IZBR

Hi! My name is Isaac Basque-Rice, I'm A Security Engineer and former Abertay Ethical Hacker, and this website is a repository for all the cool stuff I've done, enjoy!


Project maintained by IBRice101 Hosted on GitHub Pages — Theme by mattgraham

What Your Family Thinks You Do: An Analysis of Hacking in Hollywood

By Isaac Basque-Rice

Have you ever been having a conversation with a non-technical person when the topic of what you study (or do for a living) has come up? I’m willing to bet that within a minute of the word “hacking” leaving your mouth, the person has leaped at the opportunity to ask you whether you can hack X, Y, and Z for them. Why actually is that?

Hacking has been (for better or for worse) an absolute mainstay in movies for over 40 years. For most people, this is the only interaction they have with cybersecurity outside of work and the odd news story. It stands to reason, then, that the depictions we all see and scoff at are what most people think we actually do. This talk will go over these depictions, talk about their effects on hacking culture and culture at large, and hopefully answer the question “How is hacking used in the movies?”

Introduction

I imagine I’d be hard-pressed to find anyone in this room who had never seen a movie about or prominently featuring hacking. We’ve all seen the memes, the characters on NCIS who use the same keyboard at the same time to speed up a blue team engagement, the teenager who nearly ends the world by accidentally breaking into a NORAD supercomputer, or the surprising amount of characters who try to steal fractions of pennies from their employers’ bank transfers.

Whilst we, of course, all know that at least most of the time, these depictions aren’t what we’d call “accurate”. The number of YouTube videos, articles, Reddit posts, and tweets debunking various aspects of these movies means that the question of accuracy has, in my view, been absolutely done to death. This isn’t the type of talk where I’m gonna throw up a clip of a film and nitpick everything. So where does this leave us? I think it opens the door to a more interesting question, and that is this:

How is hacking used on the big screen, and how might this affect both the hacking subculture and culture more widely?

But to get a good idea of that, we need to tackle something more basic, and that is…

Who Are Movie Hackers And What Do They Do?

When writing this talk, one of the first places I looked, for better or worse, was Google Scholar. Maybe this was a way of giving myself a bit of legitimacy, or maybe it was a trauma response from writing my dissertation. Either way, I stumbled upon an article entitled “Forty Years of Movie Hacking” which considered the implications of media representation of hackers from 1968 to 2008, written by Damian Gordon of Technical University Dublin. This paper, although flawed in its analysis of art (bro calls documentaries “not movies” and discounts animated movies out of hand, which irrevocably harmed my soul and proved to me that STEM people need arts education), is, for us, an incredible starting point.

This paper gave me two things:

  1. A definitive list of movies I can base this whole thing off of (including a couple that are actually good!) and specific information about the hacking scenes and hackers therein
  2. A semi-detailed analysis of the hackers in these movies - their ages, jobs, whether they are heroes or villains, and so on

From this paper, we can tell that the average movie hacker is in their late 20s, works in IT, is a protagonist, and engages in outsider attacks. The accuracy of this can be debated till the cows come home (don’t we all like to think we’re the Main Character?) but the fact is that this is the perspective most people will have on us assuming they get all their information from the movies. Well, that or the classic basement-dwelling stereotype, but I think that that mental picture is mostly directed towards Incels and Redditors these days.

As an aside, multiple sources I’ve found claim the average age of infosec professionals is above 40 which I was genuinely quite shocked by and am inclined to question, I’m not shocked by the overwhelmingly and increasingly skewed gender ratio or anything though, which this paper also fails to cover.

Genre

Gordon classifies each of the films he studied by genre, of which he identified 5:

So here I’m gonna take a couple of minutes to go over each of these genres and talk about the purpose of hackers in them.

First I’m just gonna clear up a term though, you may hear me refer to some films as “genre films”. These are films that fit a well-defined genre that has a pre-packaged audience. Every MCU film, pretty much, is a genre flick that appeals to the audience of people who like superhero films, same with most horror movies, rom-coms, etc. Not every film in this talk is a genre film but, well, when you see a specific trope being used over and over again in certain kinds of films you’re gonna get some genre movies in there too, just natural.

