More Code In Movies: Nmap Meets Snowden (nmap.org) 73
After Saturday's story about the code samples in the new movie Arrival, an anonymous reader reminded us of this classic essay at Nmap.org:
For reasons unknown, Hollywood has decided that Nmap is the tool to show whenever hacking scenes are needed... While Nmap had been used in some previous obscure movies, it was The Matrix Reloaded which really turned Nmap into a movie star!
Nmap.org has a tradition -- the first person to notify them when new Nmap appears in a new movie wins a signed copy of Nmap Network Scanning "or a T-shirt of your choice from the Zero Day Clothing Nmap Store." (The site adds that "movie script writers, artists, and digital asset managers are also welcome to email Fyodor for advice.") And Nmap.org just added another film, Oliver Stone's new movie about Edward Snowden. In one early scene, Snowden is given a network security challenge at a CIA training class which is expected to take 5 to 8 hours. But with the help Nmap and a custom Nmap NSE script named ptest.nse, Snowden stuns the professor by completing everything in 38 minutes!
According to the site, even the movie's trailer features Nmap. Anybody else have their own favorite stories about code in the movies?
Nmap.org has a tradition -- the first person to notify them when new Nmap appears in a new movie wins a signed copy of Nmap Network Scanning "or a T-shirt of your choice from the Zero Day Clothing Nmap Store." (The site adds that "movie script writers, artists, and digital asset managers are also welcome to email Fyodor for advice.") And Nmap.org just added another film, Oliver Stone's new movie about Edward Snowden. In one early scene, Snowden is given a network security challenge at a CIA training class which is expected to take 5 to 8 hours. But with the help Nmap and a custom Nmap NSE script named ptest.nse, Snowden stuns the professor by completing everything in 38 minutes!
According to the site, even the movie's trailer features Nmap. Anybody else have their own favorite stories about code in the movies?
but can nmap hack the gibson? (Score:4, Funny)
but can nmap hack the gibson?
Re: (Score:1)
Re: (Score:1)
No, no. You copy it to your floppy. At a speed slower than I can read out loud.
Re: (Score:2)
I had a pleasant time in line doing a code review.
Moss is that you?
How can they use that with such an evil license? (Score:5, Funny)
Re: (Score:1)
Showing a program operate almost certainly does not make that movie a derivative work...
Re: one of the biggest issues with 'tech' movies (Score:1)
Re: one of the biggest issues with 'tech' movies (Score:4, Funny)
Well, duh, it takes a while for really large transfers. I mean, that's a lot of digital money to move through those internet pipes, right?
Re: (Score:2)
dongles
TRIGGER WARNING PLEASE
Re: (Score:1)
Re: (Score:1)
If it was in the 80's, maybe. All those transfers were sent to the fed via (hardware encrypted) 56k lines. So it might've actually taken 10sec.
Re: (Score:2)
You forgot:
*** Cracking a password one character at a time until all the characters are filled in. Nope, passwords are an all or nothing proposition.
*** Hacking/coding as a real-time activity (e.g. furiously typing code to block another hacker in real-time). Actual programmers roll their eyes here, knowing how painfully slow writing and testing code is in real life.
(albeit boring as fuck) scenes and sequences.
Aaaand, you just hit on why Hollywood doesn't show reality. Reality tends to be boring as fuck 99.9% of the time. Movies are (typically) mea
Re: (Score:2)
What? Don't guns always make ktcht sounds whenever moved more than 2 centimeters in any direction?
Padding Oracle and many other password attacks (Score:2)
> ** Cracking a password one character at a time until all the characters are filled in. Nope, passwords are an all or nothing proposition.
Many attacks against passwords/keys are character-at-a-time. All types of padding oracle attacks are character-at-a-time, as are sql injection with results determined by the presence or absence of an error. (where password like 'a%'). Padding oracle attacks include POODLE and Lucky Thirteen.
> *** Hacking/coding as a real-time activity (e.g. furiously typing co
An example of character at a time (Score:2)
Here's a specific example of hacking a password one character at a time, with details of how it's done.
Like most message boards, you can see my profile by going to:
slashdot.org/~raymorris
With many scripts, the profile url ends with ?userid=123
If you're a programmer, you know that's likely to be implemented with a line of code like this:
SELECT * FROM users WHERE userid='$input'
That ends up running:
SELECT * FROM users WHERE userid='raymorris'
Note that you get an error message if the username doesn't exist.
To
Try reading the whole post (Score:2)
Try reading the post before criticizing it and you might not make a complete fool out yourself again. Try reading the last three sentences or so starting with "if the password is hashed".
Re: (Score:2)
It's useless to give an example of attacking something with passwords stored in plain text.
There's tons of systems out there with passwords stored in plain text, and often those systems are also poorly protected against SQL injection, so if you're looking to obtain a password (as opposed to just login) the method explained by raymorris is actually quite clever. I'm not sure I would have thought of it.
Re: (Score:2)
Re: (Score:2)
> ** Cracking a password one character at a time until all the characters are filled in. Nope, passwords are an all or nothing proposition.
Many attacks against passwords/keys are character-at-a-time.
To clarify, I'm talking about scenes where a password character is *found* by some cracking algorithm, visually represented by randomly flipping characters and digits, which then lock into place one by one. It's essentially a Hollywood-invented password-cracking progress bar. Sort of like this [youtu.be], although they're just decoding screens of text (which is equally silly). You're talking about iteration over all possible combinations, which is of course how brute-forcing passwords works.
