Title : The Remote Computer Requires Network Level Authentication
i want to introduce kim who is going to do mr. robot panel, thank you. unfortunately we don't have any clips for you but we do have a great panel of experts here who are going to answer all of your technical questions i am going to introduce the panel, we definitely want it to be interactive
we all know that we are here for mr. robot panel, right? you all know the show, right?

kim: so, i'm going to start with some overview questions... primarily, initially directed at kor. i want everyone to jump in, if any questions are relevant to you.
just to get started on some overview, i wanted kor -- just give us an idea how exactly the show came together.

kor: can you guys hear me now? alright, really quickly, before i get into that, there are two members of the consulting team who couldn't be with us today: michael bazzell and james plouffe. michael, if you're here, put your hand up... you're supposed to be here... no. alright, um, inspiration for the show. our creator and showrunner sam esmail -- he is egyptian, and he has relatives who are living in egypt, who experienced the arab spring. and dealing with that, and knowing how a younger generation was able to use technology in a way to thwart internet censorship to get the access that they needed to technology and social media was a huge inspiration for mr. robot. that, coupled with the fact that sam and, i believe, many people in this room share
this disdain for how hollywood has portrayed technology and hacking in film and tv up till this point and upon my first meeting with him -- that's the first thing we bonded over, was how much we hated that how much we cringe every time we see a show about hacking or movie about hacking we wanted to do it right, and we thought that doing it in a realistic way would be dramatic, and would be enticing and compelling. and that really empowered me to just -- and i got in a lot of fights and altercations since that moment and i still continue to do so, but it's all in the name of making it authentic and making it realistic. hopefully, we're doing a good job of that, and will continue to do a good job of that. so those are the two main inspirations for the show.
kim: so how did sam get the characterization of elliott alderson so spot on? because it's not just the hacks that hollywood gets wrong, it gets wrong the hackers and the culture of the community.

kor: so, sam dabbled a bit in hacking as a teenager, but by no means does he refer to himself as "hacker" these days. but it's interesting, having been exposed to both worlds -- writing and the tech community i see that, just the isolation, the stress, the anxiety, the social awkwardness, the amount of time spent alone in front of a computer, problem-solving... how frustrated i used to get when i tried to code, tried to solve a problem and i couldn't figure it out, is very similar to the stresses i experienced breaking a story, or trying to nail a scene, or writing scripts... so i think the comparison between a hacker and a writer from an anxiety perspective... it's very, very similar.
and the drug usage, the social awkwardness, all of this... i think sam has infused his experience as a writer, and put it into this hacker character. and it works because those worlds are very similar, and being able to make those connections, as to how similar those two worlds are and of course, you're using different parts of your brain. but still, i think a lot of the isolation and loneliness is rampant in both worlds. which is why it works, which is why so many people in this community can relate to elliott. because... it's hard being alone. i think it's one of the great things about defcon, we get to get together and actually talk to each other -- in real life.

kim: but he also gets at -- the other hackers that we see in shows are sort of, let's just say, "black hat," where they're all powerful, and they're not human, essentially. and elliott is very "human," and very psychologically messed up a lot of things, mentally unstable, and... those elements all exist in this community, we have suicides (inaudible) stuff like that, and he gets that

kor: and i again, i think that's prevalent in the writer's community, as well. it's another similarity. it's the engine that makes the show work.
and i think the character of vulnerability is what draws you in and makes him relatable. he's not a superhero, he's terribly flawed, but he has good intentions, and wants to change the world for the better, even if doing so, he ends up destroying the world. it's compelling.

kim: i wanted to ask about forming this group of consultants. because the first season, the first show, the pilot, was done without you. and then after it got picked up, you came on board. but you only had one consultant at that time, that first year, correct?

kor: yeah, it was me and michael bazzell that first season. the role didn't really exist, i kind of just fell into it. i was working for sam, i was in the room, i was pitching ideas and he knew i had a cybersecurity background, so he knew that i could help in that way, so i remember looking at the original "bible" for season one and the evil corp hack that he had planned out was very... fantastical and kind of crazy, and i said if we want to ground this in reality, this is how i would do it, and this is where your data targets would be,
and these would be the methods of taking them down, and from that we kind of explored the attacking the off-site tape backups and the redundant data center in china, or the disaster recovery (inaudible)... so we kind of formed the network infrastructure of evil corp early on, and that dictated our trajectory for season one, the big hack of season one. and it was me and michael bazzell coming up with a lot of those ideas, incorporating them into the show... and was lucky enough to form an even bigger team for season two, which was awesome.

kim: so, why don't you walk us through... i just want to get to the hacking -- so, a lot of the hacking appears to be grabbed straight from the headlines, and also from black hat and defcon -- let's just admit, you're cribbing from us, right?
kor: i totally am.

kim: so, the prison hack was defcon 2011.

kor: defcon 19.

kim: tiffany rad.

kor: there was a whitepaper, a great demo i found on youtube, that i studied, and that was the inspiration for that last hack in that show. so, definitely, ripping you guys off.

kim: so you have the ransomware, the iot (internet of things) hacking, obviously, latest episode, you have hacking android phones with the rogue femtocell, and also the affiliate link hack
that darlene does to get free food. so explain to us, what is the process for coming up with the hacks, do you have a hack idea first, and then it gets written in to the plot, is the plot written first, and then you come up with the hack that fits the plot... and how do you guys work together?

