Cyber Defense Review

Thank You Very Much, Mr. Robot

By CPT Brent Chapman | July 27, 2015

Recent headlines provide a virtually unlimited source of material for Hollywood’s latest trend: the cyber-thriller.  From the paranoia-fueled Person of Interest, to the widely-panned CSI:Cyber, these shows attract a huge audience and often inform a significant segment of the population on all things technical.  They also, as discussed in a previous Cyber Defense Review post, have the potential to educate users about the risks of information security on a very large scale.  USA Networks’ newest cyberpunk thriller, Mr. Robot is one of the newest entrants into the fray.  The show has already received rave reviews, not only for its immersive and dark tone, but also for its unusual technicaly accuracy.

The pilot for the new series Mr. Robot, cleverly titled “eps1.0_hellofriend.mov”, opens with our protagonist named Eliott Alderson narrating his thoughts of insecurity and paranoia.  It has a taste of the familiar: technically prodigious emo introvert drowns in social angst.  Thankfully, the clichés stop right there.  The episode quickly cuts to a scene where we see why Eliott is different.  He confronts Ron, the owner of a coffee shop whose network Eliott’s hacked and has been monitoring for several days.  Explaining what he’s done in a very matter-of-fact way, Eliott reveals his hack and also his knowledge of Ron’s illicit image sharing website.  Ron pleads and even offers money to Eliott for his silence, but Eliott refuses citing his disinterest in money.  Ron can only stand there, mouth agape as Eliott leaves the coffee shop – just as the police enter.

 

 

Eliott confronts coffee shop owner Ron, whose network he hacked, about his illegal file-sharing website “Plato’s Boys”.

 

There’s no question that what Eliott does is illegal, but he apparently does so with good intentions. We learn that by day, he’s a security engineer protecting powerful companies from hackers.  By night, he’s a digital vigilante taking down criminals with his technical talent.  His fog of cognitive dissonance follows him throughout the episode, and it’s beautiful.

The show does a tremendous job is covering technical themes without reducing itself to walking the viewer through with ham-fisted dialogue.  We get the sense of how impressive “gigabit” is sheerly through the conversation.  Rather than telling the viewer what social engineering is, for example, Eliott gracefully demonstrates how easy it is to do several times in setting up his prey for the takedown. Elliott, at one point, calls a target pretending to be a bank’s fraud prevention department in order to get personal information.  The questions Eliott pose seem legit, but the target only briefly expresses suspicion about who the caller really is before providing the information anyway.  Is this far-fetched?  Absolutely not.  The far-too-common trend of weak passwords and the dangers of oversharing on social media are also explicitly called out in the episode.  And they aren’t just mentioned once or twice – these concepts come up quite frequently.  Are the writers lazy?  No, quite the opposite: they’ve done their research and found that these are the most common causes of data breaches.

In terms of realism, Mr. Robot gets as close as any show I’ve seen so far.  Attacks are hard work.  Done correctly, they take time to properly plan and execute if the attacker wants to stay hidden and out of prison.  There is no ‘enhance’ button that Eliott presses to solve his problems, nor are there cutscenes into the computer internals to follow a pulsing red light representative of the malware that was just downloaded.  What is shown, rather, is Eliott’s methodological approach to overcoming his challenges.  He does his homework.  He makes mistakes.  He tries again.  He succeeds.  Sure, there are still shortcuts and continuity errors, but for a hacking show it’s comparatively minimal.  Mr. Robot also seems to play on current global and socioeconomic events to attract the non-techies.  The increasing tensions between conglomerates and hacktivists are a major focus in the pilot episode.  Though it’s not completely clear that there’s a ‘correct’ side, it’s quite entertaining to be completely immersed in the well-constructed world of online warfare, mostly from Eliott’s point of view.

I sense that many viewers will finish an episode not able to remember a command or specific technology that Eliott used, but will instead recall scenes of social engineering in action and how it can affect them.  This is what’s important.  As part of a security community, we should aim to raise the understanding of those around us.  Mr. Robot is just the type of show we need to inspire, entertain and educate us all about cybersecurity.

 

 The views expressed in this article are those of the author and do not reflect the official policy or position of West Point, the Department of the Army, the Department of Defense, or the US Government.



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.