Follow Datanami:
March 1, 2018

Mr. Robot Thrills Elastic Crowd with Real-World Hacks

Have you ever watched a hacking scene in a TV show or a movie and cringed at the flashing lights, the whirring sirens, and other ridiculous depictions of technology? The folks behind the hit hacker drama Mr. Robot sure have, which is why they’ve taken such pains to ensure the TV show accurately reflects real tools of the trade, including the Elastic stack.

“Almost a year ago, we got an email from the team at Mr. Robot,” Elastic CEO Shay Banon said during his ElasticON keynote address Tuesday night. “They asked permission to use Kibana in one of the TV shows. We immediately forwarded to everybody at Elastic and started to celebrate.”

However, when that episode came out last year, the Elastic employees were surprised to see that Elliot Alderson, the gifted-yet-troubled hacker who works for the mysterious Mr. Robot, was using a version of Kibana that was several years old to track a hack in real time. That old code didn’t sit well with the Elastic leadership.

“We said, ‘We think the product looks slightly better now. Can you please use a new version of the product?'” Banon said. “And the team said no. And we’re like, another user that struggles to upgrade to the new version. Can we get a break?”

But it turned out there was a good reason: The scene that included Kibana was set in the past, and the version of Kibana that was featured in Mr. Robot was the current release at that time. “We were impressed,” Banon said. “The team tries to be extremely authentic around the tools that they use to match to the timeframe.”

Ryan Kazanciyan, a security expert who works as a technology consultant with the Mr. Robot show, says that attention to detail is no mistake.

“As a practitioner in the security space, this afforded me a really cool opportunity to include the software tools that I’ve used throughout my career,” Kazanciyan said during Tuesday’s keynote address at the Masonic Auditorium in San Francisco. “And I was especially excited to have the opportunity to weave in Elastic, especially given the fantastic community that’s behind it.”

In the Mr. Robot show, Elliot is shown using a Kibana dashboard to track a malicious hack in real-time. Elliot is watching as hackers for the Dark Army traverse through the network from a UPS system they installed a backdoor on to a hardware security module they want to break into. As the hackers move across the systems, they leave a trail of log data, which is sucked up by Logstash, stored in Elasticsearch, and displayed in Kibana.

“This is off-the-books stuff, because he’s actually allowing them to continue hacking so that he can understand what they’re actually after,” says Kazanciyan, whose day job is being chief architect at security software firm Tanium. “He’s using Elastic as his own private stack to monitor all this activity and figure out what the Dark Army’s next step might be. This was built out like all of our scenes, using real systems and real software.”

The Kibana dashboard that Elliot uses to track the Dark Army hackers in Mr. Robot (courtesy Ryan Kazanciyan)

One might wonder why anybody would go through such pains to get the details right, Kazanciyan adds. After all, when hackers are depicted in most TV shows and movies, they’re often shown using tools with flashy graphics and unrealistic situations. “I think my favorite is the infamous NCIS episode where they have four hands on one keyboard so they can hack faster,” he says.

The reason why, he says, to paraphrase Kor Adana, one of Mr. Robot’s writers, is “if you have to rely on flashy ridiculous action, then something is wrong with the writing,” he says. Using real-world tools, whether it’s the Elastic stack or vulnerability sniffers or rootkits, and basing the Mr. Robot action on real hacks (such exploiting vulnerabilities in Apache Struts) helps to show the audience what’s actually going on in the real world.

“Technologies like Elastic help us be better story tellers in conveying the impact of critical things like breaches,” Kazanciyan says. “Out of all the technologies that I incorporated into the show in the third season, the reaction from you all, the Elastic community, was the loudest and was really validating and exciting for me to see.”

That level of authenticity invites a level of scrutiny that would cause practically any other TV show or movie to wilt under the pressure. While it’s very accurate, Mr. Robot, which debuted in 2015, doesn’t always get everything right.

Ryan Kazanciyan is a technology consultant with the TV show “Mr. Robot” and a chief architect at Tanium

For example, when Kazanciyan incorporated into the show a Windows credential tool called Mimikatz, the developer of the tool wrote in to point out an error in one of the arguments. “My response was, even the Dark Army operators screw up sometimes,” he says. And when some Python code shown on the screen didn’t correspond with what was returned when the script was executed, readers couldn’t let it fly. “This is why it’s a labor of love, because people notice these things,” he says.

Kazanciyan tracks the real tools used in Mr. Robot in a blog on Medium, where he gives readers tips on where to find “Easter eggs” that he and the writers drop into the show. If a viewer hits the stop button at the right time, they can find QR codes and IP addresses embedded in scenes that they can follow to find interesting items. They can even log into a LogStash server from an SSH client and, if they type in the right commands, recreate Elliot’s session where he’s tracking the Dark Army.

“One of the things that we always try to do on the show is make sure that no matter what your level of technical expertise, you can watch and understand what’s happening,” he says. “Then if you have the added bonus of understanding things at a deeper layer, [you can] engage the show at a deeper layer.”

Related Items:

Elastic to Release Source Code for X-Pack

Elastic Adds ‘One Click’ Anomaly Detection to Stack

Datanami