Hollywood's 'Untraceable': Fact or fiction?
- 21 January, 2008 07:02
Former FBI Special Agent Ernest E.J. Hilbert II learned a lot about cybercrime before signing on to be the director of security enforcement at MySpace.com, and when asked to look over a Hollywood script about cybercrime, he took on the challenge. The ironic thing, he points out, is that the fiction portrayed in the film (opening Jan. 25) is not so different from the facts he encountered on the job. Hilbert recently talked with Network World Senior Editor Denise Dubie about his past in law enforcement, his participation in "Untraceable" and why Americans need to become more aware of the dangers that lurk in cyberspace.
How did you get your start with the cybercrime division of the FBI?
I did my training in Quantico and in December 1999 I was assigned to the Santa Ana RA [resident agency] in the Los Angeles area FBI field office. Within a month, I got a call that someone had had their computer system hacked and 15,000 credit cards had been stolen. That turned into a six-year continually evolving case [Alexey Ivanov/Invita case] but we got those guys. Then that evolved into more and more and I fell into the cyber realm from there.
Did you have any background with technology?
I did some tech writing before joining the FBI, but I have had computers since I was about 12. I had a Commodore 64 and I bought my first Apple IIe when I was 16 years old. I programmed in BASIC, not Visual Basic, but whatever skills I may have had I lost in terms of the tech side of things. I just understand how it works, and I have a grasp of it. But if you asked me to sit down and hack into somebody's computer it would take me four times longer than half the guys I went after, as well as some of the people I worked with at the FBI.
My last two years with the bureau I was asked to move over to the counter-terrorism realm and work that same cyber aspect of the cyber-terrorist groups because all their stuff is going online now as well. I picked up the Adam Gadahn case, a man from Orange County [Calif.]. He went overseas and is now a spokesman for Al Qaeda; we charged him with treason ... the first time in 54 years the government has used treason charges and it had to be approved by the White House.
How did you get involved with technical consulting on movies such as "Untraceable"?
I was getting frustrated with the 24/7 of the job, I have three children, and the politics of the government were getting to me, so I saw an opportunity to leave by going to a consulting firm. The FBI has a media program that is manned with real, gun-toting agents, and a buddy of mine was in charge of media outreach. The producers of "Untraceable" came to the FBI to use the name and gain some insight. And the FBI does offer insight and there is no fee involved. My buddy, a sniper for the S.W.A.T. team, called me up with a couple of scripts -- "Die Hard 4" was the first but the timing worked out that they were unable to use any of my input -- and "Untraceable" was the next.
Why did they want to use your insight in particular? Were there specific cases you tackled?
The FBI has something called the Citizen's Academy, in which we host different nights for various types of crimes to educate people as to why the FBI is involved with them. I was asked to present on cybercrime and we had someone else do crimes against children, which is child pornography and pedophilia situations. "Untraceable's" Director Gregory Hoblit and the producers were invited that night.
Does the FBI distinguish cybercriminals from child predators?
Child predators have been around for as long as I have been online, since 1992, and as soon as you had the opportunity for social connections you had these individuals who saw this as a chance to reach out to their groups. They don't necessarily have any specific technical expertise or cyber skills that are criminal, but they use the Internet to reach out. We've always had these guys; they've always done it. They don't have to be technically savvy. Mostly they are just chatting and drawing people in.
I haven't seen the entire film, but have watched the trailers and found the talk of networking technology very interesting. Do you feel the finished movie realistically depicts how law enforcement uses such technology to track down cyber criminals?
[Greg] Hoblit's father was an FBI agent so he wanted to hear what I had to say about the script. I basically told them it was a plausible idea but that they would have to change a lot of stuff to be technically accurate. They asked me to work with the writer and it was fun, but it happened to coincide with my leaving the bureau. They did everything they could to make it as realistic as possible and squeeze it into under two hours. The script calls for a lot more, but the truth is it is really boring to watch agents sit behind a computer and type away and run whois lookups, run trace routes and ping things. No one is going to want to watch that.
It seems this movie is being marketed to technical people, but that could be a double-edged sword if they work to point out inaccuracies. Have you heard any comments saying the technology portrayed or how it's used in the story is wrong?
One of the biggest complaints of people with regard to this movie in terms of the technology is that obviously the writers and technical consultant -- which is me -- don't know how a DNS system works and how you can get a domain shut down. And that's not true. There is an assumption that because the FBI says to do something that somebody is going to jump through the hoops and do it. It doesn't happen that way. It's a government agency, but cybercrime in many cases is business and there is a lot of money involved, major money.
What can the FBI realistically do to shut down a domain today?
Last year when they wrote the script and started shooting the film it probably did take at least one week -- and maybe in some cases two weeks -- to get a domain name blacklisted if it was based in the U.S. Nowadays it could take as little as 24 hours depending on the context and so on. Does that make this story any less plausible? No. Take out the fact that it utilizes a domain name and instead the information that is being shared is through a series of IP addresses that pop up. And those IP addresses are just mirrors of the original IP address. I can blacklist an IP address or at least black hole it -- if it is in the U.S. But if it is international, it's not the same rules.
