This post contains spoilers for the movie Blackhat.
If you were expecting Blackhat to be a slick digital whodunnit carried by riveting hacking scenes, you’re going to be disappointed. Instead, you get Chris Hemsworth as Nick Hathaway, a convicted hacker who is roughly as strong and bulletproof as Thor, smashing tables on people’s heads. There are also several tense helicopter flights, gunfights, and a poorly-written love story.
Videos by VICE
And then, there’s the moment that many have said throws away any goodwill the film may have developed in the network security and hacking communities: The FBI sends a spear phishing email—a message designed to fool the recipient into downloading something malicious—to an NSA agent, and the NSA agent falls for it.
Here’s what happened. Hathaway needs a secret NSA program called “Black Widow” that can recreate corrupt or destroyed data—in this case, data that has been destroyed by nuclear radiation in a hacked reactor. He and the FBI call the NSA to ask for authorization, and the NSA says no.
The FBI then gives Hathaway permission to pose as the NSA agent’s boss and send that agent an email containing a corrupt PDF file that gives Hathaway access to his computer, allowing him to take Black Widow and ~save the day~.
The NSA finds out and is PISSED, and then everyone besides Hathaway and his love interest are killed, the two live out their lives as rich outlaws, after a knife fight between two hackers.
It’s nuts.
“I’d agree that scene pushes the bounds of reality a bit,” former FBI cyberagent Michael Panico, one of the two security consultants on the film, told me. “My input was, well, you’d ostensibly think the NSA worker would be smarter than that. I told [Mann] that in order to increase the odds that someone would click on [the PDF file that contained malware], the email should reference the phone conversation the person just had, and the email should come from his boss.”
I get the pushback. I get it.
“I get the pushback. I get it. But we’re not making a documentary, we’re making a movie,” he added. “I think it’s a good question, but we made it as realistic as possible. And you know, you’re relying on the judgment of one human being clicking on something he knows he shouldn’t, but maybe he’s had a bad day, maybe he just wants to go home, maybe he’s stressed or tired. It can happen.”
Former blackhat hacker Kevin Poulsen, the other consultant, more or less agreed. He told me that “Black Widow is a problem” and that it’s “a reach for a couple of reasons.” The NSA would never have a tool that powerful just hanging out on an internet-connected computer, for example, and there’s no way to rebuild corrupt or purposefully destroyed files (as done by a smart hacker) based solely on the surviving data that’s around it. This idea was “so embedded in this key plot point,” however, that Mann decided he couldn’t write around it.
On the likelihood of an NSA agent falling for a spear phishing attack, Poulsen was a bit more defiant. It could happen, he says.
“I’ve seen a lot of skepticism, but I think it’s completely realistic. A well-constructed spear phishing attack can fool almost anybody,” he told me. “It was crafted to come from his boss. It wasn’t just one of those random emails you get—that’s exactly how almost all serious intrusions start.”
“They’ll pick the most vulnerable person in the organization and a class of people who are not that technically proficient,” he said. “And then, once they get past the firewall, they’re in. The current line of thinking is that’s how the Sony hack started.”
I don’t think I’m totally convinced, but in talking with Poulsen and Panico, I did gain a bit of respect for the film. I don’t know that anything anyone could say would make me think it was an enjoyable experience, but that’s because of the weak dialogue—an overt reference to the “cyber 9/11” that politicians have told us all to fear was particularly cringeworthy—and a confusing plot.
“It’s meant to be a popcorn movie, but [Mann] was serious about making the hacking elements ring true,” Panico said. “What’s interesting is that the hacking scenes are what drive the plot along—it puts the people together with one another so that you can have the action sequences.”
He’s right. The few hacking and cyberpolicing elements the story did have, outside of the spear phishing attack, I thought were done fairly well. There’s the Stuxnet-like attack on a nuclear reactor, there’s an attack on the stock market, and there’s a reference to the cyberforensics method of analyzing two separate parts of code to determine that two different people wrote it.
In this case, that’s the impetus for springing Hathaway from prison—the bad guy has taken a tool he helped write in college and has improved upon it and made it more malicious. That bit, specifically, was crafted by Poulsen.
“When they’re first looking at the bad guy’s code, there’s this big question about how, you can have computer intrusions where you could learn something about the attacker and his plans and his psychology by looking at the code,” he said. “There’s a lot of different coding styles, some even use code other hackers have used in the past, which ends up being a big clue here.”
Poulsen, who spent five years in prison for phone hacking, even suggests that it’s plausible that a hacker would be as insanely ripped as Hathaway is.
“There are definitely hackers who become very buff, tough actors as a result of doing time,” he said. “Max Vision [the real-life hacker Hathaway is based on] is a body builder.”
So, if you’re very into cybersecurity, there’s certainly enough to geek out over—and enough to get mad about—that it’s worth checking out so that you can be part of the conversation. If you’re expecting a hacking opus, it’s not Blackhat. Mann has not, as Poulsen noted, made a film in which you’re riveted by watching people code.
“The Social Network was the closest I’ve ever seen to having people sit at the keyboard in an entertaining way, which was thanks to Aaron Sorkin’s amazing writing,” he said. “Most of the time, you have to get away from the keyboard.”
I’m not here to pile on the film. I didn’t love it, and much of the action was nonsensical. I would not recommend it to a friend, primarily because I felt like the hacking played too much of a background role—throwing out the word “Onion router,” having the bulky Hathaway tap out a few lines of real-looking code or actual Linux commands, and showing the inside of a computer as a series of pulsing blue lights, does not a hacking movie make.
Just before the climax of Blackhat, Hathaway makes some seemingly profound pronouncement to his adversary, who he has finally tracked down in Jakarta: “It’s not about zeroes, or ones, or code,” he says. The same can be said for Blackhat.