Hacker

List of movies in this genre:


Perhaps the most obvious genre in this talk about the purpose of hackers. In these films, hackers are always the protagonists, they tend to be playful twenty-somethings with cool clothes and crazy lingo, you know, real nerd fantasy-type stuff. Very occasionally hackers can be portrayed as the antagonists also, but in these cases, they’re almost always either part of a wider organisation who are really the bad guys (such as an oil company in the case of Hackers) or work for some kind of evil entity or government (Such as the character MRX in Who Am I (2014, not the Jackie Chan film) who sells data to the Russians).

When making a genre flick you really need to know your audience. The audience for these films tends to be hackers, computer nerds, the kind of people who felt outcasted by their interest in computers, and as such the way they can be portrayed is really restricted, whether the filmmakers know or not. I also think the reason there aren’t many hacking films in this vein now is because, in large part, that audience isn’t there! Hacker culture has morphed away from hobbyism and towards consumerism and profit… but anyway.

Whether the restriction of a genre film to appeal to its pre-defined audience is a problem or not, I think, is heavily dependent on the film and the context around it, if Film X is the 5th hacker flick in as many years and also the 5th to have the FBI as the Big Bad then something’s up, right?

For what it’s worth, I can only really see two films on there worth bothering to find, you can probably guess which ones.

Heist

List of movies in this genre:


Heist movies, a self-explanatory genre, often contain hackers to forward the plot. These characters are not really characters in my view, I think they’re more like devices, they tend to be an amalgamation of various clichés and plot devices that allow the rest of the film to carry on relatively uninterrupted. A way of handwaving away technical limitations that may get in between the audience and sick highwire performances or dodging lasers or whatever. This is the genre most filled, in my view, with the cliches most associated with the hacker.

Contrary to what you may think though, the presence of hackers is not a new phenomenon in this genre! In fact, one could argue that the heist film saw the birth of the hacker archetype (or at least the behaviour later associated with hackers on film). Peter Ustinov plays Marcus Pendleton in Hot Millions (1968), a con man who gets out of prison and uses various social engineering techniques, alongside a bit of physical tampering with security devices, to convince an organisation he’s a programmer named Cesar Smith, subsequently sending checks to himself under various names all over Europe.

If you prefer a more technical approach as your first movie hacker, look no further than 1969’s The Italian Job, where Benny Hill (of all people) plays a computer science professor named Simon Peach (ooer) whose services are rendered to take control of the Turin traffic light system by swapping out the tape reels on which they run and replacing them with one of his own. This, in turn, causes a distraction so our heroes can pull off the heist. I actually really like this idea, there’s not much in the way of clichés, (possibly because the clichés hadn’t been established yet) and the character actually has character there instead of just being a tool.

Heroic

List of movies in this genre:


I think if you went to look up “Heroic” in any decent encyclopedia of film knowledge you probably wouldn’t find much, this is very much a catch-all term, I would say, for movies that don’t fit any of the other well-defined genres. There isn’t much in common between Office Space and Die Hard for example (apart from being set in an office building lmao but I digress).

Due to how wide-ranging this “genre” is there isn’t much in common really between the purposes of hacking in each of the films. Normally it’s for the protagonist to gain an upper hand, be it through deleting absences from a school computer as in Ferris Bueller’s Day Off, shutting down the Federal Gold Reserve’s security in Bait, or pocketing fractions of cents from interest accrued by a former employer in Office Space.

This, in and of itself, is interesting to me though. Hacking becomes, in some cases, a magic wand for our hero to wave and get their way, and in others (such as Gruber’s men hacking open the vault in Die Hard), it’s a magic wand for the antagonist, that our hero needs to bravely circumvent to stop their evildoing. In my view, this one trope in this one “genre” is probably most responsible for a lot of people’s perspectives on hacking.

For those of you who use Tinder, or have spoken to old schoolmates about what you do, or even to an overly inquisitive uncle or something, how many times have you had to say the sentence “Sorry I can’t hack into your bank account” or some variation thereof? We aren’t wizards, but filmmakers, and therefore most people, seem to think we are.

