Wednesday, April 06, 2011

A pre-review of 'breaking_in'

UPDATE: no, a smash-n-grab is not a pentest

Tonight, Fox debuts a comedy called "breaking_in", about a small pen-test company. I haven't seen the show, but I'm the CEO of a small pen-test company (i.e. Christian Slater's character), so I thought I'd create a "pre-review" of the show. (Also, one of our exploits, FedEx-ing an iPhone to a company, was already dramatized in the show "Leverage" -- we got a nice thank-you note from the producers -- this gives me license to pre-comment.)

Physical vs. Cyber

The most important difference from reality is that pen-testing is almost always a computer thing. Companies hire us to hack into their computers. In the show, it appears they focus on physical penetration. A hacker might disable the alarm system, but the other characters rappel down ropes from the skylight during the night. That's logical: what pen-testers really do is sit at a computer all day long staring intently at the screen. And most of what we actually do is write the proposal and budget before the test, and compile the results into a report for the customer, rather than doing the penetrating. There is no way to dramatize this for TV.


I did want to discuss ethics. We pen-testers share the same abilities as hackers -- does that not imply we share the same ethics? Wouldn't exploring this ethical issue make a good story? The answer is that a greater suspicion of unethical behavior leads to a greater emphasis on good ethics. We fire employees not only for ethical violations, but also for any appearance of ethical violations. At my last company, we fired an employee for running an unauthorized port scan from home, not because we thought he was trying to hack somebody, but simply because some might interpret it as trying to hack somebody.

Another side to ethics is the fact that pen-testers are generally highly paid. We gouge our customers (we are worth every penny). There is no temptation to screw that up by crossing a line. Sure, we frequently get our hands on hundreds of millions of dollars during pen-tests, but there is no temptation. The risks involved in actually trying to pocket that money are too high compared to the income we get anyway.

According to the previews of breaking_in, the CEO of that company blackmails an underpaid hacker into working for him. I've seen others that are similarly unethical, but if such a CEO is willing to cross the line in that case, he will probably keep crossing lines and taking chances, until he either goes bankrupt or gets put in jail. A good example of this is in Kevin Poulsen's book "Kingpin": several times Max Butler tried to go straight, but his ethics were so poor that he kept crossing lines, and kept getting caught.

The upshot is that any established pen-testing company is likely to be far more ethical than average, not less ethical.


The characters in the show are a bit odd. That's about right -- everyone I know who does pen-tests is a little weird. Though, it tends to be the boring sort of weird, like not bathing, rather than the exciting sort of weird, like driving a HumVee. Though, there was this one bank in San Francisco whose chief security expert wore goth clothing to work, and occasionally cross-dressed (his wife helped him pick out the clothes).


The show has a love interest, of course.

As you might expect, females are rare in the testosterone-fueled community of hacking, but they aren't nonexistent. There are some really talented females at the top of our profession.

I might be live-blogging the show tonight, or maybe just inanely twittering it @ErrataRob.

1 comment:

Andi Baritchi said...

After five minutes I couldn't take it anymore and I changed the channel.