Not only does Mr. Robot set the bar for dystopian hacker suspense thrillers, it's also a great hacking show that's true to the culture and portrays technology authentically. So I gathered some of the smartest hackers I know in a Keybase group chat to talk about the show. (The chat transcript has been edited for brevity and clarity.) This week's team of experts include:
- Jen Helsby: SecureDrop lead developer at Freedom of the Press Foundation.
- Jason Hernandez: a technologist who studies surveillance and works in IT, and is the tech editor for North Star Post.
- Harlo Holmes: a digital security trainer at Freedom of the Press Foundation.
- Micah Lee: a technologist with a focus on operational security, source protection, privacy and cryptography, as well as a journalist at The Intercept.
- Freddy Martinez: a technologist working on whistle blowing technologies. He serves as a Director for the Chicago-based Lucy Parsons Labs.
- Matt Mitchell: a hacker who leads cryptoharlem, which aims to teach basic cryptography tools in the inner city. He also trains newsroom journalists (at Global Journalist Security), activists & human rights defenders in digital & operational security.
This week we discussed Capture the Flag, reverse shell tools, and Shodan.io:
Yael: Shall we talk about Stage 2?
Micah: So Stage 2 is a plan for a straight-up terrorist attack? They're planning on taking down a whole building, with people in it and everything? Eliot didn't know what stage 2 was until this episode, but Mr. Robot planned for it all along,
Jen: It sounds like yes, they want to blow up a building. Not sure why it's necessary to have people inside.
Freddy: Last season they also talked about "blowing up" Evil Corp, but in season 1, Elliot said, "you can't convince me with this David Koresh shit," so I'm not sure. It's possible Mr. Robot is leading it all and Elliot has no clue. But blow up/burn down might be a small distinction.
Harlo: He does say that in this episode. "Blowing up all those people" along with docs, land deeds, etc.
Yael: And everyone's student loans.
Harlo: I WON'T CRY IF THAT HAPPENS.
Yael: Yeah, I think Mr. Robot wanted to blow it up and Elliot wanted to stop that, which is why he got shot. Why aren't they having a discussion about tactics? How to blow up the building with nobody in it?
Jen: Ah yeah, you're right. UPS fires can't melt steel beams, though.
Harlo: Well, it's all in this bin file, you see.
Yael: Elliot is freaking out when he finds out plan 2 is taking place and he... calls 911 and hangs up, turns on some bug scanner, and gets on a laptop that's been unattended for a week?
Freddy: I thought it was a white noise generator
Micah: His laptop, like all computers in this show, was running Kali Linux. Well, not all computers, but all h4x0r computers.
Jason: Kali is easy for a producer to put on a bootable disk and plug in as needed.
Yael: Well, Elliot DOES use Protonmail, so he lost his hacker kewl a long time ago, at least with me. I bet he wouldn't even use Keybase chat.
Harlo: Somebody get Kor on the phone and tell him about Qubes.
Matt: Yeah, I wanna see Qubes OS. No shade to the collection of tools by offensive security but not everyone is rolling with Kali on their box.
Jen: Yeah, they should show Elliot's Kali AppVM if they really want to be realistic.
Jason: Also, you can run Kali in Qubes.
Matt: Maybe it's a VM (virtual machine), which is why he didn't change the background to a picture.
Micah: Kali is pretty sweet for offense tbh, especially because it has all the patched Wi-Fi drivers for monitor mode, packet injection, and all of that.
Yael: I was going to tell Elliot that if you call 911 and hang up, they usually think you're kidnapped. I wonder what a better thing to do after "accidentally" calling 911 would be.
Jen: Probably being like, "my kid was playing with the phone, sorry!"
Matt: In NYC you can call and hang up, nothing will happen. I have done it before. No call back. Nada. You dead.
Jason: Also, we can imagine the state of the 911 network is less reliable than present day, where 911 just goes out for half the country for 3 days because someone forgot to renew a domain name.
