Hackers (the movie)
Welcome to the September issue of Hacker Chronicles!
Sorry about last month’s duplicate letter. I sent my service provider an error report as soon as I noticed and I’ve included their technical rundown of the bug at the end of this issue, for your indulgence.
This month’s feature is special. It completes the review of what I consider the golden triple of original hacker movies!
Movie one of the triple is WarGames (1983) and its hero is an example of an unintentional hacker – a person who out of curiosity starts to poke at computer systems and finds criminal plans afoot or triggers something dangerous. You can read my review here.
Movie two is Sneakers (1995). It features professional hackers who break into systems for money which means they risk becoming agents of the wrong principal. Read my review here.
Now it’s time for movie three, Hackers (1995). It features a group of vigilante hackers – people who use hacking to fight oppression, corruption, or government surveillance. In that sense, it’s the one most similar to my novel Identified.
Enjoy! /John
Writing Update
The new cover is out for the electronic version of Identified on Amazon. We had to change color scheme for the print version because the way Amazon creates the thumbnail makes it look faded. So still some work to do there. We’re almost there with just some adjustments for artifacts that appear in Amazon’s scaling.
Here’s where I am in writing the sequel:
September Feature: Review of Hackers (1995)
The Hackers movie is a true classic and much more alike the real hacker community I know. Underdog mentality, queers, cyberpunk, elitism, and pranks.
Spoiler Alert: Yes, spoilers below.
Trailer: YouTube
Hacker Rating
Hacker Realism: ⭐️ ⭐️ ⭐️ ⭐️
Hacker Importance for the Plot: ⭐️ ⭐️ ⭐️ ⭐️ ⭐️
Hacks: ⭐️ ⭐️ ⭐️ ⭐️
The Wiz Kid Hacker
The movie starts with flashbacks to when very young hacker Zero Cool “crashed 1,507 systems, including Wall Street trading systems, single-handedly causing a seven point drop in the New York stock market.”
He is sentenced to probation during which he is forbidden to own or operate a computer or a touch-tone telephone until his 18th birthday.
Thoughts
Kids or teens being elite hackers was very much a thing in the 1990s and early 2000s. It started to taper off when they got referred to as “script kiddies.” The term script implied unsophisticated programming. You don’t hear about such young hackers today but I’m sure they exist. At the same time, serious hacking has become so complicated that you need several years of experience to pull it off. Or even a team.
Zero Cool Grows Up and Changes His Name
Seven years later we see Zero Cool (Jonny Lee Miller) at home, on his 18th birthday, taking over a TV network through social engineering and hacking. He changes the programming to something he likes.
There is apparently another hacker who also remote controls this particular TV station. They start chatting with Zero Cool, who in the moment decides to change his name to Crash Override. We see the chat on the screen.
YOU HAVE TREAD UPON MY DOMAIN & MUST NOW SUFFER WHO R U?
CRASH OVERRIDE WHO WANTS TO KNOW?
ACID BURN SEZ LEAVE B 4 U R EXPUNGED
They both command the TV station to play their preference and we see robot arms grab VHS cassettes from each other, trying to get theirs playing.
Acid Burn eventually terminates Crash Override’s connection and wins the fight.
Thoughts
Zero Cool would have no way of being a knowledgeable hacker if he had indeed not touched computers until he was 18. So the assumption has to bee that he’s violated the conditions of his probation.
Handles were a huge thing back when I got into computing. Today Zero Cool, Acid Burn, and Crash Override may sound comical but they ring trustworthy to me for the 90s. An interesting cultural bridge is to graffiti where handles are also popular. There they are called “tags” and artistic work repeating the tag creates an identity. I think one reason for handles instead of names was that both hacking and graffiti were skirting the lines of legality and some level of anonymity was prudent, but you still wanted credit for your work.
