The other day I got into a conversation of movie “pet peeves”. There are a lot of common cliches that Hollywood drags out, some of which just drive me up the wall.
One of these is the computer assisted “hacking” of a numeric access code. Typically the actor will place an electronic safecracking device with a ten digit LCD display on it near the keypad. They turn it on and numbers start whizzing by on the LCD screen. At even increments of time, digits on the LCD screen will stop scrolling — and eventually all ten digits will be “locked” and the security of the system has been compromised.
This special effect gets dragged out any time a “break in” scene that is “high tech” is needed. So you see it in about every other episode of Alias, or in a movie like “War Games”, or what have you. And of course, this would never really work like that.
How does the safecracking device know that it has some of the digits but not all of them right? A well designed security system must never tell you if you have some of the digits right — because this reduces the chances of guessing the combination from ten to the tenth power ( one in ten billion ) to ten TIMES ten ( one in hundred ). So if this security flaw existed, why does the safecracking device bother scrolling so many numbers by??? Surely one hundred is more than enough (and in fact you should be able to guess it in no more than ten tries — just like the game Mastermind).
(as an aside, this type of attack where you are able to tackle each digit independently is how cracking a safe with a dial works. The attacker listens to the tumblers which make a noise when they’re in correct alignment.)
So the security does not exhibit the digit-by-digit flaw, which it most assuredly would not unless they really want ten year old Mastermind players breaking in. In that case, how does the safecracking device know that it has one of the digits? There is no way to know. Furthermore, there is no way to know “how much longer” it will take. Although this is a popular Hollywood suspense builder…
The thug approaches the back of the van, gun raised. Cut to inside the van. Our hero franticly types into the computer..
Hero: (Whispers into phone) Just a few more seconds….
The thug reaches for the door latch on the back of the van and starts to turn it… Cut to inside, a progress bar marked “Time until access code is deciphered: 2 seconds” is on the computer screen…
etc….
The best you can hope to know in a “brute force” attack like this is the worst case scenario — if you’ve tried 10% of all the possible combinations and that took you 6 minutes, then at worst you’ll be done within one hour. But you never know if the next combination that you guess will be the right one. I remember once when I forgot the combination to my bike lock that had a three digit combination. It takes a person about twenty minutes to brute force that lock by trying every combination. But if you’re lucky and the combination is 012, you’ll be done much sooner than that.
Oh, and also there is of course no way to know when you have one digit right, so you can’t stop spinning the first dial.
Oh, and don’t you think that the security personelle (or software) would be alarmed by the fact that billions of guesses at the super secret password were being fed into the system?
The real irony in this type of foolishness is that it doesn’t alert people to the *real* security holes in the systems they deal with. And these can be a lot more interesting. For example, it is quite common that a security system is touted to be very secure because it has a 128 digit password. But then later it is realized that a lot of those digits are always the same – thus making it not very secure it all. Or the front door to a system is locked, but the back door is unlocked. Or, security is not applied consistently — have you ever asked someone to email you the password, or told them the password over a cell phone? I’d like to see Hollywood heros exploiting this type of security breach — it could be more interesting and more realistic
Our hero, dressed as a garbage collector, digs through a pile of rubbish.
Hero: (Whispers into phone) I bet it’s in here somewhere
The neighborhood cat looks on with disinterest… Cut to inside the garbage pail, a yellow post-it note is stuck to the side of a plastic cup…
Hero: Ah, here it is — the password is “fKi81A”
3 replies on “Safecracking”
Yeah, “Hollywood Heroes” could try and explain all of this, but would it be entertaining??? Not impossible, but unlikely just like if every sci-fi-esque film was as accurate as 2001 (the gold standard for sci-fi movie realism), we’d have a lot of boring space films…or, more likely far fewer of them (not in itself a bad thing).
What I’m saying is that truth is in fact more entertaining that fiction. Okay, my example doesn’t show it very well, but I think that if you read up on some real life examples of how security systems are bypassed it would make for good cinema. For example, the guy who robbed a bank by stealing the entire ATM machine with a forklift. Or the hacker who used “owned” systems to launch attacks on other systems — and the clever way a squeaky clean sys admin caught him by noticing that user time allotments didn’t add up (his investigation involved use of some ancient teletype machines hooked up to print out the hackers every keystroke).
Have you ever seen “The ‘Net” starring Sandra Bullock. I don’t recommend it, but if you want to see some really silly computer stuff, check it out.