kor: so, the story ideas come first. the story will always come first. we will always act in the best interest of the story. so i'm in the room every day with a group of very talented ideas, pitching story ideas, trying to nail down the structure and the arcs for the season, and there are breaks
in those discussions where sam will say "alright, here we need to have a hack, we don't know what it's going to be, but elliott's going to hack, and he's gonna be in this point in the story after we're done." so, after that, i'll reach out to my team -- these guys -- and we'll have a brainstorming session, saying we need to work within the confines of this story point, we need to get elliott from point a to point b, and what is available to us, what's realistic, and what makes sense, what's efficient, what's smart, what would be cool to see visually on-screen. so it's weird that we kind of have two different writers groups working in tandem -- we have
the story writers' group, and we have our technical writers group. we throw out ideas, argue with each other, try and find the best option, and once we finalize the best idea together, i bring it back to the room, and it gets incorporated into the script. and at that point it's really short, general description -- a couple sentences that describes the hack: big picture. once we get to production, that's where the nitty-gritty detail work starts, and we actually have to pull off the hack. so i need to work with the props department to make sure the hardware looks completely
accurate -- they've never heard of a raspberry pi before, so i have to tell them exactly "here's where you can buy one, here's the model we need." tour the set, to make sure we don't have a ridiculous amount of cat5 cables all over the arcade, there are only like 5 workstations there. i have to work really closely with an animator, and these guys, to nail exactly what the screen content looks like. so, oftentimes, one of these guys will do the hack for real, and send me screenshots or video of it, and then i have to take it to a flash animator, and we build out an interactive animation based on what these guys did.
and it's something we can put in front of rami or christian, and they don't have to think about it, they can hit the wrong keystrokes, and the right characters will show up on-screen, and the screen will behave the right way we need it to. and we shoot all of these sequences practically. sam hates using green screen. i hate using green screen, so we don't burn it in after the fact. and even that process -- these guys will tell you how many times i've called them at 4 in the morning saying "we need to fix this and it needs to be ready by 9am." and i have to work with an animator to go through like 15, 20 revisions, and make sure
there are no typos, and make sure everything is working properly, if we're going to rebuild this terminal sequence, or whatever screens you're seeing. and then i work with the actors and try to get it right, and then i work with a completely separate a small splinter group, to shoot all of clips that need to be inserted in building out these sequences. so there'll be great shots of hands on a keyboard, make sure that they're hitting alt-tab when they need to toggle windows at the right time. little, little things that you don't think about, that no one in production in hollywood really cares about.
but on this show, it's a big deal to us to nail those details. and luckily, you guys are picking up on it, and we're really happy about it.

andre: i just want to say, i've worked on some of the largest breaches in u.s. history, and working for kor is worse than all of them. because at least when i go home from the f.b.i., i was at home... kor would still call me at 3 o'clock in the morning and say "i need you to do a video of exactly the output that elliott would be doing, and send it to me in the next hour because we're doing the animation." but what was cool is that if you notice that there's some easter eggs that are there.
when it doesn't work, we have to work through it for several hours, or change the hack. there's multiple times in which -- i won't go through all of them, but we had a hack in place, and it was in the script, and we had it ready to go, and then all of a sudden, actually when we tried to do the hack, it did not work.

kim: can you elaborate on that? can you tell us about the hack, and what didn't work?

andre: uh... no, because we may actually use it again, but i'll allude to the fact that the first episode, the hack that you saw was not the original hack.

kor: he's referring to the ransomware attack in the first episode of season two.

andre:
but even then, it goes beyond just a hack. with that particular episode, it was the set design, we need to be able to have a bank, and systems that we would need, and the type of personnel that would have access to the type of systems that we want, and how we would portray that on the show and make it realistic, so people could say "yes, someone with that skill set, or someone with that job would have access to that system, and if i plug in that device, or i access a specific system, it could pivot to the next system, and then have a cascading effect." that's the level of detail that we're going in, because i know that you guys are looking at the same thing, and we don't want to make csi cyber, where (inaudible)

marc: it's
also really surprising how disproportionate the amount of work that goes into something like (inaudible) if you look at some of the smallest things, like the affiliate link hack, only a couple seconds of screen time. that was days of discussion, because the original script -- the hack was laid out, we hated it. we wanted to shape it into something that would really work, so we went round and round, and we re-shaped it into something which, ultimately, people were dissecting and writing entire articles on those few seconds -- that's when you know we got it right.

kim: what was it originally that you rejected?
are you guys familiar with what he's talking about?

marc: darlene's getting free food by using affiliate links that belong to her boyfriend, so she gets credited for whatever clicks that he should be credited for. the original hack involved dns cache poisoning, and this massively elaborate thing... and i looked at it and... that's not realistic. there's no way you would expect that level of effort for something as simple as that, when there are so many other elegant, simple ways in which you could do it. and we bounced around the team, came up with multiple different options, and the one we went with at the end was actually we would target a specific piece of infrastructure,
the proxy apn, and by compromising that, anything that goes through that apn gets re-written into whatever we want. and the net result is a realistic hack that could be pulled off in the real world, and have real world implications, and that's the kind of hack that i want to see.

kim: so this was the hack involving the postmates website, where anytime anyone would order food, darlene would get a $10 coupon for free food.

kor: and something else that i should just note -- if we have an issue with a hack, the script changes. i go to sam or the other writers and i say we need to find another way around this.
and it's interesting because, i think the most common argument i have around the room, especially in season 2, sam would want a big hack that's intricate and complicated, and it'll fill this page, to turn the scene, to get elliott to this next point in the story... and then when we talked about it, we'd be like "it's pretty simple, and it's smarter and more efficient to do this, but it's not as sexy on screen." so if i throw that idea out, sam will say "well that sucks, i don't want to do that, that's boring." so, we have to strike that balance of what is visually compelling, what will move the story forward, and still meet the expectations of the tech crowd that is analyzing the technology
that we use, and the motivations for the hack, the tactics that are used.

ryan: for me it's almost like being in a virtual penetration test, where if you've ever done pentesting or red team work, you always end up in a situation where you're a couple days in, nothing you've tried is working, and you're kind of stuck -- you have a set of things you have access to and you have a set of goals, and you've gotta figure out how to cross that chasm and get from a to b. and a lot of times the story is exactly that -- kor will come to us and say "here's the context, here's what needs to come out of it," and it's awesome that if that requires certain dialogue or tweaks to the scene to make it real, they're totally willing to do that.
the second part that's hard is -- my initial reaction to a lot of these is "wow, how are we going to make this technically accurate?" and it's that same sort of conundrum, and you brainstorm the way you do when you're actually in a real-world pentest -- well, if i did this and then this and then this, that actually could kind of get the characters there. and then it's all about, let's do it on screen, let's get some real tools such as kali linux, let's simulate as much as possible, and then streamline it down to what fits in a couple seconds of screen time.