The cassette robots battling it out is hilarious and a decent way of visualizing hacking. The hack also shows how machines still just do what we tell them and don’t have a will of their own. However, it’s very unlikely that robots of the 90s could do anything out of the ordinary. I.e. it’s not trustworthy that they can “see” another robot holding a cassette and take it from them. They’d just be able to get a cassette from its designated place, put it in player, get it out again, and return it.
Artificial intelligence is supposed to be able to adapt to new scenarios, including cyber defense. It could be so called anomaly detection but I think all such defense systems so far have fallen into the trap of fighting the previous war. Human creativity still beats computers’ vast processing capacity. In my view, that’s why computers beat humans in rule-based challenges like chess but lose when the degrees of flexibility increases.
Cool Kids, Nerds, and Sprinklers
Crash Override, whose real name is Dade Murphy, moves with his mom to New York and Dade starts at a new high school. His mom is worried that he’ll never get into college if he screws up again.
Another student called Kate Libby (Angelina Jolie) helps him with the school transfer. Kate is cool and hot and pulls a prank on Dade. She tells him there is a rooftop pool at the school building. When he gets up there, the door locks behind him and and he finds himself trapped with other freshmen who fell for the same joke. On top of this, it starts raining.
Dade hacks the school’s computer system to get into the same English class as Kate who we realize he is getting romantically interested in. A fellow hacker under the handle Phreak or The Phantom Phreak (Renoly Santiago) sees him do it and they connect.
Phreak takes Dade to a club where teens hang out. Dade sees Kate play an arcade game and challenges her. He beats her high score and then sees her leave with her cool boyfriend on a motorbike.
To get even on the roof top prank, Dade hacks the school’s sprinkler system to trigger during school. He opens an umbrella just in time to not get wet whereas everyone else is soaked, including Kate.
Thoughts
Hacking school systems to get better grades or manipulate the schedule is a classic. I often question those kind of hacks since it’s data created by humans to capture human decisions. The change is detectable in real life when the grades are printed for signing or the wrong student shows up for class. I think a lot of teachers would double check at that point. Hacking works better when the consumer/user of data has little to go on in judging the trustworthiness of the data. Take hacking of voting systems for instance. Voting secrecy means that the people or computers counting the votes have no way of gauging their trustworthiness.
The way Phreak and Dade get to know each other resonates with me. Back in high school you’d become friends with anyone who was as interested in computers as you were. It was a nerd bonding thing. There’s even more of that in Hackers where they rave over a cool laptop and kind of find each other.
The sprinkler hack sadly builds on a trope in Hollywood fiction – that all sprinkler outlets deliver water at once. I happen to be a trained firefighter and sprinklers don’t work that way. It’s a pressurized system and as soon as one outlet is opened, the pressure in the rest of the pipes drops. If you open a handful, it’ll just be dripping. You want to only spray water where there’s fire, or formally where there’s heat. Otherwise you’re just causing water damage. In addition to this, sprinkler systems are typically mechanical, not electrical, so you can’t hack it remotely. There’s a small glass veil filled with an alcohol and that veil plugs the water outlet. When the temperature gets high enough, the alcohol expands and shatters the glass veil, letting the water out. That obviously happens on a one-by-one basis where there’s heat, not coordinated for all outlets.
Being Elite
Dade meets two of Phreak’s other hacker buddies – Cereal Killer (Matthew Lillard) and Joey Pardella (Jesse Bradford) who doesn’t have a handle yet.
Cereal Killer checks if Dade is elite by asking if he recognizes a stack of books.
- Green: International UNIX Environments
- Orange: Computer Security Criteria, DOD Standards
- Pink: Guide to IBM PCs
- Black: Devil book, UNIX bible
- Dragon Book, compiler design
- The Red Book, NSA trusted networks
Dade passes the test easily.
Joey who also wants to be elite, tells the others that he has hacked a bank across state lines. Phreak and Cereal Killer tell him that’s stupid because hacking across state lines can provoke the FBI. They challenge him to get into serious hacking instead of going for banks.
