Hackers rollerbladed into theaters almost exactly 30 years ago. The 1995 movie features young, fashionable, rebellious techies (Jonny Lee Miller, Angelina Jolie, Matthew Lillard, and others) as they go up against a corrupt security officer (Fisher Stevens) framing them for an oil-tanker cyberattack.
The film is filled with additional, less final-level hacks that range from realistic to eye-rollistic, including but not limited to streetlights, class schedules, permanent records, and school sprinklers.
Nathan Hunstable remembers watching Hackers shortly after its release, when he was a young teenager who had “zero interest in computers.” Now CISO at CEC Entertainment, owner of Chuck E. Cheese, Hunstable’s interest in computers has upped a bit.
We asked the CISO (who began his IT career as a movie-theater network admin) a simple question with a complex answer: How does Hackers—and its many hacks—hold up? Get your popcorn ready. Some security threats—like social engineering—never die.
- In the opening scene, a TV-station employee is socially engineered to provide a modem number, which then gives Dade “Zero Cool” Murphy (played by Miller) access to the VHS tape delivery system and on-air lineup.
What’s (very) real: The underlying aspect of social engineering in the cyberattack is “very real,” Hunstable told IT Brew. In this case, Dade pretends he catastrophically lost an important file and calls a security guard with fake desperation; he needs the guard to share a nearby modem number to solve his disaster. As a CISO, Hunstable trains teams to be ready for exactly this kind of social engineering attack, which can even include someone pretending to be from an IT department or internet company, to try and gain access to server rooms, he said. He also makes sure a small subset of people have permission to access-critical functions. On top of all that, the IT team rarely talks on the phone. “If somebody were to call up any of my people in a couple of my departments, they’d be like, ‘Why are you even calling me?’” he said.
What’s not: Two robotic mechanisms—controlled by competing hackers—fighting over a VHS tape. “There’s an assumption throughout this entire movie of speed or bandwidth. I mean, some of this stuff just would have taken so long,” Hunstable told us.
Also, dialing into a modem is only half the hack. With a modem number in hand, Dade calls into a single one-off terminal, not a big mainframe-like machine that could potentially call out to another service like a VHS-tape dispenser, according to Hunstable. “Being able to hack something and then all of a sudden you have control of somebody’s computer is certainly possible in some instances, but for the most part, that’s an overexaggeration of what hacking actually is,” Hunstable said of the scene.
- Dade activates the school’s sprinkler system and makes it rain in the hallways.
What’s real: At Chuck E. Cheese, Hunstable has to protect thousands of internet-connected devices, including card readers, cameras, animatronics systems, and sprinklers—tech that’s segregated via firewall rules that isolate or block unapproved connections and traffic. For optimum security, he segments as much as possible. “We have things that I can’t manage from here that I have to go be standing physically in front of,” he said. “If it’s that critical, it needs to be out-of-band.”
What’s not: A sprinkler system connected to the Internet circa 1995 “seems like a terrible design,” Hunstable said.
- Fellow hacker Kate Libby (aka “Acid Rain,” played by Angelina Jolie) adds 113 traffic violations and a DUI offender status to a Secret Service agent’s record.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
What’s real: Any changes from the inside, including database ones, will inherently “look legitimate.” To account for the insider threat, Hunstable reemphasized the importance of restricting critical permissions and monitoring permissions—a common safeguard to stop a rogue change.
What’s not: Hacking federal agencies isn’t easy; a system would have to be “completely ignored or mismanaged,” he said. “Could a nation state or the best hackers in the world probably do it? Absolutely, if they had months or years to figure out ways to get in and find those loopholes and social engineer or [conduct] physical reconnaissance and all that. Could some kids jump on a pay phone and hack into it? More than likely, no.”
- The finale: A computer worm designed to cause an oil spill.
What’s real: Cyberattacks have impacted the maritime industry, including a 2017 malicious-software outbreak on the network of shipping conglomerate A.P. Møller-Maersk; the “NotPetya” attack caused reported damages of $300 million. Maritime cybersecurity is its own industry today; with modern boats, “everything’s on the internet,” Hunstable said.
The 2024 cybersecurity guidelines from the Baltic and International Maritime Council (BIMCO) revealed how a company’s IT department upgraded a power management system and discovered “a dormant worm that could have activated itself once the system was connected to the internet and this would have had severe consequences.”
What’s not: “I think that was something that they sensationalized in the movie, but is incredibly more realistic nowadays,” Hunstable told us.
Lightning round: Realistic or not?
- Hacking in sunglasses. “Hell no. I couldn’t. I’m 42 years old. I can barely see in this bright room that I’m in now.”
- Crashing 1,500 computers in one day. “Sure, in a sense, that it probably could have happened. Would it have happened to that scale? Because they make it seem like all these things are stitched together into some sort of network…Back then, you were still dealing with the majority of systems not even online.”
- Someone not reading a security officer’s “carefully prepared memo on commonly used passwords.” “That was a problem back then, and it is a problem now…I can do all the training I want. I can do all the memos I want. We send out weekly newsletters. None of it matters if people don’t read it and they actually learn from it, abide by it, listen to it.”
Or if it’s a movie: Watch it.