Behind the scenes of the Emmy-winning series with its real-life information security consultant.
With the Season 2 finale of “Mr. Robot” upon us this Wednesday — and Sunday’s Emmy Award win for Rami Malek as Outstanding Lead Actor — it feels like an appropriate time to reflect on my own involvement with the show as a technical consultant, and, more broadly, the show’s implications for information security.
The technical questions I was asked by the show’s writing staff threw me off balance on several occasions, because what they wanted the characters to do was on a larger scale than the types of attacks I was accustomed to contemplating. Thinking about how to compromise a web server and then pivot to a database server to get at some data, for example, pales in comparison to executing a crypto-ransomware attack like the one against E Corp. And that attack, as it turned out, was only the beginning.
The exercise of planning some of the show’s hacks is certainly interesting, but the more dire the consequences, the more difficult it becomes, because what’s being shown could — and in some cases has — happen(ed).
The question I get asked most often is “How did you get involved?” with this show that has been praised for its “unusually accurate portrait of hacking” used by our heroes against the evil E Corp.
A long time ago, in an office building far, far away, I worked with the [now] staff writer and tech producer Kor Adana. I was responsible for IT security, and Adana was a trusty lieutenant. We worked on a lot of things, but the best project we ever collaborated on was only loosely work-related. Specifically, we may have used some hacking tools in order to remind a free-riding coworker that, in order to partake of the donuts that magically appeared every Friday, you were supposed to sign up to periodically provide said donuts. When his browser wouldn’t take him anywhere on the internet except the Dunkin’ Donuts website, the message became clear and justice was served. Those hijinx may have been what sealed the deal for Adana and I.
Years after that stunt, we ran into each other in LAX, and Adana mentioned that he had something in the pipeline that he couldn’t talk much about, but which had him very excited; he asked if he could “call with questions” if it came together. A few months later, the call did come with the introduction: “You’re on speaker with the writers’ room …” which is a surprisingly disorienting phrase when your day job is not in Hollywood.
By the way, astute “Robot” watchers may have noticed that a certain minor E Corp executive and I have something in common. The character’s name — James Plouffe — and his untimely end — he committed suicide on live TV — were part of the “compensation” for my work during the first season.
Kor had intended this as a surprise which, owing to the studio’s legal obligations, got revealed earlier than planned: it turns out that someone insisting “he’ll totally think this is hilarious” does not provide attorneys with the same level of comfort as a signed agreement promising not to sue over things my namesake does on screen. In hindsight, it made me wonder what trauma I had inflicted to warrant being dispatched in such a fashion but — for the record — I did think it was hilarious. Though my character was short-lived, you can see nods to my continued involvement in the Season Two references to the water contamination in Flint, Mich., seen throughout the E Corp Risk Management department.
How does it all come together?
Like most successful enterprises, making it happen is a team effort. The writers’ room for “Mr. Robot” typically starts up in mid-fall, and after they’ve sketched out some of the broad arcs, the tech consulting team (led by Adana and comprised of Michael Bazzell, Ryan Kazanciyan, Andre McGregor, Marc Rogers and myself) get to work. In many ways, we’re in a parallel writers’ room: While the rest of the writing staff are working on the what, where and why, we’re focused on the how (with Adana as our conduit to the show’s universe).
When I’m asked what it’s like to work on the show, I share the IT urban legend about an angry customer demanding that a technology vendor send its 10 best engineers to help the customer design a fix for a problem introduced by the vendor’s hardware. The vendor account executive politely declines by explaining that if you put 10 smart people at the same whiteboard, one will be writing and the other nine will be erasing.
That’s exactly the way it feels sometimes as we hammer out the particulars of how the characters will perpetrate their various miscreant acts. Each member of our team has a different background and perspective, so we come at the objectives from different angles. As such, we usually have to spend a little time arguing to make sure the ideas we’re proposing account for the latest security research, and that they pass a “MythBusters litmus test”: Is it Busted, Plausible or Confirmed?
Obviously, Busted is an immediate disqualification, Confirmed is usually acceptable, and Plausible is the subject of additional scrutiny, research and debate. We spend a lot of time on this because, in addition to making the attacks realistic, we also want them to be timely.
Why do other shows (and movies) get it so wrong?
Much has been made of “Mr. Robot’s” fanatical attention to technological detail, which stands in stark contrast to the depiction of technology in most other forms of visual media. Executive producer and head writer Sam Esmail deserves a lot of credit for empowering Kor to get it right. They have the dedication of documentarians when it comes to showing technology and hacking as they are. The amount of time we spent vetting which actual models of smartwatches could be successfully compromised to attack Susan Jacobs’ home automation system in the Season Two premiere, the construction of Samy Kamkar’s Magspoof, as well as the “cantennas” (Wi-Fi signal boosters made from Pringles cans) that Elliot and Darlene use are just a few testaments to that dedication.
The particulars of the show’s devotion to accuracy have gotten a lot of coverage elsewhere, but it begs the question “Why isn’t that devotion shared?” It’s probably less a case of not sharing and more a case of not understanding, combined with the wrong people being in the right place at the right time.
Early depictions of computers in movies were confined to “green screens” (text-based terminals that were the interface to mainframes, not to be confused with the green screens that are used for image compositing and visual effects). As computer technology matured and Hollywood began to rely more on computer generated images (CGI), the folks recruited to be technical consultants were often computer graphics wonks — as opposed to IT professionals — so they had a feel for some operating system fundamentals, and they knew a lot about building and animating amazing 3-D models, but they didn’t really have a perspective on how technology got used in a typical corporate setting. As such, the depiction of computers evolved into a lot of dazzling (if unrealistic) animations.
One other way that popular entertainment misses the boat is by treating “hacking” as a deus ex machina. Because hacking isn’t usually the centerpiece of a typical drama, it is easily relegated to the role of shortcut. Hacking is how other shows get from Point A to Point B without doing a lot of heavy lifting; if one character needs something, a second character can “hack” something to get it so that things can move forward. It doesn’t need to be right, it needs to be fast because it is a tool of convenience, not plot development.
Will it make a difference?
The late, great playwright Edward Albee is credited as having said, “the function of art is to bring people into greater touch with reality …” I certainly hope that “Mr. Robot” accomplishes that. The show is tackling a lot of issues that are relevant to all of us, not the least of which is cyber security.
Technology is so pervasive that it has become an afterthought in spite of the fact that, at the risk of sounding melodramatic, it’s the center of an arms race. Technology has become inextricably intertwined with our business and personal lives, but we don’t always exercise appropriate levels of caution or skepticism with regard to how we use that technology. In fact, we often use technology in a way that would be analogous to driving without seat belts or not having door locks on our homes.
I hope that “Mr. Robot” has helped make people more mindful by illustrating the potential dangers, and that we will all place greater value on cyber security as a result.
James Plouffe has worked in networking and IT security for more than 15 years, in organizations ranging from startups to the Global 10. He is a lead solutions architect with MobileIron, and a technical consultant for the award-winning hacker drama “Mr. Robot.” Reach him @MOBLAgentP.