The following is an article provided to HFC by author and computer programmer Robert D. McAdams, who holds full copyright, and has been published here with his permission.
By: Robert D. McAdams, 2019-07-21
Would you like your writing to use the terms correctly for science and technology? Would you prefer it if people didn’t roll their eyes if your characters “hack the mainframe” in your story? Would you like some common terms explained so you can use them with confidence in your writing? If so, you’ve come to the right place.
Who am I, and why do I have any authority to write about this stuff you ask? Fair enough. My name is Robert D. McAdams, and while I am a writer, I am also a senior computer programmer for Hewlett Packard Enterprise. I hold a BS in computer science (with a minor in information security and digital forensics), and I have been working in the industry for more than 20 years. I am, by no means, an expert on everything but I am an expert concerning the technology I use and create every day. If that’s good enough for you, then let’s keep going.
Let’s get some common terms out of the way first.
- Firewall – can be hardware or software based, essentially this is a list of rules that acts as a gatekeeper on a network. It decides what traffic can get in or out. A firewall is essentially the bouncer standing at the door to the nightclub with the list of IDs allowed in and out.
- Internet – a global network of computers talking to each other on various ports. For the web that would be ports 80 and 443, which carry most HTTP/HTTPS traffic (HTTP stands for hyper-text transfer protocol, in case you were wondering). The internet is the wild west, and more or less impossible to monitor or control on any wide scale.
- Intranet – (notice the change in spelling!) an internal network generally not connected to the outside world (although frequently an internal network connection also allows access to the global internet). An intranet is locked down: each user is known and has to be logged into their account to use it, and everything on it is monitored and controlled.
- VPN – virtual private network. Essentially this is like paying your neighbor to run an Ethernet cable from their house to their shed, and then into your house, and giving out your new “business address” as your neighbor’s shed. You’re still sitting in your house, but now you’re using your neighbor’s network, and the public “address” you give out is your neighbor’s shed.
- Hacking – this is a generic term that essentially means nothing. It can mean whatever the user wants it to mean. It is commonly used by writers (and the media) to mean “person who can break into computer systems.” It’s fine to use it that way, but it essentially has no real specific meaning other than someone who is an expert at something related to computers.
- Cracker – Someone who breaks passwords/encryption. Usually by trying every possible combination of characters until they guess the right one, or using a predefined list of password hashes (AKA a “rainbow table”), or simply guessing the password based on their knowledge of their target (and/or commonly used passwords).
- Upload – This is a term that infuriates the techno savvy when it is used wrong. If you are uploading something, you are sending it FROM your device TO somewhere else. It is going AWAY from you. In modern terms, you’re sending it “to the cloud.”
- Download – This term (used incorrectly) also annoys technology knowledgeable people. If you are downloading something, you are pulling it TO your device FROM somewhere else. It is going TOWARD you. In modern terms you’re “syncing it locally from the cloud.”
- CPU – this is the brain of a computer. It stands for Central Processing Unit. Your phone has one. Your laptop has one, and most likely your car and your TV have one too. They can be big or little, powerful or wimpy, but they are the part of the computer that carries out the instructions written in the computer code.
- Memory – Generally speaking, you can think of memory (in technical-speak “RAM”, which stands for Random Access Memory) as a notebook. If the CPU is the brain of a computer, the memory/RAM is the notebook the owner of the brain jots down information about what it is currently working on. When it’s done with a task it throws the notes away and starts a fresh page for the next task.
- (Hard) Disc – (Also known as the “hard drive”, “hard disk”, HDD, “fixed disc”, etc.) This is the long term storage for the computer. It’s where files are kept. You can think of it as a filing cabinet kept down in the basement that the “brain”/CPU stores files in. Also known now as “spinning rust” derogatorily, they are now considered slow, noisy, and “old school.”
- Solid State Drive – (Also known as an SSD and a “solid state disc”). These are the new and sexy replacements for the older “hard drives”. They’re fast, essentially silent, and have no moving parts. They’re essentially memory/RAM configured to allow for long-term storage. You can think of them like an assistant who follows the “brain”/CPU around all day holding piles of documents ready to hand to them in less than a microsecond.
- 2FA – Two Factor Authentication. Even banks get this one wrong. Most authentication systems require that you authenticate yourself with something you know (e.g. a password). That is one factor of who you are. In order for something to be a second factor, it cannot also be something you know. So, your bank asking you for your “secret question answer” is not using two factor authentication. They are using one factor authentication, twice. Both things are what you know. Other factors of you are: what you have, what you are, what you sound like. For example, if you have a list of codes written on a piece of paper in your wallet, and the bank asks for the 3rd letter from the 15th line to authenticate you — that is another factor, because it comes from something you have. (Another common form of this is a physical token usually kept on a USB key, which must be plugged into the computer to authenticate you. The physical possession of the USB key fob proves you have the second authentication method, and it is something you have.) Something you are could be your fingerprint or blood or hair or DNA. And, obviously, what you sound like would be your voiceprint.
- Social Engineering – This is a fancy nerd-speak way of saying “to trick someone” in order to get information out of them. Usually by pretending to be an authority figure, or a friend or family member.
- Emulator – A software environment built to mimic a specific hardware setup. The most common types of emulators are those used in business “virtual machines” to run multiple “computers” at the same time, usually as a server cluster. You can think of an emulator kind of like the Holodeck on Star Trek: it’s a way to use software to mimic how a real-life piece of hardware (like an old video game console) worked — right down to the CPU clock speed, the size and type of the RAM, the way the graphics were generated, etc.
Okay, so now that we have terms out of the way, let’s discuss common scenarios I see which tend to be depicted incorrectly in Film/TV and books (all of my examples are going to be TV and movie based though, because those are more visual).
It seems like most of the writers and decision makers involved with Film and TV learned about computers and the internet in the late 1980’s/early 1990’s, and then never updated their set of information again. Authors of novels are doing better, but they also tend to get common scenarios and facts wrong. Let’s look at some common scenarios I see which, while not impossible, are extremely improbable. In order to make them believable, you will need to address the problems I outline for these scenarios below.
Scenario 1: Computer expert accesses a system they didn’t design, and don’t have an account for, and within seconds breaks the security, opens the doors, gets the data, etc. Examples: Jurassic World: Fallen Kingdom, Independence Day.
Scenario 2: Guessing a password and getting into a government/restricted computer. Examples: Swordfish, Sneakers, WarGames.
Scenario 3: Gaining access to a system (the character didn’t design/doesn’t have an account for) and immediately being able to use it or get data from it. Examples: Star Wars Episode IV, Jurassic Park.
Scenario 4: Stopping an outside attacker shown as nigh on impossible. Examples: Almost every Star Trek episode ever made that features computer attacks, Brooklyn Nine-Nine, NCIS.
Problems With Those Scenarios
Scenario 1: Quickly breaking security on anything is hard to do. And that’s even when we’re talking about cracking/guessing someone’s password on a standard consumer-grade (e.g. it’s for sale at Target or Amazon) computer. When the computer is a consumer-grade model the attacker will be able to make certain assumptions about how it works, how the operating system works, and how the security operates.
Most (larger) companies and major powers don’t use consumer-grade equipment to guard the access points to their systems. In the Jurassic World example, Franklin Webb opens a control panel, connects a laptop to a few wires, taps a few keys, and has the doors open in literally seconds.
Even if he has the master command and control software originally built for that system installed on that computer (unlikely, unless he was using an emulator and a VPN to trick their firewall), and he had a system admin override authentication token ready to go (and he had some way to authenticate to whatever intranet security system they were running in order to issue that token), that operation still would have taken at least a half minute alone (if not longer) for the system to boot up and wake enough to recognize the commands he was sending it.
And, we’re just going to ignore the fact that there was still power running to that system, the tower was still standing, and the software was still running error free on an island choked with jungle, and overrun with dinosaurs.
Most companies and major powers (especially those of the Death Star building variety) use custom configurations of computing power and custom software to run their systems, especially security stuff.
Look at the screens they show in Jurassic World: Fallen Kingdom, does that look like Windows 10 or Mac OS X to you? No? Then how the hell does Mr. Webb know how to break into it so easily? It isn’t a WordPress site running on the public internet with a common security flaw in a plugin he can exploit; it’s a private system on a private network running custom code he’s (theoretically) never touched before.
Think of the computers in any office you’ve ever worked at. Could Mr. Webb just walk up to one of them, connect a wire to his laptop, and immediately start issuing commands to open doors, and access the internal data systems?
Yes, he has Claire with him, and she does help him get into the computer in the movie — but only after he gets the door open all by himself. That decision was made by a movie executive to give Mr. Webb a more active role in the movie.
But in reality, Claire would have needed to drive that bus for it to go anywhere. She was the only one who not only knew how the system worked, but who also had an account to use the system (and we’re just going to assume their system admin was smart enough not to expire her account after 90 days of not changing her password, since she was still able to use her handprint to get into the system once the doors were open).
Bottom line, computer experts tend to exploit weaknesses in known systems to gain access to them. They tend to attack common computers and platforms, because those are the things they know about. They almost never sit and spend the time to guess a password on a live system anymore, because most systems lock you out after 3-5 bad tries, and will alert the owners of the system to a possibly compromised account. Getting into a computer system isn’t easy, and is almost never done in seconds.
Scenario 2: With very few exceptions, no government or military power (usually) takes the risk of connecting their real systems (that matter) to the public internet. The main reason the original ARPANET (the grandfather of what became the modern internet) was created was to provide the US government and military a means of communication that could survive a nuclear attack, and which was private and under their control. When it was first created, in order to use it, you had to pass through physical (in-person) military and government identity and security screening to get into the physical rooms that contained endpoints which allowed you to access and communicate with other endpoints on the network.
In the modern world, the successor to the ARPANET is called DARPA and the military has its own “MilNet” that is set up with the same idea as the original ARPANET — it routes around damage and stays up even if a node (or two, or three) goes down. It’s still a private network, and isn’t accessible to kids in their parents’ basements, or criminals trying to break into government systems.
Yes, some governments still get hacked. As I write this in July of 2019, Bulgaria has just had the worst data breach in their history, with nearly all of the personally identifiable information of most of their adult working population exposed in the breach. However, that breach was possible because their government was foolishly still using a third party to hold the data, and that third party not only had the data stupidly connected to the public internet, but also kept it in an insecure system that had already been proven hackable the prior year in a smaller breach.
But any government that knows what it’s doing doesn’t have anything important connected directly to the internet. If they do, they don’t advertise it, they monitor it constantly, and they have a firewall sitting in front of it that is configured to let in very specific people from very specific internet addresses attached to a specific geographical location that a VPN won’t be able to trick.
Bottom line, even if an important system with important data is connected to the internet, attackers don’t sit at home trying to guess the password (or even worse, trying over and over again to guess it). The most successful attacks are the ones which nobody knows have happened. Attackers are looking to gain access to a database which they can download and attack at their leisure offline. The only attacks which are carried out live online are done with socially engineered stolen credentials to authenticate as a privileged user in order to try to gain access to said database.
Scenario 3: I know what you might be thinking, and no, Han Solo knowing how to use the systems on the detention level isn’t what I have a problem with in Star Wars Episode IV. He was actually in the Imperial Academy and (theoretically) gained some familiarity with those systems while he was (briefly) working for the Empire. No, my problem with Episode IV is R2-D2 being able to jack into any computer it can find a port to connect to, and the droid is immediately in the system, knows what commands to issue, and how to navigate it.
I have the same problem with Lex’s character in Jurassic Park being able to sit down at Nedry’s computer and know how to use it because she’s, “seen a UNIX system before.” (To be fair, the system shown in Jurassic Park was actually real. It was a Silicon Graphics workstation running a goofy 3D file system called Fsn (pronounced “fusion”) — so it is theoretically possible she could have seen and even used that exact same setup beforehand, but extremely unlikely, as Fsn was never fully developed or released widely.)
However, the character of Nedry had already shown that (A) he built the computer systems running the park from scratch, and (B) he’d put in his own (as Arnold puts it) hacker crap into the system — specifically because he was planning to commit industrial espionage, and also to make it essentially impossible to fire him (nobody else would know exactly how to use the system he built, and wouldn’t be able to quickly or easily resolve problems with it).
Bottom line, custom code is exploitable. Computer programmers make mistakes all the time (think about that the next time you’re trusting your life to the computer program driving your commuter train) and other computer programmers know how to look for those common mistakes and how to exploit them. But those exploitable mistakes are generally things which an attacker can use to gain entry to a system, bring a system down, or cause chaos. Actually logging in and using a custom system is an entirely different problem which requires specialized knowledge.
Think of it this way, when you got your first job at a company that used custom programming as part of the job (whether that was an inventory system, the cash register, order tracking, or even just the system you used to clock in and out) — were you able to use it without explanation on day one, or did someone have to show you how to use it, or give you a manual to read? Yeah, same problem for an attacker who gains access to that system. They wouldn’t know how to use it either.
Scenario 4: To be fair to NCIS, the writers have admitted they knew their two people on one keyboard scene was nonsense, but they used it anyway because it was entertaining — and it would only annoy tech-savvy people — and to them I say, “fair play to you.”
I see the “locked out of the computer” and the “an intruder is attacking us and we can’t stop them” storylines come up all the time. We see it in Star Trek frequently (it’s a favorite theme of theirs). Cop shows use it, sci-fi shows use it, and books feature it as a standard trope.
In reality, the only reason why any of us can reach anyone else’s computer from the comfort of our own homes (and now on our phones from the parking lot of the airport!) is because that computer has been connected to the public internet. As soon as you disconnect the computer from the internet, access to it is immediately shut off.
Credit where credit is due, the writers of the Brooklyn Nine-Nine episode Ticking Clocks (season six, episode fourteen) actually came up with a plausible scenario (and one of the only plausible scenarios I could possibly think of) where this type of scenario (almost) works — the attacker is physically inside the building and directly connected to their intranet, and they can’t simply pull the plug on the servers because they will switch over to automatic battery backups, and they only back up the data on the server semi-quarterly.
(Also, mad props for casting Sean “Samwise” Astin as a sneaky criminal hacker who uses two side-by-side computers to pull off his scamming — one simply to display a countdown clock. Well done to everyone!)
However, while the writers made a very good try at making the scenario believable (I would be comfortable in betting that they consulted with an actual computer expert while crafting the plot) — they still disregard the most obvious solution to the problem.
While they explain that the server can’t simply be unplugged and shut off to protect their data (due to the automatic (and apparently non-detachable?) battery backups) it would still be trivial to simply disconnect the network cable from the server.
No connection to the network means no more risk of a data breach. That episode is probably one of the most realistic attempts I have seen to-date showing the realities of protecting a network from an attacker, and addresses (almost) all of the trivial ways to shut down an attacker once they are detected inside the network.
Bottom line, you can use this scenario, but you are going to have to do what Brooklyn Nine-Nine did and explain why the most obvious solutions to the problem won’t work.
Solutions To Make Those Scenarios Believable
Scenario 1: The easiest way to make this scenario believable is to give the character who will be breaking into the system either: (A) specialized knowledge or (B) specialized hardware (or both).
All they had to do to make the hacking in Independence Day believable was to have them rip out a computer module from the ship they had access to, and figure out that by running a wire from it into a special piece of hardware the military uses to transcode signals, then connecting David Levinson’s MacBook to that device, he could send signals to it, and the transcoder would be able to convert the signals to whatever pulse/frequency/signals the alien tech used.
There is still the small matter of creating a computer virus that would run on the alien’s computers though. To solve that problem, the easiest explanation would be to have David given access to all of the computer knowledge the government had already pulled from the ship, and that knowledge would contain enough information for him to figure out something basic that would allow him to overload or loop an instruction in their computers. Writing a sophisticated virus is out of the question, but sending a looping signal to their computers is plausible in the scenario they created. E.G. STEP A count from zero to five billion, STEP B when done go to STEP A.
That level of instruction is fairly simple to set up in a computer, and it creates a loop that the computer can’t escape from. (Of course, in modern computers, there are safeguards set up against such infinite loop exploits, but we’re going to just ignore that.) You can hand-wave away exactly what was done in the code sent to the alien system, so long as you sufficiently explain how it is that your hero (or villain) figured out how to send instructions to their alien computer in the first place.
In the Jurassic World scenario, they had the solution to the problem literally on screen. Claire. She was not only an employee who worked at that park, but also a very high level employee. She had access to everything. She could have given Webb her own backup copies of their custom OS, the manuals on how they worked, and even the schematics for the custom hardware they used. She also could have literally just handed him an employee-only laptop which was useless off the island, but she could have trained him on how to use it so when they were on the island it would connect to their employee intranet and everything he’d learned would work.
Outside of Claire essentially handing Webb the keys to get into their system, another plausible way for him to gain access is to have an admin key fob/dip switch/circuit interrupter or knowledge of a system backdoor or a default system username & password. I’m sure you’ve occasionally seen on the news where someone has hacked a roadside construction sign to say something silly like “CAUTION, ZOMBIES AHEAD!” That is an example of someone looking up the default admin username and password for that make and model of sign in a manual posted on the internet. The manufacturers ship them with a default user/pass (usually something like “admin/admin” or “admin/1234”) which they say in the instructions to change when setting it up — and that is frequently not done.
The same idea can be applied to someone who has an admin key fob (or any other type of device you wave at, touch, or plug into a system) which grants immediate admin access and authenticates the holder of that object as whatever permission level was assigned to that object. (That was the theory behind those rank cylinders in the pockets of the Imperial Navy officers in Star Wars by the way. The idea was they had to plug those rank cylinders as their 2FA into the computer to issue high-level commands).
Bottom line, you can create a scenario where your hero/villain is easily able to defeat the security of a system and gain almost immediate access to it, but you need to explain how they are able to defeat that security. The easiest explanations would involve stolen/borrowed admin credentials or authentication objects, or specialized knowledge they somehow acquired.
Scenario 2: I covered the solutions to this problem to a certain extent when describing the scenario of an attacker quickly and easily guessing/cracking a password.
In effect, in order to make this scenario believable, the easiest thing to do is show that the character who is doing the password cracking either has a stolen password due to social engineering, or has a stolen security certificate which allows them to use the private key from that cert to authenticate not with a password, but with the cert instead. (Many company computers do this now: you can log into your company intranet using your network account’s username/password, or with the private key associated with your trusted identity cert stored in the “TPM” (Trusted Platform Module) of your computer.)
Another way to make this scenario believable is to have the character mention that they got a data dump from the target company/organization and paid someone to run cracking tools on it until they were able to extract some high level usernames and passwords from the data.
To make that believable though, you need to state that they foolishly stored the passwords in their system unencrypted or that they ran rainbow table dictionary attacks against the hashed/encrypted passwords to figure out what the passwords were.
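To show why an “unencrypted or badly hashed” data dump is the believable version of this scenario, here is an added example (my illustration, not code from any system the article mentions) that contrasts the weak storage scheme with a salted, slow one. All usernames, passwords and the “common password” list are constructed.

```python
"""Constructed comparison of two password-storage schemes (added example,
not code from any system discussed in the article).  Every name, password
and list value below is made up for the demonstration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor; real deployments tune this higher

# Constructed "most common passwords" list of the kind a precomputed table is built from.
COMMON_PASSWORDS = ["123456", "password", "pineapple", "Megan", "Cincinnati"]


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, so every user who picks this password
    ends up with the identical record in the database."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: random per-user salt plus a deliberately slow KDF.
    The salt is stored next to the digest; it is not secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(common_passwords) -> Dict[str, str]:
    """hash -> password for the common list, computed once.  This is the
    'predefined list of password hashes' the article's Cracker entry describes,
    and it only works because the weak scheme has no per-user salt."""
    return {store_unsalted(p): p for p in common_passwords}


def audit_unsalted_dump(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Defender-side audit: which accounts in an unsalted dump are exposed
    by a simple table lookup?  Returns user -> recovered password."""
    return {user: table[h] for user, h in dump.items() if h in table}


def salted_records_collide(password: str) -> bool:
    """Two users choosing the same password: do their stored records match?
    Under the salted scheme the answer should be False."""
    _, d1 = store_salted(password)
    _, d2 = store_salted(password)
    return d1 == d2


# Constructed dump as it might look if the target stored unsalted hashes.
UNSALTED_DUMP = {
    "alice": store_unsalted("Cincinnati"),
    "bob": store_unsalted("correct horse battery staple"),
    "carol": store_unsalted("Cincinnati"),
}

if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("exposed by lookup:", audit_unsalted_dump(UNSALTED_DUMP, table))
    print("salted records collide:", salted_records_collide("Cincinnati"))
```

The audit recovers alice’s and carol’s identical records in one lookup, while the salted scheme gives them different records and forces a per-account, slow recomputation instead of a precomputed table.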
Another way to get around this issue is with a trusted device. That’s essentially the plot behind the movie Sneakers. They luck into a special box, which allows them to connect to government computers with a fixed password, as the security for the system is tied not to knowing a password, but to physical possession of that box (it even comes with a handy-dandy manual that tells them how to connect to the various systems).
Bottom line, it isn’t realistic to show a character at a computer going, “Bet I can guess their password in three tries. Hmm, I know they like pineapples, how about pineapple? No? Well, their wife’s name is Megan, how about Megan? Nope? Ah, I got it, Cincinnati! Bam, we’re in!”
“How’d you know it was Cincinnati?”
“Easy, that’s where [so and so] went to [blah blah blah] so I knew they’d use that as their password.”
If you can’t do that with your family member’s passwords, how on earth is someone supposed to be able to do that with the password their target set up for an important government/company computer system? Especially since those types of systems tend to lock you out after 3-5 bad tries, and they also tend to raise alarms after 2 bad tries. It’s much easier to steal a password, steal a database and crack a password, or steal a device that bypasses the need for passwords altogether.
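The lockout and alarm behaviour described here (and in the Scenario 1 bottom line above) is simple to model. The following is an added example of my own, not code from any real login system; the policy numbers (alert after 2 consecutive failures, lock after 5, unlock after 15 minutes) and the account names are assumed.

```python
"""Constructed model of an account-lockout policy (added example, not code
from any real system).  Policy values are assumptions chosen to match the
article's "alarms after 2, lockout after 3-5" description."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac

ALERT_AFTER = 2            # consecutive failures before the owners are alerted
LOCK_AFTER = 5             # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0                    # consecutive bad tries
    locked_until: Optional[float] = None  # epoch seconds, None if not locked


@dataclass
class LoginGuard:
    # Constructed credential store (username -> password).  Plaintext only
    # because this model is about lockout behaviour, not password storage.
    credentials: Dict[str, str]
    states: Dict[str, AccountState] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)  # what the owners would see

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one login attempt at time `now`.
        Returns 'ok', 'bad_password' or 'locked'."""
        if user not in self.credentials:
            # Same answer as a wrong password so callers cannot enumerate
            # valid usernames; the attempt is still logged for the defenders.
            self.alerts.append(f"{now:.0f}: attempt for unknown user {user!r}")
            return "bad_password"
        st = self.states.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                self.alerts.append(f"{now:.0f}: attempt on locked account {user!r}")
                return "locked"
            st.locked_until = None   # lock expired; start counting afresh
            st.failures = 0
        if hmac.compare_digest(password.encode(), self.credentials[user].encode()):
            st.failures = 0          # success resets the consecutive counter
            return "ok"
        st.failures += 1
        if st.failures == ALERT_AFTER:
            self.alerts.append(f"{now:.0f}: {ALERT_AFTER} bad tries for {user!r}, possible guessing")
        if st.failures >= LOCK_AFTER:
            st.locked_until = now + LOCKOUT_SECONDS
            self.alerts.append(f"{now:.0f}: {user!r} locked for {LOCKOUT_SECONDS}s")
            return "locked"
        return "bad_password"


def guessing_scene(guard: LoginGuard, user: str, guesses: List[str], start: float = 0.0) -> List[str]:
    """Replay a movie-style guessing session (one guess per second) and
    return the outcome of each try."""
    return [guard.attempt(user, g, start + i) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    guard = LoginGuard({"director": "Cincinnati"})  # constructed account
    print(guessing_scene(guard, "director", ["pineapple", "Megan", "Cincinnati"]))
    print(guard.alerts)
```

Even the article’s three-try scene trips the alarm on the second guess, and a five-try scene ends in a lock that the correct password cannot open until the window expires.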
Scenario 3: The solution to this scenario to make it believable is essentially the same as in scenario one. Your hero/villain needs specialized knowledge, or they need a hostage to make this happen, or they need to stumble across a helpful custodian or user manual so they can figure it out.
The video game Halo used the helpful custodian to solve the problem. Guilty Spark 343 is a computerized monitor/custodian who decides the protagonist in the story (the Master Chief) fulfills the qualifications it needs to see to recognize him as a Reclaimer, which means he gets to give it orders and have it help him get into the computer system.
The way to solve my problem with R2-D2 being able to use computers it had no knowledge of (while the rebels had the architectural schematics of the Death Star, I sincerely doubt they also stole the computer source code or user’s manual as well) would be to have Han slap a CPU module into it that gives it the knowledge it needs (maybe by yanking it out of the head of a droid they shoot in a control room?).
To solve my problem with Lex knowing how to use that specific UNIX setup in Jurassic Park, we can hand-wave that away and take her at her word, she’s seen it before. But what would make the scene believable is that she knows a common place in that file system that “hackers like her” (yes, she calls herself a hacker in the movie) store their secrets. And sure enough, Nedry was arrogant enough to keep his secrets in there, and the first line of the secrets file tells her the commands she needs to type to protect the room Nedry worked in (that would have been his top priority, to protect himself first).
Bottom line, you can get around the issue of people being able to use a computer system they’ve never touched before (ignoring how they gained access to it in the first place, as that’s scenario one’s problem), by giving them specialized knowledge, or having them find a helpful manual, a helpful helper, or giving them a hostage to exploit. But you have to, in some way, provide a bridge across their lack of knowledge and experience with that system. Them just intuitively knowing how to use it as soon as they touch it is not in any way realistic.
Scenario 4: I covered some solutions to make this scenario believable while outlining it, but let’s dive in a little deeper. The goal of this scenario in your writing should be to show your character(s) working (together) to ward off an outside threat and/or to protect some sensitive data.
You can still use this type of scenario, but honestly, instead of an attacker breaking into their network and your characters having a hard time shutting down their access, it would be more believable to turn the scenario into more of a heist movie type of scenario. E.g., the data will be moved to protected backups on a portable hard drive via an armored car with an armed guard who has the hard drive in a case handcuffed to their wrist.
Or, the data is in a USB stick in the shirt pocket or purse of a special agent. Or whatever. The idea of the scenario stays the same, there’s an intruder trying to get the data, and they don’t know where the intruder is, or who they are. But they know the target of the heist, so they are looking for anyone around that target, or anyone hurrying out of the building (or spaceship, or whatever).
If you insist on making the scenario a computer-based one where an outside attacker is trying to get the data, please note that in reality, even battery backups can be disconnected or shut-off, and disconnecting the network cable from the server, or shutting off the network power or network routers would work just as well as shutting off the power to the server to protect the data. If it isn’t connected to the network, then the only way to get data out of it is physical access to the server itself and either removing a hard disk or using a USB stick to download some data to carry out.
Bottom line, most books and TV shows and movies make it seem like evicting an unwanted guest from one’s network is harder than it actually is. The NCIS episode showing two people furiously typing on one keyboard to try to defend their network is probably the most egregiously bad example I could show of how ridiculous the scenario usually is.
In reality, if an attacker knows they’ve been detected, they usually immediately disconnect, douse everything in bleach, and then set it on fire in a dumpster while wearing gloves in the alley behind the motel room they rented with cash to try to stay untraceable. The last thing they want to do is keep fighting to stay inside a network once they know they’ve been spotted, because they’re worried the FBI will come to kick down their door at any minute.
That’s all I’ll cover for this article. I’ve only scratched the surface of the wide range of topics available to write about in the computer science universe, but these four scenarios are pretty common, and addressing the logical pitfalls in your writing when dealing with these types of scenarios will make your writing much more believable.
Robert D. McAdams