The Hacking of Hollywood
In a town where everyone has been pwned, or soon will be, there’s no such thing as false paranoia. Which brings us to Oliver Stone and his upcoming Snowden biopic.
It’s a cold day in Munich, and Oliver Stone, Hollywood’s most notorious director, is staring down the world’s most notorious hacker, Edward Snowden — or, at least, the actor who’s portraying him, Joseph Gordon-Levitt. Stone’s here filming his controversial biopic of Snowden. The film, which will be released in spring 2016, traces the whistleblower’s rise from lowly army enlistee to the National Security Agency contractor who exposed the U.S. government’s classified surveillance program.
But Stone isn’t just concerned about capturing the saga behind Snowden’s incredible leaks. He wants to make sure that no hacker comes after his film and leaks its secrets before the movie’s release. “It’s a major concern for every filmmaker,” he tells me, during a break from shooting. And it’s one that’s even more pronounced with a movie that promises to reveal more about Snowden than the world yet knows. “If you can hack his story,” Stone says with caution, “it would be a big prize.” In a way, Stone is making a meta-movie that no one has seen before, building a firewall around a film whose subject is an icon of bad infosec.
This explains the stealthy guy with the Fu Manchu beard milling around the set. He’s Ralph Echemendia, Hollywood’s go-to digital bodyguard, a reformed hacker from the dark side who now helps filmmakers, celebrities, and moguls keep their valuable data secure. It’s a challenge that’s only compounding as Hollywood — like the rest of the world — moves more and more of its content and communications online. “The concern is a lack of control,” Echemendia tells me.
Stone says such precautions, while new, are “the wave of the future.” In the wake of the giant hack against Sony Pictures last November, now marking its one-year anniversary, Hollywood is playing an increasingly wacky game of Whack-A-Mole, trying to club down one hacker only to find another one rearing its head. It’s a game coming at an increasingly costly price. Last month, court documents revealed that Sony will be coughing up as much as $8 million to settle a class action suit with employees whose personal information was compromised in the breach, and that’s likely just the tip of the iceberg. While the total potential cost of such hacks is hard to gauge, some estimate the bill could fall somewhere between $150 and $300 million based on similar incidents at other companies.
This is the big-screen version of how vulnerable it feels to live online in 2015, from Beverly Hills to Capitol Hill. Just a few weeks ago, CIA director John Brennan’s email account was hacked — with its content dumped online by Wikileaks — after he was compromised by what appears to be a high school student. And as Snowden’s most recent leak of documents on the U.S.’s clandestine drone program proves, the nation is fighting to future-proof itself before it’s too late. It’s a battle that’s leaving everyone on edge. As Stone tells me, “it’s a dicey, unknowable game.”
But this isn’t just a story about how easily Hollywood can get pwned. It’s a larger narrative laced in irony: how the movie studios created the myth of the hacker in the popular imagination, only to become victim of the real thing. Perhaps it was easier to believe the silver screen version of the threat, which often seemed to be personified by some scruffy genius in black surrounded by walls of HD monitors (see White House Down), blowing through high-end security systems like Swiss cheese. But it doesn’t take an evil genius or nation state to break through the firewall. In fact, you don’t even need to be a hacker to do it.
U HAVE TREAD
UPON MY DOMAIN &
MUST NOW SUFFER
WHO R U?
He starts to type ZERO…
WHO WANTS TO KNOW?
Dade’s screen dissolves into:
Unbelievable. A hacker!
— Hackers, 1995
Hollywood’s hacker war began on February 19, 2004 with a simple phone call. It happened at a T-Mobile store near Los Angeles. The caller told the salesperson he was from the T-Mobile headquarters in Washington. “We heard you’ve been having problems with your customer account tools?” the caller said.
“No, we haven’t had any problems really,” the clerk replied, “just a couple slowdowns. That’s about it.”
“Yes, that’s what is described here in the report,” the caller replied. “We’re going to have to look into this for a quick second.”
“All right, what do you need?” Then he dutifully gave the caller the company’s internal web site for managing customer accounts — along with his username and password to get on the system. The caller, in actuality, was a 16-year-old hacker from suburban Massachusetts, Cameron Lacroix. And, as Lacroix bragged to the Washington Post soon after, a little bit of social engineering was all it took to pull off the first big Hollywood hack.
