Software Integrity

 

CSI: Cyber is technically painful to watch

Last night, a few of my brave Synopsys peers stepped away from their regularly scheduled lives to join me in watching the new CBS show CSI: Cyber. Even before the start of the show jokes were flying in anticipation of all that could go wrong based on past portrayals of  tech on TV.

Early on in the show, we knew we were in for a treat when we heard the line, “Any crime involving an electronic device, is by definition cyber.” While the concept behind the main hack of the episode (a baby monitor being compromised, which allows attackers to gather enough information to actually kidnap the baby) is technically possible, many other technical elements were either marginalized or flat out absurd.

Even if we were to forget that teleporting hasn’t yet been invented (how else did they travel so quickly?), the fact that individuals and corporations have legal rights, and the fact that locating and reversing malware to the point it becomes perfectly legible source code takes a non-trivial amount of effort, there were still plenty of technical issues to gripe about:

  • The entire datacenter scene. The baby monitor developer was instructed not to talk to the FBI but the company handed over their source code for Mr. Neckbeard? Not only that, but he successfully finds vulnerabilities in source code while simultaneously plugging himself into random network ports? All hail the new king of double billing—I wish I could do secure code reviews and internal network penetration tests at the same time like this guy.
  • The password cracking stuff was way off. The world’s greatest white hat mentioned using a 3 GHz processor, which not only is a totally vague/worthless statement (clock speed gives no indication of throughput; it’s much better to refer to it in terms of attempts per second) but also implies the usage of CPUs for brute forcing. First off, iterating through an entire key space is an offline attack, and this is clearly an online situation. Second, no one uses CPUs anymore for their hash cracking. I could go on, but this bullet point is long enough and I’m already starting to rage.
  • There’s just no way a hacker would put in a payload to transmit their private bidding communications to the victim’s webcam. This one really hurts them, since the fact the parents heard the voices was the whole reason this kidnapping became a “cyber case” in the first place. The writers must have been struggling to find a way to make it more clear the web cam was involved and the route they took here was just bad.
  • Who knew bad code is red, good code is green? I’ll save so much time reviewing source code if I can remember that. Also later in the episode why did the malware have to sparkle?
  • A hacker dedicated enough to spy on a baby to learn the parents’ schedules, steal the baby and set up an online baby auction would probably obfuscate his IP address using TOR.

Fortunately (or unfortunately, depending on how you look at it), CSI: Cyber was pretty much what we expected. Thankfully, we had our CSI: Cyber bingo cards on hand to track the tech clichés including beards, blinking lights, arbitrary jargon, and girls with dyed hair. If I do decide to watch any more episodes of CSI: Cyber I’ll probably schedule a viewing party and turn bingo into a drinking game by taking a shot every time someone says “cyber.” If you think your liver can handle it, feel free to join me.

Leave the IoT Security to actual security people. We’ve got you covered.

learen more