Is Blackhat the Greatest Hacking Movie Ever? Hackers Think So

The scene doesn’t include a keyboard. Or a computer mouse. But it shows why Michael Mann’s Blackhat may be the best hacker movie ever made.

As the film approaches the end of its second act, a network engineer played by Chinese actress Tang Wei deliberately spills coffee on a stack of papers neatly stapled at the corner. It’s a report of some kind, but you can’t make out the words. And when the film cuts to Wei in a taxi somewhere in Jakarta, we see her holding the pages out the window, drying the coffee stains.

The cab takes her to a bank where, wearing a tight white dress, high heels, and a gold necklace, she walks through the front door and approaches the front desk. She tells the security guard she’s there for a meeting, and the guard tells her where to go. But before leaving the desk, she shows him the coffee-stained papers, saying she has ruined her presentation for the meeting, asking if he might print her a new one, and handing him a USB drive. He says he isn’t supposed to, but does so anyway. And that’s how Wei and her cohort, played by onetime Avenger Chris Hemsworth, break into the bank’s computer network: via that USB drive.

For Parisa Tabriz, who sits at the center of the info-sec universe as the head of Google’s Chrome security team, it’s a Hollywood moment that rings remarkably true. “It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices.”

Tabriz will also tell you that such accuracy—not to mention the subtlety of the scene with the coffee-stained papers—is unusual for a movie set in the world of information security. And she’s hardly alone in thinking so. Last week, Tabriz helped arrange an early screening of Blackhat in San Francisco for 200-odd security specialists from Google, Facebook, Apple, Tesla, Twitter, Square, Cisco, and other parts of Silicon Valley’s close-knit security community, and their response to the film was shockingly, well, positive.

Judging from the screening Q&A—and the pointed ways this audience reacted during the screening—you could certainly argue Blackhat is the best hacking movie ever made. Many info-sec specialists will tell you how much they like Sneakers—the 1992 film with Robert Redford, Sidney Poitier, Dan Ackroyd, Ben Kingsley, and River Phoenix—but few films have so closely hewed to info-sec reality as Mann’s new movie, fashioned in his characteristic pseudo-documentary style.

“These are probably the most plausible hacking scenes I have seen in a movie,” one info-sec expert said during the post-screening Q&A with Mann, Wei, Hemsworth and co-star Leehom Wang. And this was immediately met with applause from the rest of the rather well-educated audience. “As someone who has been involved in helping consultant on these kinds of [movies], let me say that you have done a sterling job.”

 Legendary Pictures and Universal Pictures

The film, which opens nationwide today, doesn’t get everything right as it weaves a dark tale about a hacker (Hemsworth) pulled from prison to help the FBI—and the Chinese government—track down the eponymous blackhat, another hacker wreaking havoc across the globe. The first question during the Q&A wasn’t really a question. “In the middle of the movie, you point to the screen and say ‘That’s his IP address,'” one info-sec expert said to Hemsworth. “But that’s not an IP address.”

And many in the audience joked that their jobs rarely required them toshank deviant hackers. “I was involved in one of the most highly public cases of cyber-esponage and I’ve done a lot of work involving nation-state attackers,” says Morgan Marquis-Boire, who helped deal with thealleged Chinese hack on Google’s infrastructure in 2009. “And my day at the office didn’t exactly involve beating down seven guys in a Korean restaurant.” But even as they criticized small parts of the film, they praised the whole.

“Unlike others, this is a film about a real person, not a stereotype—a real guy with real problems thrust into a real situation. The technology—and the disasters—in the film were real, or at least plausible,” security consultant Mark Abene, who has spent time in prison for hacking, said after seeing the film. “I wouldn’t call it a hacker movie. It was a story about cyberterrorism—and hacking played into the story—but that was part of a bigger picture.”

Good Ol’ UNIX

Full disclosure: Mann worked closely with WIRED contributing editor Kevin Poulsen in researching, writing, and shooting the film. Like Hemsworth’s character, Poulsen spent time in prison for his hacking exploits, and Mann says his input was invaluable.

Asked if Mann got anything wrong, Poulsen jokes, in his typically deadpan way, that the move is “100 percent authentic.” But in all seriousness, he’ll tell you that, whereas most movie hacking scenes are comically cartoonish, Mann gets most things right. “There are little things where he takes some liberties for dramatic purposes, and so that it’s understandable to the audience. But if you compare it to any other hacking movie, any other cyber movie, period, that has come out post-War Games, it’s head and shoulders above any of them,” Poulsen says. “It’s the first crime-thriller to hinge so heavily on hacking without becoming silly.”

Poulsen acknowledges that Sneakers is a sharp film too. But he rightly says that, unlike Sneakers, which is playful and squeaky clean, Blackhat wanders deeply into the dark side of hacking. “It really captures the grittiness of modern cyber-crime and how ruthless it has become—and profit-oriented,” he says.

What’s more, the hacking scenes look right. As Marquis-Boire says, you don’t see “Hollywood operating systems”—computer interfaces with ridiculously contrived graphics. Instead, hackers hack just like they hack in the real world: with a good ol’ UNIX command line. “The fact that they were hacking with boring terminals and scrolling code,” says Tabriz, “was closer to real cyber-security threat situations than anything I had ever seen.”

People like Tabriz also admire how the movie shows that hacking a network is sometimes a physical endeavor, not a digital one. The coffee-stained-paper scene is a great example. But there’s also a key moment where Hemsworth must remove a hard drive from a data center. “In most TV shows and movies, they live in this world where everything is connected and anyone can break into anything from anywhere,” says Tabriz. “But the reality is that, sometimes, you have to go into the real world and steal something—or con someone with social engineering.”

The Black Widow

As the Valley’s top security minds watched the film last week in a theater on the edge of San Francisco’s SOMA district, there was laughter in many places. Some laughed when a movie character said his only password was his fingerprint and the film showed a security device called a Yubikey—which requires more than a fingerprint. Others laughed when Hemsworth, with great confidence, said he would need about a month to crack a 512-bit encryption key.

This kind of thing, Tabriz says, is “so much more dramatic than the way these kinds of things unfold in real life—and people come to conclusions so much faster.” But more often than not, the laughter sprang from approval—or the I-know-this-stuff-better-than-anyone-else attitude that defines experts in any field.

The biggest laughs came during a scene in which the FBI revealed that the NSA had built a secret supercomputing service, known as Black Widow, that could analyze massive amounts of data faster than anything available to the outside world. The laughs grew still louder when Hemsworth phished an NSA middle-manager into revealing his password to the system. But although some decried the scene as ridiculous, others quite liked it, and much of the laughter arose from Silicon Valley’s deep-seated distrust of NSA. “A lot of the people in that room come from companies that were targets of the NSA,” Tabriz says. “I doubt there was unanimous allegiance to the NSA in that room.”

Stereotypes Subverted

Many in the audience applauded how Mann turned the NSA into idiots—and semi-bad guys—while also portraying the Chinese as good guys. It’s not just that Mann got so many of the details right. It’s not just that he avoided the stereotypes. He subverted them.

Is Blackhat the best hacker movie ever made? Maybe. Sneakers still ranks pretty high—as does War Games. But there’s no denying Mann’s new film throughly entertained—and, dare we say, impressed—a crowd of info-sec experts who were primed to tear it apart. That’s no small feat. “They clearly had some good technical consultants on this move,” says Marquis-Boire. “But what’s most interesting is that they actually listened.”