Sci-Fi

List of movies in this genre:


It won’t surprise anyone to learn that Sci-Fi is the genre in which the most sort of fantastical forms of hacking are put on display. R2D2 twisting some… thing that Wookiepedia refers to as a “scomp link” to locate Princess Leia in Star Wars, Neo fuckin flying all about the place in The Matrix, Captain Kirk hacking into the USS Defiant to lower its shields in The Wrath of Khan, or the whole of Tron. But Sci-Fi is also no stranger to a more “realistic” (or at least traditional) portrayal of hacking and hackers.

John Hughes’s Weird Science, a film about two boys Frankenstein-ing a sexy woman through using the computer, depicts our “heroes” hacking into the US Military for processing power to achieve the greatest single feat of misogyny since Sean Connery last opened his mouth, leaning into the age-old filmic tradition of depicting nerds as really just not great people, lovable sex pests, etc. Of course, you can ask any woman in STEM and she will tell you that there is a certain level of truth to that and I’m in no position to disagree really.

“TrueLife”

List of movies in this genre:


The final genre on this list, and another that, in my view, is only sort of a genre, is a genre in the same way that those weird Netflix categories are, like “Korean films based on a true story” or whatever.

This genre, though, is pretty interesting in its depiction of hacking, in that it, by and large, kin of needs to get it right. Obviously, there are liberties taken in places to maintain entertainment but by and large they have to stick to what really happened. As such, I don’t really think that hacking serves that much of an explicit narrative purpose in these films outside of just being something that happened, you know?

Let’s Go to the Movies!

So now I’ve gone over the primary genres in which hackers appear it is time to do a bit more of a deep dive into specific films, having a look at their plot, their effect on the culture, and my personal takes. Note that most of the movies I’m gonna talk about here are of the Hacker and Sci-Fi genres specifically, this is because in my view these best reflect preexisting attitudes towards hackers, especially given that the writers are all… well… writers, not technical, you know.

With that out of the way, we can start with one of the all-time classics of the genre:

How About A Nice Game (Of Chess)?

The framing of hackers as good guys - lovable rogues who do what they do for the fun of it, has a… well, dubious relationship to the truth at best. Naturally, this may be how a lot of us got our start in cybersecurity, but is this the kind of person we deal with daily? As a blue teamer myself I have to say that in my experience most hackers now are more interested in money than they are in harmless pranks, playing games, or changing grades.

Often, though, this compulsive need for movie hackers to have a little fun with it ends up being the inciting incident for the plot. Let’s take, as our first example of a movie hacker, one of The Big Ones.

WarGames (1983) follows the story of David Lightman, played by a young Matthew Broderick who incidentally gives a genuinely very entertaining performance for a child actor. After pulling the classic “hacking into the school computer to change his grades” move seen in such later classics as iCarly, Stranger Things, Ferris Bueller’s Day Off, and the daydreams of every little nerd in high school (myself included), David decides to also hack into what he assumes to be a video game company to play a new game, eventually accidentally starting the countdown to Global Thermonuclear War.

Although there are plenty of examples of hacking in Hollywood before this (I’ll go over a few in a moment) this movie is undoubtedly the father of Hollywood Hacking. Talking whilst typing, “We’re In”, weird unrealistic UIs that kinda work like slot machines, the works. With that said, though, the realism of this film for the time is… surprisingly good, which is uncanny. Looking at the film in its historical context, we see instances of phreaking (telephone line manipulation), social engineering, and Wardialing (calling everyone in a specific area code) which got its name from the film and speaks to the impact that WarGames had on hacker culture.

The impact this film has had on the cybersecurity, cultural, and legislative landscape is, maybe surprisingly, pretty immense. It was the first mainstream depiction of the internet and “Served as both a vehicle and framework for America’s earliest discussion of the internet”. As just mentioned, Wardialing gets its name from WarGames. This is a relatively old-school method of attack, with its utility hitting its peak in the dialup days when crackers would use it to guess user accounts (by listening to voicemail messages) or to locate modems that might provide an entry point into computers or other electronic systems. Bulletin Board Systems saw a sharp rise in activity in the weeks and months immediately following the release of WarGames, which one sysop attributed to the film introducing viewers to modems.