Once inside T-Mobile’s system, Lacroix could simply look up the accounts of celebrities, reset their passwords, and get access to their data. First he prank-called Laurence Fishburne, quoting him passages from his role in The Matrix. Then he hit the mother lode: Paris Hilton’s Sidekick phone, including her address book, messages, and nude photos, which he leaked online for the world to see. After being caught and sentenced to four years in prison for this and other hacking crimes, Lacroix bragged that breaking Hollywood’s digital system was “easy,” adding, “too easy.”
And so it is that lone hackers with admittedly few technical skills have succeeded in repeatedly disrupting a multibillion dollar industry, with no remedy in sight.
No matter how sophisticated a security system may be, it is only as safe as the weakest link in the chain. Often that comes down to a single person who fails to follow proper protocol. This inherent weakness helps explain the popularity of one of the most common and effective hacker tactics of all: spear phishing.
In a spear-phishing attack, a hacker targets a specific company by probing for one careless person to open the door to the rest of the network. In practice, this means sending individual emails that look like they’re coming from someone you know, along with a link. But, in fact, it’s an attacker posing as your friend, and the link isn’t to some cute cat video: it’s malware that gives them total access to your computer.
Because Hollywood has so many layers of assistants and secretaries and makeup artists and stylists and agents and lawyers, and so on, that’s a lot of opportunity for a hacker who just needs one of these people to click a bad link to get inside. It gets worse. With everyone on their own devices, these increasingly virtual organizations are having people log on to their systems from hardware that the companies trying to secure their data don’t fully control. And because the town is so fluid, it’s not just the current employees who provide potential weak links — it’s anyone who has ever passed through the fold. “Hollywood has a problem now where it has to protect all this information from thousands of people,” Ernie Liu, the services manager investigating the Sony hack for FireEye, a leading computer security firm, tells me.
Think of it as the cost of convenience. Everyone wants immediate access to each other, to their work, their files, their scripts, their news, their gossip, all at a click of a button. There’s a buzzword in Silicon Valley, “friction,” which gets at this. People don’t want much friction between them and whatever is on the other side of their screen. And they’re willing to cut dangerous corners to get it. This includes clicking on links they shouldn’t click, and, more disastrously, setting up online accounts with flimsy security measures in place.
That’s why you don’t need to be Die Hard 4 supervillain Thomas Gabriel to turn the town upside down; it only takes one lonely dude with a lot of time on his hands.
It happened again in 2008 when Chris Chaney, an overweight, unemployed film geek in Jacksonville, Florida, took advantage of Hollywood’s weak-linked fence better than anyone. He wasn’t even a hacker, just a good guesser. After hitting correctly on the Gmail address of a celebrity, whose name he’d eventually forget in the flood of others that followed, Chaney just needed the right password to break in. To retrieve a lost password, all it often takes is answering a default security question.
I visited Chaney after he was caught and he explained his strategy to me this way: Celebrities love their pets — talking about them in interviews, posing with them for magazines. So when he ran into the security question checkpoint, he simply punched in the name of the actress’s dog. With not so much as a warning bark, he was in. From there, he used that one celebrity’s address book to find the emails of other stars, lawyers, and agents. He then went along, person by person, guessing their security answers and reading all their messages in turn. He even set a forwarding system in place, which would alert him any time his victims changed a password.
The lesson is clear: When the weakest link is people, which it so often is, there’s no need for high-level intrusion skills, zero day exploits, or keyboard heroics so often used to dramatize hacking in notorious fictionalized scenes from TV shows like NCIS and movies like Swordfish.
“His technical skill level compared … to everyone in that realm is very low,” Josh Sadowsky, the FBI special agent who investigated the case, tells me one afternoon recently at the FBI office in Los Angeles, “but he is very resourceful and he had a lot of time on his hands.”
Chaney had access to hundreds of thousands of emails coming and going from between his victims and their entourage of handlers, family, and friends. This lonely guy in Jacksonville held the town like a snow globe in the palm of his hand. He knew the backroom deals and blockbuster plans, the clandestine affairs and hidden fears, the actor who came off like a player but was really gay, the starlet who, unbeknownst to the media, had been diagnosed with cancer.