Phreak: Look, you wanna be elite, you got to do a righteous hack.
Cereal Killer: Yeah, you want a seriously righteous hack, you score one of those Gibsons, man. You know, supercomputers they use to, like, do physics and look for oil and stuff.
Phreak: Ain’t no way man. Security’s too tight. The big iron?
Dade: Maybe, but if I were gonna hack some real heavy metal, I’d work my way back through some low security and try the back door.
Thoughts
The books are a nice touch. Out of those, I’ve only come across the orange book and the dragon book, both as an undergrad. The dragon book is still a thing, last revised in 2011.
The elitism and push to prove your worth are all too familiar to me. I’ve been uncomfortable with that aspect of hacker culture most of my life. Back when I was a teen, you were either elite (spelled 1337) or a lamer. You would connect to BBSes over your phone line and you only got access to the best ones if you were elite. An equivalent today would be to only get access to the best websites if you were deemed cool.
Regarding Gibson computers, I checked my copy of the Hackers Dictionary and there is no entry for Gibson. Thus, I can only assume that it’s a reference to the Gibson Research Corporation, founded by legendary computer security expert Steve Gibson in 1985. He hosts a podcast called SecurityNow. That’s one impressive career.
Hacking the Gibson
Joey hacks into a Gibson and uses “God” as the admin password. This raises and intrusion alarm at the data center. The guard on duty calls cybersecurity officer Mr. Belford who uses the handle The Plague (Fisher Stevens).
Guard: The accounting subdirectory in the Gibson’s working really hard. We got one person online. The workload is enough for, like, 10 users. I think we got a hacker.
Joey is out to download proof that he has been inside the Gibson and picks some garbage files, i.e. data that’s thrown away. Mathematical symbols fly on the screen to symbolize complex data. He starts saving the garbage files to a 3.5” floppy disc. We see a slow progress bar.
The Plague comes in to the data center on a skateboard. He echoes Terminal 23 where the suspicious activity is at, and sees the garbage file download. His reaction is “Shit!” and he requests a trace of the phone connection into the data center.
Joey’s mom pulls the plug on his computer when he’s at 50% download but The Plague manages to get the trace. Joey hides the floppy in the duct of his bedroom.
Thoughts
Simple, self-indulgent passwords were probably popular at the time and it’s believable as a privilege escalation path once Joey is in. But it’s unclear how he finds and connects to the Gibson in the first place.
Intrusion detection with the guard noticing abnormal activity sounds sophisticated for its time. I doubt there was much of that in the 90s. But nowadays, for sure. The most interesting detection systems are canaries that silently tell you that someone with bad intentions is poking around.
Getting proof that you have hacked your way to access is popular to this day. Just take the latest hack against Uber where the hacker posted a screenshot of their access to Uber’s internal chat system. Or the hack against Okta earlier this year with screenshots of superuser access.
To echo something is a Unix command to output textual information on the screen. In this case, output exactly what Joey is doing so that The Plague can see it.
The download progress bar is a Hollywood trope at this point. Johnny Mnemonic has it, Mission: Impossible has it … But it works, and for saving a bunch of data to a floppy disc, it’s going to be slow.
Secret Service Hunt
Phreak and Cereal Killer introduce Dade to Lord Nikon (Laurence Mason). They watch the TV show Hack the Planet.
The Plague hands over the trace information to the Secret Service. Agent Gill (Wendell Pierce) runs the service’s anti hacking team and they bust Joey’s bedroom and seizes his computer. But they don’t find the floppy.
The Plague is asked about the intrusion by a company board since he is responsible for the security of the Gibson.
The Plague: Yesterday, the ballast program for a supertanker training model mistakenly thought the vessel was empty and flooded its tanks. The little boat flipped over. A virus planted within the Gibson computer system claimed responsibility.
He shows a recorded message from the virus.