Yael: Oh, somewhere before this scene Dark Army was talking about how Elliot's dad used to work for them and now Elliot does. Was this the first time that was stated explicitly?
Matt: YES. I liked the scene where they say they use Elliot (and his dad) for their focus.
Freddy: If he was working for them, how come they were broke? Crime pays.
Micah: It sure sounds like the Dark Army is planning on killing Elliot when they're done with him.
Jason: I just don't get the motive for anybody on the Dark Army.
Freddy: Presumably they have connections with People's Republic of China and are interested in geo political hacking.
Jason: I guess...why hasn't Taiwan been invaded then?
Yael: It's not them simply trying to inflate the price of Ecoin?
Matt: Well seems from season 2 Dark Army became more than hackers with masks, they had guns, poison pills, and connection to China.
Freddy: Bureau 121 hacks for [North Korea], but I think is physically in China.
Matt: They want political gain in Washington and financial gain via Ecoin, but seems the end game is much bigger. In season 3, they go from world's smartest motorcycle/Uzi gang to dominant world players.
Yael: So, let's talk about the NSA building.
Jason: The Intercept had an article on it while ago. Full of international telephone switches and NSA hardware.
Freddy: Henrik Moltke is a beast at finding these NSA buildings.
Micah: So, while the rest of NYC had a power outage lasting for days, the hackerspace was throwing a raging party, and it also happened to be during a major CTF (Capture the Flag).
Yael: It's on the way from Elliot's apartment to the world's loudest CTF qualifier.
Harlo: WITH THE WORST MUSIC
Micah: "The only hackerspace with dedicated fiber connections."
Freddy: LEFT. The only hackerspace left.
Matt: OH, I love how hackerspaces feel like a techno club. And hackers are beautiful!!!
Jen: That seems like a very annoying environment to work on a CTF with like 10 bros behind your computer as you're trying to figure something out.
Jason: They should have just gone full HACKERS and had someone on roller skates.
Freddy: Nobody sits around and yells during CTFs unless it's crash and burn, where if you fail programming (after first compilation) you have to drink.
Yael: That was way too frickin' loud for a CTF. And I don't think you're allowed to get help from randos. DQed.
Matt: Well at cyber security awareness week (CSAW) at NYU Poly is a big one that is pretty quiet, but at CCC it's loud.
Micah: Have you ever been to the DEF CON CTF area, with incredibly blaring music and huge animations on projectors all the time?
Matt: Yeah DEF CON is loud all the time, all day, every day.
Yael: I was at the CTF area at the last DEF CON and it was hidden behind the stage and very quiet. Unless I'm just not remembering the dub step; there was a lot of alcohol involved. I do remember having long conversations with the team putting it on, though, so it couldn't have been that loud.
Freddy: The music at the hackerspace has to have loud beats, personally, I hack to only trap music.
Harlo: That was some skrillex shit.
Freddy: Some people hack to ambient noise. For example, I like this playlist with the Blade Runner soundtrack on it, too.
Yael: No Eno Ambient Music for Airports for you.
Micah: BTW for readers out there who don't know, Capture the Flag is incredibly fun. This website lists upcoming CTF challenges around the world, many of which are open to anyone on the internet.
Yael: And if you're not a hacker, just do Puzzled Pint! I'm also looking for Hunt for Justice teammates lol.
Matt: I recommend for anyone getting into this stuff the capture the flag at picoCTF built for high school students. I have some CTF links for readers:
Micah: So Elliot being super-fast-wizard at CTF...wasn't so real. The challenge they talked about sounded legit, but there's no way Elliot would know what the challenge was or where the vulns were without spending at least like three minutes looking at the problem.
Jason: Yeah, I had no idea what Elliot was actually explaining to that guy with the over-indented Python code.
Yael: I think Elliot went there to try to... find a random computer? To try to close a backdoor which would end phase 2 how exactly?
Micah: Oh yeah, I don't understand why Elliot doesn't just carry a laptop. He just walked up to someone on the CTF team and they're like, "You're good, join our team. Here, take my computer. It's running Kali and logged in as root, but I don't mind, sit at my keyboard."
