Article Lead Image

‘Blackhat’ movie review, by Sabu

The infamous leader of LulzSec gives us the lowdown on Hollywood's latest look into the world of hackers.


Kevin Collier


Posted on Jan 18, 2015   Updated on May 29, 2021, 6:03 pm CDT

Opening this weekend, Blackhat is the latest in a long line of Hollywood attempts to draw cinematic tension out of the usually boring world of criminal computer hacking. Directed by beloved crime filmmaker Michael Mann (Heat, Collateral, Public Enemies), Blackhat centers around a hacker successfully breaking into nuclear plants and stock exchanges, forcing the government to call on imprisoned hacker Nick Hathway (Chris Hemsworth) to fight fire with fire.

We watched the film with former real-life hacker Hector Monsegur, best known to most of the Internet by the infamous pseudonym Sabu. It was using that name that he masterminded an Anonymous group called LulzSec (think laughing out loud at security), to hack an incredible number of commercial and government sites around the world in 2011, before the FBI caught Sabu and he became an informant.

Since being released for his cooperation with the Federal Bureau of Investigation last year, Monsegur’s computer access is restricted, so this conversation was had in person and then transcribed, and our conversation was limited to the technical aspects of hacking as shown in the film, per the terms of his release.

Needless to say, the following is riddled with technical jargon—and spoilers.

On the animated scenes, especially at the beginning, of packets (blocks of data) traveling around the world.

Hector ‘Sabu’ Monsegur: These packets are flying through the network. Every once in a while, a weird packet would hit one of these specific servers, all of a sudden a light would turn on. This is very indicative of a ‘magic packet’ setup. A great example of that would be Wake-On-Lan, WOL, made for people who have some sort of remote access to a network. Their workstation is offline, suspended, in hibernation mode. So you log in to a VPN [virtual private network] and set up a magic packet, and the packet travels and sends a message to the key address that’s connected to the machine itself, which is technically hibernation but not fully sleeping.

Once the packet comes in, the packet turns on. But was that what we’re seeing there? Or was that just some sensationalism, added some effect, like this is an evil packet that all of a sudden opens up gateways?

On the fictional National Security Agency program Black Widow, which can salvage information from a damaged hard drive.

Unless I’m mistaken, I didn’t see that FBI agent bring her laptop to their hideout. The computer they used was the one in the house, in that little facility. So [the main hacker character, Nick Hathaway] needs somebody’s password, so he spear phished a guy at the NSA. I respect that.

[Ed. note: As part of the terms of his release, Monsegur is prohibited from going into details about his criminal past, but previous reports established that one of LulzSec’s highest-profile hacks, one against cybersecurity firm HBGary, started when the group successfully spear phished executives.]

But what is Black Widow? The woman said it’s a remote login tool. But she didn’t have a laptop. So where’s the tool? Where do they download the tool from? The NSA has a public repository for that? You can just download it, anyone can download it? You need a login to log into Black Widow systems. And would the NSA really allow a non-VPN connection in the network to access the black widow? That would mean any script-kiddie on the planet could find it and maybe brute-force it.

On the discovery that the thwarted attack on the U.S. nuclear plant, which was thought in the movie to mirror the successful one against China, had been planted by an employee via a thumb drive.

The guy that was murdered towards the beginning of the film, the Spanish [Latino] guy, infected a USB thumb drive with autoruns [a function that automatically causes files to open or programs to run]. That’s how they were able to bypass the firewalls, through that reverse shell that was automatically executed with that USB thumb drive.

But that doesn’t explain what happened in China. Because there’s no evidence that that even happened in China. That was a highly secure facility, with guards and many levels of security.

On the Virtual Private Network used in the dead hacker’s hotel room.

The VPN software they were using looked like Hide My Ass. [Ed. note: Through the prosecution of hackers brought to trial around Monsegur’s case, the public learned that HideMyAss cooperates with the FBI when a court tells them to.] So I found that funny [that] they used that software here. It also looked like it was constantly Perfect Privacy, maybe.

They also make a big deal of “Oh my God, the signal’s traveling all around the world!”

It’s fucking VPN software.

On a scene where Hathaway needs access to a particular server, walks up to a server storage rack, and pulls out the correct one.

Near the end, when he went to the server center, he accessed the server. Mind you, he just picked a random rack. He had no idea what rack the website was hosted out. He just randomly guessed. Not only did [Hathaway] guess that, but [he was] pulling out drives and mounted a drive. How do you know that’s the drive to mount? All of a sudden you magically fucking figure that out instantly?

Why even go to Jakarta to get this information? You spear phished the NSA. You hacked into the machines, you infiltrated fucking everything along the way. You stole $76 million at the end of the film. You did all this hacking, all this blackhat shit, all the social engineering, and you’re telling me you couldn’t social engineer the data center operator in Indonesia? Get into a stabbing and shooting war?

On the central villain’s master plan.

Why are you hacking bank accounts? Why are you stealing money from stock exchanges and blowing up power plants, so you can increase the price of a certain good, or making money off of futures? Or you could just hack the bank itself and take all the money. Or take a fraction of money every day and withdraw it somewhere in Malaysia.

It’s not realistic. If you can spear phish the NSA, you have no problem hacking that server.

On Hathway’s actual commands when he hacked.

The thing I thought was really interesting is that [main guy] is a super fucking hacker, but he was debugging the binary. He was opening the binary like a document reader. There’s no disassembler, no assembly that we saw. [Ed. note: So-called assembly language is a text representation of binary, which is the version of code that a computer actually reads to perform tasks. A disassembler turns binary code into a text format, which is not the format in which a hacker or engineer would work.]

Yes, you can try to find some strings in a binary, if you have a Linux machine and you open this up, and then you execute a string’s binary name. You’re gonna see the strings inside the binary. Does that usually happen? No. Because there’s also command called strip, and strip would remove all the symbols and all the strings from it, the whole point is to clear out and to make space for the binary. So him reading the binaries in pretty much text format was kind of stupid.

The thing that was interesting to see, what most hackers would like, is the shell sessions, the Unix sessions. If you paid attention to the commands, they were fucked up.

In the scene when he mounts that damaged drive, he runs these weird commands. You notice he’s executing “cp/” [command], the path to the mount. But there’s no spaces, so technically the command doesn’t exist. If you were to run that right now, it’d tell you “command not found.” Those are blatant errors that could have been easily corrected.

In the Matrix, they had it right, they use a proper Nmap [network mapper, a tool for auditing a network’s security] execution. It showed us, realistically, the packets doing this, getting shell code, hashcodes here and there. That’s more realistic than running a bunch of long commands.

They’re also using the wrong octets on the IP addresses, but they’re probably doing that so people can’t scan actual IPs. I can understand that, that makes sense.

Illustration by Fernando Alfonso III

Share this article
*First Published: Jan 18, 2015, 1:33 pm CST