While tabloids dug for the slightest grain of dirt, the stuff in Chaney’s head was worth millions. All in, Chaney went undetected for not one, not two, but three epic years — sitting alone in his house as he read thousands of insider emails, perused nude photos, and knew more about Hollywood than anyone, ostensibly, in the business. It was only after he couldn’t contain himself anymore, and leaked nudes of Scarlett Johansson to a nefarious hacker, that he ended up getting busted.
Despite Chaney’s stiff sentence — 10 years in a federal prison — neither potential future victims nor perps got the message to change their game. And in August 2014, just a couple months before the Sony breach, the Internet got hit with yet another big Hollywood hacking scandal: a trove of hundreds of leaked celebrity nudes including Jennifer Lawrence, Kate Upton, and Kaley Cuoco. It got nicknamed The Fappening, as in “fap,” Internet slang for the sound of masturbation.
How could this have happened? That’s what everyone wanted to know. And yet, once again, the answer was way less technical than anyone expected. The celebs had simply been Chaneyed again. Hackers had targeted celebrity accounts on Apple’s iCloud online storage service, and, like Chaney, guessed the answers to their security questions in order to retrieve their passwords. In a statement, an Apple spokesperson called it “a practice that has become all too common on the Internet.”
None of this comes as a surprise to Wes Hsu, chief of the cyber crime unit at the U.S. Attorney’s Office in Los Angeles, which prosecutes most of the Hollywood hacking crimes. “I have foreseen things just getting worse as time goes on,” he tells me one day from his office in downtown LA. “It’s predictable that the scale of the problem is just gonna get worse, the more dependent we are [on technology].”
And here was the crazy thing, a signpost on the rocky road to come. Each of these attacks spelled out simple lessons about security and the dangers of storing personal data and intellectual property online — and yet each time, the lessons were ignored. Among Hsu, Sadowsky, and the other experts on the front lines, it’s not a matter of if someone or some company in Hollywood will get massively hacked again, it’s when. “It’s a shift in mindset,” as Liu of FireEye says, “it’s assuming that I will be compromised so when I am, not if, when I am compromised, what do I really care about?”
You like tequila, Stanley?
Helga shoots the tequila, then turns to Stanley, places her lips against his. The gold liquid drips from their lips as she spits it into Stanley’s mouth.
He pushes her away, breaking the liplock, and swallowing the tequila. She licks it from his face.
No need for modesty, we’re all friends here, Stanley.
This is bullshit. I came —
You want something from me, amigo, I want something from you. D.O.D. dBase, 128 bit R.S.A. encryption. Whattaya think? Impossible?
Stanley’s having a little trouble concentrating on Gabriel.
— Swordfish, 2001
It’s early January, just a little over a month after the Sony hack, and I’ve come to one of the best places to discuss it: ShmooCon, an annual gathering in Washington D.C. for the best hackers in the country. A few thousand (mainly) scruffy, black-clad guys and the occasional hipster woman have taken over the Hilton to swap lock picking techniques and wander the halls in virtual reality helmets.
Among the most renowned hackers here is Marc Rogers, a hulking, tattooed 41-year-old Brit inhaling his lunch across from me. He’s seen plenty during his decades in the computer underground, first as a black hat hacker, doing things he no longer wants to admit beyond an impish grin, and now as the principal security researcher for CloudFlare, a leading computer security firm. Rogers is also the head of security for Def Con, the largest confab of hackers on the planet, held in Vegas each summer, where he has the formidable job of keeping attendees from hacking room keys and stealing satellite dishes from the roof.
The hackers here still use the Sony breach as a case study in how companies can leave themselves exposed to epic attacks — one that remains just as relevant a year later. And the real story of what happened remains a mystery. Rogers is one of the foremost researchers independently investigating the infiltration and sharing his findings. And yet even Rogers remains awed and angered by the Sony hack. The popcorn movie telling of the attack has stuck with the North Korean plot: how an irascible dictator got so angry about a Seth Rogen movie that he attacked the motion picture studio in return. But, among seasoned computer security analysts like Rogers who know this world best, this storyline is not only unproven but distracting and dangerous. “When a nation state is believed to be involved, we throw our hands up and say, ‘oh, it could never have been prevented, game over,’” says Rogers. “That’s wrong. We should be talking about how this happened.”
