I watched CSI:Cyber so you don’t have to.

CSI has a proven formula for making popular TV shows. Unfortunately that history does not include accurate TV shows. When it comes to tech and things ‘cyber’ this is probably the preeminent example of CSI being bad and wrong at the same time. I thought there was no way they could top this; I was wrong.

Hollywood has had a long history of doing tech wrong. Take a look at the recent Scorpion TV show; on second thought don’t, it’s almost as bad. Occasionally Hollywood does get tech correct, like with the recent Blackhat movie, but while the tech was good the movie itself was bad for other reasons. The last time, perhaps the only time, Hollywood got the movie and the tech right was Sneakers, which is coming up on a quarter century in age.

While I think it is great that TV shows like this bring technical issues to a mass audience, scaring people into thinking that the Internet is out to get them is probably not in anyone’s best interest. Humans often do stupid things when they are scared.

Let me talk first about the few things that CSI:Cyber got right. The show mentions that social media is a huge aid to law enforcement and one of the characters jokingly says that’s why he doesn’t use it. This is absolutely correct; Facebook, Twitter and other sites are often the first step in an investigation of any sort, often even before they interview witnesses or suspects.

The softball-shaped camera that is thrown through an open window into the bad guys’ lair near the end is an actual thing that is actually used by law enforcement. They got this right.

In another scene one of the technical characters, who is labeled as ‘the greatest hacker in the world’ (I’m not even going to touch that statement), claims that RATs or Remote Access Trojans are easy to get for $40 on the ‘surface net’. He is right about the easy-to-get part, although his price is a little high and I have no idea what the ‘surface net’ is. But yes, tools that online criminals use like RATs are very easy to come by. The thing about Remote Access Trojans is that they are very similar to legitimate Remote Access Tools like, say, Go To My PC or Remote Desktop,

Probably the most important thing that they got right in this show was when the World’s Greatest Hacker was berating the lowly tech employee for allowing a vulnerability to exist in the company’s software and the tech guy responds with “I took it upstairs but they didn’t listen.” This is an all too common theme that is often repeated in the information security world. Company executives often refuse to listen to security concerns and instead focus more on the bottom line. This is probably the single truest thing this show got right.

The second most important thing they got right was the weak security present in many Internet-connected cameras. Many such cameras have default passwords and are easily searched for over the Internet, allowing anyone to connect to the camera and watch and listen to what is happening. There have been cases where people will connect to a camera and then yell at the sleeping baby. Manufacturers of these cameras were told about their default password problems but most refused to fix the problem, that is until these stories started to hit the press and the FTC started to levy fines. Even after the companies issue an update to the device’s firmware it is up to the owner of each camera to learn about the update and apply the patch themselves. This seldom happens, leaving tens of thousands of devices installed in people’s homes that anyone can access.

Other than that, just about everything else in the show is just completely unbelievably wrong. Not only are things wrong but they play on known false tropes, like that lead can block radio signals (it can’t), that convicted criminals are allowed to work in the field on active investigations, that you can quickly separate overlaid audio and translate it, that you need big wall-sized monitors in order to catch bad guys, that hackers who could be halfway across the world are conveniently just an hour or less away, that non-smart phones can have GPS apps and that cops treat forensic data so carelessly.

One of the most egregious examples was the speed at which the characters analyzed the camera’s source code and it came up all green and then turned red. Source code doesn’t just magically turn red when malware is found. Reverse engineering is painstakingly hard, and it takes a lot of time. If code could just magically turn red if it did bad things, like it does in this show, the world would be a much, much better place.

I was especially troubled by one of the statements made early in the show: “Any crime involving electronic devices is by definition, cyber.” While this is just a TV show, there are people who believe this or at least will be influenced by this. This scares me as I guess that makes my electric drill cyber.

Also I loved how the characters on the show could do these crystal-clear remote videoconferences from remote locations. How? They never bothered to explain where the camera was or what they are using for bandwidth. If they did it with their cell phones I want to get on that data plan.

And I could not overlook that they had the one black person on the show repeat a racist nursery rhyme “Einie meane miny moe, catch a…” well they changed the word on the show but I’m really surprised they let that through.

If you didn’t watch this show you didn’t miss anything, at all, and I encourage you not to watch it; in fact just forget that it exists and with any luck it will be canceled. And then we just have to wait for the next TV show to do tech wrong.

This entry was posted in Uncategorized by Space Rogue.

About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or referred to by other major media outlets. He has spoken before numerous audiences including the Digital Messaging Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network which quickly became a major resource on the Internet for daily information security news. Before HNN he ran The Whacked Mac Archives, which at the time was the largest and the most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.
