5 common mistakes about hacking in stories

In my career as a software developer, I’ve seen a lot of television and novels mangle the depiction of hackers. Today, let’s go blow apart some of those erroneous depictions.

First, let’s look at what we’re talking about.

What is IT security?

IT security is about preventing people (or programs) from gaining access to information or commands they shouldn’t have access to.

This includes things like stealing creditcard data from a company, playing a movie you have no license for, or starting a Tesla without its keys.

This covers a lot of things, and I could write a lot of things about it, as I have before, but today, I’ll stick to things that bugged me in movies and books.

1. Decrypting passwords character by character

This isn’t as common as it used to be, but I still run across it occasionally. Imagine the hero is trying to crack a password. He or she is a computer wizard and quickly starts a hacking program. A spinner starts up and one by one, the password’s characters are revealed.

I understand how this works well as a tension device, because it uses a running clock to put on pressure. However, it’s generally not how this works. You see, nowadays a series of complicated mathematical operations is applied to your password, and the result is a series of numbers that either match, or not. You do not get feedback for correctly entered characters.

Algorithms that hack password usually try a dictionary of words (like ‘god’ or ‘welcome’), and variations on words (‘welcome1′,’welcome!’), until they get a hit. Or, in extreme cases, all possible character variations are tried, but that is not feasible for longer passwords.

So, don’t put this in a book or show. There are other ways to create tension.

2. Breaking through a firewall

I’ve seen a lot of shows where hackers ‘break through’ a firewall. It is implied that a hacker can break through a firewall using enough ‘force’ or computing power, or something.

In reality, you can’t break a firewall. A firewall either accepts or rejects messages. The moniker ‘wall’ is misleading. A firewall isn’t so much a wall, as it is a traffic inspector. It’s more akin to a scanner at the airport. You don’t ‘break’ your way through an airport scanner, you sneak things through. When you want to get past a firewall, you use tricks to sneak your traffic through, or you break into its command interface and reprogram it.

3. The flashy interface

I guess it looks sexy when presenting hacking using a very slick 3d interface, with cool 3d keys or blocks zipping around the screen.

Unfortunately, actual hackers use *gasp* a terminal interface. As my User Interface professor explained to me 20 years ago: a terminal interface is the most efficient interface, however, the learning curve is the steepest as well. Hackers and experienced developers are often a fan of bare bones user interfaces because, to them, they are most efficient.

4. The hacker nerd

I know, Mark Zuckerberg set the clock back a few years. There are a lot of normal IT people out there, though. I consider myself one of them.

Yes, the profession attracts some of the weirder and more socially awkward people, but that’s probably because computer skills can be easily honed while staying away from people. Sales representative, on the other hand, requires far more hands-on human interaction.

Most IT people, and hackers, are just regular folks. You might think that most hacking is done by script kiddies in their parents’ basements. Guess again. Things like credit card fraud and hacking are a lucrative business, attracting hardened criminals and organized crime. Alongside, of course, your garden variety patsy and clumsy criminal.

5. Recompiling on the fly

A lot of hacking is depicted as a real-time process. A hacker compiles code on the spot, and responds to all kinds of threats in the moment.

That’s not very realistic. A hack does in fact go pretty quickly, often in seconds. The trick is in the preparation and the tools. For example, a hackers might run a program that performs a scan on a company’s web servers to try and find any open connection opportunities (ports) with vulnerabilities.

It looks more sexy to show a hacker battling a system, but in reality it’s more of a run-tool-X, fail, run-tool-Y, fail, run-tool-Z, I’m-in scenario. There’s also a pretty good chance that the company that is being hacked doesn’t figure out that they’ve been hacked for months or even years.

Conclusion

When you know how something works in reality, it often looks stupid in movies and writing. I’ve picked IT security, as it’s my day job. Something like surgery is probably as bad, but I don’t know enough about that to notice.

Possibly, ignorance is bliss in this matter. So sorry for ruining hacking stories for you.

Author: Martin Stellinga

I'm a science fiction and fantasy writer from the Netherlands