Harlo: Yeah, I felt that Elliott's success at the CTF was a bit of "ex machina."
Jen: I think the idea was to prevent remote access to the UPSes.
Harlo: He did NOT succeed!
Yael: Yeah because the power got cut out? Or did they just not get to that point?
Harlo: It's still on the server. He tried to shred it but the reverse shell failed.
Jason: I thought the connection dropped because the reverse shell was deleted by the shred command.
Harlo: Okay, let's dissect this. It appears that he ran 'ls' and that showed the bin file that contained the backdoor, and then he tried to shred it, and that command failed because connection timeout. But I cannot be sure! Let's get eyes on this!
Jason: Or at least the confirmation message from the reverse shell failed to arrive
Harlo: Right—that's what I thought. But you make a good point. IIRC he deleted everything including the reverse shell.
Jason: So that would explain the timeout on the command. Experiment needed to confirm :)
Harlo: Is this a race condition thing?
Yael: I couldn't tell whether he was doing CTF or closing the backdoor. Was he supposed to solve CTF real quick and then close the backdoor?
Jason: I think he was just closing his backdoor.
Harlo: He was supposed to solve the CTF for a team by faking their score? And then get them to move on so he could use their computer?
Micah: If you freeze the frame where they're talking about the C2 listener, he's running a program called rwwwshell-2.0.pl. I looked it up, it's basically an old-school reverse shell running on port 80, disguised as a website to get through firewalls. Here is a paper about it. Also, there's no way he'd actually be using that tool. It's from 2002.
Jason: Also, one would have to imagine that old a reverse shell tool would be caught even by E-Corp.
Freddy: Well, Equifax didn't notice 30 shells on their production servers, so...
Jason: Yeah, but nobody would use that old Perl code, at least something a little more modern looking.
Micah: But also in that frame, did anyone spot the Easter egg? He was taking over the command and control server by hacking a domain name registrar to update the nameservers
Jason: Yes, Micah. Hacking a domain registrar seems non-trivial.
Micah: The CTF scene ended with browser windows with https://www.maindomain.co/doma... open on his screen.
I think that may be a CTF Easter egg challenge. I tried solving it some last night, discovered some things but didn't get it. The maindomain.co site lists the domain name ruxmsu9u.net.
$ host ruxmsu9u.net
ruxmsu9u.net has address 220.127.116.11
ruxmsu9u.net mail is handled by 10 inbound-smtp.us-east-1.amazonaws.com.
If you load http://ruxmsu9u.net it redirects to https://www.ruxmsu9u.net which is actually a different server, but if you load http://18.104.22.168/ without sending the "Host: ruxmsu9u.net" header, you get a different vhost. I poked around more, found some interesting stuff, especially if I manually change my host header
Yael: So if we move on to the chase scene—how do you plug in a license plate number and then get a VIN number and shut down a car, do you have to be a cop? Or a pretend cop?
Micah: He was pretending to be a cop.
Harlo: Ex-cop. He is probably an ex-fed, who still has access, like a lot of private investigators.
Jason: Or even not ex.
Freddy: Chase scene was the worst. Totally unrealistic. FBI does not follow with one car!
Matt: You call OnSTAR, report it stolen, "prove" it's you and you pay for OnSTAR security. Then boom cops get tip off and car is slowed. Subscription pays for itself. They can also lock the engine block.
Yael: Maybe FBI would follow with one car if it was just low-level surveillance? Though seems like Elliot is past that point.
Matt: If it was one field agent, it would be one car.
Jason: They would call in backup if that happened.
Freddy: Surveillance teams usually work in pairs, at least 4 but often as high as 8. One person falls back, the next team picks up a block over.
Yael: If he's current FBI, why would he have to warn/rescue Elliot and Darlene from FBI? Couldn't he just say, "I got this"?
Jason: Were the followers FBI or Dark Army? Was that really clear?
Micah: I think both.
