Swordfish

Zero Cool
Published in h0llyw00d h4x0rs
18 min read · Apr 27, 2022
Film cover image

Swordfish is a 2001 action thriller about an ex-computer hacker becoming involved in an elaborate bank robbery. The film is distributed by Warner Bros, who always open their movies with the same intro; it’s an aerial shot of some studio buildings, which then pan into a rotating Warner Bros logo. However, for lots of movies, they jazz it up. Like in The Matrix, where the entire sequence is in green. In Swordfish, the title sequence glitches out like it was recorded on a spectacularly bad VHS tape. Because, as we all know, you can’t have hacking without it looking like the very video stream has been compromised en route to your screen.

Gif of film intro sequence
Something’s up with the TV signal again

The film preposterously stars John Travolta, Hugh Jackman, Halle Berry, and Don Cheadle, which goes to show that a star-studded cast is usually married to a shit-stained script.

Hugh Jackman plays Stanley Jobson, the world’s second best hacker — presumably as voted for in Hacker Monthly. He doesn’t look, sound, or act like a hacker. In fact, the only distinguishing features from a standard Hugh Jackman role are that he’s wearing an earring and loves his children. Given he’s not a proper hacker, he doesn’t have a proper hacker name. And so for the rest of this piece I’ll be referring to him as Jobsworth.

The first hack of the movie occurs a half hour in, where Jobsworth is tasked with hacking into the Department of Defence in 60 seconds, while Vinnie Jones points a gun to his head, while receiving a blowjob, while John Travolta and Halle Berry both watch. You may want to take a few seconds to process all of that.

DoD Hack

Department of Defence login page
Restricted access only, unlike most password logins which are famously unrestricted access

We start with a classic Hollywood login page. It’s not clear from the picture if this is meant to be a website login, or an internal system available directly over a network. However, Travolta describes it as “DoD dBase, 128-bit encryption”.

The problem here is the lingo doesn’t match the imagery. We clearly see a login box, with a username and password, yet Travolta calls it dBase, which is a database management system (think of it as the original Microsoft Access). It’s also not clear if this dBase is a set of encrypted database files stolen by Travolta, or if he’s trying to break into a remote database. I say it’s not clear because it’s implied to be over a network, but lots of other things only make sense if it’s not. I’m also worried they don’t even mean dBase and they just think it’s a cool abbreviation for “database” that hackers use.

Travolta asks how Jobsworth intends to perform the hack: “maybe slide in a Trojan horse hiding a worm”. Are you actually kidding me?

A worm is a type of malware designed to spread, and we’re breaking into a single database here. A trojan horse (these days just called a trojan), is malware that’s designed to look like a legitimate piece of software. Much like its namesake, the idea is you sneak nefarious software onto a computer by tricking the user into willingly installing it. Which is also not what is happening here.

Jobsworth gets to work on his hack, starting with the help of his trusty compiler:

Jobsworth’s screen while hacking
Hello my name is Jobsworth and I use HackerOS

A compiler is a piece of software that’s used by programmers to help translate their code into files a computer can actually run e.g. a “.exe” file. So the idea here is that he’s writing some code to help him do the hack.

To the right of the code, is a list of six IP addresses. This makes no sense, as they’ve got nothing to do with the code at all. Nothing. They’re also all invalid addresses. IPv4 addresses are split into blocks, with each block numbered 0–255. But each of those addresses has a number above 255 for one of the blocks. Were the producers scared they’d inspire a generation of hackers if they dared to include a valid IP address?

At the bottom of the screen we have 3 things going on, all of which are wrong:

  1. There is a table with some binary in it, among other things. This is a table of EBCDIC codes, and without going into details is only relevant to IBM machines and Jobsworth is using a Dell. Even if he were using an IBM machine, showing this table at all times would be completely useless. Maybe he’s using the tool remotely on the server, I hear you not say. Well, it’d still be wrong as he said the server is a PDP-10 which doesn’t use it either.
  2. There seems to be some sort of typing aid, suggesting words as he types, under the EBCDIC table. Only literally none of the words correspond to what he’s typing. Instead, they’re generic computery terms such as “database”, “search”, and “telnet”.
  3. The words Tx Rx are off to the side by themselves. Those terms are related to modem connection speed, but they forgot to include any numbers with them so they’re also useless.

You may have noticed I’ve not mentioned what the code itself is doing or where it’s from. I was saving it until last because it’s a doozy.

The code on the screen is written in the C programming language, and it actually is related to DES. It’s a snippet from the Electronic Frontier Foundation’s DES cracker! They probably got this code from a book the EFF published in 1998 called Cracking DES — Secrets of Encryption Research, Wiretap Politics & Chip Design.

To explain what that’s all about, let’s go on a brief tangent.

Data Encryption Standard (DES)

DES is a standard for encrypting data. It was designed by IBM, and first published in 1975. Originally it was meant to have a key size of 128 bits (all you need to know here is a larger size is usually better). But after consulting with the NSA, they changed it to 56 bits, which ruffled some feathers.

This shorter key size was widely believed to make the algorithm insecure, and allow for the NSA to decrypt messages using their vast computing resources. To prove this point, RSA Security set up a series of challenges called the DES Challenges starting in 1997. They provided a series of DES-encrypted messages, and the goal was to decrypt those messages by brute force (trying every possible key). RSA Security consulted for Warner Bros for Swordfish, which is presumably why it says DES in the first place.

The first two DES challenges were solved using distributed computing. Essentially lots of volunteers ran some software on their computers, which collaboratively tried all the possible keys over a span of weeks/months.

Meanwhile, the EFF was designing their own dedicated machine to do the job, which they called Deep Crack (playing on IBM’s Deep Blue chess computer which had beaten Garry Kasparov a year earlier). The EFF are all absolute heroes, and if you care about digital privacy you should totally donate to them.

Deep Crack won the third DES challenge, owing to the fact it was able to try 90 billion keys per second, and could successfully decrypt any message encrypted with 56 bit DES in 9 days. The machine cost around $250,000 to build, which made it well within the realm of medium-sized companies, never mind state actors. Along with the machine, the EFF also published the Cracking DES book, which contained an explanation of how they built it along with the full source code they used to interface with it.

Fun fact: in 2021 people are still making DES cracking machines! The best of them is the crack.sh DES cracker which can crack any 56-bit DES key in 26 hours or less!

Back to DoD Hack

The source code Jobsworth is typing is from Chapter 5 page 37 of the Cracking DES book. Specifically, the code reads the configuration file to set up the machine. Real hacker stuff.

There are two problems with Jobsworth’s approach here. The first is that the full code he’s typing out, off the top of his head, is 46 pages long in the book and he only has 60 seconds. The second is that he does not have the DES cracking machine, which feels like a critical omission. I don’t think Travolta would need the second-best hacker in the world if the task was: “can you decrypt this DES-encrypted file using this $250,000 dedicated DES cracking machine I’ve kindly provided”.

That said, even if he managed to type all 46 pages of code, and then successfully compiled, ran it, and used it to control the dedicated EFF machine that takes up to 9 days to run, then it still wouldn’t work. And that’s because the machine is for cracking 56-bit DES. But the film makes a point about this being “DES 128-bit”.

So what is DES 128-bit? It doesn’t exist. After the DES Challenges proved that 56-bit DES was insecure, DES was superseded by a new algorithm called Advanced Encryption Standard (AES) in 2001. AES does come in a 128-bit variety, but DES never has and never will. So this entire scene is 128 bits of bullshit.
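To put numbers on the key-size argument above, here is an added example (not code from the film, the EFF book or the original post): it brute-forces a deliberately tiny 16-bit key on a toy SHA-256 XOR cipher standing in for DES, then scales the worst-case search time to 56 and 128 bits at the 90 billion keys per second quoted for Deep Crack. The cipher, the key and the function names are all made up for illustration.

```python
import hashlib

DEEP_CRACK_KEYS_PER_SEC = 90e9  # rate quoted in the article for Deep Crack


def toy_encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """Toy stand-in cipher (NOT DES): XOR with a SHA-256-derived keystream.

    Only meant for short messages (up to 32 bytes, one digest).
    """
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = hashlib.sha256(key_bytes).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def exhaustive_search(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key in order; return (key, keys_tried) or (None, keys_tried)."""
    for candidate in range(2 ** key_bits):
        if toy_encrypt(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, candidate + 1
    return None, 2 ** key_bits


def worst_case_days(key_bits: int,
                    keys_per_second: float = DEEP_CRACK_KEYS_PER_SEC) -> float:
    """Days needed to try every key of the given size at a fixed rate."""
    return (2 ** key_bits) / keys_per_second / 86400


def demo():
    # Constructed inputs: a 16-bit key keeps the search to 65,536 tries.
    secret_key, key_bits = 0xBEEF, 16
    plaintext = b"constructed msg"
    ciphertext = toy_encrypt(secret_key, key_bits, plaintext)
    found, tried = exhaustive_search(ciphertext, plaintext, key_bits)
    return {
        "found_key": found,
        "keys_tried": tried,
        "days_56_bit": worst_case_days(56),
        "years_128_bit": worst_case_days(128) / 365.25,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every extra key bit doubles the work, so the 72 extra bits of a 128-bit key multiply the 56-bit search time by 2^72.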

Access denied page

Unsurprisingly, Jobsworth’s first attempt fails. Although I suspect the film isn’t quite using the same logic as me as to why…

Undeterred, Jobsworth moves to a completely different approach via his patent-pending speed typing approach.

Jobsworth typing in a ridiculous fashion, with all 10 fingers moving randomly
Is he even hitting most of those keys?

This time he attempts to guess the password using what appears to be a list of common account names across various types of servers. The list is unique enough that they definitely cribbed it from The Neophyte’s Guide to hacking (1993 Edition).

This is another case of the depiction not knowing what it wants to be. Is he trying to guess a decryption key or is he trying to guess a username and password combination? It can’t be both. It also makes no sense that he’d be trying huge lists of possible user accounts. If you have 60 seconds to guess a username and password combination, you had better already know a valid username for it.

A list of common words on Jobsworth’s screen

After that fails too, he sticks with the same approach, typing in lists of words and then bafflingly moving onto numbers, before his time runs out.

A series of numbers
Is this a password? A raw DES key? What the hell is going on

Turns out, the gun to his head was just a prank. Oh you jokester Travolta, what are you like? However, after the nick of time he presses enter and turns his computer around to reveal:

A screenshot of the laptop and screen showing the hack being performed

This shot is only on screen for a fraction of a second, which is good because it makes absolutely no sense. Compiling encrypted passkey? It manages to be wrong in 3 different ways in only 3 words:

  1. You don’t compile keys, you compile code.
  2. Why is the passkey encrypted? He’s meant to be finding a key to decrypt something, not encrypting anything.
  3. Why is it called a passkey? He’s looking for a key, the word is just key. It’s not short for passkey. A passkey is what you use to get into your room in some hotels or another term for a Bluetooth pairing code. Neither of which is happening here.

And yet somehow…it works! The magic of Hollywood.

A screenshot of the access granted screen

To be fair to Swordfish, everyone else is also confused about how he managed to pull off the hack, as later on in the film Travolta asks explicitly, to which Jobsworth answers by saying: “I dropped a logic bomb through the trap door”. Halle Berry correctly spots that this is nonsense, and replies “no you didn’t”, before ruining it by adding “you didn’t have time”.

A logic bomb is some software that triggers when a logical condition is met. For example, some code that deletes critical files should a certain employee be terminated. A logic bomb wouldn’t be relevant here, given he’s hacking into a system, not setting some disastrous future consequence to happen to a system he already has access to.

His next answer is “I used a password sniffer”, which is similarly wrong. A password sniffer is software that scans network traffic for passwords broadcast over that network, which isn’t what he was trying to do here either.

Finally, Jobsworth says: “I don’t know exactly. I see the code in my head. I can’t explain it”, which I guess would be more impressive if said code hadn’t been already published in a book 3 years prior. Jobsworth is evidently Rain Man, but for hacking. Regular old Dustin Hackman.

Hail Hydra

Having successfully hacked into/decrypted/logic bombed/whatever’d the Department of Defence, Jobsworth is now in the pro league. He’s given access to John Travolta’s big boy computer, which you can tell because it has seven screens. Seven. No word on whether that’s also seven computers, or just one poor Pentium struggling to power all those screens.

A screenshot of Travolta’s 7 screen display setup
Oh mama

It’s not just a multi-screen system, though. It also has a DS3 connection, which allows it to access seven different networks simultaneously. That’s one a screen!

What they need from Jobsworth is for him to build them a worm. But not just any old worm: a Hydra. Which is “a multi-headed worm to sniff out footprints across an encrypted network”.

If you’ve never heard the word Hydra in this context before, that’ll be because they made it up. Computer programs can already do multiple things without having a dedicated term for it. The Stuxnet worm, for example, is famed for how complex it is and how many things it can do.

Apparently, the network is being encrypted by a “Vernam encryption”. There’s only one Vernam cipher, although it’s better known as the “one-time pad” technique. The idea is you encrypt a message with a key that’s as many characters as the original message. It’s not practical to secure any sort of network ever, they just picked something they thought sounded good without doing even a cursory check.

Jobsworth calls Vernam: “a true 128-bit encryption”. Halle Berry ups the ante, by revealing that it’s actually 512-bit here. Neither of which makes sense. The key has as many bits as the message that’s being encrypted, it’s pretty fundamental to how this thing works. In fact, the cryptography in this movie is so bad I found a post on a crypto blog solely dedicated to complaining about it.
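The point about key length, as an added example (not from the film or the original post): a Vernam pad is generated to match the message bit for bit, and stretching a fixed 128-bit key over a longer message by repeating it stops being a Vernam cipher, because the key cancels out between blocks. Function names, the fixed key and the sample message are made up for illustration.

```python
import secrets

# Constructed sample message (43 bytes, so 344 bits).
MESSAGE = b"TRANSFER 9.5 BILLION TO MONTE CARLO ACCOUNT"
# Constructed fixed "128-bit" key, for the repeated-key comparison only.
FIXED_KEY = bytes(range(16))


def vernam(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad of exactly the same length (encrypts and decrypts)."""
    if len(pad) != len(data):
        raise ValueError(
            f"pad is {len(pad) * 8} bits but the message is {len(data) * 8} bits"
        )
    return bytes(d ^ k for d, k in zip(data, pad))


def encrypt_one_time(message: bytes):
    """Generate a fresh random pad as long as the message and encrypt with it."""
    pad = secrets.token_bytes(len(message))
    return pad, vernam(message, pad)


def repeated_key_xor(data: bytes, key: bytes) -> bytes:
    """What a fixed-size key forces on a longer message: repeating the key."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def key_cancels_between_blocks(message: bytes, key: bytes) -> bool:
    """True if XOR of the first two ciphertext blocks equals XOR of the first
    two plaintext blocks, i.e. the repeated key has dropped out entirely."""
    n = len(key)
    ct = repeated_key_xor(message, key)
    c_xor = bytes(a ^ b for a, b in zip(ct[:n], ct[n:2 * n]))
    p_xor = bytes(a ^ b for a, b in zip(message[:n], message[n:2 * n]))
    return c_xor == p_xor


if __name__ == "__main__":
    pad, ciphertext = encrypt_one_time(MESSAGE)
    print("message bits:", len(MESSAGE) * 8, "pad bits:", len(pad) * 8)
    print("round trip ok:", vernam(ciphertext, pad) == MESSAGE)
    print("repeated key cancels:", key_cancels_between_blocks(MESSAGE, FIXED_KEY))
```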

So the plan is to: “go in over the phone lines, pop the firewall, drop in the hydra, and wait for the money”. Simples! But first, they’re going to need that Hydra…

Crouching Tiger, Hidden Worm

Jobsworth handily has a worm that he always uses, the source code of which he’s hidden in an old mainframe computer run by his alma mater (where nobody would ever think to look).

A screenshot of some inexplicable code

The alumni page is running off an IP address that in real life is invalid, like all the IP addresses in this movie. The login page is using RSA, which doesn’t make much sense but they did consult on this movie so I guess it’s more of an easter egg.

The code shown is cribbed from a detailed hacking guide called Hacking Kit, published in 1997. Well, I say published. It’s not a book so much as a long text file that was widely available on the internet at the time. It explains how to break into Linux servers, and also handily includes some scripts to help you. The code featured here is Perl code from one such script called “cmount.pl”. This script essentially allows you to scan the entire internet for an insecure type of file server that you can just log into without a password. Which, surprise surprise, has nothing to do with what Jobsworth is trying to do here.

I’m also not convinced by the logic of storing the code for your hacking tools on an old mainframe. It sounds cool, but in real life, you don’t have to hide such things: you can just encrypt the files and store them wherever. In the film, encryption can apparently always be broken by hacking savants, but outside of the film, PGP has been around since 1991 and if you PGP-encrypted a file in 1991 even the NSA still wouldn’t be able to decrypt it today.

Worm Creation

A gif showing the worm generator tool loading

The worm generator is a tool to generate worms, apparently. It’s also a visual tool, because everyone knows all the best hackers use point-and-click.

There’s a menu on the left-hand side, which betrays the fact that this tool is actually AutoCAD, a computer-aided design package historically used by architects and engineers to design things like buildings and cars. What an innovator Jobsworth is, I bet he can also DJ using MS Paint.

You may also have noticed the sideways scrolling text. Hollywood loves scrolling text and weird characters. Static screens are perceived to be too boring, so if possible everything needs to move around to give the illusion of excitement.

A screenshot showing the worm generator tool

So now we have our worm generator tool. It’s green because, I mean, how else could you hack? And it also has what appears to be a tetradecahedron prominently displayed for absolutely no reason.

And we’ve not even gotten to the text yet. Oh boy.

Having text on the left and the right like this is inherently ludicrous, especially when you have seven screens, but the text itself also makes very little sense. The main thing to remember about code and hacking is that everything means something. What looks generic at a glance is usually unbelievably specific.

The top left has output from a hacking tool called Hunt. They probably copied it from a book called “Hack Proofing Your Network”. Hunt is used for monitoring another connection on the same network. Think of it as the network equivalent of peeking over someone’s shoulder as they’re using their PC. Makes no sense it would be here.

Directly under that, we inexplicably have an HTTP connection although it describes it as “TCP” with a version number that doesn’t exist in real life. Underneath that, and also to the right, is some Perl code. I can’t even find where they got this from, but it’s both invalid and basically doesn’t do anything. I despair.

With the generator loaded, Jobsworth gets to work building his worm. He does this by slotting in pre-built components:

It’s spelled algorithm

The components are modules, which as I mentioned earlier complex worms like Stuxnet actually do have. Here it shows us what at least one looks like:

A screenshot showing the source code to one of the worm modules

This is more code from EFF’s DES cracker, which why not I guess. It didn’t work for the DoD, and he has the entire thing memorised anyway, but may as well throw it in.

The scene is meant to illustrate Jobsworth working hard on his worm, but it doesn’t make a lick of sense. The reason he’s struggling is that some combinations of modules seemingly cause the worm to fail to generate, which means he has to start over.

Obviously, this isn’t really how software works. All the modules would have been built so they could all be used at the same time. It’s a bit like he’s designing a cutlery set but the fork is made out of wood and the knife is made out of sandpaper. In reality, he’d just have a worm with all possible functionality built-in from the get-go, and then just turn off bits he doesn’t need.

The worm itself is to be used to steal a bunch of money from a bank. For reasons it’s not worth explaining, the worm needs to run from inside the bank itself and so there’s a heist involved. Later in the film, we get to see it all up and running:

A screenshot of the stolen funds being transferred

Good job he remembered the “password database query” module! Interestingly, it (top right picture) also says port 120. Network connections between computers happen on ports numbered between 0 and 65535. Why that many? Well 65536 is 2¹⁶, and powers of 2 crop up everywhere in computing, so the reason is ultimately related to the size of the data type expected to be used to read network packets.

By convention, certain ports are used for particular things, for example, the web uses port 80 for unencrypted connections and 443 for encrypted connections. Port 120 is listed as only really being used by the Skun trojan, which was first discovered in 2002 — one year after Swordfish was released.

A screenshot of the stolen funds successfully being transferred
Why is there a photo of a keyboard in the background?

After the Hydra has done its thing, Travolta is now 9.5 billion dollars richer. Thank God there were exactly the right number of boxes to display the number!

Surely this movie is done with the hacking now? If only. There’s quite a silly exchange where all the money goes missing again while Jobsworth is leaving the building.

Bank screen showing the funds have all gone missing
Your account has exactly zero zero zero zero zero zero zero zero zero zero dollars and zero zero cents

Unfortunately, Jobsworth is apprehended and it’s revealed he programmed the software to steal the funds back and move them to different accounts every 60 seconds. You could say it’s gone in 60 seconds, but I’d rather you didn’t.

He set this up to run long after he was safely gone, but evidently messed up the timing what with only being the second-best hacker. Ironically this actually does qualify as a logic bomb, so of course nobody in the film bothers to call it that.

After being confronted, Jobsworth says: “The accounts are encrypted with a 1024-bit cipher, even I can’t break through the firewall” which, you guessed it, makes no sense. Encryption and firewalls are two very different concepts.

However, it turns out Travolta is an expert in what we in the industry call rubber-hose cryptanalysis, illustrated by this XKCD comic:

Comic illustrating the weakest element in cryptography is whoever you can beat with a stick until they tell you the password

With Travolta now hanging Halle Berry from a rope until he gets his money back, Jobsworth gets to work retrieving the funds:

This code is interesting in that it clearly doesn’t make sense at a glance, but took me quite some time to figure out exactly what it’s even meant to be.

It seems they’ve tacked some code onto the end of the output of the traceroute command. Traceroute is to do with networking and has no good reason to be on this screen.

The code is in a language called N-Code, which is specific to a tool called Network Flight Recorder (NFR). NFR isn’t around anymore, but it was a tool that let you scan and filter network traffic. This particular code is cribbed from a book called Hacking Exposed: Network Security Secrets and Solutions, published in 1999.

What this code does is detect when someone is scanning your computer to see what public services it’s running. This is called a port scan, because how it works is by just trying to connect to every possible port (all 65536) and seeing which ones you get a response to. If you get a response on, say, port 80, then you know the machine is almost certainly running a web server.

So this code is for use in a defensive tool, which doesn’t fit here. They’ve then lazily tacked some words that vaguely resemble code onto the end (starting with “, timer clock”):

This pseudo-code seems to say if a timer is at a specific time then magically route all the money to the Monte Carlo bank account. This has nothing to do with monitoring network traffic and doesn’t make sense in more ways than I can count, which is par for the course at this point.
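The detection idea described above, one source touching many ports on a host in a short time, as an added Python example over a constructed connection log. This is not the N-Code from the film or from Hacking Exposed; the log format, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed log lines: '<epoch_seconds> <src_ip> <dst_ip> <dst_port>'."""
    lines = [
        "1000 198.51.100.7 192.0.2.10 80",
        "1002 198.51.100.7 192.0.2.10 443",
        "1003 not-a-valid-line",
        "1004 198.51.100.7 192.0.2.10 70000",  # outside 0-65535, ignored
    ]
    # One source walking ports 20..39 on the same host, one probe per second.
    lines += [f"{1010 + i} 203.0.113.5 192.0.2.10 {20 + i}" for i in range(20)]
    # An ordinary client hitting the same web port again and again.
    lines += [f"{1030 + i} 198.51.100.7 192.0.2.10 443" for i in range(30)]
    return lines


def detect_port_scans(log_lines, window=60, threshold=15):
    """Flag (src, dst) pairs that touch >= threshold distinct ports in window seconds.

    Assumes lines arrive in timestamp order. Returns
    {(src, dst): (time_of_first_alert, distinct_ports_at_that_time)}.
    """
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port)
    alerts = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        ts_text, src, dst, port_text = parts
        try:
            ts, port = float(ts_text), int(port_text)
        except ValueError:
            continue
        if not 0 <= port <= 65535:
            continue  # not a valid 16-bit port number
        events = recent[(src, dst)]
        events.append((ts, port))
        # Drop events that have fallen out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct_ports = {p for _, p in events}
        if len(distinct_ports) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = (ts, len(distinct_ports))
    return alerts


if __name__ == "__main__":
    for (src, dst), (ts, count) in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {count} ports by t={ts}")
```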

Summary

There’s a bit in the film where Travolta explains the art of misdirection, which is fitting because this entire movie is like a cheap magic trick. A magic trick which only works if you never look at what’s right in front of you.

I don’t know why RSA Security consulted for this movie because clearly their advice was unheeded. At every step of the way the logic of what Jobsworth is supposed to be doing is deeply flawed, all of the technical terms are used incorrectly, and most of the code is cribbed from hacking guides and then used in completely the wrong way anyway.

There are no redeeming features here; everyone involved should be ashamed of themselves.

Grade: F