Virus: Unless $5 million dollars are transferred to the following numbered account in seven days, I will capsize five tankers in the Ellingson fleet.
The Plague: The problem is that we have 26 ships at sea and we don’t know which 5 are infected.
The Plague tells the board he thinks Joey is behind the virus based on the hack he witnessed.
After the board meeting, we learn that The Plague created the virus himself to get Secret Service to seize Joey’s equipment. He is worried about the garbage files.
The Secret Service and The Plague find the social connection between Dade and Joey and crash into Dade’s apartment. They want him to help them find Joey’s disc.
The Plague asks to be alone with Dade in his room. Gill approves. The Plague tries to plead with Dade as a fellow hacker and says he understands him. Dade refuses to help. The Plague smashes his stereo with a baseball bat and threatens to get Dade jailed before leaving.
Thoughts
Hack the Planet has become part of pop culture. The (in)famous hacker collective Anonymous has #HackThePlanet on their Twitter profile, you can buy Hack the Planet earrings on Etsy, you can get yourself a t-shirt on hacktheplanet.com, and it’s a popular meme in hacker circles.
The virus and its threat to sink supertankers raises the stakes. It’s unclear how a virus can control vessels at sea in the 90s. But in modern times, a lot more things are automated and connected to the internet so that kind of a threat is real. In 2017, the world’s largest container shipping line, Maersk, got hit with the NotPetya malware and it affected container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers. Wired magazine deemed it the most devastating cyber attack so far in history.
Dade’s refusal to work with the Secret Service and The Plague cements the movie’s fight-the-system take on hackers.
Acid Burn
There’s a party at Kate Libby’s. Dade, Phreak, Cereal, and Nikon are there but instead of partying, they check out Kate’s cool laptop. Kate finds them at her home desk and questions why Dade is there. Phreak refers to her as Burn and Dade learns that Kate is in fact Acid Burn – the hacker he fought in the TV station attack. She likewise learns that he is Crash Override.
They pick up their who-is-best conflict and agree on a hacker challenge. If Kate wins, Dade becomes her slave, i.e. must hack stuff for her. If Dade wins, they go on a date and Kate has to smile.
The challenge is to make life hard for Agent Gill to get back for Joey. They go on a hilarious hacking spree. Kate cancels Gill’s credit card. Dade changes a classified ad to request raunchy dates for Gill which floods him with suggestive phone calls. Kate gives Gill 113 DUIs which gets him arrested. Dade flags him as deceased.
They are at a tie and need one more round. The prize is raised to the loser wearing a dress at the date.
Thoughts
Messing with someone’s life is popular in hacker fiction, especially getting the victim’s credit card cancelled or giving them a criminal record. We saw the latter happen in Minority Report. Such an attack nowadays would most likely be focused purely on the digital domain. It makes me think of the recent tragic case where a man got his Google account erased and his cellphone carrier service cancelled on false grounds. All email, cloud storage etc gone. Once your email is gone, you typically can’t get back into any other accounts either.
Hackers competing is a long standing tradition. It’s done in organized for in so called Capture the Flag competitions.
What’s On the Floppy?
Joey is no longer grounded and gets the floppy out of the duct. He decides to meet with Phreak and hands the disc over for Phreak to investigate. Joey has a tail however and they have to flee. Phreak hides the disc before he gets arrested. He uses his one phone call from jail to call Kate and tell her to pick it up where they always hide things.
Kate and Cereal go home to Dade and ask for help. He reluctantly agrees to copy the disc to keep as proof if Kate and Cereal get busted.
The Plague is still pressuring Dade and goes after his mother. He changes her record to being a wanted felon. She’ll be gone for life if Dade doesn’t give him the disc. Dade agrees to hand over his copy and does so in a back alley.
Kate, Nikon, and Cereal are analyzing the garbage data. Dade agrees to help them. The do an all-nighter and we see the flying math symbols again. Eventually Dade cracks it.