andre: on the other side of that what's very hard is -- if you haven't caught up, you know
that the f.b.i. is about to be hacked -- having walked through the technical accuracy of hacking the fbi without disclosing state secrets and having national security implications, and being able to do it in such a way that you're able to gain access to information that will advance fsociety, but not reveal anything that i don't want anyone in this room to be able to also leverage.

kor: we must have had, i don't know how many hours of discussing fbi infrastructure and how to hack the fbi. a lot of work went into it.

marc: i know so much about hacking the fbi now.
andre: and the fbi knows that you know that.

kim: i want to go back to the hacking, but i wanted to jump to opsec (operations security) for a second. jeff wrote a great article for playboy in which he pointed out some of the opsec issues with the hacking group.

jeff: it's tough because i love the show, and so i don't want to be that guy on the side of the room picking off "oh, they forgot the comma," but you tell the story about how sam sits there, the moment somebody online says something negative about the show, sam calls you "did we get that right?" because he's so obsessed.
so it's tough because i want to provide criticism, and insight, but i don't want to tell you your job. so that's why my last article was talking about surveillance operations and i was trying to guess "is she being followed?" are you trying to show that darlene is freaking out, is she seeing ghosts where there aren't any?" so i decided no, she's probably getting followed, there's some dark army action going on, there's some fbi action, so let's just pretend she's being followed -- what did she just do wrong, and what did the followers do wrong?
you would never reveal yourself as a follower unless you were trying to send a message to the person you were following. you would only do that if you want them to change their behavior or spook them, and then see what their reaction is, see how they behave. reveal that you're following them, you force an error, and what does that error reveal. you see this in tv all the time, so i've been having a lot of fun with it, because i'm tying it back to other books and movies, and trying to draw a broader picture. but so far, you've been getting almost everything right, which is pretty cool. surveillance is really, really hard to do, and at some point you're going to have to
start criticising by saying "how do these people who've never done this before professionally, they don't have professional training" -- you don't learn how to do tag-team surveillance, counter-surveillance, unless you actually do it... so at some point, i'm waiting for them to put on vr goggles and say "no wait i'm practicing my counter-surveillance," so we're just assuming they have all this skill and all this knowledge. so at some point i'm waiting for the backstory of "how'd they learn all this stuff?"

marc: if we ever do that, or if we ever drop a cat5 cable out of an airplane, i want you to all kill me.

kor: there is something else i want to touch on, echoing what ryan was saying about using
real tools.

kim: it's one of the things we've all seen, is that they're actually using the tools, we've seen dave kennedy's set (social engineer toolkit) tool, and everything else, and kor is very adamant about making sure, not just that the hacks are correct, but that tools are correct -- but he gets a lot of grief for it.

kor: it is an ongoing struggle between me and the legal department at nbc universal, in an effort to clear real hacking tools on the show, especially using the tools in a way there are maybe helping a hack, or associated with a hack, there's some negative connection. and unfortunately our roles are pitted against each other.
they want to minimize legal risk, and i want to make the most authentic show that i can. so it is very difficult for me to convince our clearance department to reach out to companies and to ask permission to use a tool. it's very, very hard. i've had so many conversations, very intense conversations around that very topic. we've taken risks -- marc has reached out to members of the community, i've reached out to members of the community, we got some great feedback, and luckily these people were fans of the show, so we were able to incorporate that software and hardware in the show... but it's much easier for me if you guys reach out to me directly.
if you guys reach out and say "hey, i want to showcase my tool or this piece of software in the show," i want to hear about it. and i've read some articles recently about product placement and integration, and that's all bullshit. the theme of this show is consumerism and consumer culture, and from day one sam and i -- we've always talked about wanting to use as many brands as possible, wanting to showcase as many brands as possible, and really explore the world of people who work in businesses and how they operate. so it helps us to ground the show in reality if we can use real software.
so if you guys want your tools showcased in the show, let me know -- it's much easier if you express interest first instead of me having to convince a conglomerate to reach out to you.

kim: you actually used a real company for the ddos, prolexic.

kor: we used a lot of real companies in the first season, and there are these instances where we do a kind of "knock-off" where it looks like a specific tool, but we can't make it exactly like it. and i just want to stay away from that, i would much rather use real tools and solutions.

kim: marc, you had said that you're doing the real simulations of the hacks, and you're
going through the steps. you talked about actually consulting with outside experts in certain cases, different expertise, to figure out kinetic reactions and things like that -- want to talk about that for a second?

marc: yeah, it's not just me, everyone on the team has reached out -- there are a couple of i'd love to talk about all of this stuff, but we can't -- because i don't want to give spoilers that could damage the story, spoiling the illusions (inaudible) let's just say, there are a number of things that happen in different parts of the show, and if we have any doubts about the realism, if we have any concerns about the physics involved, or the
science behind it, we will reach out to experts, professors in some cases, and talk to them, and say "in this hypothetical situation, which i can't tell you about, i can't tell you why, would this work? is it realistic? how would you expect it to happen? is there any advice you can give us about what to expect?" and we take that on board and use that to show what we do, and ultimately the production team uses that to shape everything that goes on from that point.

kor: and we do that with everything, by the way, it's not just from an it perspective
or a scientific perspective, even from an economics perspective, or a psychology perspective, we seek out experts in those fields, to make sure we are nailing the accuracy of what would a post "5/9" world look like, how would elliott react to certain situations, dealing with his delusions and inner demons. so it's something we always want to reach out to experts in those fields.

kim: so what are your favorite hacks so far in the show? doesn't have to be one that you worked on, or it could be.

