What Blackhat Gets Right: A Chat With Former Hacker Kevin Poulsen  

Back in Kevin Poulsen’s hacker days, before he became a writer and Wired editor, he pulled stunts like taking over the phone lines in a radio contest to win himself a Porsche, or breaking into the FBI’s computer system to change his physical description when he ended up on the agency’s Most Wanted list. He served a five-year sentence for his crimes. Now he’s consulting for Hollywood hacker films.

Poulsen’s story itself was not the inspiration for the film Blackhat; it came from Kingpin, Poulsen’s 2012 account of Max “Vision” Butler, a white hat hacker who, when released from an 18-month cybercrime sentence, could no longer find proper employment and turned to the other side. Max Vision provided the framework for Hathaway, the hacker played by Chris Hemsworth (yes, the sexiest man alive) in Blackhat.

As we’ve pointed out before, Hollywood has a really hard time making hacking look interesting in a movie, and an even harder time portraying it accurately. Blackhat comes about as close as anything we’ve seen before, and it wouldn’t have done so without Poulsen’s expert influence. We talked to him about the process.

Gizmodo: What do you think Blackhat got right, and what did it get more right than other computer crime movies in the past? And did it miss anything?

Poulsen: The biggest thing it got right was broadly the international nature of cybercrime — how a single attack can implicate so many countries. It’s gonna go through a bunch of different servers, and it can be very hard to pin down who’s behind it.

But that’s something that hasn’t really been done in movies before. Then we put a lot of work into finding plausible ways that malware and hosting arrangements and all these other things could be used to advance the plot and all of that I think turned out pretty nice.

It must have been hard to determine a way to show computer activity on a screen in a way that’s exciting.

Yeah, well, he (director Michael Mann) did this great CGI at the beginning of the film. I had nothing to do with that, but that turned out really good. When I learned that he planned on trying to visualise a computer intrusion with graphics, I immediately thought of all these other movies where that’s been done just horribly, and I voiced that concern and he wound up having this very specific plan to make it this very physical look. And I think he actually got the EDA file for an actual chipset and motherboard and put that right into the CGI, so it’s actually very authentic.

What kind of notes would you give the director?

Well, in an earlier version of the script, the… I’m trying to phrase this without any spoilers. At one point the Chicago commodities exchange gets hacked and in an earlier version of the screenplay it was conceived that the exchange’s servers were air gapped, which means they weren’t connected to any network. They were physically isolated, electronically isolated. So that doesn’t work because commodities exchanges are by nature not air gapped. They’re extremely wired. They have high-speed connections to traders and trading platforms.

So we had a discussion about ways we could make the system secure and force an attack to come from the inside without going to the extreme of an air gap, which doesn’t work. Then we just developed the idea that they would have extremely strong perimeter defence and a good firewall and they’d perform deep packet inspection and they’d have an intrusion prevention system that responds to attack and that wound up being in the film.

So in terms of real-life application, what do you think constitutes terrorism in hacking, and where do we draw the line?

So far the only real terrorism we’ve seen in hacking is when, as with the Sony attack, there’s an actual terrorist threat at a company. My own feeling is that’s probably going to be as close as we get to terrorism. I don’t think we’re going to see attackers actually causing the kind of kinetic effect that takes lives or injures people physically. I think terrorists will probably still be using crude physical attacks in the future.

I think sometimes people overreact because they don’t understand what cyber crime is.

Well, Sony was a serious attack. That attack hit a lot of innocent people. I don’t think there was an overreaction to Sony. In the general matter, I think, yes, people overreact. Like the CENTCOM hack, CENTCOM’s Twitter feed was hijacked, and some people reacted as if this were CENTCOM’s own systems being hacked and defence data was at risk. And of course it never was, it was just a Twitter account being hijacked like it happens every day. Sony, though, was serious. You had people working without computers in an active entertainment company for like a month. Not to mention all the personal health information and private data were released.

There’s a scene in the movie where an NSA guy falls for a phishing attack and clicks on a file called “black widow.” And I had to laugh a little bit because I feel like, wouldn’t a guy like that be trained not to fall for something like that?

Oh, a guy like that would fall for something like that. That’s how most sophisticated attacks begin these days, with what’s called a spear phishing attack, so it’s a phishing attack that’s custom crafted to get a particular person. So it comes from somebody that that person knows. And it’s an email that they’re expecting or that seems right for whatever’s happening at the time. So that part is completely plausible.

The part where the phishing attack gets you into a classified top secret unified system, that’s absurd. But the idea that an NSA would click on an email like that is completely feasible.

And to have one of your guys played by Thor?

I mean, yeah, most hackers are better looking than Chris. (laughs) But he did a fine job.

So far the feedback I’ve gotten from computer security geeks who’ve seen the film has been positive. So far, at least the people that have reached out to me that have talked about it have had good things to say about the level of authenticity. Obviously it’s not a documentary but as far as, you know, like Hollywood blockbuster treatment of computer hacking, I think this is the most authentic that’s been done.

Blackhat hits Australian cinemas on February 26.