Dear Hollywood

Friday, December 12, 2014

Dear famous producers, scriptwriters, authors, and publishers:

On behalf of the programming community, I would like to bring up a rather sore point among us. Whenever you have a scene involving “hacking”, you seem to make it a point to write scripts by mashing together complex-sounding buzzwords. We all cringed when someone declared “I’ll create a GUI interface using Visual Basic. See if I can track an IP address” in CSI. We facepalmed when Randy used telnet to make a secure connection in Cryptonomicon. We spawned a subreddit when Lex used a UNIX system. And some of us broke out in hives at Numb3rs’ description of IRC.

But we cheered when Trinity used nmap in The Matrix Reloaded.

When you depict ‘hacking’ as an esoteric dark art, you tell the public that ‘hackers’ are a breed of sorcerers who know the right incantations to make the Internet bow to their will.

This is a lot like claiming pharmacists are brilliant potion-makers who pass down the secrets to make mystic brews that control the human body.

But I don’t see any whizz kids saying “Hang on, I bet I can cook up a quick truth serum by distilling the monorubidium dibenzene crystal. Could you hand me the Bunsen burner?” (Followed by one of the most annoying lines in all of cinema: “In English, Doc?”)

This strange caricature that popular culture has drawn is what makes people regard ‘hackers’ with a blend of suspicion and fear. It leads to a vast misperception of what ‘hacking’ really is. As a more tangible effect, it also indirectly leads to the government not knowing how to handle computer security cases as well as it handles other cases.

You’re stereotyping an entire community: a community with history and values.

Of course, there are the bad guys who steal bitcoin and leak Sony employees’ personal emails. The least pop culture could do about them is to stop glorifying them as tech savants and point out that almost all such ‘victories’ are simply cases of a big company not installing the latest updates to their software (this is not a joke).

On the other hand, there are the heroes of computer security: people who dedicate their time and resources to finding and fixing critical issues in open source software to keep us safe. These are the real geniuses; they are brilliant folks with an immense knowledge of how everything works. It’s unfair to represent them as the same people as above.

Public opinion is really important in things like this, and movies and books are huge influences on it.

So here’s a request. Next time you have a scene with hacking, consult with an expert. Or even a geeky high school student (myself included). Ask them to tell you about a plausible real-world attack, and take the time to understand it at a conceptual level.

Learn about its history: when was it discovered? Did anyone get in trouble by using it? Was it embargoed, allowing big companies to patch their systems before the general public was told about it? Or was it leaked? What might show up on a computer screen when you’re carrying out the attack?

I promise it’s going to be much cooler than anything fictional. We regularly talk about things like the BEAST attack, the Heartbleed exploit and the Shellshock vulnerability. We have a tool called Metasploit. We even use the phrase ‘poisoned cookies’ in research papers.

In the world of ‘hackers’, truth is way cooler than fiction.

P.S. You might have noticed that I put ‘hackers’ and ‘hacking’ under scare quotes throughout this article. There is a reason for this. In the CS culture, a ‘hacker’ is not a criminal. A ‘hack’ is simply an appropriate application of ingenuity. Eric Steven Raymond explains this perfectly in his excellent document how to be a hacker:

There is another group of people who loudly call themselves hackers, but aren’t. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn’t make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren’t as smart as you think you are. And that’s all I’m going to say about crackers.

Someday, I’d like to watch a movie where the FBI imprisons a cracker, not a hacker.

Until then,

Yours Truly.