jeff: well the one where i was finally all in on the show was when i started seeing hacks fail.
because normally the hack always works, just at the right time, and i think it was toward the end of season one when they were dropping usb keys and the keys didn't work, and then the police department antivirus caught something, all that stuff made me think "ok, great, how are they gonna problem-solve, how are they gonna get around that?" the failure that they had was actually more impressive to me than the success of the hack.

ryan: the first thing that hooked me was actually really simple, when elliott was guessing people's passwords -- the fact that it wasn't like conventional tv depictions where it was just guessing something super obvious like "password1," it was combinations of password patterns that people often use, like last two digits of the year you were born, with a really common
password phrase, if you've ever done password cracking or looked at a statistical analysis of most common password patterns in dumps, you see exactly that. so his whole mindset about figuring out passwords for different targets and how realistically that was portrayed really made me realize "wow they're actually thinking about this in a realistic manner."

andre: for me, season 2 episode 1, where you had the booby-trapped computer... i've been in so many situations where i've watched my peers not do the proper chain of custody of evidence collection for incident response and it's very accurate when you're the local state police departments that are still trying to figure out how to deal with
computers and how to deal with digital evidence, it was just very accurate and you'll see that as the season grows that there's more of an fbi presence, and how the fbi would deal with incident response and data breach, but that was a pretty cool hack.

kor: this is always a hard question for me because i'm really torn, you know i love a lot of the hacks that we did season 1 and season 2, but if i had to choose one it would probably be episode 5 when mobley is set to spoof a text message to one of the workers to create a diversion.

kim: this is at the data center where elliott is trying to deposit the raspberry pi and he spoofs---

kor: actually my favorite might be the raspberry pi, i take it back

ryan:
in that same episode, when they edit the wikipedia page, to give elliott his cover, the amazing part is that -- i'm seeing that scene for the first time and thinking "well that's not realistic, because if that's a high profile person's wikipedia page, it's not just going to be editable by everyone," but no, the dialogue in the show one scene later sets credibility for him having spent all those years building up reputation so that he could edit those wikipedia pages.

jeff: i remember watching that scene and thinking "uh-oh, elliott didn't put on any gloves and his fingerprints are all over that raspberry pi."

marc: i have to say i love all of them, and for me the biggest thing was i watched the
whole season 1 and i didn't throw anything at the tv.

kim: you had said that when we talked that your goal of going into season 2 was actually to make the hacks more elaborate than season 1, and you were also concerned that the hacking could become repetitive. because hackers tend to, when they find something successful they tend to repeat it over and over and over again. so how are you going to (inaudible) for five years. how are you going to get over that issue of repetition?

marc: i think the way they're doing it is by widening the team, bringing on new minds
with new ideas. it is tough, because in the real world as a hacker, you'll have certain things that you do really well, and you'll keep using them because they're successful, why change them? but that doesn't make for great tv, because "ok, so he's going to throw the usb sticks down again, yay." much better to be accomplishing more interesting things by bringing in new characters and bringing in new experts

ryan: i've been fortunate to work with a lot of people in different disciplines, and one of the things that was fun for me working on a few of the really elaborate hacks
that are coming later in the season was trying to draw on a few different disciplines that hadn't previously been shown in the preceding hacks. so you think about all the different fields, reverse engineering, application layer exploits, and we're just scratching the surface of the types of hacks you see, the types of devices that are targeted, the techniques that people are using. so, yeah hacking can get repetitive, but i think there's still this whole world of things we can show that are both realistic for the situation, and for people who are pausing the screen and tweeting the screenshots, some good stuff for you.

kor: just so you guys know, that's a primary problem that we discuss internally, this group
here, we're constantly talking about these ideas about -- what would be the most efficient hack to use for this situation. and then someone will throw out an idea, and i'll have to say "no, we did that in episode 3 of season 1, so we can't do that again, we have to think of something else that still makes sense." so we have to justify why we're not doing that again, and why we're using this new tactic, and why that makes sense for this episode.

kim: what mistakes have you made? kor and jeff brought up the fact that sam and you are basically on reddit and twitter,
you're not watching the shows when they are but you're watching the reactions to the show and when people do point out the mistakes, he makes sure that you know about them.

kor: in season 1 there were some screens that had typos, and there were things that just slipped through the cracks, some point in screen capture in one of the pdfs, there was a lot of just gibberish, and that was because the animator -- he didn't fall asleep, but just ran the text that i gave him through this randomizer and put that into it because there was a clearance issue and it just slipped through. so i fixed it for the second time we saw it in episode 6 or 7, i believe, but then i think on elliott's drug report in episode 3, marijuana is spelled incorrectly.
things like that, i got an email from sam saying "why did this happen? why are we making stupid mistakes like this?"

kim: you also had a phone in airplane mode or something

kor: we did have a phone in airplane mode, gideon's phone was in airplane mode. so it's interesting because now i know who we're dealing with, and we haven't had any instances of that in season 2 because i'm kind of a nazi when it comes to these screens, and if there is a mistake or a typo, i work with post-production to fix it before it airs. so hopefully this kind of thing doesn't happen, but again, i'm sure something is going to slip through the cracks again, because we have people devoted to screenshotting this
and then posting it on social media and making my job and my life much harder... thank you.

question: (to andre) i'm wondering, if you were involved in season 1, you worked at goldman sachs, and given the culture of the show and the messages behind it -- why, when you left goldman sachs, and if that had any bearings on how realistic it is to have someone from the inside of a big firm.

andre: so i didn't work season 1 but it's an interesting question because goldman sachs has a very "sharp" culture, is what i would say, when it comes to technology and security, and being an engineer in that space, in the financial sector, in new york, and being an agent investigating intrusions for the financial sector in new york really had a lot of barriers
for innovation and imagination that you might get in silicon valley, where i am now. so i think that culture that you see in season 1 at e corp is almost identical to my experiences when i was at goldman sachs, when i'd just graduated college and i could see that exact world today, and i have seen it in other situations -- you're right, goldman sachs is probably the "sharpest" of the ones that are there.