In terms of legislation, two critical pieces can be directly attributed to the release of this film. Ronald Reagan, a curse on his name, was a former Hollywood film star (a pretty shitty one at that) and hence a family friend of writer Lawrence Lasker’s. In a private screening of the film on its opening weekend at Camp David, Reagan asked his joint chiefs of staff “Could something like this really happen?” To which the answer, a week later, was “it’s much worse than you think”. This resulted in “National Security Decision Directive Number 145 - National Policy on Telecommunications and Automated Information Systems Security”, the first presidential directive regarding cybersecurity in US history, which gave the NSA control over all government computer systems containing “sensitive but unclassified” information.

The news media also latched onto this, focussing on “the potential for a WarGames scenario to exist in reality”. This media push undoubtedly left a huge imprint on the psyche of the average Westerner towards hacking and led in no small part to the passing of the Computer Fraud and Abuse Act of 1986. Legislators in favour of this bill argued that the film “showed a realistic representation of the automatic dialing and access capabilities of the personal computer”. In essence, the entire concept of unauthorised computer access being illegal, a notion upon which our industry (and my job!) is partly built, can be owed to a film directed by the same guy who made Saturday Night Fever… Okay probably not but let me have this ok?!

It’s a Unix System…

Of course, I can’t talk about hacking in movies without touching on a little bit of sensationalism. Here it’s going to take the form of Steven Spielberg’s 1993 masterpiece (the one that isn’t Schindler’s List (Isn’t it so crazy that he directed both films in the same year? dude really is the GOAT)), Jurassic Park. The cultural importance of this film cannot be overstated. It was, at one point, the highest-grossing film of all time, grossing over a billion dollars at the box office (adjusted for inflation), and, the hallmark of a really great film, it has spawned a wide array of sequels, spanning the whole gamut of Hollywood Cash-Ins, from “Mid” to “Trash”.

The thing that most people remember about that film is the fucking sick nasty dinosaurs but something that’s very rarely part of the conversation around this film is the hacking that is so crucial to the plot.

In the film, Dennis Nedry, the primary programmer for the Park’s internal systems, becomes the catalyst for the plot of the film when fuelled by financial greed, he decides to steal and smuggle dinosaur embryos off the island on which Jurassic Park is situated. To do this, Nedry has to shut down his own security system, unleashing the dinosaurs into the Park, as well as shutting off all power and communication to, from, and around the island.

Once Samuel L Jackson has gone through a great deal of exposition explaining how difficult everything will be to get back online, in the climax of the film, Lex, the kid hacker, manages to hack into Nedry’s flashy terminal and get everything back online just in time to get in contact with Richard Attenborough’s Dr Hammond.

This infamous hacking scene, in particular the quote “It’s a UNIX System… I know this!” spoken by Lex, has given birth to an entire subreddit, r/ItsAunixSystem, which chronicles all of the times in media that the writers clearly do not know what they’re on about when it comes to technology. Ironically enough, though, the system Nedry’s computer is running is a real UNIX system! In the film, a derivative of a Silicon Graphics OS called IRIX runs a 3D filesystem navigator named fsn, which you can install on your own system if you like! Whether this is a realistic OS to have in prod is… debatable at best but it’s not quite as bullshit as you were led to believe by those damned self-righteous Redditors.

Whilst I’m here though, I would like to say a few words about the sensationalism of hacking in film. Irrespective of whether or not the UI on this computer was real or not, it still served the same purpose. To mystify the audience.

On the film’s release, the World Wide Web was less than three years old, and still very much the preserve of nerds and freaks (I like to think I’d be online back then too). The general public had limited exposure to computer networks. As a result, the hacking scenes served to mystify and intrigue audiences. In the words of Arthur C. Clarke: “Any sufficiently advanced technology is indistinguishable from magic.”

And magic is essentially what it is, the parallels in this era of cinema are pretty stark! Representing abstract or maybe sometimes kinda boring concepts using interesting visuals, using special tools and elaborate rituals within a set framework to accomplish a goal that forwards the plot, writers end up getting kinda lazy with it, it’s all there! The only difference is that, because hacking is real, it ends up also reflecting a broader trend in Hollywood during the ’90s, where technology was often presented as both a savior and a potential threat.

What Is Real?