And to understand how it happened, one has to understand that this wasn’t the first time Sony had been hacked. Four years ago, the company became a target after it sued a young coder, George Hotz, for hacking into the supposedly unhackable PlayStation 3 gaming console. Though Sony feared that Hotz had made it possible to play pirated games on its system, Hotz was actually more interested in restoring the ability to run the Linux operating system on the machine — an ability that Sony had removed despite the demand of geeks online. “Stupid move!” Hotz told me soon after. “You know how much Sony probably regrets that move today.”
Hackers broke into the company’s PlayStation Network — the company’s online gaming and entertainment subscription service — divulging the e-mail addresses, passwords, birthdays, and home addresses of 77 million PSN subscribers. It was among the top five data breaches of all time. Days later, hackers found an exploit in the Sony Online Entertainment service that allowed them to release the details of twenty-four million personal accounts.
It wasn’t just the wave of scores that left the company reeling, it was that the hackers had been having such an apparently easy time of it, looting like celebratory Droogs. What had started as a sort of Robin Hood campaign in defense of one of their own had become, ostensibly, a showcase for how lamely Sony had secured itself.
“We accessed EVERYTHING,” one of the hacker groups posted, and added rhetorically: “Why do you put such faith in a company that allows itself to become open to these simple attacks?” The pummeling not only left the company with a black eye, but with massive financial losses. Jim Kennedy, the senior vice-president of strategic communications for Sony Corporation of America, told me at the time that the company had learned its lesson. “In the end, it must be recognized that no system is absolutely foolproof,” he wrote me in an email. “Constant vigilance is essential.”
But, as Rogers and the other self-described “truthers” at ShmooCon say with a laugh, Sony didn’t seem to learn much at all. Security was still getting short shrift because, it seemed, it was seen as an unnecessary expense — or something they thought they had under control.
In a 2007 interview with CIO magazine, SPE Senior Vice President of Information Security Jason Spaltro admitted the company’s digital defense strategy is governed heavily by economics, saying “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss.” According to files spilled in the leak as reported by Fusion, at the time of the hack there were just 11 security personnel on staff, most in senior roles — three information security analysts, three managers, three directors, an executive director and one senior vice president. It’s unclear whether Sony Pictures’ security thinking has evolved significantly since then, or whether the escalating costs of the recent breaches have changed the company’s internal risk calculus.
A tight-fisted ROI stance would go a long way toward explaining the breach and the chaos that followed the Sony hack last fall. Rogers got on the case after seeing a suspicious photo making the rounds on Twitter. It showed a flier posted in an elevator at Sony Pictures in London which read “PLEASE DO NOT LOG ONTO YOUR PC EQUIPMENT OR COMPANY WIFI UNTIL FURTHER NOTICE.” A strange image had snapped onto the computer monitors across the offices of Sony Pictures from Los Angeles to London. It looked like an Iron Maiden stoner black light poster. A red-boned skeleton rose from a purple rocky enclave, crawling with green-skulled spiders.
Over the image were the words “Hacked by #GOP” along with a threat: “We’ve already warned you, and this is just the beginning,” the message read, “We have obtained all your internal data including secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.” Below the message were five links to what appeared to be Sony internal data. “It was like a bucket of cold water,” Rogers recalls. “I was like, ‘whoa, there’s something going on here!’”
Rogers and another guy who joins us for lunch — a ponytailed, soul-patched security researcher named Dan Tentler — are among those diving into the code to find out what had happened. Tentler co-founded Carbon Dynamics, a firm that does security testing for computer threats facing corporations and high net worth individuals, including celebrities. Tentler and others weren’t surprised to find Sony on the receiving end again. “People have been into their networks and out of their networks left and right and center,” Tentler says.
SPE spokesperson Jean Guerin had downplayed the breach to the press, at first saying simply, “We are investigating an IT matter.” But the hack soon took on a life of its own, leaving no doubt about its breadth and seriousness.
