Cyberwar and the myth of the Hollywood Hacker

The depiction of computing and hacking in Hollywood has long been the subject of amusement for techies around the world. From the preposterous idea that you can hack into an alien computer, to increasingly unbelievable graphical user interfaces, film has been poisoning our perception of computing for years (and don’t get me started on CSI:Cyber). Bucking the trend is the fantastic Mr. Robot, which for the first time in my memory has actual believable Linux code on screen. But even that show is guilty of a bit of exaggeration for dramatic purposes.

Such portrayals of tech have led to the creation of a trope known as the Hollywood Hacker, where super-users and impossibly-fast computer nerds can hack into anything in seconds, including accessing electric devices such as light switches and razors. Hollywood Hackers are magical beings that can access any system at any time, can guess any password and can bring entire cities to their knees.

While the inaccurate depiction of real life in entertainment is not a bad thing as such, the myth of the Hollywood Hacker can create unreal expectations of what can be achieved with a computer. The magical hacker can do anything; no system is secure. Having said that, there is real hacking taking place: hackers have stolen personal data and infiltrated secure systems, and there is no doubt that there is indeed a cyber cold war going on between the US, Russia and China. The difference is that real hacking is much less spectacular than the fictional accounts. Hacking is often a combination of social engineering, exploiting vulnerabilities, attacking badly implemented security, infecting a poorly-run computer or site, and just the hard graft of looking at lines of code. Hackers can also just take advantage of a lucky opportunity, such as a lost or stolen computer or phone. In short, there is no such thing as the Hollywood Hacker.

This trope has been a lot in my mind recently because Anonymous has declared war on Islamic State (Daesh) in what has become #OpParis. In a BBC interview, the person in charge of the operation’s Twitter account declared their goals:

“Our main goal in this operation is to identify the perpetrators of the Paris terror attacks and all terrorist organisations linked to them, acquire intel to dig deep into the roots of their manpower, disable their propaganda and stop their reach on social media, release their information to the public, and flag down any threat to mankind.”

Very laudable, but perhaps a bit over-ambitious. The announcement that Anonymous was taking on Daesh has taken the news by storm, and it is getting quite a lot of positive press and coverage. In various forums that I’ve visited, a vast majority of the public seems to be quite supportive of Anonymous. Finally someone is doing something against the massive threat represented by Daesh! People are clearly afraid and they want government to take swift action, and as this is not forthcoming, they applaud any group that takes action, even if it is an amorphous hacktivist collective taking matters into their own hands.

While #OpParis has been active mostly on Twitter, people have been leaving encouraging messages, asking for even more action:

“@opparisofficial You #Anon guys are supposed to be pretty good at all this stuff. How about bankrupting these guys.”

“@opparisofficial glad to have you guys on our side empty there bank accounts too”

Opinions like the above are precisely what made me think of the Hollywood Hacker myth: it would appear that your average Twitter user has a specific preconception of the powers that hackers command. In this mythical world, hackers can identify anyone, they can hack into their computers, access their mobile phones, steal their bank details, and empty their coffers. In this mythical world Daesh is history.

But I seriously doubt that Anonymous can wage that kind of cyberwarfare. The idea that a group like Anonymous can hack into bank accounts and empty them is far-fetched if you understand the nature of the collective and the limitations of what can be achieved through average hacking. There is nothing so far that indicates that ISIS has a complex online structure that could be affected by cyber-attacks. It is also very unlikely that the type of financial operations they have in place would be exposed to any sort of online hacking attempt. Most reputable reports of how Daesh funds its operations describe that it is through “oil sales, kidnap ransoms, smuggling, extortion, taxes, looting, bank robberies”, with little indication that these proceeds are even stored in bank accounts accessible to western hackers.

Where Anonymous could have a real effect is against Daesh’s propaganda machine. By all accounts, ISIS has a very sophisticated PR apparatus in place that makes use of all sorts of Internet outlets, using Twitter, YouTube, PSN, WhatsApp and their own proprietary apps. After Paris, there is even evidence that they may be moving communications to the Dark Net. So anything that could affect their capabilities in this area must be a welcome exercise.

So far, #OpParis claims to have taken down over 5,500 Twitter accounts related to Daesh. This is an impressive claim, and the mainstream press is completely lapping it up; I have lost count of news items that simply repeat the statement with no further questions. I have no doubt that Anonymous can shut down social media accounts. After all, they already did it after the Charlie Hebdo attacks in another operation called #OpIsis back in February, where we heard similar claims of victory against the jihadists. Yet here we are again, with thousands of Twitter accounts still in operation even after the initial “success”. The problem is, of course, that for all the rhetoric, the amount of damage that Anonymous can actually do is quite limited. In a more sedate tweet, they comment:

The issue with such an objective is that Twitter is just one channel of communication; Daesh has been using anything they can, open and closed, private and public. If you are only attacking Twitter, you are just scratching the surface. Moreover, as far as I can tell (and please correct me if I’m wrong), #OpIsis and #OpParis seem to be mostly conducted by Westerners; the two top Anon Arabic Twitter accounts command 455 followers combined. I have also been worried by the lack of verification of the claim that 5,500 Twitter accounts were removed (and again, I’ll be happy to be directed to any evidence).

Seeing the history of Anonymous operations, it is undeniable that there are real hackers involved with the movement, and I really hope that they can do some good. But we really cannot expect them to do more than prove to be a nuisance for Daesh. Hollywood Hackers do not exist, so we cannot rely on myths in a time of crisis.

Defeating terrorism will take more than a few keyboards.

Edited to add: I just read an interesting point about how removing Twitter accounts might be counter-productive. Intelligence services do want to have Daesh members tweeting, as it is a good source of intel.