Yael: Irving said it was FBI.
Harlo: I have to appreciate the car chase escalating in intensity as the guy reads out fucking VIN numbers.
Matt: I think it could buy you time to slip away from one agent, but if you are the subject of an investigation and it's this big, because they are following Darlene after questioning, it could be one person doing follow up tag. But I don't think it would warrant more than one person to follow or door knock a person of interest.
Jason: Or was that SUV even set up by the "fixer" guy? Get a buddy to rent a Suburban, follow you around, have them call his cell phone and act like on-star, then hit the brakes
Matt: I like the way you think. TRUST NOTHING, it is Mr. robot after all. It's masterful directing to make VIN numbers feel that REAL.
Yael: After that scene was the revolutionary one where Elliot got us riled up about the evils of capitalism but was also upset that he contributed to four people's deaths. They turn our dissent into intellectual property y'all.
Matt: WORST SCENE EVER. *Vomit.* My love of Elliot is lost!
Harlo: It's totally like Eminem rapping.
Matt: Because Elliot was an anarchist superhero. We CAN blame capitalism. We can blame governments. It's like a revolutionary being like, "you know, we should just try to vote our way to a better America."
Jen: There was fsociety merchandise in the storefronts during the "fuck capitalism" part of this segment ;)
Yael: Oh, and there's a Trump cameo.
Freddy: The show producers tried to make it somehow relevant to the political turmoil in our current times but also link it to previous season 2 and connect the two (the political times and S3E1).
Matt: Agree. Don't put Charlottesville footage in there.
Micah: Did you notice the timing of the shots with the dialogue? Elliot says, "What if instead of fighting back we cave. Give away our privacy for security," and it shows Trump, and Theresa May. "What if we choose weakness over strength?" Trump's inauguration. "Blame all the world's leaders for aiding and abetting them." Shows Putin on video screens.
Jason: The problem with any show that gets too tied in to "real time" is that reality changes and it's sometimes hard to keep your plot in sync.
Yael: Okay, so let's talk about the Tyrell scene with Shodan.io. One of our future chat members said that looking for Tomcat on Shodan is usually a good place to start during recon.
Matt: Shodan, the search engine of things, made more powerful in the age of Alexa & Google Home. I pay for 100 queries a month that I never use.
Yael: Here's a fun DEF CON talk:
Jason: Tomcat is very common for running enterprise software. He searched for Alfresco which is an enterprise content management system
Freddy: Shodan is good, but most enterprise don't publish the software they use, it's usually behind load balancers.
Jason: People mess up and put enterprise apps on the internet all the time.
Matt: Also on AWS leave things open and online.
Freddy: Shodan is okay, Fierce is another good one for mapping infrastructure. Web apps are usually not going to get you in.
Matt: Nah, won't get you in at all, but if you wanna do a House of Cards style traffic cam hack, it's a start. Pray for default passwords. admin:admin.
Jason: The top result on the search was an Apache Tomcat server supporting tls 1.0-1.2, using Apache Coyote 1.1. I'm not familiar with Coyote but when I searched that version, Google auto-suggested "vulnerabilities" and there's a Metasploit module from what I saw. The fact that it isn't only accepting TLS 1.2 only also seems like a bit of a flag that it isn't being updated or aggressively secured.
Matt:Ha! Yeah, Google & https://www.exploit-db.com your way to pseudo hacking the thing. Shodan and some time....
Yael: Anyone have any predictions for next episode or anything to add?
Jason: Why doesn't fsociety just blow up the building with a botnet of hoverboards?
Yael: Can they get the people out first?
Freddy: Next episode, we need more haxx.
Matt: Yeah, I wanna see more scenes like the CTF. I was SO HAPPY to see that in there.
Micah: For most good CTF challenges you have to sit down and develop an exploit, which takes a bit of time, a lot of testing, and often like working in a debugger.
Freddy: Yeah, the CTF is good but could be more realistic, basically 10 people sitting in quiet :)
Yael: With pained expressions.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.