(Warning: Spoiler Alert ahead... or maybe not. I mean, it's not like there's some big Shyamalanesque plot-twist at the end of these things...)
The other day a friend said, "You have to go see Mission: Impossible - Ghost Protocol! You will love it, ya know, because you're in security." I'm not really the type that goes and sees every action movie, but I was sufficiently intrigued by the promise that the fourth installment of the series might be a hacker flick. Those are always good for a sobering insight into what Hollywood thinks of our industry or for a laugh. So I went... and I loved it! It was the gadget-filled, awesomely insane tapestry of extreme action and suspense that we all have come to love and expect from Tom Cruise.
But it didn't seem to me to be a hacker flick. So I messaged my friend and I said, "The gadgets were by far the best in this movie. The story was the most appealing. The actors all had great chemistry. But that isn't why you said I would like it, so please explain, why did you call that a movie about infosec?" He then began recounting all of the scenes where Old Man Cruise has to rappel from something or dive off something and get something out of some ridiculously locked room. But what he of course noticed that I had been too dazzled to see was that the real heavy lifting in those scenes was done by the team's standard issue hacker character (Simon Pegg). Tom has to go into the vault to get the microfiche (really, still??) but Simon is the one that gets that door open.
The most interesting part though is how the hacking is done. In a cruel twist of fate and conspiracy from the highest levels, the president initiates "Ghost Protocol" and the team becomes exiled with no access to the Carnivore-like CIA network that usually makes things like breaking the encryptions Hollywood-quick. So they're forced to kick it old-school and do a pretty nice variety of physical penetration hacks.
MI:4 has reminded me how effective the physical security attack really is. While today's military-grade firewall may be Fort Knox at keeping people out of the tubes, there's really nothing that's going to stop a hacker if they're sitting right in front of the machine. Or if their increasingly disgruntled team leader is sitting in front of the machine with a pocket router after having scaled the sheer side of the tallest building in Dubai using only a suction cup and a fire hose. Or if the guy on the team who was never part of the plan that has to slide down an HVAC shaft into a subterranean server room that without the cooling system has become "an oven", and by the way the walkie-talkies aren't working and the bad guys just cut the satellite feed, is sitting right in front of the machine. Or if the plucky new female agent with a grudge and something to prove floats a balloon holding a wireless connection device over a wall to get into the signal area.... Well, I guess they can't all be extreme, but it shows the excellent point that if your physical security strategy doesn't cover the 50 feet underground and the 15,000 feet of air space above it, you're doomed. (Don't worry, the plucky female agent gets extreme redemption when she completes one of our other favorite old-school physical hacks, the 'beating someone with a $5 hammer [xkcd] until they tell you the password' technique.)
Oh, and also everyone on the property should probably be assigned a dog because people are incredibly dumb.
Showing posts with label movies. Show all posts
Tuesday, January 10, 2012
Monday, September 10, 2007
And now...Comedy...
Friday saw the quarterly official Errata Security team building, offsite, management meeting held at the Regal Cinemas in Atlantic Station. The Errata Security founders viewed Shoot’em Up with Clive Owen. Shoot’em Up provided an opportunity to do something I have wanted to for a while: discuss security products designed by committee. First my short review of Shoot’em Up.
Shoot’em Up as a movie exists in a place that would make Schrodinger's cat envious: it is both crap and brilliant in a constantly fluctuating state. On one hand, you have Clive Owen portraying a reluctant hero who has to shoot, stab, and generally dismember his way through a constant stream of bad people who cannot hit the broadside of a building with automatic weapons. The reluctant hero holds a special place in the hearts of action moviegoers everywhere since Bruce Willis’ iconic character, John McClane, blasted his way into the hearts, minds, lower intestines, and limbs of faux terrorists all over the world. Clive Owen keeps the basic rules of the reluctant hero alive by being able to hit what he is shooting at in ways that us mere mortals could not imagine while spending the entire time looking like someone who would more enjoy sitting in the waiting room at the local dentist. The movie would be quite satisfying if that is all it was, but there is a strong anti-gun message throughout the entire film. The anti-gun sentiment accompanies a strong anti-company message and some good old-fashioned politician hate thrown in as well. For a movie that targets an audience of males 17-34, this is an odd choice. I do not mean to sound crass but it is almost like a porno movie preaching abstinence. I am sure what we watched was not the director's initial vision, but rather a perversion of it from a pitch meeting in Hollywood.
In fact, I am sure it went something like this:
Director: I wanna make a mindless action movie where a reluctant hero runs around for two hours and shoots bad guys.
Studio: That is awesome, we want to make it. We have a few suggestions…
Director: Suggestions? About what, it’s a pretty straightforward movie. A guy runs around and deals death in the form of a wall of lead to bad guys. What more is there, unless you are talking about marketing tie-ins with people like Glock…
Studio: Well, we want the hero to have a heart of gold, our testing shows that most audiences like a heart of gold. In addition, mothers get upset about gun violence so we need to add a strong anti-gun message or we might be looking at protests. Also let us give our hero a sidekick, maybe a love interest, to help draw in the women. Also when I was a child a worker from a large company took my ice cream cone, so I want to add in an anti-corporate message.
Director: So wait, lemme get this straight, you want to turn my 2 hours of shooting into an anti-gun campaign that also targets large companies while we just throw in sidekicks…
Studio: It is only going to be 80 minutes and it is that or we can give somebody else the money to make his or her movie…
You may be wondering what this has to do with security. I have seen some products that actually seem to get the same design-by-committee process.
Developer: I would like money to build the ultimate security product that everybody needs. It will work by stopping attacks by inspecting traffic into a network device and determining if it's an attack.
VC: That’s awesome, we would like to give you money to do this, but we have a few suggestions…
Developer: Ok, I would love to hear them…
VC: Is there any way you could make this product more buzzword friendly, like ASLR?
Developer: Address randomization really does not apply to network products…
VC: So we would have a great breakthrough if you made it work. We would also like you to add in stuff like anomaly detection and content filtering…
Developer: Does anybody want to buy a product like this?
VC: Sure, plus we can charge more, anyway just sign on the dotted line in blo…err...ink.
Developer: It's kind of weird, it's almost like you were about to say “sign in blood”…is it really necessary to tell me to sign in ink?
VC: Yes…Have a cookie.
Sunday, March 11, 2007
A round up of things...
If you have been asking how to get Metasploit on the N800, you can find instructions here.
It's clock change time. If you have a BlackBerry and it's not displaying the right time, you might need this patch.
I am on an eWeek panel this week with Jon Ellch, HD Moore, and Joanna Rutkowska. That’s right, 4 of the top 5 hackers of 2006 according to eWeek. I guess Mark is busy.
We will be making a new version of Ferret available at Blackhat Europe, with some really cool new features!
I also saw the 300. It made 70 million this weekend. That’s almost unheard of for an R-rated movie. It’s great to see that there are movies moving away from the mindset that you have to make a movie PG-13 to make any money.
Maybe I am jaded but I didn’t really find it all that violent. A lot of reviewers seemed shocked over the level of violence, but it was more comic book style stuff than hardcore gore that you would find in something like Saw or Hostel (neither of which I really liked). Here is a tip for aspiring filmmakers: if half your movie is in slow motion you should find a different way to build drama or suspense. Every time there was a huge action scene I thought the slow-mo killed all momentum, it was like watching a music video...for two hours.
