Saturday, August 05, 2006

ScienceBlogger Question

Talking of movies, this week's "Ask a ScienceBlogger" question is another one I find interesting to answer, but this time with a small twist:

What movie do you think does something admirable (though not necessarily accurate) regarding science? Bonus points for answering whether the chosen movie is any good generally.

The twist I want to put on it is that I'm aiming at something related to computer science (because it's my field), notoriously misrepresented in films even today, and that I'm particularly aiming at computer security, too often overlooked in the movies — and in real life. "Admirable" is not quite the right word here, so let's say "notable" instead.

And the movie is "Mission: Impossible", from 1996, for its depiction of how Tom Cruise breaks into a top-secret ultra-secure computer system at CIA headquarters. Here's the security setup:

  • The computer is in a secured room, all by itself.
  • There's one door to the room, secured by a triple authentication system that uses voice recognition, retina scan, and handprint scan.
  • There's only one person authorized to go in and log into the computer.
  • The interior of the room is protected by sensitive temperature sensors.
  • The interior of the room is protected by sensitive sound sensors.
  • The interior of the room is protected by pressure sensors in the floor that are so sensitive that a drop of sweat hitting the floor will set them off, as we see later.
  • The only other opening to the room is a single ventilation duct in the ceiling (well, you knew that, right?), and that's protected by a system of lasers that will detect any breach.

Pretty sophisticated! They've covered everything, haven't they? What can the Impossible Mission team do? Well...

  • They wait until the authorized guy leaves. They have already stolen his username and password.
  • They defeat the laser system in the standard sort of "defeat the laser system" way, using reflectors/refractors and introduced beams. We'll leave aside the issue of how silly this is.
  • They lower Tom Cruise by rope. They do it slowly and carefully, because, remember, they can't make noise, and he can't raise the temperature of the room.
  • He's perspiring! And a drop of sweat is about to drip off his brow and hit the floor! Ah, but that works out (I forget, now, whether he's able to catch it, or whether he makes sure it drips somewhere harmless).
  • He gets down to the keyboard and display, in the middle of the room, and he logs into the system with the stolen password. He gets the information he needs. We knew he would!

But what's the flaw here? Oh, it's so simple, it is. I think of it as an application of Occam's Razor, or maybe a related derivation of it. Occam's Razor says, essentially, that the simplest answer is usually the best one to go with (for a more accurate explanation, see the Wikipedia entry). The related derivation that I invoke here is that if you don't get the simple stuff right, the whole thing collapses; this is seldom more true than it is in computer security.

The security system knows that no one is in the room — and that, in particular, the single authorized user just signed out and left. It knows that no one came through the door. Why on Earth would it allow anyone to log in? The fact that anyone tried should have caused an immediate lockdown.

Yes, it's as simple as that: this complex system, protected by an intricate high-tech system of biometrics and sensitive sensors, succumbed to the simplest, silliest, low-tech "I stole his password" attack.

Except I think I was the only one in the cinema who was laughing.
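The missing check, sketched as an added example (not anything from the film or a real product): a console login gate that asks the door controller who is in the room before it even looks at the password. The `VaultTerminal` class, the `analyst` account, the password and the event timeline are all constructed for illustration.

```python
import hashlib
import hmac

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VaultTerminal:
    """Console login gate fed by the door controller (assumed interface)."""
    def __init__(self, credentials):
        self.credentials = credentials  # username -> (salt, derived key)
        self.occupants = set()          # who authenticated at the door and is inside
        self.locked_down = False
        self.alerts = []

    def door_event(self, user, direction):
        (self.occupants.add if direction == "in" else self.occupants.discard)(user)

    def login(self, user, password):
        if self.locked_down:
            return "DENY_LOCKDOWN"
        if user not in self.occupants:
            # Nobody came through the door as this user: the attempt itself is the alarm.
            self.locked_down = True
            self.alerts.append(f"login as {user!r}, occupants={sorted(self.occupants)}")
            return "LOCKDOWN"
        salt, key = self.credentials.get(user, (b"", b""))
        ok = hmac.compare_digest(_kdf(password, salt), key)
        return "ALLOW" if ok else "DENY_BAD_PASSWORD"

def replay(events):
    salt = b"constructed-salt"
    term = VaultTerminal({"analyst": (salt, _kdf("constructed-pw", salt))})
    results = []
    for kind, user, arg in events:
        if kind == "door":
            term.door_event(user, arg)
        else:
            results.append(term.login(user, arg))
    return results, term.alerts

# Constructed timeline mirroring the film's sequence.
FILM_TIMELINE = [
    ("door", "analyst", "in"),
    ("login", "analyst", "constructed-pw"),  # legitimate session
    ("door", "analyst", "out"),
    ("login", "analyst", "constructed-pw"),  # stolen password, empty room
    ("door", "analyst", "in"),
    ("login", "analyst", "constructed-pw"),  # lockdown persists
]
```

Calling `replay(FILM_TIMELINE)` returns the three login outcomes in order plus the single alert raised by the empty-room attempt; the correct password makes no difference once the door state says nobody is inside.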