Notably, the leaked files included reams of sensitive emails discussing major Hollywood players in frank and unflattering terms, many written by or to Amy Pascal, the former co-chairperson of SPE’s Motion Pictures Group, who lost her job shortly after the hack. In one exchange, producer Scott Rudin called Angelina Jolie “a minimally talented spoiled brat.” In another, Pascal and Rudin joked about President Obama’s taste in movies, suggesting several African American-themed films: “Should I ask him if he liked DJANGO?” Pascal wrote. “12 YEARS,” Rudin replied. Pascal responded with other movies starring African Americans: “Or the butler. Or think like a man? [sic].” (Pascal declined to comment for this story.)
By Thanksgiving, Sony Pictures workers were still without online access or computers. Whatever the GOP (a.k.a. Guardians of Peace) wanted remained unclear and irrelevant, it seemed, as the leaks flooded the web in the coming days of December: unreleased movies (Fury, Annie, Mr. Turner, Still Alice and To Write Love On Her Arms), employee data (social security numbers, salaries, passwords, user names, PDFs of passports, including Angelina Jolie’s and Jonah Hill’s, and even custom jewelry orders from Tiffany’s), and corporate financials (budget reports, licensing deals, Federal tax returns).
With the Sony passwords on the Internet, the truthers took a sample and analyzed it. They looked at the length of the passwords, whether there seemed to be a policy in place governing the complexity of the passwords, and, if so, whether that was being used. The researchers were amazed to find that many of the passwords were contained in easily accessible plain text documents labeled “password,” and that many of the passwords themselves were just the word “password,” too. “This isn’t a simple slip-up,” as Rogers put it, “this is a serious organization-wide failure to implement anything like a reasonable security architecture.” The conclusion about Sony’s vulnerability: “The information that we looked at from Sony wasn’t good,” Tentler says, “but it wasn’t really any worse than anybody else.”
With The Interview due for a Christmas Day release, suspicions turned to North Korea, which had already dismissed the movie as “an evil act of provocation.” After weeks of speculation, the FBI released a statement confirming that “the North Korean government is responsible for these actions.” One of the key reasons the FBI cited was that the malware used to attack Sony was similar to malware previously linked to North Korea.
The truthers had a different take.
The malware had been publicly available for some time, and could have been picked up and used by anyone. Plus, the code found on the Sony machines had specific paths to the Sony passwords, indicating someone had intimate knowledge of Sony’s systems. There was no mention of The Interview in reference to the attack until after the media raised Rogen’s film as a possible explanation. Further, dumping Sony’s internal files onto the wide open Internet — instead of using them or selling them — suggested that the motivation was simply revenge, not intelligence gathering or extortion. “The attackers had many ways to become rich,” Rogers concluded. “Yet, instead, they chose to dump the data, rendering it useless. Likewise, I find it hard to believe that a ‘Nation State’ which lives by propaganda would be so willing to just throw away such an unprecedented level of access to the beating heart of Hollywood itself.”
Norse, a security firm also looking into the proof, said the data instead pinned the attack on a laid-off Sony technician under the pseudonym Lena. According to Norse senior vice president Kurt Stammberger, the GOP was not a nickname for North Korean hackers, but instead a group of scorned Sony ex-employees looking to get back at their bosses. “This is a company that was essentially nuked from the inside,” he told CBS News not long after the hack.
His company has yet to produce a smoking gun. But, like any good movie plot, there are twists and hints of conspiracy. Tentler says his girlfriend was at his apartment when she was paid a visit by federal agents who wondered about all the Sony data he was downloading. “Just to warn other security folk working on the Sony leaks — the FBI just visited my home,” he tweeted, shortly after they came to his place. “I wasn’t there, so I’m not sure what they wanted.” Tentler never heard from them again. But the question remains: why would the FBI care about some geek researching into the Sony hack if they knew North Korea was responsible all along? The FBI declined to comment.
INT. STOCK EXCHANGE SKYSCRAPER - ELEVATOR - DAY
Neo is reading the code of the building.
What can you see?
It's strange, the code is somehow different.
Is that good for us or bad for us?
Well, it looks like every floor is wired with explosives.
Bad for us.
