One of my exploits was on NCIS and Hollywood got it wrong

Imagine my surprise – and delight – when one of my exploits ended up on NCIS Season 16 Ep. 14 – Once Upon a Tim.

Screenshot of “Once Upon a Tim” from NCIS Season 16

This exploit, from ExploitDB, takes advantage of a Remote Code Execution vulnerability in the software package H2 Database. What that means is that, using this exploit, an attacker can run any code he or she wants against a target running the vulnerable version of this software and take control of that computer. Ignoring the fact that Desktop never was in C:\, that there was no desktop in the time period this episode was supposed to take place, and that the H2 Database software has nothing to do with free phone calls … where was I? Oh, the first few lines actually make sense. Kind of. But that’s where it all falls apart.

This post is to highlight how, although Hollywood has made progress in portraying information security and IT as a whole, there are still things that can cause confusion. Mubix really made some good points in his Twitter post, so I won’t go through those again, but instead I want to cover a few different things.

On the surface, it’s easy to say “it’s a TV show, what does this hurt?” It’s not wrong to say that. But TV shows and movies are also in a great position to educate the public, rather than sensationalizing.

In my day job, I look for ways to break into systems. I exploit weaknesses in a network to get access to the sensitive data the business wants to protect. Of course, this is all with permission and approval, so entirely legal. But when Hollywood sensationalizes, it becomes harder to educate those who are interested. Yes, Hollywood sensationalizes and gets technology wrong in part because it’d be a bit boring otherwise. It can take days or even weeks before I find what I need to gain access to a system. It’s not always as simple as just running an exploit. I wrote the exploit used in this episode because one didn’t exist already for the situation I found. That takes research time. It also takes research time to find where to run the exploit you want, find the exploit for the situation you have, and test it to make sure it works.

With a bit of research, NCIS could have found a more time-appropriate exploit, though I do appreciate some attention. 😛 And that’s really what my concerns come down to – the research on tech in shows like NCIS. I wrote this exploit in late 2018. This episode was supposed to be in a time period where dial-up was still prevalent for consumers. There are more time-appropriate exploits that could have been used, and it would show some attention to detail.

How does this hurt educating the public?

If the public sees “run an exploit, you’re in” constantly on TV shows, or this:

then it’s going to make it harder to get people to take appropriate steps to protect themselves. Imagine if a legitimate social engineering exercise was shown on a TV show (and a bit of Hollywood fluff added for entertainment) and they talked about how people should verify what someone is saying, or if NCIS talked about the dangers of using password123 as your password. Hollywood would be in a great position to entertain and educate the public, without needing to go into complicated exploit development or Kerberoasting discussions.

So NCIS, I’m available if you want an advisor.