Ocean’s 8

Zero Cool
Published in h0llyw00d h4x0rs
11 min read, Nov 23, 2018

It’s good to know that years of studying computer science, software engineering, cryptography, and network security have not all been for nothing. Because now I can finally use those skills, to assess how good at hacking Rihanna is. I want my childhood back.

Rihanna plays Nine Ball aka Baller, a badass weed-smoking pool-playing computer hacker enlisted to help pull off the heist. Because you can’t rob anything without a computer hacker. She refuses to give her real name, which is a strong start, and shows off her skills almost immediately by shutting off the lights in the crew’s business-casual warehouse.

Now the hideout truly is off the grid

Hacking into utilities is a Hollywood staple, presumably because it gives a quick and easy visual indicator of proficiency. I’m going to assume she didn’t hack the lights themselves, given I have Philips Hue bulbs everywhere and struggle to turn them on and off remotely while stood three feet away.

More likely she just cut the power to the building. This is fairly unrealistic as it assumes the power supply is in any way networked, and not all hooked up via a fuse box from the 40s. But it always looks cool so I’ll give it a pass. Although more realistic would be: everything refusing to turn back on, Nine Ball muttering as she makes her way to the basement, resetting the trip in the fuse box, and every electronic device in a half-mile radius beeping in unison, for a solid five minutes, along with the microwave never working again.

The main hack of the movie is Nine Ball gaining access to the security infrastructure of the museum where the heist is to take place. Everything shown after is just a lot of staring at webcams, which all sounds plausible, so let’s focus on how she initially gained entry.

Rather than simply hack the museum servers, Nine Ball decides to pick a target from the personnel directory on their website. Specifically, the “McCallister Staff”, which appears to be the name of the museum’s security department. Evidently named after Kevin McCallister (whose home security was the stuff of legend).

Notice all the emails are of the domain mccallsec.com, which if you go to in real life has a nice fan message:

From the personnel list she decides to go for Paul Damanian, department head of “Visual Matrix Design”. How does she find him? By stalking him on Facebook, of course! And then using his love of Wheaten Terriers to design a crappy email campaign she just knows he’ll click on.

Phishing Expedition

This kind of attack is called phishing, and is being depicted more and more often in movies; which is great because it’s exactly the kind of thing that happens in real life. Tailored to one specific person using details scraped from their social media, as it is here, it goes by the name spear phishing. Hacking a secure computer network from the outside can be impossibly difficult and take months. Why go to all that effort when you can trick some dude into opening a dodgy email attachment?

Everyone thinks they’d be too smart to fall for it, but it’s precisely how John Podesta got his emails hacked before they wound up on Wikileaks. And, sure enough, Paul takes the bait here too; which gives Baller full access to his work computer.

Enter the Visual Matrix

This picture doesn’t look like much, but it’s the sort of thing security professionals love to pause and peruse. We get out plenty. You can tell a lot by shots of the hacker’s desktop, and it’s nice to see things done properly even if it’s only on screen for a second and almost all of the audience won’t care. It’s the hacking equivalent of bumping the lamp.

And this one has a lot going for it at a glance. In the bottom right you see a terminal, and the title bar says “root@kali”. That’s great attention to detail, as Kali is a Linux distribution dedicated to security and penetration testing: it’s what real-life hackers and pentesters would use.

There’s also an icon for the Iceweasel web browser (a version of Firefox without the trademarked name or artwork). No hacker would be caught dead using Internet Explorer, but the hardcore would also avoid Chrome because of the association with Google.

Finally, on the very left of the screen there’s what looks like code. All hackers can code, so why wouldn’t there be some? However, on closer inspection it’s immediately clear something is off. The code is clearly JavaScript in an html page (what with the tags). It also has comments in it, which say things like “colorpicker” and “sliders”. Seems odd for a hacking tool?

Here’s where my spidey sense tells me they got lazy. Hollywood has gotten into a trend of showing random code on-screen. But rather than commission any which looks plausible, they instead find some online. And sure enough, after a quick sleuth, I found that very same file.

It was sitting in a GitHub repository. What’s GitHub? It’s a website that hosts code of any and all varieties publicly; it’s used heavily by the open source community, which means there’s loads of free code on it. Anyone, including a Hollywood SFX tech, can search it to find code for just about anything. And so I did a quick Google search for “github webcam hacking” and you’ll never guess what I found…

1337 hacking tools

Second result! Hilariously, the top result purports to be a webcam hacking detector, that can detect:

“programs that use computer Webcam with or without your knowledge”

There’s no code for this miraculous tool, only an .exe file you can run if you’re brave enough.

The irony is, the code they picked is very much not for hacking webcams. It’s a guy called Jorik messing around with showing stuff from a webcam on a webpage. The description reads “Some hacking with getUserMedia and canvas”, but hacking here is used in the sense of “messing around” not “computer hacking”. Easy to confuse, I know.

The code in the film comes from the file “greenscreen.html” and evidently is meant to be used in conjunction with something else to load your face onto a webpage and let you play around with the colours. Here’s what it looks like loaded up:

Jorik now works as a UX Engineer for Google; I wonder if he knows his silly test project from 2013 was used by Rihanna to help pull off a major diamond heist?

Having hacked into the guy’s computer, Nine Ball’s work is just beginning. It’s a sign of improvement that she doesn’t just stop here. Older films may have left the rest as read: “he clicked the thing, so now she controls everything!!”. But sadly, that’s not really how hacking works in practice. Having access to your laptop doesn’t automatically give me your Gmail password, and on networks run by actual security companies, there are differing levels of access and passwords everywhere. And so, (Not-So-Straight) Baller goes to work looking for privilege escalation to get access to the good stuff, while Paul basks in the privilege society already gave him while looking at dog pictures.

Serious Hacker Face

She starts by searching for the “camera matrix”. It was only at this point I realised the “Visual Matrix” from Paul’s job title is probably the name of the system for running the security cameras and she was specifically targeting the department head who’d definitely have access to it. So bonus points there.

One quibble is that this is meant to be running on Paul’s machine, which runs Windows. However, the program featured is clearly the GNOME System Monitor, a Linux equivalent of the Windows Task Manager, which is why it looks like it’s crawled out of the 80s. The search itself is coming back with file names (e.g. “MET camera_policy.pdf”) as opposed to actual processes such as “Adobe Acrobat” which, if you think about it too hard, doesn’t make a lick of sense, but I’ll let it slide.

After finding the program/process/thing she’s looking for, she’s immediately greeted with…a password prompt. But being the ace hacker she is, Rihanna has just the thing to deal with such an eventuality: a magic box.

Now, despite being only five seconds long, there’s a lot going wrong in this clip so I’ll go through all the reasons it’s terrible one by one.

First off, the entire premise of using the box doesn’t make sense. The box is specialised hardware designed solely to brute force passwords (try every possible combination). It’s the sort of thing you’d use if you were trying to break an electronic safe or lock and you didn’t want to lug an entire computer around. They’ve mostly fallen out of use these days as manufacturers have wised up and added lockouts after one too many unsuccessful attempts; rather than let you try four billion passwords in the space of five minutes. Brute force still has its place, but that place is offline, against a stolen copy of the password hash, not against a live login prompt that can count your failures.

It makes no sense that Nine Ball’s using it over the internet. It’s plugged into her computer, and the prompt it’s attacking is on Paul’s machine at the other end of a network connection, so every single guess has to make the round trip. In which case, why does she have a password cracking box when she could just, uhm, write a computer program to do the exact same thing?

Klingon Password Cracker

Secondly, it’s displaying the passwords it’s trying on the box. That doesn’t make sense because a) it should be trying at minimum thousands a second so they’d be going so fast you wouldn’t be able to see, and b) even if it was only showing a sample, who cares what all the incorrect passwords look like: “oh yeah, for an extra $50 we can make the box show you a list of all the passwords it isn’t”.

Doubly bad is that literally all the passwords displayed in the scene are ridiculous. In the picture above it’s trying a password with a space in it and a character I’ve never seen before in my life. The trick to brute forcing a password is to start with the simplest or most common ones and work your way up. That’s because you don’t want to be sat there for four hours only to find out the password was “123456” (if that is your password please change it now). But here Balldora’s Box is freestyling with the Cyrillic alphabet after three-and-a-half seconds.

Let’s skirt around the fact the box is only trying passwords eight characters long, meanwhile on the screen it’s twelve. It’s the sort of thing that gives hackers rage-induced hernias but nobody else cares about. Instead, we need to talk about password boxes.

As anyone who’s ever logged into a computer knows, the way every password box works is: for every character you type, one placeholder (an asterisk or a dot) is displayed. Every password box except this one. This one is showing a random combination of visible characters and asterisks, and even though completely different passwords are being tried, only some of the characters change at any one time. This visual device is nothing like how any sort of password system works. Passwords are either right or wrong. Password boxes never go “oh you got it wrong that time, but the 6th and 9th letters were right so we’ll just leave them there as-is for you”. And they had better not, because a prompt that leaked which positions were correct would let you crack each character on its own: twelve positions from a 95-character set is 95 × 12 guesses instead of 95 to the power of 12.
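Since the ordering point and the right-or-wrong point are the two things the box gets most wrong, here’s a small added example of my own (not code from the film, from the post’s screenshots, or from Jorik’s repo) that does it properly. The Target class is a made-up stand-in for a login prompt that stores a hash, answers only True or False, and locks after a set number of failures; the six-entry wordlist is constructed for the example, and the 95-character alphabet used in the last calculation is the usual printable-ASCII assumption.

```python
"""Added example, not from the film or the post: a toy cracker that shows why
guesses are ordered cheapest-first, why a lockout stops online guessing, and
why a password check only ever answers right or wrong."""
import hashlib
import hmac
import itertools
import string

# Constructed sample wordlist, most common first. Real lists run to millions of
# entries; six are enough to show the ordering.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein", "wheaten1"]

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols for the brute-force phase


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


class Target:
    """Hypothetical stand-in for the login prompt (made up for this example).

    check() answers only True or False. Nothing about which characters were
    right ever leaks, and after max_attempts failures it locks for good.
    """

    def __init__(self, password, max_attempts=None):
        self._stored = _digest(password)   # the prompt keeps a hash, never the password
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def check(self, guess):
        if self.locked:
            raise PermissionError("locked out")
        self.attempts += 1
        ok = hmac.compare_digest(self._stored, _digest(guess))  # constant-time, all-or-nothing
        if not ok and self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def candidates(max_len):
    """Yield guesses cheapest-first: the wordlist, then short-to-long brute force."""
    seen = set()
    for word in COMMON_PASSWORDS:
        seen.add(word)
        yield word
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            guess = "".join(chars)
            if guess not in seen:   # don't re-try something the wordlist already covered
                yield guess


def crack(target, max_len=4):
    """Return (password, attempts); password is None if locked out or exhausted."""
    for guess in candidates(max_len):
        try:
            if target.check(guess):
                return guess, target.attempts
        except PermissionError:
            return None, target.attempts
    return None, target.attempts


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """How long a full brute force of one password length takes at a given rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print(crack(Target("wheaten1")))              # found in the wordlist after 6 attempts
    print(crack(Target("abc")))                   # wordlist misses, brute force finds it
    print(crack(Target("abc", max_attempts=5)))   # five wrong guesses and we're locked out
    # Years to exhaust 12 printable-ASCII characters at a billion guesses a second:
    print(seconds_to_exhaust(12, 95, 1e9) / (365 * 86400))
```

Run it and watch the third line: with a five-attempt lockout the cracker never even reaches the brute-force phase, which is exactly why Rihanna’s box would be useless against a real login prompt. The last line is the rough number of years a twelve-character password drawn from 95 printable characters takes to exhaust at a billion guesses a second, for anyone still wondering why the eight-versus-twelve thing matters.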

The icing on the cake is while the password is being cracked, we see that very same code again in the background. Only this time it’s moving. Moving.

Where’s that code on the left coming from?! The magic box is cracking the password, Baller isn’t even typing and yet the code’s off in a corner writing itself. Seemingly, Nine Ball has created AI and ordered it to produce colour pickers of questionable quality.

After finally cracking the password, Nine Ball is finally into the main application: the “Visual Matrix Controller”:

Here we have a very strange blend, where the window decoration is the same as her Linux computer, even though it’s meant to be running on Paul’s Windows machine (notice the red cross in the corner). But the app itself looks like it was made in Microsoft Word. Or rather, it is Microsoft Word. It literally has the ribbon interface in the top corner, complete with the text formatting icons and the shape creator. What the hell is going on?

Depiction wise, this film is an absolute state. It’s annoying because there’s so much it gets right. Lots of little details that show some of it was definitely done by someone who knows their stuff. For example, in this very picture, tucked away in the bottom left corner:

This is output from NSE, the Nmap Scripting Engine. A tool in every hacker’s toolkit. In The Matrix Reloaded Trinity uses Nmap when she hacks into the power station: that’s a real hack! That was a big deal in 2003, and that very same tool is casually being shown here. It’s also shown more prominently later on when scanning the necklace, and indeed, that shot made it on to Nmap’s movies page.

Whoever added that must have been reduced to tears when they found out what else was going to be depicted. Knowing all their hard work was going to be overshadowed by Rihanna’s visual-metaphor-in-a-box. It’s heartbreaking.

It’s somehow worse when a film gets the little things right but the big things wrong, because it means they do know better. I imagine professionals in every field feel this way when they see films that depict their work. Like a civil engineer watching a bridge get built over the course of a film, with all the welding correct and the expansion joints, or whatever, well designed, only for the camera to pan out to reveal the entire thing is constructed out of Lego.

Some films depict hacking in a way that suggests the lights are on but nobody’s home. Ocean’s 8 depicts it like everyone’s home, but the lights are off and they won’t switch back on.

Grade: C

Creating GUI interfaces using Visual Basic since 2001