— The Matrix Reloaded, 2003
On a chilly morning in February, I arrive at the Los Angeles office of FireEye, the computer security firm hired by Sony to investigate The Hack. But I find it curiously empty. Lights off. Desk chairs in the gray cubicles, abandoned. A lone white ping pong ball sits on the floor under its abandoned table. But, as Liu, the FireEye investigator on the Sony case, tells me, there’s a reason it’s so quiet. Since the firm took on the case in early December, they’ve been essentially camped out at Sony. “This is the first time I’ve been to the office in a month,” Liu, a young guy with spiky hair, bloodshot eyes, and a freshly pressed suit, says wearily.
FireEye and a company it recently acquired, Mandiant, have been on the front lines of Hollywood’s hacker war since the company started in 2004. Their job is not only to respond to the incidents, but to help out with everything from the public relations to the legal affairs. Liu compares his job to grief counseling. “I’ve actually had people cry in front of me because they’re so upset,” he says.
FireEye’s research adds yet another wrinkle to the North Korea theory: nation-state-backed hacking, it turns out, is not just a figment of paranoid cybersecurity officials and overly imaginative Hollywood screenwriters — it is real, and there’s evidence to show movie studios like Sony may be in the crosshairs, even if North Korea is not the most likely source of such attacks.
FireEye was warning about the vulnerability of Hollywood back in March 2014, months before The Hack, when it released a report saying that a different group of Southeast Asia based hackers had Hollywood in their sights. “Mandiant has observed high rates of China-based cyber intrusions against industries that China’s state authorities consider strategic — and entertainment is likely no different,” the report read. “We expect China to increasingly target the film and entertainment industry.”
The interest among the Chinese hackers had two key motivations, Mandiant reported: both to keep an eye on Hollywood content that might compete with their own entertainment releases, and, perhaps more important, to see how the country was being portrayed in upcoming films. Mandiant had already found that a hacker group from the People’s Liberation Army had, according to its report, “hacked into a leading U.S. entertainment conglomerate that produces and distributes creative properties worldwide.” (But the “conglomerate” wasn’t named.) The threat of cyber espionage had been growing steadily since February 2013, when security researchers traced hundreds of terabytes of stolen data from Fortune 500 companies to hackers in Shanghai.
Those prospects promise to significantly raise the ante in the future, security experts say, exposing companies in Hollywood and beyond not only to opportunistic low-tech malicious social engineers and phishers, but to far more disciplined and sophisticated hackers with long term goals who know how to use and even create their own custom exploits.
“The cyber challenges we are talking about are not theoretical, they are real,” Admiral Michael Rogers, commander of the U.S. Cyber Command and National Security Agency director, told the House Committee on Intelligence last November after the Sony hack. Rogers cautioned that the failure to respond could cause “truly catastrophic failures.”
It's D.E.R.T.'s opinion that it's too late to stop Day 1. But we think we can hold them at Day 2.
(shaking his head)
Hope you're stocking up on batteries because the assholes doing this are already loading Day 3!
What happens on Day 3?
Day 1 is them just fucking with you. Shut down the gas pumps, make you late for dinner, set off some alarms. The beginnings of panic. Day 2, the heavy shit starts, banks, Wall Street, crash the lifelines, screw with public confidence - but it's just a jerk off to get the government chasing its tail. While you assholes are busy trying to turn the phones and TVs back on, they're planning to cut the only lifeline that really counts.
(turns to McClane)
Power. Day 3. The only lifeline left will be electricity and, when the grid goes, so goes America.
— Live Free or Die Hard, 2007
It’s another perfect cocktail hour in Hollywood. The beautiful people are descending on a table of fine cheeses and wine. There’s the natty studio head talking with the scruffy producer in skinny jeans, the prime time actress nibbling a grape. But they don’t know what they’re in for this evening.
A little bit later, they gather in a windowless conference room where the town’s self-described “ethical hacker,” Ralph Echemendia, is up to his usual tricks: scaring the shit out of celebrities, agents, and movie producers. Echemendia is taking a break from his time working on the Snowden movie for Oliver Stone. Tonight, he’s here in the stylish offices of Anonymous Content, producers of films and TV shows including True Detective and Winter’s Bone, where he’s presenting a workshop he calls “Hacking Hollywood.”