question: how did the decision in the writing group come for elliott to break the "fourth wall" so often, turn and face the audience and have that active dialogue.

kor: the question was how did we come up with the idea to have elliott break the "fourth wall" and actually address "us" as his friend.
and i have to give all the credit to sam on that, he wrote that into the pilot before we ever formed the writer's room. and if you read the early drafts of the pilot before it was a feature, it opened with "hello friend," and him speaking to us. and it's weird because it really draws you in -- when i read it, when i saw the pilot, i bought into this connection that i had with this character who is addressing me this way, i've never seen a show do that before in that way, and the ways in which he's vulnerable with us, the ways in which he blames us for certain things, and now he's upset with us, doesn't really trust us... it's fascinating.
we talk about that in the room, we treat the viewer, we treat "friend" as a character, in the room when we're breaking the story apart and talking about it, and it's something we take into account. so, that's all sam. i haven't seen many movies or shows that do that in that way.

question: i work in consumer education, and i understand the importance of how it is for us to see that the hacking is right, but what is your team hoping for the "normal" person to get out of the show, are you trying to educate people more on the threats that are out there, or is it just "edu-tainment?"

kor: anyone feel free to jump in... we are living in an age in which we are more and more dependent on our devices and our technology, and there are a lot of people in the younger generation who know how to use these apps and know how to use their smartphones but they don't know the ways in which they're vulnerable. and if the show can shine a light on that, and you can think about "oh shit, if i leave my phone unlocked, this is how long it takes for someone to root it, and install a piece of malware" i think that that's great. if it increases that level of paranoia and awareness, i think that's a good thing.

ryan: for me, it's unavoidable now to stay isolated from the hacks that are in the news
every week. that's great from an awareness perspective, but it also has a "numbing" effect and what i want is for the show to have consumers expect more of the companies that are building the software that they use and depend upon, that they trust to keep their data private, because the reality is that if they are not feeling that pressure, then organizations are always going to take shortcuts and we're going to keep dealing with poorly developed services, poorly designed software, corners cut, and we've all seen the effects of that. so i love getting people thinking, caring, changing their behaviors based on that.

andre: it's just refreshing for my mother to know what i've been working on for so many
years. and i say it honestly because we spend so many years trying to educate the public, and it's not working... finally, i open up cnn this morning and i notice that 7 of the various conversations and presentations at black hat were on the cover of cnn, i mean 2 or 3 years ago that was not the case. we're getting to the point where people are starting to understand technology, and the point now where hopefully we get the education in before people have the personal pain that i think we experience with hacks like sony, and hacks like we're seeing with the campaigns, and the icloud photo hacks, we're waiting for that big cyber 9/11 moment which hopefully
never happens, but i think we're all expecting it to happen. if we can get to a point where the public understands that "password123" is not good, and where we have a little more understanding of our security, and we do it through a show that's fun, that's what i want.

marc: for me, i've been doing defcon for 18 years and for 18 years i've watched tv shows portray my community like a bunch of weirdos, a bunch of idiots who don't know anything about computers, who portray hacks as mystical things that happen when you connect magical devices to cars and suddenly remote control them, and i'm sick of it. i want to see real stuff on tv that doesn't make me rage, and i want to see accurate portrayals
of people in my community, people i can relate to. so being able to do this and be a part of this, to me is a gift.

andre: funny you mention that marc, because i always remember this story -- everyone seen die hard 4, live free or die hard, where the fbi cyber division is kind of a focus, well i always remember the producer-director came to fbi headquarters to see what cyber division was like, and as they got the tour, they were very disappointed because it looks like a 1960s middle school, and as agents we watched the movie like "man, i wish we had all this technology!" so we show something that's fabulous on television, like the bourne identity type of movies, when
in fact none of that exists, so now we have a show that we're able to slowly work through the technical advances that we have today, and ideally i want everyone from congress who watched mr. robot to have said "oh wow, this is possible" because we need to have everyone who has a decision-making ability in government to know that everything that we have is vulnerable from a cybersecurity perspective.

question: you've mentioned you have to run things by nbc universal's legal team, i just want to know how it went when you decided it's ok for elliott to go pirate a movie with utorrent, and have all the scene release groups on. can you elaborate on that at all?

kor: there are a lot of funny easter eggs that are hidden in the show, and that's one of them. and luckily that wasn't a discussion... but now it will be, thank you for bringing attention to it.

kim: seriously, you never cleared that?

kor: i mean, we cleared utorrent. i looked into some other tools, utorrent was the only tool that cleared, and i will always go with the tool that cleared as opposed to ripping off another one or re-imagining the design.
so i can speak to that. for the pirate groups... i don't know what you're talking about.

jeff: i noticed on that screen that elliott is a pretty bad leecher, he shares very little and (inaudible)

kor: i don't know where he got that tactic from either.

question: i heard you say that the screens are recreated from flash, that's interesting because most of them are just text based screens, why don't you just write it in python to create a mockup of what it's doing, or even rather than that just have a server that is literally being, your own test server, rather than doing it in flash.

kor: we've explored a lot of these options, and since i believe we're the first show to even bring this much effort toward this level of authenticity... it's only me on the set, and a video and animator and video engineer. so the way to utilize the crew's time, the actors' time, the most time-efficient way of doing it at this point is creating a flash animation, only because we have medium shots and wide shots where we have actors sitting in front of a workstation and they need to walk through the animation and get to the right detail on the screen, and the added effort of trying to teach them the correct commands, and relying on that, or standing on the side with a wireless keyboard and running it myself while they're kind of faking it,
it doesn't make as much sense as putting them in front of an interactive animation where they can just freely type and the right content will show up on the screen, and we can easily reset it and go for take 2 immediately after. my hope is in future seasons, as i grow this team, that we can delve into that more, and show that in a more realistic light, mainly because recreating these things in flash, there's so much room for error and typos and just weird behavior that i spend so many hours with adam brustein, our amazing animator, we go back and forth really finessing these animations. i would love to do it for real, but i have to convince our producers and the studio that
it's worth it to them to bring on a bigger team to really manage that. because when you're on a set and the crew is trying to make their day and they're behind, nobody's thinking about the tech. the only person on the set thinking about the tech is me, which sucks.