Dade: It isn’t a virus. It’s a worm.
Nikon: What’s this one eat?
Dade: It nibbles. You see this? This is every financial transaction Ellingson conducts, yeah? From million-dollar deals to the 10 bucks some guy pays for gas.
Kate: The worm eats a few cents from each transaction.
Dade: No one’s caught it because the money isn’t really gone. It’s just data that’s shifted around.
Kate: Right. And when the worm’s ready, it zips out with the money and erases its tracks.
Dade: Joey got cut off before he got to that part.
The team realizes they are being set up to take the fall for when the worm makes off with the 20+ million dollars it has. They need the rest of the file to figure out where the money is going.
Dade says he thinks he knows who wrote the worm. In this, he admits he gave a copy of the disc to The Plague. When they question him why, he mentions that he has a criminal record and that he used to be Zero Cool. To make up for giving the disc to The Plague, he’ll help hack the Gibson to get them the rest of the garbage files.
Thoughts
This is where the plot changes from teens hacking for fun to a thriller with high stakes.
Dade handing his copy to The Plague is a weird twist. Surely The Plague understands that they may have made several copies of the disc. The only thing the floppy gives him is proof of what the hackers have at minimum. Dade could have given him a floppy with just parts of what they have. The twist helps in making Dade feel guilty and help the others but the threats to his mom should be enough for that.
Multiple copies of the floppy gets to something that is a unique challenge in hacker fiction. Digital data can exist in infinite, perfect copies. You can’t have something akin to The One Ring to Rule Them All. I tackled this in my novel Identified by making backup data be a key part of the plot.
But the challenge is just one side of two. Infinite digital copies also gives hacker fiction a unique advantage. Protagonist and antagonist can possess the same token at the same time. You’ll see that too in Identified where compromised, or copied, crypto keys goes unnoticed because there is nothing missing.
Now we get to the worm. This is the only real letdown in this movie. The script writers took an existing hacker term and blew it. A worm is not something that eats something. A computer worm is a self-replicating piece of malware that uses computer networks to spread. What they describe is not a worm at all, it’s a salami slicing attack where you gather small pieces (slices) to get something big in the end (the whole salami). The first real internet worm was the Morris worm in 1988 so worms were well known when Hackers was written.
The Showdown
The team needs a bunch of intel to be able to hack the Gibson. Dade and Kate go dumpster diving for printouts. Cereal pretends to fix woman’s phone at the Ellingson company but instead installs a phone tapping device under her desk.
Meanwhile, The Plague pushes Gill to move on the hackers or else the virus will be triggered. The team learns through the tapping device that they’ll be arrested the next morning. The clock is ticking.
Kate takes Dade to Razor and Blade, the TV hosts for Hack the Planet. She explains that they need help distracting Ellingson personnel while Dade steals the garbage files. Razor and Blade suggest a distress signal to all hackers.
Dade hacks NYC’s traffic light system to go all green at 9 am when the cops move to arrest them. The hackers flee using rollerblades in the car chaos.
They meet up at Grand Central Station, connect their laptops through public phones and use all hacks (“viruses”) they have to stall and confuse Ellingson while they try to get access to the Gibson and get the complete garbage files.
We see corporate PCs get locked with funny screensavers and landline phones get swamped with calls as a result of all the hacks.
The Plague starts fighting them to protect the Gibson and seems to be winning. He triggers the virus, traces the hackers’ signals to Grand Central Station, and notifies Gill who thinks the hackers are responsible for the capsizing tankers.
Razor and Blade get the global signal out and hackers from around the world start hammering the Ellingson system.
Gill and armed forces reach Grand Central.
Dade finds the garbage file in the Gibson. The Plague kicks him out. Joey is the only one left with a chance to get the garbage file. He succeeds.
Razor and Blade direct the world’s hackers to instead hammer the Gibson to slow down the virus and stop the tankers from taking on water.