What can our government do to stop hackers or cybercriminals attacking from outside the country?
I spent a lot of time in Eastern Europe, and when we first went over it wasn't illegal for anyone to hack outside of the Ukraine, per se. The Chinese -- I don't see them helping us out a great deal. I mean they might, don't get me wrong, but it's a sovereign government and they don't have to immediately comply. All these naysayers pointing out the things we can do are partly right. But it takes time and in that time frame, this bad guy in the movie could do what he's doing. That's when someone like me working as an agent would be using tools from companies such as DNSstuff or Domain Tools or even call someone directly, asking for help to track or stop the bad guy. And in most cases individuals or governments will help as much as they legally can; the laws haven't caught up with the crimes.
What do you think needs to happen in terms of law enforcement?
I hope that lawyers and judges will see this film and ask themselves, "Is this real?" We need to do something about the laws with regard to these crimes. Even if the movie just sparks a discussion as to how far cybercriminals can go before law enforcement can step in. I want lawmakers to realize that this can happen and then force laws into place.
The movie has an element of voyeurism in how the murderer sets up the Web site to work in such a way that when visitors click on the site, it speeds the death of the victim. What do you think of the online cultural phenomenon that is driving social networking sites -- some of which put people at risk?
We are an incredibly voyeuristic society. We still have this false sense of anonymity that says when I am on the Internet nobody will know what I am doing. Originally the only way to really make money off the Internet was with pornography; when it started out, it was like 70% adult porn for the most part. People believed they could hide away and conduct their business whatever it was, but now we have moved into the social networking world -- the MySpaces, the Facebooks, the YouTubes, the LinkedIns -- and about 40 new sites.
What do you think is driving this social networking craze and why do people care about other people's personal business?
Basically both kids and adults are looking to obtain fame by posting stuff about themselves online. It's the old story of the train wreck: No one wants to look but they can't help themselves. In essence it's the nature of being American, because we have the freedom of speech, freedom of practice and freedom of choice to do these things. You wouldn't have Microsoft putting however many millions [of dollars] it put into Facebook if this trend wasn't going to continue. People don't realize this information they are posting about themselves will be there forever. It doesn't go away; there is no statute of limitations.
In "Untraceable," even the lead character -- an FBI agent played by Diane Lane -- is unable to remain anonymous; the bad guy tracks her down. How do law enforcement agents protect themselves from the cybercriminals they pursue?
We don't do this job because we want the bad guys to know who we are or know where our family is. And often the press is respectful to law enforcement and is careful to not name specific agents. But in the cyber realm, someone like me that does presentations for the FBI would have bad guys latch onto them whether I was on their case or not. My information is out there, but I have taken the appropriate steps. I don't live in fear, but law enforcement in general, we pay attention, we are more aware and we see things that others don't. We have a heightened sense of awareness.
Do you feel how the murderer found the agent's home address in the movie is plausible?
Absolutely. It's not a spoiler because it's in the trailer, but it is not an external attack. It is through her daughter via a video game. And that is a very simple method. In the download world, you download a video game or get a hold of some bad software with a virus underneath or a Trojan buried inside of it, and you're vulnerable. It can happen -- it does happen.
Any other elements in the movie the naysayers may call you and the writers out on as being technically inaccurate?
The IP addresses in the movie are not real, for obvious reasons. You can't use real IP addresses, because it will point to real IP addresses. It's similar to the 555 area code for phone numbers in movies. But I know that element will get hammered on. Some of the software they utilized in the film, they worked with companies to create the imagery for movie purposes. In terms of law enforcement, they take down people a lot quicker than would be possible, but it's because it's a movie. Do you really want to see a guy drafting an affidavit, going to court and talking to judges? No. It's accelerated and compressed. But the way they go about doing it, such as trace routes, that's exactly what the FBI would do.
Does the movie portray the victims as at fault for their own downfall? Do they act irresponsibly on the Internet, for example?
Without revealing too much or spoiling the movie, it's really about understanding what you are dealing with and realizing there are consequences for your actions and then going forward. If you don't know what the consequences are going to be, then I suggest don't take that action. For instance, in this movie, the guys that get picked up and get murdered get socially engineered into doing it by the murderer -- right down to some guys who should know better.
What do you hope the public takes away from the film and others that portray cybercrime?
I hope everyone understands the Internet is not going away and for the most part, it's virtually impossible to regulate the Internet. Even the Chinese, who claim they can block traffic, might actually be blocking 40% of it. If people take the general approach that whatever they do in the real world is the same thing they would do on the Internet, then there would be a lot more protection in place. If you are walking down the street and there is a dark alley, would you run down it in the worst part of the city? Probably not. But then you get an e-mail that someone sends you with a little link that says you should go here, and you click on it. Not a smart move. I don't want people to be in fear. I use the Internet daily, but I pay attention. It's just an awareness.