"Untraceable" Movie's Plausible, But Pathetic Premise


The new movie "Untraceable" is a variation of an old murder-mystery theme, in which the self-proclaimed invincible antagonist taunts authorities with his ability to elude them. Rather than leaving obvious clues that lead to dead-ends, the Untraceable killer uses a Web site that broadcasts a video of his victim hooked to a Kevorkian-type death machine to demonstrate his power. The site goes viral faster than Will Ferrell's "The Landlord," and the whole world and the Feds--led by actress Diane Lane--can watch people die in real time.

Two catches: first, the higher the site traffic, the faster the victim dies; second, the site is untraceable, meaning the Feds can't find the killer or save the victims.

Disclaimer: I haven't seen the film or read the script, but I can pretty much assume that there will be a lot of angst, soul-searching, regret and, ultimately, redemption when the killer is eventually caught and the killing spree is brought to an end. This is Hollywood, and it's required that there's either a happy ending or some type of justice resolution.

My question, though, was whether the technical premise of "Untraceable" was plausible. If you think back to some of the hacker and cybercrime movies in recent memory, the premise is simple--use technology to steal millions or cause untold catastrophe and chaos--but the technical implementation is ludicrous.

*** CHECK OUT "Baseline Top 20 Hacker Movies of All Time" ***

Remember "Swordfish"--starring Tinseltown heavyweights John Travolta, Hugh Jackman and Halle Berry--about a criminal group that coerces a reformed hacker into a bank robbery scheme? Despite RSA Security being the film's technical advisor, they somehow blended encryption and firewalls into the same technology that had to be cracked. Ahem.

Then there was "Hackers," starring everyone's favorite Angelina Jolie, in which a group of kids get framed for creating a virus designed to cover an embezzlement scheme. Yeah, they had to "hack the Gibson," which was a 3D maze of files and digitally represented mainframes. Yes, brute force attacks are real; visual hacking is not.

Or the '80s classic "War Games," in which a young Matthew Broderick and Ally Sheedy find a backdoor to a supercomputer at the Air Force's NORAD nuclear command center and nearly spark World War III by playing rudimentary video games. Oh, Joshua liked Tic-Tac-Toe, but much preferred "Global Thermonuclear War."

"Untraceable" is something a little different, because it's just plausible enough to make someone try it in real life. To test the technical veracity of the movie's premise, I reached out to three well-known security experts: Gene Spafford at Purdue University; Marcus Ranum, the man who arguably invented the modern firewall; and G. Mark Hardy, a national and cybersecurity consultant and Navy reserve officer.

"Like many such questions, the answer is 'it depends,'" Spafford said. "If you can instrument arbitrary routers/networks as you do traceback, then no, it is not possible to completely mask the location. However, that is not always possible. For instance, if there is a NAT (network address translation) router/firewall on the path between source and sink, then the traceback stops at that point, and unless you are able to instrument beyond that point, you can't say where the traffic is coming from (if it is even originating 'inside' the NAT)."

Ranum concurs: "You can always just roll the connection back a hop at a time and you'll find it. That's basically what traceroute does automatically (try bringing up a command shell in Windows and typing 'tracert www.whitehouse.gov'). You could mess with the routing tables but only at the edge of the network, and the edge is easily geo-locatable. If you were tracing someone and they weren't geo-locatable on the edge then you know that they were someplace along the routing path and you could nail them pretty quickly."

"I suppose the bad guy could be setting up a site on a transient address, then taking it down in a few minutes and moving to someplace else, but you'd still be able to determine the edge network where it had appeared and that would be physically located someplace on the other side of a router."

Hardy, who often lectures on terrorists' use of the Internet and was the first military officer on the scene at Ground Zero on 9/11, said, "The key is to redirect Web sites--hit one, it forwards to the next, then so on. Using an offshore server in a country that doesn't share law enforcement data (e.g., China), or bouncing through two countries that hate each other: US-Pakistan-India, I can serve up information from my hidden server to the temporary server, sort of like a Citrix session. Take down an intermediate point, I just re-route by changing my DNS information. Hey, that's the whole point of the Internet, right? Survivability."

The real issue, as Hardy raises and the panelists agree, is law enforcement cooperation, collaboration and technical prowess. Any system is hackable and nearly every Internet connection is traceable, provided you have the cooperation of the owners of every hop along the path. That is not so easy.

"For many reasons, including issues of politics, philosophy and technology, there are places around the world where law enforcement can get neither cooperation nor data, so the path goes cold at that point," said Spafford. "This is a current problem in investigating issues of fraud, spam, and stalking."
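A model of the hop-by-hop traceback the experts describe, from the investigator's side, added here as an illustration and not taken from the article or its sources. The `Hop` record, device names and addresses are constructed assumptions; it shows the trace going cold where an operator will not cooperate or a NAT has no translation record.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port) as seen on the wire

@dataclass
class Hop:
    name: str
    cooperates: bool                 # does the operator hand over records?
    upstream: Optional[str]          # next device toward the source, None at the origin
    rewrites: bool = False           # True for NAT: the source tuple changes here
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # outside -> inside

def trace_back(hops, first_hop, observed):
    """Walk from the sink toward the source one hop at a time.

    Returns (hops_examined, last_known_endpoint, reason_stopped)."""
    examined, endpoint, current = [], observed, first_hop
    while current is not None:
        hop = hops[current]
        if not hop.cooperates:
            return examined, endpoint, "no cooperation at " + hop.name
        examined.append(hop.name)
        if hop.rewrites:
            if endpoint not in hop.table:
                return examined, endpoint, "no translation record at " + hop.name
            endpoint = hop.table[endpoint]   # recover the pre-NAT source tuple
        current = hop.upstream
    return examined, endpoint, "reached origin"

# Constructed sample path (documentation/private addresses, not real hosts).
OBSERVED = ("203.0.113.7", 40112)    # what the sink's logs show
INSIDE = ("10.0.0.23", 51544)        # the host behind the NAT

def sample_path(nat_cooperates=True, nat_has_record=True):
    table = {OBSERVED: INSIDE} if nat_has_record else {}
    return {
        "isp-router": Hop("isp-router", True, "transit-router"),
        "transit-router": Hop("transit-router", True, "edge-nat"),
        "edge-nat": Hop("edge-nat", nat_cooperates, None, rewrites=True, table=table),
    }

if __name__ == "__main__":
    for kwargs in ({}, {"nat_cooperates": False}, {"nat_has_record": False}):
        print(kwargs, trace_back(sample_path(**kwargs), "isp-router", OBSERVED))
```

In the two failing cases the investigator is left holding only the NAT's public address, which is the point at which Spafford says the path goes cold.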

Ranum was a little less generous toward law enforcement. "The snappy answer I wanted to make is that [the 'Untraceable' premise] is quite plausible, because when it comes to networking most feds still couldn't find a router if they had it stuck up their nose," he said.

Well, I guess there are some things in reality that do transcend into Hollywood fiction.

What's your favorite hacker movie?