It’s a crash course he gives around town, from production companies like this to invite-only seminars at the House of Blues on the Sunset Strip. The purpose is to educate the creative community about computer security threats, particularly now in the wake of The Hack. And, since this is Hollywood, there are also screenwriters and producers here looking to pick up some inspiration. “I want to get as authentic as possible,” says Sam Esmail, director of the hacker TV show hit, Mr. Robot, who’s here tonight along with the show’s star Rami Malek.
Esmail has hired hackers, including Echemendia, to be consultants on the show. As much as anything else the relationship has served to highlight the gap between their worlds. In one episode, the hired guns suggested Esmail riff on a real life practice, in which hackers litter booby-trapped USB sticks around in the hopes that a potential victim might inadvertently pick one up and plug it in their computer, thus installing a virus. It’s thought that this method was used to infect Iranian nuclear centrifuges with the Stuxnet worm, an attack attributed to Israel and the U.S. that some experts believe set back Iran’s uranium enrichment program by months. Esmail, a self-described “tech geek nerd,” and his writers considered this too simple to believe. “We just thought, ‘Who’s stupid enough to do that?’” he says. “We brought it up to Ralph and he quoted all these stats about Homeland Security people who fell for that. I still think that is crazy!”
Reality, as he and others are realizing, is crazier than anyone can invent. “Sony opened everyone’s eyes, big time,” the organizer of the event, Anonymous Content producer Chad Hamilton, tells me. “People are freaked out.” Hamilton asked Echemendia to come here tonight to freak the attendees out some more — and hopefully encourage them to beef up their own security so they don’t end up in flames like so many hacking victims in town before.
Echemendia is dressed for the part tonight. He’s all in black with a jangle of silver jewelry like some dark arts wizard teleported in from The Matrix. At one point, he magically causes one producer’s phone in the room to ring showing the caller ID of a writer sitting across the table. “Holy shit,” the producer says, looking at his phone. “How’d you do that?”
“It’s called spoofing,” Echemendia explains. This is a way to fake a phone call or a text message so that it looks like you’re being contacted by someone you know. Spoofing has wreaked all sorts of havoc in Hollywood. Prankish hackers fake 911 calls to look as if they come from inside the homes of stars including the Kardashians and Justin Bieber — causing SWAT teams to show up at the confused celeb’s doorstep. Ashton Kutcher, Justin Timberlake, Selena Gomez, and, most recently, Lil’ Wayne, have all been victims of swatting.
But here’s the twist: spoofing, despite the producer’s awe, isn’t difficult to do at all. Anyone can simply go on to the web, and buy a so-called Spoof Card, which gives you easy access to pulling off the trick. It’s legal, because doctors and lawyers might use it to appear as if they’re calling from their offices instead of their cell phones. But of course, like any other tool, it can be abused. And this is one of Echemendia’s main missives from the other side of the hacker underworld: to be an expert hacker, you don’t even have to be much of a hacker anymore.
Echemendia understands this better than most in town. Born in Cuba and raised in Miami, he’s been hacking since 14 — at least once, crossing the legal line. “My parents got out of a really large phone bill once,” he tells me, with a smile. “I made it disappear.” But Echemendia, like many enterprising black hat hackers, saw a straighter life ahead, and applied his skills to computer security training. After getting his first break in Miami by creating a secure online ticketing system for the Marley family, Echemendia became a kind of cyber-bouncer for celebrities. When Eminem’s album got leaked early online, Echemendia was among the investigators.
Leaks of content, not just nudes, have been a mounting problem in Hollywood. For years, much of this material was copied from the DVD screeners sent annually to the panel of insiders tapped as Oscars judges — the cinema’s elite — although pirates have more recently turned to alternate HD-quality sources. Wolverine, The Expendables, and Twilight are among the films that have been compromised prior to release. The Twilight leak happened after the hacker broke into the email of Twilight author Stephenie Meyer. Though the method of the attack was never revealed, most infiltrations occur through phishing. Once inside Meyer’s account, the attacker simply phished others in Meyer’s address book. Compounding the problem is that the content is increasingly digital, which means it’s just files flying around the production unit’s emails. “In this industry,” Echemendia says, “they’ve done absolutely nothing, zero, nothing to address the fact that they’ve gone completely digital.”
