Archive for September, 2008

Hacking in Hollywood

Tuesday, September 30th, 2008

I said this before, and I’ll say it again - I can’t stand Hollywood movies about hackers or hacking. I just can’t deal with that shit. The classic Hackers is possibly the single notable exception to this rule. And that’s because this movie is actually a clever satire - it takes the popular culture image of a hacker, and the average Joe’s concept of what hacking is, turns it up to 11 and then adds a dash of realistic jargon, or real references here and there. It is a ruthless caricature poking fun at the hipster image of a hacker existing in the media and the so-called “hacker culture” perpetuated by script kiddies who think they are 1337. I have no clue whether or not this satirical layer was added intentionally, or whether it simply emerged because later Hollywood productions tried to imitate it. In either case the sheer badness of the film caused an integer overflow and as a result it became good again. And I guess it’s all that matters.

Of course, if you manage to miss the joke completely you can still enjoy the movie as a campy, off-beat fun ride. Everyone wins. End result is a cult classic loved by computer professionals and clueless people alike - often for very different reasons. Few others have ever accomplished anything similar. In most cases any attempt to portray “hacking” on the silver screen ends up in a massive load of epic fail. As an example I give you a scene from the movie Swordfish:

Can anyone explain to me what is going on in here? Cause to me it kinda looks like this guy is playing some sort of 3d puzzle game. He is typing on the keyboard like a madman, cursing, jumping around and etc… In the meantime his (obligatory) multiple screen rig is showing some funky animation depicting cubes of shimmering code falling into place, scrolling text and lots of blinking lights. It’s silly!

Most Hollywood movies depict hacking this way. Some sort of abstract, incomprehensible activity that apparently involves a lot of frantic typing without using a space bar. But it doesn’t need to be this way. Here is a hacking scene from the Matrix. Watch closely what shows up on Trinity’s monitor:

Did you catch it? You can clearly see the characteristic output of Nmap (a very popular port scanning tool), and then she exploits the very real, but also very old SSH vulnerability to take control of the remote system. This depiction was so realistic that the British Computer Society felt compelled to release a joint statement at the time, urging moviegoers not to attempt to emulate it.

To a lay person both scenes would look equally incomprehensible and cryptic, right? In both cases we see characters type stuff on the keyboards, and see some scrolling commands and text output that is really not essential to the story. Hollywood producers usually assume that since an average person doesn’t know the first thing about hacking they might as well make the activity visually pleasing.

The thing is that people do know what hacking looks like. Anyone who uses their computer for more than browsing Myspace and chatting on AIM knows that what you see in the Swordfish scene (or the scenes from the Hackers movie for that matter) is totally fictitious. Unless you are a lumberjack and live in a log cabin in the middle of a forest with no electricity you probably know a programmer, sysadmin, or an IT guy of some sort. Or at the very least you may know that computer whiz kid from the neighborhood who fixes your laptop whenever you infect it with too much spyware.

There is a certain way computer interfaces look, and there is a certain flow to a typical computer operation. I think that most movie goers these days realize that “hacking” into a computer system involves activities such as running programs, typing in commands, and for example looking stuff up on the internet. Most people realize that this whole “typing really fast, to control some 3d animation on the screen” thing is incredibly silly. In fact I have seen it parodied, joked about and made fun of in mainstream media well outside the usual geek circles.

So why does Hollywood insist on insulting our intelligence this way? Why do they show us shiny animation assuming that we wouldn’t understand what was going on in the first place? Some people will probably argue that showing “real hacking” would be irresponsible. I would naturally laugh, and explain the concept of full disclosure to these people. Think about this logically:

  1. No one says that Hollywood needs to show new, cutting edge zero day vulnerabilities
  2. Besides, zero day vulnerabilities would be old news long before the official movie premiere
  3. Including an old vulnerability in a blockbuster movie would possibly make people nervous and force them to finally patch their systems - so it would be a benefit for everyone
  4. No one says you need to show a step by step tutorial - what Matrix did was perfect - they made up a script with a made up name, and then stated it is exploiting the ssh crc32 vulnerability

Showing just glimpses of real exploits, or inessential bits of code is not irresponsible, or dangerous. It is no more dangerous than showing your average episode of Myth Busters on TV. After all, Myth Busters use real physics and chemistry principles to make things blow up like every week. You know - the stuff you could look up in your high school physics/chemistry book - they use that stuff. How is using basic, common knowledge computer science and computer security principles to do privilege elevation or remote exploits any different?

All I’m asking is this: if your movie revolves around hackers, hacking, security exploits or programming, please, please, please hire a technology consultant and for god’s sake listen to him. Ask him to write down a list of technical jargon terms the characters should know, and pointers on their usage. Have him write sample lines the characters could say while hacking/programming. Have him work with the post-production team to create appropriate visuals. That’s it! One guy, a few hours of work. Whatever you will need to pay this dude is probably insignificant compared to the amount of money you spend for the CGI, pyrotechnics and the stunt work.

Seriously, if you know nothing about computers why do you think you can write and/or direct a good movie about hackers and/or programmers? When you are making a movie about police men, soldiers, firemen, lawyers or salesmen you probably bring in a specialist who explains to you and the actors how the things are done in his profession, makes sure you use an appropriate lingo, and don’t make huge blunders. No one seems to be doing that for computer related stuff though. It seems that it is easier to just make stuff up instead.

JQuery Tablesorter: List of Builtin Parsers/Sorters

Monday, September 29th, 2008

One of my users tried to explain a bug to me today. Apparently the results on the search page would not sort properly. Or they were sorting but not by date but by half or a quarter of the date. Or at all. Or they would sort correctly, but sometimes they didn’t and only half sort them. Needless to say, I was thoroughly confused and since this was not one of those “just read the error message to me” issues, I decided to visit the desk of the person who was complaining.

When I got there, I got a small demonstration. “Watch this!” she said, as if she was going to do some trick and I got scared for a second that she will do something that we could not have predicted, and inadvertently crash the whole application due to some hidden bug. You know the type of the bugs - the ones that are completely missed in code review, overlooked in testing and only come out when a user starts clicking buttons you didn’t even put into the design somehow. Fortunately she just typed a query into a search form, and tried to sort the results by date. Then she triumphantly pointed at the screen: “See! That’s what I mean”.

She was right. The results were indeed getting sorted according to the date column, but the algorithm was wrong. Instead of sorting by date, the table was sorted alphabetically/numerically with the obvious results. So I went back to my desk to figure out what went wrong.

The sorting was done by the Tablesorter Plugin so I assumed that the algorithm was right and started digging in our code first. I soon figured out what was causing the issue: blank date values!

It’s simple: to avoid clutter, missing dates are simply not displayed. So a table will look a bit like this:

<tr><td>05/25/08</td> <!-- snip --> </tr>
<tr><td>08/01/08</td> <!-- snip --> </tr>
<tr><td></td>         <!-- snip --> </tr>
<tr><td>12/11/07</td> <!-- snip --> </tr>
<tr><td>11/10/07</td> <!-- snip --> </tr>

If there are no blank cells in the column, the tablesorter script correctly recognizes it as a date column. If it sees blank cells, it reverts back to a text sorting algorithm. Since only some queries would produce blank cells like that, this issue went unnoticed for quite a while. I guess we trusted tablesorter to do the identification thing properly.

The fix was trivial - force the tablesorter to treat date columns as date columns no matter what they contained. You pretty much have to specify the data type for each column:

  $(document).ready(function() 
  { 
    $("#myTable").tablesorter(
    {
       headers:
       {  
         0 : { sorter: "shortDate"  },
         1 : { sorter: "shortDate"  },
         2 : { sorter: "shortDate"  },
         6 : { sorter: "shortDate"  },
         13 : { sorter: "shortDate"  },
         14 : { sorter: "shortDate"  },
         16 : { sorter: "shortDate"  },
         17 : { sorter: "shortDate"  },
         19 : { sorter: "shortDate"  }
       }, 
       widthFixed: true,
       widgets: ['zebra']
    }); 
  });

Btw, guess how I knew that I needed to use the “shortDate” keyword? Because I looked at the tablesorter.js code naturally. Initially I tried “date” but of course that did not work. Next I stared at the online documentation for 20 minutes before I decided it was pointless, so I just downloaded the un-minified version of the script, and scanned through it looking for parsers and their names.

Tablesorter is a great plugin, but it really could use more in-depth documentation. While I was digging around in the code, I decided to write down the names of all the parsers for future reference. Here they are:

  • text
  • integer
  • currency
  • floating
  • ipAddress
  • url
  • isoDate
  • percent
  • usLongDate
  • shortDate
  • time

The auto detection in the script works pretty well most of the time. It can however fail for simple reasons such as blank lines. I’m surprised that the list above was nowhere to be found on the page. Oh well… It’s here if you need it.
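
The blank-cell fallback described in this post can be reproduced with a small model. This is an added example, not code from the original post or from the Tablesorter plugin: the detection rule (every cell must look like a date), the two-digit-year handling and the function names are assumptions; only the parser names shortDate and text come from the list above.

```javascript
// Simplified model of content-based parser detection; NOT tablesorter's source.
const parsers = {
  shortDate: {
    is: (s) => /^\d{1,2}\/\d{1,2}\/\d{2}$/.test(s),
    // MM/DD/YY -> sortable number. Assumed policy: blank cells become 0
    // (they group first) and two-digit years are read as 20YY.
    format: (s) => {
      if (s === "") return 0;
      const [m, d, y] = s.split("/").map(Number);
      return Date.UTC(2000 + y, m - 1, d);
    },
  },
  text: { is: () => true, format: (s) => s.toLowerCase() },
};

// Assumed detection rule matching the behaviour described in the post:
// a column counts as a date column only if every cell looks like a date.
function detectParser(cells) {
  return cells.every(parsers.shortDate.is) ? "shortDate" : "text";
}

// Sort ascending with the detected parser, or with a forced one
// (the role the `headers: { n: { sorter: ... } }` option plays).
function sortColumn(cells, forcedParser) {
  const name = forcedParser || detectParser(cells);
  const fmt = parsers[name].format;
  const sorted = [...cells].sort((a, b) => {
    const x = fmt(a), y = fmt(b);
    return x < y ? -1 : x > y ? 1 : 0;
  });
  return { parser: name, sorted };
}

// Constructed sample column, using the cell values from the table in the post.
const sampleColumn = ["05/25/08", "08/01/08", "", "12/11/07", "11/10/07"];

// One blank cell flips detection to "text": 2008 dates sort before 2007 ones.
console.log(sortColumn(sampleColumn));
// Forcing shortDate restores chronological order, blanks first.
console.log(sortColumn(sampleColumn, "shortDate"));
```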

Name That Game #1

Friday, September 26th, 2008

New game in the spirit of Name That Movie or TV Show cycle I’ve been doing here. This one is a bit different and possibly more difficult. Or it could be easier. I don’t know.

This version of the game may appeal to a slightly different crowd. Instead of identifying movies, I’m asking you to identify video games in the picture below. And instead of random screenshots, I’m actually using the box covers. Naturally, since each video game box has the name of the game printed on it, and usually signature, distinct art, I’m adding some Gaussian blur to each of them. I tried to make them fuzzy enough to conceal telltale details (and the title of course) but clear enough to allow you to recognize the box by shape, color and composition.

I tested it on my brother and he immediately identified 5 boxes correctly, 2 incorrectly and had no clue as to the rest. So hopefully this won’t be solved by the first commenter. :P

Name That Game #1

Something tells me I’m making it too easy, but we’ll see. Let me know whether you like this new variation on the game. I will probably continue making “Name that Movie” panels in the future, but this could be another fun distraction. :)

Create Arbitrary Sized Sparse Files under Windows and Linux

Thursday, September 25th, 2008

Apparently there is something to be said about short blog posts. Allegedly I tend to get long winded sometimes and my posts can run a tad verbose sometimes. I usually tell people to STFU and go read Steve Yegge if they want to see verbose. I’m short, concise and to the point compared to him. But I figured that I’ll try some of that short blog post thing that people seem to be enjoying in other parts of the web. So I’m making a post about a silly little Windows command. This is so that I don’t forget about it next time I need it.

Have you ever needed a file of specific size to test something but you didn’t care what that file was? You know, just a space holder or a space filler kind of a thing? This is what you need to do to create one on Windows XP:

fsutil file createnew file.ext 10000

Naturally file.ext is the desired name of the file you want to create, and the numeric argument is the desired size in bytes. Note that fsutil creates a sparse file which means that this operation will be blindingly fast. For example it took about 3 seconds to create a 10GB file on my elderly Windows machine.

Useful trick. I sometimes use it to see how a given app will act when it encounters a file of certain size. To accomplish the same thing in Linux you apparently need to do something like:

dd if=/dev/zero of=my-file bs=1 count=0 seek=10G

I messed around with it, and the bs and count are important so don’t just skip them. The seek attribute specifies the desired size of your file, and here you can use human readable units (like 10G in the example).
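
To confirm that a file made this way is really sparse, compare its apparent size with the space actually allocated to it. This is an added Node.js example, not from the original post: it extends an empty file with ftruncate, which has the same effect as the dd command above, and it assumes a Linux/Unix filesystem where stat reports allocated 512-byte blocks; the helper names and the temporary file are assumptions.

```javascript
// Added example (CommonJS, Node.js). Assumes Linux/Unix, where
// fs.Stats.blocks counts the 512-byte units actually allocated.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Extend an empty file to `size` bytes without writing any data, then
// report the apparent size next to the allocated size.
function makeSparseFile(file, size) {
  const fd = fs.openSync(file, "w");
  try {
    fs.ftruncateSync(fd, size);
  } finally {
    fs.closeSync(fd);
  }
  const st = fs.statSync(file);
  return { apparentBytes: st.size, allocatedBytes: st.blocks * 512 };
}

// Read `len` bytes at `offset`. The buffer is pre-filled with 0xff so that
// zeros in the result really come from the file (holes read back as zeros).
function readAt(file, offset, len) {
  const fd = fs.openSync(file, "r");
  try {
    const buf = Buffer.alloc(len, 0xff);
    const n = fs.readSync(fd, buf, 0, len, offset);
    return buf.subarray(0, n);
  } finally {
    fs.closeSync(fd);
  }
}

// Hypothetical helper: run the check in a temp directory and clean up after.
function sparseDemo(size) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sparse-"));
  const file = path.join(dir, "my-file");
  try {
    const info = makeSparseFile(file, size);
    const tail = readAt(file, size - 16, 16);
    return { ...info, tailLen: tail.length, tailAllZero: tail.every((b) => b === 0) };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// 64 MiB apparent size; allocatedBytes should be zero or close to it.
console.log(sparseDemo(64 * 1024 * 1024));
```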

So if you ever need a file of a specific size to test something, here is how you make one. How is that for a short post? What do you mean 350 words is not short? Ah, go to hell then. I tried. Next post will be verbose again. ;)