There seems to be a lot of chatter (at least on my highly biased Twitter and Facebook feeds) about how terrible of a show CSI:Cyber was. People seem to be extremely concerned about the fact that the show did not portray all the hacking related activities (cyber, infosec, whatever you want to call it) precisely as it is in real life. So here’s my take at it.
First – I’m not talking about the overall quality of the show. I’m not a TV critic, and I’m not going to go into the casting choices, the bad acting, the hollow and predictable script or any of the cinematographic elements. Let’s just focus for a second on what irks people the most – cyber.
So let’s talk about some (again some!) of the technical elements that show up there:
1. Hacking into baby cameras. Totally true. http://www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/
2. Social media being a major source for intelligence. Been using it for a decade now through red teaming. Actually joined a social risk management company as it’s that big of an issue. (www.zerofox.com)
3. Social engineering – micro expressions, cold reading, etc. Legit. Again – red teaming. We even teach it on our red team classes.
4. The camera ball used to survey a site before entering it. http://bounceimaging.com/
5. Usage of malware (RAT) to spy on people. Welcome to the last 17 years of my professional career. And yes – you can buy this on the “surface web” (WTF – can’t you just say Internet?). Blackshades used to go for about $40-$50 a pop as far as I recall (and no, not going to do the homework for you and link to a live site that sells this. Google it.).
6. Companies that release products with known flaws in them? Yeah, you are probably reading this from one of those. Welcome to reality, where business decisions trump technical purity and security. Companies want to make money. Fast. If fixing all the flaws found in the software or hardware will keep them from making money, guess what – they will prioritize these to a point where they can get $ in the bank.
And yes – there where some highly amusing things where the artistic license was taken very liberally. Malware showing up in the code as red letters (vs. the traditional green on black). Fingerprints taken from a scene of a crime using an “Expensify” like app – quick snap of the phone’s camera, and within seconds you got a match with full profile and mug. Tracking every IP address to a physical location and swatting it within minutes. A teenager that needed help on a console game from a 30-something year old FBI agent. Having an online bidding that consists of basically a conference call conducted in multiple languages (nobody has time for this – it’s all going to be done through IM’ing, and on dedicated forums). And the list goes on… no regard to the judicial process, medical examinations that are beyond absurd, taking an hour to drive from DC to Baltimore, but from Baltimore to upstate New York in minutes just to get to the drowning car so that the baby can be saved.
Am I hearing my lawyer friends going crazy on the lack of judicial process? About the deal that put a convicted felon to work closely with the FBI? (they are having hard time finding good people because they smoked pot FFS)? Nope. You know why? BECAUSE IT’S TELEVISION.
It’s not a documentary.
If it would be, 90% of the show would be someone staring at a debugger on a screen, drinking coffee, eating junk food, and cursing. And then writing a report. I’m sure that’s a blockbuster – call in the writers.
So ease off. Be thankful that this isn’t another Scorpion, and that there are enough elements in the script based on reality, kick back, take a load off and watch your entertainment on TV. If you want more accuracy – feel free to watch the hundreds of videos from conferences like BlackHat, Defcon, Derbycon, etc. You’ll get educated. Can’t promise anything about entertained though