What kind of notes would you give the director?

Well, in an earlier version of the script, the... I'm trying to phrase this without any spoilers. At one point the Chicago commodities exchange gets hacked and in an earlier version of the screenplay it was conceived that the exchange's servers were air gapped, which means they weren't connected to any network. They were physically isolated, electronically isolated. So that doesn't work because commodities exchanges are by nature not air gapped. They're extremely wired. They have high-speed connections to traders and trading platforms.


So we had a discussion about ways we could make the system secure and force an attack to come from the inside without going to the extreme of an air gap, which doesn't work. Then we just developed the idea that they would have extremely strong perimeter defence and a good firewall and they'd perform de-packet inspection and they'd have an intrusion prevention system that responds to attack and that wound up being in the film.

So in terms of real-life application, what you think constitutes terrorism in hacking, and where do we draw the line?


So far the only real terrorism we've seen in hacking is when, as with the Sony attack, there's an actual terrorist threat at a company. My own feeling is that's probably going to be as close as we get to terrorism. I don't think we're going to see attackers actually causing the kind of kinetic effect that takes lives or injuries people physically. I think terrorists will probably still be using crude physical attacks in the future.

I think sometimes people overreact because they don't understand what cyber crime is.


Well, Sony was a serious attack. That attack hit a lot of innocent people. I don't think there was an overreaction to Sony. In the general matter, I think, yes, people overreact. Like the CENTCOM hack, CENTCOM's twitter feed was hijacked, and some people reacted as if this were CENTCOM's own systems being hacked and defense data was at risk. And of course it never was, it was just a twitter account being hijacked like it happens every day. Sony, though, was serious. You had people working without computers in an active entertainment company for like a month. Not to mention all the personal health information and private data were released.

There's a scene in the movie where an NSA guy falls for a phishing attack and clicks on a file called "black widow." And I had to laugh a little bit because I feel like, wouldn't a guy like that be trained not to fall for something like that?


Oh, a guy like that would fall for something like that. That's how most sophisticated attacks begin these days, with what's called a spear phishing attack, so it's a phishing attack that's custom crafted to get a particular person. So it comes from somebody that that person knows. And it's an email that they're expected or that seems right for whatever's happening at the time. So that part is completely plausible.

The part where the phishing attack gets you into a classified top secret unified system, that's absurd. But the idea that an NSA would click on an email like that is completely feasible.


And to have one of your guys played by Thor?

I mean, yeah, most hackers are better looking than Chris. (laughs) But he did a fine job.


So far the feedback I've gotten from computer security geeks who've seen the film has been positive. So far, at least the people that have reached out to me that have talked about it have had good things to say about the level of authenticity. Obviously it's not a documentary but as far as, you know, like Hollywood blockbuster treatment of computer hacking, I think this is the most authentic that's been done.

Blackhat hits theaters today, January 16.