Of course, Echemendia and other security specialists live off these vulnerabilities. It’s a common criticism of the security industry: that they drum up fear so that you have to hire them to help you. But he makes a good point. Hollywood is a content industry in which the content is now rendered in bits. And while the studios might be pouring $150 million into a film budget, how much of that is going toward protecting their data?
At most companies when something goes haywire, they call their IT department. But perhaps the companies instead need chief computer security officers, tasked specifically with protecting their goods. “If your company is based on digital intellectual property, you better have somebody that’s responsible for defending that,” Echemendia says, “because your company could be gone the next day if someone has access to it.”
At least some filmmakers appear to be starting to change their ways. For Stone, Echemendia has created a custom security system which ensures that every bit of the production — from the latest dailies to Stone’s communications with Snowden himself — is encrypted and safe. Rather than rely on off-the-shelf messaging services, the production is using a customized system for all its communications — from emails to file-sharing. Instead of sending dailies via Dropbox, they use their own systems. There’s also a monitoring program set up so that anomalies in the traffic create immediate alerts. Stone won’t reveal the cost of his system, but Echemendia says other films could emulate what they’ve done for as little as 1% of their budgets.
While numbers specifically on Hollywood spending don’t exist, Gartner, a technology research firm, reports that U.S. businesses will be spending over $1 billion a year to protect their data. In addition to directors such as Stone hiring private security consultants, studios are employing the services of firms such as Watchdox, IntraLinks and Varonis, according to a recent story in The New York Times. Lulu Zezza, head of digital security for New Regency pictures, told the Times that “Post-Sony, getting people to cooperate with me has been a completely different experience. Everyone gets that life has to change.”
Surviving the Age of Exploits is not just a matter of technical prowess. No matter how secure a company is, it only takes one bad click to let in the bad guys. The race then is not so much about building an impenetrable firewall, but becoming resilient enough to catch the intrusions before they wreak major damage. It’s also a matter of educating crews and cast to take their own privacy and security seriously.
In the Anonymous Content meeting, for example, talk turns to the Fappening, and how stars, such as those in the room, are now using two-step authentication (requiring a special code sent via text message in addition to a password to get into accounts) on social media sites. But when Echemendia tells them how easily webcams can be hacked, even one of the Fappening victims in the room, Shameless star Emmy Rossum, remains incredulous. “I mean how many times do I leave my computer open and walk around the room doing god knows what?” she says, sipping from a glass of wine. “So we should just live with a little piece of tape over webcam?” She goes on, “Note to self.”
That’s not the only note making its way around town. Given the incriminating personal emails that have been dumped by hackers online — whether Pascal’s or Brennan’s — people seem to finally be getting the message to keep the snark to phone calls or, better yet, lunches at the Ivy. “After the Sony hack,” Rossum tells me during a break, “everyone thought, well, maybe if you don’t have anything nice to say, definitely don’t write it in an email.”
For Stone, who’s putting the finishing touches on his Snowden film, the threats from Hollywood’s decade-long hacker war are loud and clear. “For any film at this point in the game, you saw what happened to Sony,” Stone adds, “you make all that work and if the film gets hacked and appears for free on the Net you wouldn’t be too happy.” And, for the record — and not surprisingly — Stone doesn’t believe North Korea was behind the Sony Hack at all. “I think it’s bogus,” he tells me. “The evidence presented was just government propaganda.” So who does he think was behind it? “It was probably done by someone with inside knowledge,” he says, “and who was disenchanted with their situation.”
As Stone prepares the Snowden film for release, the hacks continue. Spectre, the new James Bond film, was available on peer-to-peer trading sites on Nov. 6, the same day as the United States theatrical release. Meanwhile, just months after the Sony breach, hacked pictures of model Charlotte McKinney in the nude appeared online, prompting headlines such as “Fappening All Over Again?” One day later, the trailer for the blockbuster movie “Batman vs. Superman” leaked early on the Web. Somewhere on the Internet, the hackers who released the clip watched the Dark Knight goad his rival, just as they were taunting the studio they pwned. “Tell me, do you bleed?” Batman bellowed, “you will.”