andre: the short answer is, as a society, we will never get rid of flash. it will survive the apocalypse like twinkies and cockroaches, flash will never go away.

marc: the other thing to think about is, in terms of the accuracy of what you see on screen, you couldn't do that with a python script. because if you have a script just shoot out the things that are supposed to come up in
a hack, that's not really the hack, that's a very artificial simulation of what's supposed to come up. what they're doing is, they're creating an animation based on the intelligence they get from technical experts. we've done the hack, demo'd it, filmed it, sent it to them, they all look at that, then they make the animation. so that animation is an accurate re-creation of the hack, with the right timings, the right outputs... so it's really as accurate as you can get without doing them. i would say, their only two options are do it, or do what they're doing now.
and what they're doing now is really good, though it seems pretty effort-heavy for kor and the others. i would love to see them do it for real, but the reality is... i've been hacking for 25, 26 years of my life, i'm probably way better than any actor, and i find it hard to do that. many of the hacks i filmed and made and sent over, i had to do four or five times to get it right, work out bugs. that's a hell of an effort for a production crew to take on.

kor: and even after the fact, after they send me that material, i'll go back and forth with
them because, maybe we're working on a different distro, or maybe i want to nail what the prompt looks like under these circumstances, so i'll ask these follow-up questions -- if my goal is to replace ip addresses with easter eggs, or hostnames stuff like that, it's this constant dialogue i have with this team about the hacks that they're creating, and how to successfully re-create them for the show.

jeff: i have one question for kor, or i guess the team, and it's around the timeline -- my last article in playboy, i noticed you have a character that walked by and they have a "r.i.p. american economy," with the date -- and so i'm trying to figure out how many months has
it been since the hack, so what android versions are we using or whatever, so unless the show is progressing at a current day rate, you're going to be in a situation where you'll be using older and older distros to be time-period accurate, so that is a whole nother level of nightmare.

ryan: fortunately, the government will never be using the most up-to-date anything, so...

andre: the government is off xp, ok?

kor: to jeff's point, season 2 starts 30 days after the end of season 1. and the big evil corp hack took place on 5/9/2015, so of all the pieces of software that i clear, i need to find the version that was out in may 2015, which is kind of tough.
and it's going to make our jobs harder and harder as each season progresses, because we're treating that timeline in real-time, we're just picking up where we left off in each season. so it's going to get more difficult.

question: i was wondering about the season 2 trailer arc, where that idea came from, and whether or not it's going to continue at all in the future.

kor: so what he's referring to is the phone number that was in the season 2 trailer that led you somewhere, that led you somewhere else, that sent you on this whole code-breaking game.
and we have hidden a lot of that in season 2. in every single episode of season 2, there are elements of code breaking, and anyone who is familiar with the defcon badge contest will get a huge kick out of dealing with what we've hidden in season 2. so my answer to you is yes, that will continue, i don't want to give you too much information on where to find those little hints and where they are, but just based on monitoring our subreddit and twitter, that not all of them have been found, and more are coming.

question: could you give a little intro to how that idea came to have that arc happen?

kor: i wanted to do this in season 1, and i bugged sam and i bugged people in the studio
-- it started with i wanted to use real ip addresses and real phone numbers. huge argument. can't use real phone numbers. finally convinced them to let me use real ip addresses, they gave me a pattern of ip addresses for season 2 that i'm using. and then once the digital marketing team at usa caught on that our fans were this into it and screen-shotting every screen, and i gave them examples of people trying to hit these servers that we show in season 1, or complaining about our fake ip addresses that we use in season 1, so the digital marketing team, between seasons 1 and 2 were convinced
that this was worth their time and effort, so now i'm working very closely with them to build out this kind of interaction. and it's a goldmine, in season 2 if you see an ip address or you see a url, it will lead somewhere.

ryan: when i first started working with kor on the first sequence i helped out with, i had done an on-screen mockup and i did a copy-paste of the terminal text to make it easier for the editors, and because it was all vms, i was using rfc 1918 addresses, so that my simulations could talk to each other, but the situation required real addresses so i just copy pasted a made-up ip off the top of my head and stuck that in there.
and i sent an email to kor, and i said "i wonder who owns that ip block?" so i go and do a whois on it, and it's dod ip space. so... i emailed him immediately after and was like "hey, you guys are probably going to change the addresses, but just in case, don't use that address because i pulled it out of my ass, but i don't want someone seeing the show and trying to hit that address."

question: you've already touched on dealing with the legal team, i was just wondering what kind of stuff have they rejected that you wanted to do. like what the negotiation process was kind of like?

kor: unfortunately i can't go into detail about what they rejected without naming some of the companies that were involved in those talks. but i know that it starts off with me presenting my best case scenario, so here is my top 3 choices of tools to use for this specific hack, and we're already working to do that. and sometimes if something doesn't clear, i'll go back to these guys and be like "what other tools can we use that we can get away with?" so our clearance co-ordinator will talk to our legal department and they'll assess the risk and figure out is it worth it to approach this company, or is it worth it to just stay away and do our own thing and make up a fake name or fake design.
which is 100% of the time what they want. and that's a huge point of contention, and i'll go back and forth with our clearance department, our legal department about it. and i understand it, i understand that that's their job, and that's great, so it's hard for me to reach out... and i did have these talks with these guys, luckily marc knows some of these guys, so i asked him, i remember asking him, i can't tell you what tool it is, but there's a tool that shows up in episode 9 of this season where i asked him "are these guys fans of the show? these guys are hackers, right?
they dig the show, they'll be cool if we reached out to them and asked them to sign a clearance," and he was like "yeah of course." what the legal department wanted to do, we took that route, and luckily it made it into the show. can't say what it is yet, but it's great, it's awesome. hopefully it's something that will get easier, and like i said before, if you guys reach out to me it makes my job a lot easier, and i think we can see a lot more in the show if you guys just make first contact.