I’m not gonna talk about this one for too long because I don’t really feel like I need to talk about the importance of The Matrix in relation to hacking in film. Feel like it’s one of those that is just so huge that there’s no point in going too in-depth about it lol.

With that said, in most people’s eyes, I would guess, the Matrix is seen as THE hacking film. The green terminal interface with falling characters, and the black leather trenchcoats with rounded glasses, all remain visual in the collective mind’s eye. It popularized the idea of hackers as rebels or digital revolutionaries challenging established systems. The film’s visual representation of hacking, with characters typing furiously at computers while navigating virtual landscapes, captured the imagination of audiences and contributed to the glamorization of hacking in popular culture.

The Matrix: Reloaded, in fact, was so culturally significant (and in many ways accurate) that Scotland Yard’s Computer Crime Unit teamed up with the BCS to issue a joint warning against “[Attempting] to emulate the […] depiction of computer hacking” in that film.

Some of the themes of the film, too, are significant in hacker culture. The film is about much more than this, but at a very basic level, the film is about a digital insurgency against powerful overlords that wish to control and enslave humanity (in this case aliens using humans as batteries). Whether this is right or wrong, this sentiment has served as an undercurrent for the hacking scene since it moved out of the realm of academia. Naturally because, as I say, that’s not really the main point of the film (IMO) it doesn’t do an amazing job of exploring the whole “stick it to the man” schtick, nor should it have to! But one movie that explores this space a little bit better in my view is…

Hack the Planet!

Hackers (1995) is the movie that, for my money, most influenced hackers’ perceptions of themselves. My manager at work, once I told him what I was doing my talk on, told me that he (and lots of hackers of his “generation” so to speak) was influenced to become a computer security person by this film. If that’s not evidence of the power of movies I don’t know what is, man.

The film follows a group of high school hackers who discover that the security chief of a large corporation is planning to run a scheme to defraud his employer. When the CISO, Eugene “The Plague” Belford, discovers that our heroes have hacked into the company and attempted to steal his salami-slicing worm (albeit unknowingly) he claims to the US Secret Service the corrupted file is code for the daVinci worm, which he alleges is planted by the high school hackers and will capsize the companies oil tanker fleet causing an ecological disaster.

Now… I will be the first to say this isn’t exactly what you could call a “good” movie… it didn’t win any Oscars and frankly didn’t deserve any of them (Although Braveheart won Best Picture and Mel Gibson Best Director that year so it sounded like 1995 was a flop anyway). With that said, its contributions to the hacking subculture cannot be overstated. Whilst it may not be the first movie to use the term “hack” to refer to accessing a computer without authorisation etc. etc. (that honour falls to Jeff Bridges in 1982’s TRON), it is most certainly the first to use it as liberally as they have. Hell, the glamorous, stylised, and generally positive depiction of hacking in this movie put it up there as iconic within the subculture all on its own.

How this film inspired young pre-hackers into The Life is numerous and varied. The aforementioned depictions of the act itself, the representation of hackers as these cool, edgy teens who wanna stick it to the man and had their own counterculture that MY MOOOOM doesn’t know anything about, the aesthetic that comes along with that counterculture (futuristic clothes, colourful hair, etc.). It brought the already burgeoning hacker culture, which up to this point only really existed on forums, text files, and online zines, into the fore (to whatever extent $7.5 million gross on a budget of $20 million can lol)… Well… there’s an XKCD comic about it anyway so that must count for something.

Attacks in Film

There are several kinds of attacks that, for whatever reason, the movie industry has totally latched onto. Whether they’re more cinematic, funnier, easier to understand, better at advancing the plot, or some mix of the lot, these forms of attack are super common in film. There is a large body of evidence that suggests that using movies in educational settings can aid in improving interest in the given subject. As such, there is a good chance that these attacks are the only ones that children watching any of these movies are aware of. Could it be that some of these attacks aren’t actually as popular as the films make out and that young people are inadequately prepared for the realities of cyber security?

