Untraceable or Uncatchable?
Brian Krebs
On Friday, I caught a showing of "Untraceable," a horror/thriller flick about a serial killer who relies on computer insecurity to help him broadcast his crimes onto the Internet.
Far too many hacker movies completely flub the technical details, and from viewing the trailers I was certain this one would as well. But the film actually got most of its Internet facts right (never mind the bit where the bad guy remotely hacks a car, or the laughably inaccurate point-and-click trap-and-trace capabilities of the FBI agent played by actress Diane Lane). Still, it wasn't that great of a flick.
But one theme of Untraceable that I thought noteworthy was the power that cyber criminals wield with legions of hacked computers at their fingertips. I think the movie also helps frame a healthy debate over whether the most-wanted cyber criminals are in fact untraceable or just uncatchable.
First, a quick synopsis of the film (spoiler alert: It's entirely possible that some portion of what follows will ruin an important surprise of the movie). The psychopath in the movie murders his victims for everyone to see in real-time by streaming live video of his captives' plight to an Internet site. The victim in each murder is confined to some kind of automated death-inducing apparatus whose operation is hastened commensurate with the increase in hits on the site from curious visitors.
The film's engine of death is a cutting-edge type of "botnet," or amalgamation of hacked PCs that are remotely controlled by criminals, typically for use in sending spam or hosting scam Web sites.
In the old days (pre-2006), crooks hosted fraudulent or illegal Web sites at static Web site addresses that could be targeted and darkened by Internet service providers or law enforcement. Nowadays, criminals are increasingly turning to so-called "fast-flux" botnets to keep their scam pages online indefinitely.
Let's say the fraudster's site is "scammer.com." With fast-flux, the numeric Internet address attached to scammer.com changes every few seconds or minutes. For example, if Alice visits scammer.com at 10 a.m., and Bob types the same Web site name into his browser a few minutes later, Bob will see the same content as Alice did, but the content will be served from a different compromised computer within the botnet.
From the bad guy's perspective, the beauty of this approach is that by the time law enforcement officers or ISPs deep-six the Internet connection of a customer PC found to be used in a fast-flux scheme, the fast-flux site content will have long ago moved to yet another hacked PC.
The single constant in this scheme is the domain name that is used to hand off the visitor's request to any one of thousands of PCs that could serve up the content. While law enforcement can pressure domain registrars to revoke the registration for Web site names found to be used in fast-flux networks, the scammers can simply register another domain, or switch to a registrar that is far less responsive.
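The behaviour described above (one constant domain name, a numeric address that changes every few seconds or minutes, hosts scattered across many networks) is exactly what a defender can look for in passive DNS data. The following is an added example, not code from the article: it parses a small constructed log of A-record answers and flags a name as a fast-flux candidate when three signals coincide. The thresholds, the log format, the names bank.example and cdn.example, and the use of /16 prefixes as a stand-in for ASN diversity are all assumptions of this example; only scammer.com comes from the text.

```python
"""Flagging fast-flux candidates from passive DNS observations.

Added example for the fast-flux discussion in the article; it is not the
article's code. The heuristic is an assumption of this example: a name whose
successive lookups return many distinct addresses, spread across unrelated
network prefixes, with very short TTLs, behaves like the scammer.com case
in the text, whereas an ordinary site resolves to one stable address or to a
small pool inside a single provider's prefix.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import ipaddress
import re

# Constructed sample log (not real traffic). Each line records one A-record
# answer: "<timestamp> <name> A <ipv4> ttl=<seconds>". Addresses are taken
# from the RFC 5737 documentation ranges, so none of them points at a real host.
SAMPLE_LOG = """\
2008-01-28T10:00:00 scammer.com A 192.0.2.17 ttl=60
2008-01-28T10:00:30 scammer.com A 198.51.100.44 ttl=60
2008-01-28T10:01:05 scammer.com A 203.0.113.9 ttl=60
2008-01-28T10:01:40 scammer.com A 192.0.2.201 ttl=60
2008-01-28T10:02:15 scammer.com A 198.51.100.130 ttl=60
2008-01-28T10:02:50 scammer.com A 203.0.113.77 ttl=60
2008-01-28T10:00:00 bank.example A 192.0.2.80 ttl=3600
2008-01-28T11:00:00 bank.example A 192.0.2.80 ttl=3600
2008-01-28T12:00:00 bank.example A 192.0.2.80 ttl=3600
2008-01-28T10:00:00 cdn.example A 203.0.113.10 ttl=60
2008-01-28T10:01:00 cdn.example A 203.0.113.11 ttl=60
2008-01-28T10:02:00 cdn.example A 203.0.113.12 ttl=60
2008-01-28T10:03:00 cdn.example A 203.0.113.10 ttl=60
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<name>\S+) A (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ttl=(?P<ttl>\d+)$"
)


@dataclass
class NameStats:
    """What has been observed for one domain name over the whole log."""
    lookups: int = 0
    ips: Set[str] = field(default_factory=set)
    # /16 networks: a crude, offline stand-in for "how many different operators
    # host this name"; a real deployment would map each address to its ASN.
    prefixes: Set[str] = field(default_factory=set)
    min_ttl: Optional[int] = None


def parse_log(text: str) -> Dict[str, NameStats]:
    """Aggregate A-record answers per name; malformed lines are skipped, not fatal."""
    stats: Dict[str, NameStats] = defaultdict(NameStats)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        s = stats[m["name"]]
        s.lookups += 1
        s.ips.add(m["ip"])
        # Collapse each address to its /16 so that a pool of hosts inside one
        # provider's block counts as a single prefix rather than many.
        s.prefixes.add(str(ipaddress.ip_network(m["ip"] + "/16", strict=False)))
        ttl = int(m["ttl"])
        s.min_ttl = ttl if s.min_ttl is None else min(s.min_ttl, ttl)
    return dict(stats)


def is_fast_flux_candidate(s: NameStats, min_ips: int = 5, min_prefixes: int = 3,
                           max_ttl: int = 300) -> bool:
    """All three signals must be present at once. A short TTL alone is not
    enough: content-delivery networks also rotate addresses quickly, but within
    a few prefixes they own, and that is the false positive this rule avoids."""
    return (len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes
            and s.min_ttl is not None and s.min_ttl <= max_ttl)


def classify(text: str) -> Dict[str, bool]:
    """Map each observed name to True if it looks like a fast-flux candidate."""
    return {name: is_fast_flux_candidate(s) for name, s in parse_log(text).items()}


if __name__ == "__main__":
    for name, s in parse_log(SAMPLE_LOG).items():
        verdict = "FAST-FLUX CANDIDATE" if is_fast_flux_candidate(s) else "ok"
        print(f"{name:<14} lookups={s.lookups} ips={len(s.ips)} "
              f"prefixes={len(s.prefixes)} min_ttl={s.min_ttl}  {verdict}")
```

Run as a script it prints one summary line per name; only scammer.com is flagged. The cdn.example entries are there deliberately: they have the same 60-second TTL and several addresses, but all inside one prefix, which is why TTL alone must never be the trigger. In a real pipeline the /16 grouping would be replaced by an ASN lookup, and the thresholds tuned against the resolver's own baseline.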
I purposefully avoided reading critics' reviews prior to seeing the movie, but when I was researching show times I came across an article at MTV.com that quoted an ex-FBI agent as panning the film's premise, essentially saying that the idea that people can be anonymous online is an illusion.
The story quotes former FBI special agent Ernest Hilbert: "There's been a number of sites I've gone after where people have done similar things. These would all be things that the FBI would eventually figure out and track back. [It would] probably take upwards of a couple months, locking it down to each particular thing."
Hilbert is technically correct. Nothing is untraceable online. But the reality on the Internet today is far less cut and dried. If they apply enough resources and pressure, law enforcement investigators can eventually trace the origin of these fast-flux sites back to the "mother ship," the very servers responsible for pulling all the strings. But that accomplishment means little if U.S. authorities can't convince the law enforcers in the mother ship's host country to prosecute or at least pull the plug on the bad guys.
The unfortunate reality is that U.S. law enforcement and private security professionals already have traced the origins of some of these fast-flux fraud networks, only to find that they originate in countries where we have little political or legal influence.
Right now, the bad guys are using fast-flux networks mainly to fleece Americans. Maybe one day true psychopaths will use them in the way depicted in this film. I've always maintained that the problems of Internet and computer network (in)security won't seep into the public consciousness until people start dying because of security vulnerabilities.
When this happens, however, it will more likely be the result of weaknesses in the digital systems that control essential public utilities such as power and water, complex systems that for a variety of reasons are increasingly being connected to the Internet. This is not as far-fetched as some would have you believe. The CIA last week divulged that hackers had darkened cities in other nations by attacking weaknesses in the computers that controlled distributed power networks.
Anyway, I can't recommend seeing this film, chiefly because I found it frankly insulting (not to mention gruesome): By virtue of watching the movie, we are led to believe that each of us is yet another tiny cog in the distinctly American voyeurism machine that churns out these kinds of unfathomable sociopaths.
David Perry, director of education for computer security firm Trend Micro, said he, too, thought the movie came closer than perhaps any other to getting the technical details right. Still, Perry said, he wouldn't recommend the movie to a friend.
"It's really sad that the first hacker movie to not be completely laughable from a technical perspective is a movie that nobody is going to see," Perry said.