Gill finds the team and arrests them.
Dade manages to throw the disc with the complete garbage files in a trash can and then yell “They’re trashing the flow of data. Trashing, trashing!” to Cereal as he’s taken to a police car. Cereal finds the right trash can and the disc.
The Plague celebrates with champagne. The hackers took the blame and he got the money.
As Gill tells TV news about the arrest and the dangers of hackers, Razor and Blade take over the broadcast and Cereal appears on the screen. He explains The Plague’s scam.
The Plague flees in disguise on a plane to Japan but is arrested mid-flight.
Dade and Kate go on a date. And kiss.
Thoughts
Dumpster diving and phone tapping are classics. However, both are quite obsolete with fewer and fewer print-outs and more and more end-to-end encryption of communication.
Making law enforcement go after the hackers for the virus is a clever way to disguise the salami slicing attack. I like that part. And it makes it clear that the hackers are the heroes since they are the ones being framed.
The hackers unite signal from Razor and Blade is over the top but there is some sort of collective movement among hackers. The latest example is 300k hackers uniting to fight for Ukraine in cyberspace. They coordinated through the messaging app called Telegram.
Using news broadcast to talk to the world has never worked for me in fiction. You see it in many places, including the Bond movie Tomorrow Never Dies and Johnny Mnemonic. I sometimes think it’s used because the US to some extent has had a couple of moments where the world has been watching. The lunar landing the 9/11 terrorist attacks are the ones I think of. But in those cases, people were watching their domestic broadcasts of the events and there are time zones that come into play. In Hackers, Cereal only needs to address enough of the US public to make sure Gill moves on The Plague so I give this one a pass.
Final Remarks
Hackers is a loving portrait of 90s hacker culture with even some queer elements to it. That and the fact that one of the two master hackers is a woman makes it feel the most modern out of the golden triple. If you watch it, you’ll be able to tell that I got a lot of inspiration for Identified from this movie, and paid tribute by letting two of my main characters – Kiss and Jitterbug – use Katy Libby and Dade Murphy as their fake names.
The movie did not do well at the box office so it’s one of those that grew with time. I would love to see more movies like this and have more queer elements too. I want the sensation of going to the hacker conference Defcon weaved into a great thriller plot.
Hack the Planet!
Currently Reading
I’m still reading George R. R. Martin’s A Dance with Dragons. At this pace, it’ll take me the rest of the year. It’s going to get the lowest rating from me out of the five novels in the series. I’m doing better with The Adventures of Tom Sawyer but that’s reading aloud so it takes a while.
Rundown of Duplicate Letter Bug in August
Here’s what my service provider Buttondown told me about the duplicate letter bug.
It was a hell of a time actually finding the bug, so here goes:
Two useful parts of context, re Buttondown’s architecture:
- Buttondown has a concept of “receipts” which is basically “has subscriber A received email B?” to prevent double-sending.
- Each email in Buttondown has a
status
(“draft”, “about to send”, “in flight”, “sent”, and so on) governed by a state machine. Transitions from one state to another actually cause the emails to send.
Buttondown has a cron that checks for emails that are stuck “in flight” (their governing state machine didn’t mark the email has having completed) and, assuming nothing seems awry, tries to rerun the email, by diffing the receipts expected for the email and the receipts actually present for the email.
Buttondown’s cron runner runs every 15 minutes. If the previous cron (from 15 minutes ago) is still running, the cron will be running twice — once for the run at 0:00, and once for the run at 0:15.
The “receipts” for each email are — or I should say were — only created once an email has actually been sent to a subscriber, not once the asynchronous request to send a specific email to a subscriber has been kicked off.
Neither of those above points are particularly problematic on their own, but combined they meant that if Buttondown’s governing cron monitor was taking a long time for whatever reason and the backing asynchronous queues were backed up, we’d be “resending” “stuck” emails that were already in-flight!