Salami Slicing Attacks

Well, one kind of attack that would certainly support this theory is the salami-slicing attack. Mentioned in passing already, this is the Superman III and Office Space attack, whereby a malicious actor will repeatedly and frequently steal money, (in most cases on film from their employer), in extremely small quantities. Let’s say you work for a financial company that frequently trades, for example, foreign currencies. At the time of writing, the conversion rate between GBP and USD is £1 = $1.2247045. For almost all intents and purposes the $0.0047045 does not really exist, at least not noticeably for most people, so what’s the harm in slicing that little bit off and siphoning it into your own pocket?

Well… I mean, this is, legally speaking, theft, and I’m not getting into the philosophical arguments for and against stealing from large financial institutions right now. Regardless, this isn’t a particularly popular method of profiting from financial companies in the real world. There have been cases, sure, like the, like, two or three times where servicemen for fare boxes (like where you get tickets to get the train or whatever) were caught stealing single coins at a time or adding computer chips to gasoline pumps to fraudulently but only slightly overcharge users. There are no cases, however (or at least weren’t in 2001 when this Snopes article came out) of a computer hacker as an insider threat embezzling money in the way one can see in these films.

Social Engineering

Thankfully not all kinds of attacks in film are so obscure. Social Engineering, human hacking, tricking people into believing you and subsequently divulging confidential information, is (according to some statistics) involved in up to 98% of all cyber incidents. If anything it’s resoundingly underrepresented in cinema. To my mind, the presence of something like phishing has only appeared very rarely. I think only in Oceans 8 maybe but unfortunately I’ve not seen that movie apparently Rihanna emails something about dogs to a guy who works a casino? What a world we live in!

Fictional Hacktools

In line with hacking more generally, hacking tools in fiction can be considered akin to a magic wand. the protagonist needs something, oh nice, there’s a hacking tool you can run that does just that! How convenient :). This contributes (most probably) to a culture of, especially younger, people, who think they can install Kali Linux on their laptop and, I don’t know, steal their sister’s RAM or something (obviously not but you get my point). From a filmmaking perspective, hacktools must be super useful huh? As I say, do whatever you want. Get more power, hack the government with the press of a button, whatever.

Insider and Outsider Attacks

Insider attacks are actually fairly rare in movies, to be honest. They’re just more difficult to make cinematic it seems. The old trope of the disgruntled employee fucking something up works for sure… is it engaging? Not normally unless you’re Steven Fucking Spielberg. This lack of insider threats, however, serves to outline starkly the difference between film and reality, as (allegedly) over 58% of cybersecurity incidents were attributed to insider threats. Well, I think that statistic is bullshit but it’s certainly over 15% anyway.

Password Discovery

Finally, we have obtaining passwords, not much to say here really… people do it, it works, you know how it goes…

Nmap

Okay so just before I finish and take some questions, I only found this page fairly recently, but did you know that the nmap org keeps a list of movies that nmap is used in? I certainly didn’t until, like, Monday when I mentioned what I was doing in the office and one of the, like, 50 other Abertay grads I work with pointed it out lol.

Conclusion

Well… I didn’t mean to end it like that really but there you go. Depictions of hacking in movies go beyond flashy visuals and exaggerated plots; they significantly influence our perceptions of cybersecurity and hacker culture. These films blend reality with fiction, creating a world where hacking is portrayed as a glamorous tool used by the protagonists or antagonists to advance their narrative.

The impact of these cinematic portrayals extends beyond entertainment, as films like “WarGames” have influenced policies, legislation, and even public understanding of the internet. The fusion of technology with storytelling has woven a tapestry where hacking is both feared and revered, where tools such as Nmap become household names due to their appearances on the silver screen.

However, these portrayals often neglect the breadth of cybersecurity challenges by spotlighting only specific aspects of hacking. The prevalence of certain attack types, like salami slicing or password discovery, overshadows the more complex and pervasive threats of social engineering or insider attacks.

Despite their exaggerations and oversimplifications, these films spark conversations and fuel curiosity, inspiring interest in technology from a romanticized perspective. Ultimately, they serve as a starting point, a gateway into a world that, while not accurately depicted, still fascinates and drives many to explore the real complexities of cybersecurity.

As each cinematic hacking adventure ends, it leaves us with a combination of fascination, misinformation, and a lingering question: how accurately does Hollywood reflect the real world of hacking, and what might the future hold for this portrayal in our ever-evolving technological landscape?