In contrast, I present t
That was entertaining. NOT brute force (Score:2)
That scene was entertaining.
I think I was unclear. I'm NOT talking about brute force. I'm taking about finding the first character, then several seconds later cracking the second character, then several more seconds to get the third character, etc. Here's a step by step for one easy example, a boolean return SQLi:
https://slashdot.org/comments.... [slashdot.org]
Padding oracle attacks are the same - you find the first character, then you find the second character, etc. Here's a rough description of one other similar exam
Re: (Score:2)
Pfft, why bother with all that work when you could just launch a cyber-nuke? Amateur. ;-)
The attack I described doesn't require CSRF (Score:2)
The attack I just described gets the cookie, it doesn't require CSRF, and will get the cookie for most any site.
Note the URLs used are all 404, they don't exist. CSRF would be causing the browser to load a legitimate and important URL like change-password.php?newpass=hacked
Re: (Score:2)
Re: (Score:2)
*** "enhance!" (+ rinse and repeat)to blow up a single pixel of a reflection in a car's side mirror captured by a fuzzy analog security cam into a glorious full hd image.. nope. that's even worse
Turns out that ones kind of working now.
https://github.com/alexjc/neur... [github.com]
Re: one of the biggest issues with 'tech' movies (Score:2)
It's ok if the results are printed using Kryten's butt printer... then you're really pulling it out of someone's ass.
Re: (Score:2)
I hate when they "type" code sequentially, top to bottom in a single stream. Sure, you might write a stupid simple shell script that way, but not C, C++, or Java.
Re: (Score:3)
Yeah and never a single copy-paste from StackOverflow.
Re:one of the biggest issues with 'tech' movies (Score:4, Funny)
Most of the time, when they want to show something "happening" it always seems like it is one of the following:
1. Cat of some text file, log or source code on a semi transparent console window
2. Custom script of output text (hello world type of thing) also on the transparent console window
3. Some custom GUI using Tk or Qt windows that open and close very fast and at least one progress bar
4. A map that zooms in/out
5. An image or video
Also, during any of these, the "hacker" is seen to be typing away madly at the keyboard but somehow doesn't seem to be using any key modifiers (CTRL, ALT, SHIFT) and doesn't appear to be directly affecting anything seen on the screen.
I am also amazed that people who are pressed for time (the owner of the computer is about to walk in the door) always seem to know exactly what they are doing even though they have (presumably) never seen this computer/software. I know if it was me, I would go to put in my USB thumb drive and find that the IT staff hot glued the port or the local AV is blocking the file transfer or it is a USB-C and I don't have an adapter so I try to e-mail it to myself but the e-mail program is password protected so I try to use web based mail, but my 2FA blocks access from this device so I have to dig out my phone, but I have no service so I try to connect to an open WiFi hotspot, but there is something wrong with it and I am not getting an IP address or the authentication gateway is broken..... and I'm caught by the guy walking in the door....
Seems legit (Score:1)
>running nmap
>what is this computer shit
>ahh, it must be
>
>code!!1
c'mon, man. these guys handle time travel (Score:1)
They should be using LISP (Score:5, Interesting)
The other reason for choosing LISP is that aliens would have a better chance of understanding it. Being based on the Lambda Calculus. [wikipedia.org] it represents a fundamental understanding of the theory of computation. It is likely that other intelligent species would recognize it. It's unclear that C or C++ show that any intelligent life exists on earth.
Comment removed (Score:5, Funny)
Re: (Score:3)
Bah.
Aliens surely developed the Apple ][, which powered such scenes until recently, and can even power a time-traveling killer robot! :)
hawk
Re: (Score:1)
Re: (Score:2)
APL would look really nice - and very "codery". https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
It's unclear that C or C++ show that any intelligent life exists on earth.
ever seen ternary operators in Python?
Typical languages:
value = condition? true_value : false_value;
In Python:
value = true_value if condition else false_value
The Python version sounds like a petulant teenage girl.
Blackhat - erotic novel in a hex editor (Score:4, Informative)
In the movie Blackhat there's a screen where a hex editor is used to analyze some malware code. The hex code is just random nonsense, but the ASCII conversion contains lines from an erotic novel, but with each word reversed
Here's a screenshot:
http://imgur.com/VIWNahL [imgur.com]
The text on the right says
Her lover one day takes O for a walk ....
in a section of the city where they never go the Montsouris Park. After they have taken a stroll in the park, and have sat together side by side on the edge of a lawn, they notice at one corner of the park, at an intersection where there are never any taxis, a car which, because
--
which comes from this:
https://archive.org/stream/The... [archive.org] ... O_djvu.txt
Re: (Score:1)
sun4m (M as in monkey, not U) and it also says "i386". So which is it? (very likely the latter) And it's clearly linux from the obscured names in the process list.
mame was in godzilla 2000 (Score:2)
mame was in godzilla 2000
Well, why not reuse the same code? (Score:3)
TRON: Legacy (Score:4, Interesting)
Someone cared.
Re: (Score:1)
Actually, it's linux half-ass faked to look like SunOS (Solaris).
I'm going to write a GUI (Score:2)
Re: (Score:2)