question: my question, i really liked to see the faraday cage, and i'm wondering if you
have any plans for consumer products or anything like that to help protect mobile privacy and security?

andre: yes, it's one of those things that if you go into it, then we sort of expose things... at one point we were in a conversation where we said "we used the faraday cage once, we can't use it again," so as we have more ideas, i don't really want to tell you because i want you to see it in season 3.

marc: the stuff that's going to come up, the thing that drives it is the story. we are kind of slaves to the story. we are trying to find technology that fits the story.
the main thing i put into it is, if you put the wrong tech in, it can be really jarring. you're watching this great story, you're getting immersed in it, and then someone does something fundamentally stupid, and suddenly you're out of the story. so what we do has to fit in nicely, any opportunity for something to come up, we'll look at it, we'll try and use it. because we want to be realistic, at the same time we want to use it to send a message. and the best way to do that is to use cool things.

question: yeah i think you're doing a great job. i guess it was kind of a leading question, because taking the idea of a standalone faraday
cage and making it mobile is what i'm working on right now, it's called silentpocket.

marc: product placement!

jeff: for those who can't see, he's wearing an evil corp shirt.

question: first of all, thank you for putting together a show about hackers that doesn't suck.

jeff: that's about the best compliment you'll get from us.

andre: sneakers is a great movie.

kor: and wargames.

jeff: but those are movies, not a tv show.

question: question about the easter eggs, they're starting to get more complicated, what's the thought process of coming up with the easter eggs, is it you guys, it sort of seems to be inspired by the cicada 3301 type of puzzles. is that you guys or the media team?

kor: so it's the media team and myself working on it primarily, sometimes i'll check in on these guys and just ask for advice about where we lead

question: you know they shipped the hoodie that we got for solving

kor: the american giant hoodie?

question: the fsociety one, i think it's badass

kor: yeah, i don't want to say too much about it because i don't want to ruin it and spoil the fun out there for everyone that's involved
in it, but in addition to posting the show and getting through these cuts and trying to finalize everything, i'm still working with the digital marketing team non-stop, the easter eggs as well, which is a taxing effort. but it's amazing how many people are into it. it's really satisfying to see the online response we're getting from it. it's awesome, it's more than i could have asked for.

jeff: i have a question, we talked a lot about american viewers, what's your experience with international viewership?

kor: from what i can gather, i know that the show is not available streaming completely
internationally, so people have to cut some corners to watch it, depending on where they live. and last i checked, we were the number one pirated show in the past month or so. which i'm fine with, i'm sure people at the network probably hate me saying this, but i'm fine with that. just the social media response we've been getting internationally, from latin america, europe, it's phenomenal. it's really satisfying to see that the show is striking a chord on a global scale.

question: i had a really good question but i forgot what it was.
i apologize for asking this one, but there's been a lot of speculation online about what "atsu" is. in the first season elliott uses a command called "atsu," it sort of looks like "sudo" is it an internal thing to evil corp? what's the official response to that?

kor: so the official response -- i knew i was going to get this question some day -- none of us worked on the pilot, so the pilot had their own consultant who, i don't know how present he was, and what kind of interaction he had with the animator on the pilot. from what i have heard, he just left him with a stack of code, and left him to sift through
so you have an animator who's never even worked in a linux distro before staring at code, he doesn't know what it means, he needs to learn how to animate it and recreate it for a pilot for a tv show. so... "atsu" was probably just a misstep. and there's a lot of things like that i can point out from the pilot that i have issues with. so luckily we were able to remedy that as we got the series pickup, and i was working on episodes 2 through 10 to make sure that didn't happen.

marc: one of the other things you have to remember is these kinds of shows evolve, they're
not static, and as they move on, there are additional dimensions that get added, things get better, processes change

kim: kor this raises the question from when you and i talked previously, where do you envision the show going? the show is operating on many layers, you've got the basic plot of the hacking, you have elliott's mental deterioration, his issues with his father, things like that, you have the control issues and all its permutations in hacking, now you've introduced this whole thing with whiter0se, there are a lot of tangents coming, and we've seen other shows fail spectacularly when they're trying to juggle too much, lost, for instance, how are you guys ensuring that you guys don't get "lost."

kor: great question, sam and the other writers and i have a roadmap for where we want the season to go. unlike some of the other shows that were mentioned, i have a feeling that they were writing themselves into a corner because they didn't really know what the end was, what the conclusion of the story was. we know where we're headed, and we have certain milestones that we're trying to reach on the way. so i don't feel like we're ever going to get into that situation, as long as we stay true to, organically, where our characters are emotionally, and where the journey will take
them. so as long as we're tracking elliott and the other members of fsociety emotionally and organically serving the story justice, i don't think that's going to happen. and i know some people had issues with pacing of season 2 in the first couple episodes being slow, i read a couple reviews and blogs about that, and really all i can say is... we dropped a huge bomb at the end of season 1. we destroyed the economy, elliott had the realization that he has delusions and he's suffering from... he's basically insane. and he needs to work that out, he needs to reconcile that.
and i think him working out those issues and those inner demons, and connecting it metaphorically to things that are common to the tech crowd, whether it be infinite loops of insanity, or kernel panics, i think that's organically where the story needs to go. i think it's compelling and intriguing, so... hang in there. that's all i'll say.

andre: i think you'll get a bit more explanation as to the history of things as you go through, there's a lot of allusions to certain things just "happening," now we'll help you understand why they're happening, that does take time. but i will tell you this without giving any spoilers: it's fantastic.
there's a few episodes, then you get to the end and you're like "wow, it's there." just make it through some of the character development, you're going to get to that point where you'll say "i did not know that." i can't tell you which episode, but it's coming soon.

question: my question is with the inclusion of the scene from "hackers," who was involved in that conversation? this panel shows there's a lot of care that goes into making this good information about hacking, but that specific piece of script just calls it out. were you a part of that, was there a discussion, how did that go?

