly than it takes for major Internet backbones to shut down problem sites. Alan Ralsky, who was one of the top spammers in the world, was raided by the FBI in September 2005 but has only been indicted in January 2008.
I've been predicting at my blog that the film will prove to be a stinker, which has provoked people associated with the film to comment at some length (including calling me "a horse's ass"). So far, though, the film reviewers have been with me--Rotten Tomatoes currently has 17 reviews, 13 of which are negative.
Posted by Jim Lippard | January 24, 2008 10:55 AM
Does anyone at Baseline remember SCADA???...
If Breach (2007) was the scariest "hacker" film of all time, how can we leave out "Live Free or Die Hard" (2007)???...
The "fire sale" in LFoDH was over-blown and amounted to nothing more than tactical distraction, running cover for the more pedestrian raid of central bank financial balances...
But effective web-based attacks on commercial utility infrastructures, via well-known weaknesses in SCADA, is no longer speculative fiction. It has become news. And our collective behinds are inadequately covered.
Posted by alerter | January 25, 2008 9:20 AM
You are not a very good writer and your taste sucks.
When people read what you write, you try to make yourself sound intelligent but you make very little sense. Try to just speak English and tell the story instead of always trying to sound smart.
You try to impress the readers and I believe most of them lose interest in what you write because you lose them every time. I would want someone to tell me if I was boring.
Posted by mike | February 3, 2008 1:31 PM
I am a Computer Programmer and Network Administrator, and I thought that the content was good. Mike, didn't your mom ever tell you "if you cannot say something nice then do not say anything at all"??? Maybe leave this one to the experts.
Posted by SeLTiC | March 11, 2008 5:00 PM