Michael Mann's new cyber thriller Blackhat opens Friday. The movie starts with a villain hacking a Chinese nuclear facility and the New York Stock Exchange, resulting in death and stock dips. The plot gets complicated from there, but it features Chris Hemsworth as a muscle-bound, MIT-trained hacker who is sprung from the clink by the FBI to help track the bad guy down. Instead of Thor's hammer, he uses digital footprints to go after the bad guy. Last week, a bunch of real-world hacker types got an advance look at the film in San Francisco. It was thanks not to their cracking into Michael Mann's computer, but to a screening Universal Studios organized for Silicon Valley's cybersecurity elite, including security engineers from Google, Facebook, Dropbox, Twitter, Tesla and Yahoo. Hollywood wanted to know if the film would pass muster with "cybersecurity influencers" — Universal's term for the group — and surprisingly, it did.
"It's the most accurate information security film I've seen," says Parisa Tabriz, Google's security princess. (Yes, that's her actual job title.) When Tabriz heard last year that the acclaimed director of Heat and Last of the Mohicans was making a movie about hackers, she wanted an early preview. It turns out she had an in: Her Los Angeles-based brother plays poker with Chris Hemsworth's agent. After a private screening at Michael Mann's office in L.A., Tabriz suggested organizing a larger event for security technologists in San Francisco. Mann and the studio behind the film liked the idea so much that they booked a 240-seat theater, told Tabriz to invite all her infosec friends, and sent Mann and the film's stars to talk about how they prepared for the film. That included "sitting down with people in DC to talk about cyber security," bringing on Wired’s Kevin Poulsen and OkCupid hacker Chris McKinlay as consultants, and "hanging out with black hat hackers."
Hemsworth also revealed that he had to do "months of computer training," which involved learning how not to type using just his index fingers. The Australian actor said the biggest security takeaway he got from the experience was the importance of data minimization — "not keeping photos and emails and stuff."
Tabriz was worried that the attendees would tear the film apart during the panel. "These people are trained to find problems and it’s a skill that translates to everything," she said. The first questioner praised the "most plausible hacking scenes I've seen in a film" but criticized a scene in which Wei Tang's network engineer character points at a computer screen and says, "Here's the IP address." She is not in fact pointing at a string of numbers that make up an Internet Protocol address but instead at a server name.
The film captures real ways people hack, including social engineering a security guard into inserting a malware-laden USB stick into his computer and getting an (extremely gullible) NSA agent to download a key logger disguised as a PDF file in a 'change your password' email. "The tools and commands they were using were simplified but accurate," said Tabriz. She contrasted that with movies that gloss over how hackers break into systems, showing 3D renderings of Matrixian digital magic at work, or that present completely unrealistic scenarios, such as Hugh Jackman in Swordfish cracking a password in 30 seconds with a gun at his head. "It's not that easy," said Tabriz.
However, there were a few points in the film that elicited giggles from the crowd, usually for extremely geeky mistakes. "Overall, it was super accurate about ways of attacking a network," said one tech company's head of security. "It was just where the rubber hit the road that they made mistakes. People laughed because there were text comments in the binary code."
The film is well-timed for tapping into our escalating fears about the threats of a connected world. Mann said he was inspired to do the film a few years ago by Stuxnet, the weaponized malware that was designed to destroy nuclear centrifuges in Iran. While the film gets the technology right, it runs into problems with plot realism. There are far more gun and knife fights than most information security technologists usually encounter, and the movie would have you believe that the FBI would be willing to partner up with the digital unit of the People's Liberation Army, a.k.a. the kind of Chinese military hackers that the FBI recently put on its most-wanted list.
More than that, it's hard for a film like this to compete with current events. Hollywood's grappling with the precarious nature of online security has been on our screens constantly for the last year, from celebrities' nude photos being stolen from their iCloud accounts in "the Fappening" to the exposure of power players' emails in the Sony Pictures hack. Both episodes were far more dramatic than the film Mann has dreamed up. When it comes to cyber thrillers that show us how much damage digital attackers can do, The Interview beat Blackhat to the punch.