kor: i was a part of that, and that was just our "meta-moment" of pointing fun at ourselves, basically. even though it's ridiculous, i love that movie, i grew up watching that movie, i'm sure a lot of people in here are fans of that film. and other writers in the room are fans of it as well, and it was a fun way of kind of calling out that there's going to be a tv show that's going to fuck it up. maybe we might be that show. hopefully we're not, but at the time of writing that script it was a little joke that we wanted to incorporate, and i think the community loved it and embraced it because i have a
feeling that everyone in this room has probably bashed "hackers" at one point or another, and it was a fun scene.

question: i love your show, and thanks again for teaching our parents about what we do. so, as a woman who codes... you mentioned that there was a hack that was failed, so i was just giving thought to the beginning of fsociety's females that's kind of on the same level as elliott.

kor: well i think in season 2 we made an effort to really flesh out the rest of our cast, and i know that season 1 is more about elliott's journey of figuring out what's happening, season 2 is more about dealing with the consequences and repercussions of what happened.
and it gives us an opportunity for them to deal with it. and i think you've seen enough of season 2 at this point to know that we're spending a lot more time with our female hacker characters, our female cybercrime characters, and it's a hope of mine that we continue to do that, so just keep watching season 2, it's something that we are definitely moving forward.

andre: i will say this though, i'm looking at the room, it's refreshing to see the diversity, because it's not fair all the time in the c-suite of the conversations that we have about this, and as the community is growing and learning, to find people that look like me and look like her, that are in this room, it's (inaudible)

kim: kor, you and i had talked
about this, the diversity on the show, and how it was very intentional

kor: it was intentional, by design. we wanted to make sure we had badass female hackers as part of fsociety, we wanted to have an iranian hacker, we wanted romero to be the old school phreaker, mobley is of indian descent, it was definitely by design, our hope is that it does inspire that kind of diversity that andre is talking about.

marc: the thing is when you look out at defcon you realize that the hacker community is quite diverse, which is why it's really great to see a show that actually represents that.

question: i always have a lot of empathy for the victim and the perpetrator -- have you
ever thought of having a backstory for philip price? i realize the target of the story is the "99%." but the more important question is, have you thought about the kids' workshops that we have here. "only through our children we will conquer."

kor: actually, marc and i were just talking about the kids' workshops and a couple of us are probably going to do a talk at one of those tomorrow afternoon. to answer your philip price question... yes.
we have thought the backstory, and keep watching. you'll get some more of that.

question: my question has to do with personal security. in season 1, elliott's hacking social media sites for his co-workers or whatever. i understand people with simple passwords are not going to be doing two-factor authentication or anything of that nature. however, there are services, gmail, facebook, when you login from another system, it's going to send you an e-mail that notifies you, rendering access from those other users null and void. was there ever a conversation about that, and if so what was the reasoning behind not
including login notifications.

kor: it's always a matter of time, and how much real estate we have on the page, how much time we have in the cut to devote to a hack, and even the steps that we want to show, we can't always show them all, it always gets cut down in the editing process. so it is a conversation we've had and it's just us making the decision of what are the important beats we need to see to convey the story about this hack, and how he's compromising this account. but, to your point, if i can get that level detail into the show, that's my goal. i know it's all our goals, to get as much detail as possible into those sequences.

question: my question is, so you've mentioned you get feedback from sam when you get something wrong, like there's a typo or when somebody points out a screen is wrong, but have you gotten any feedback about the show being used to teach? i had an opportunity at my job to introduce some colleagues of mine who are not part of this field -- my field, which is forensics -- and i said if you want to know what hacking is, who hackers are, please go watch this show. and i see people nodding, people have come back to me and said "oh my god, i watched this show, it's amazing." so my question is have you heard about, whether it's somebody in the c-suite, or a teacher,
or just a person saying "i was inspired by your show" have you gotten the feedback of the show being used for good.

kor: 100%.

ryan: i was in meetings all week for work, i don't think a single person, be they engineer or practitioner, or at the executive level, hasn't gotten that out of the show. enjoys the increasing awareness, enjoys the fact that it causes them to think about an attack vector that wouldn't have come to mind otherwise. i think that's one of the ways it can be a force for good and for education.

kor: and one of the best compliments i've received and i've received it on numerous
occasions, people come to me and say "i don't usually watch television, i don't watch anything, i don't watch tv, but i watch mr. robot because of the hacks you guys portray, and how scared it makes me about using my devices."

andre: you didn't mention you have the leader of the free world as your fan. it was actually interesting because i was on the set, and sam was super excited, he was like "the president loves our show," and the fact that he got contacted by a personal aide... i don't even know if i should be saying it, but i think it's important because he said "he watched the show, and loves mr. robot and wants to see season 2."
that is the levels that we're getting, that's exactly what we're looking for. there's a trickle-down, right, if we can get there, then we're getting others in government, in the c-suite, that conversation that i'm hoping that we get.

kor: my hope is that that's the reason he's interested, it's not because we impersonated him in the first episode of season 2 and he just wants to see what's up and what we're doing.

andre: i also don't know when he binge-watched mr. robot, i don't know where he has time for that.

kim: air force one.

andre: ah, touché! he has a plane...

question: as far getting this onto a network channel, from the network's perspective, was it "here is a hacking show and it's technically accurate," or was the technically accurate part something they actually cared about.

kor: the technically accurate part was something that sam cared about. i'm not sure that the network was that invested in it at that point, they just saw a great script written by an auteur film maker, and they wanted to pursue that project. i think once the pilot came out and sam was able to deliver that level of authenticity,
it set the bar and the expectation, and you have network executives reading these articles published by tech journalists, talking about the technology that we show. so i think it was something that was always on sam's radar that he wanted to pull off, and luckily when i met him, we were completely in line about that. and to his credit, he just kind of powered me, and let me fight with whoever i had to fight with to get that level of detail into the show. and obviously the fact that i was able to grow the team for season 2 speaks to the point that the network and the studio are supportive of that, which is great.