Security In Media: Scorpion - S1E1 - Pilot

Overview:

Scorpion is a new show on CBS about a group of genius misfits who are geniuses. That may sound redundant, but it's far less repetitious than how this show beats you over the head with how genius these genius-level geniuses are. If every letter in the word "genius" was a genius, then the level of genius-ness of one of these geniuses would be some large number instances of the word "genius." A number so large I can't even think of it because I'm not a genius. Of course, since they are geniuses and this is Hollywood, they are also socially inept criminals. Because, you know, the idea of a group of geniuses successfully and cooperatively working for the government is just too bizarre for people to handle.

But, this is not about the dissection of cliche TV tropes. It's about Information Security in Media. While it doesn't appear that this show will solely be about things IT related, they chose that as their plot for the premiere episode. The premise is this: communication software for the LAX airport control tower was just updated. That update contained a bug that crashed the software, severing communication between the control tower and incoming planes. While they were able to redirect some of the planes destined for LAX, there are others that are too close to LAX and too far away from other locations to be contacted. They need to get the software up or those planes will run out of fuel and crash.

Spoilers and foul language ahead

The Problem:

Software updates have bugs all the time. We know this because we are always constantly updating our software. Adobe. Java. Windows. Update. Update. Update. Microsoft has "patch Tuesday" because it updates once a month. Adobe might as well have patch "1 o' clock." Is it possible for a software update to have a patch that crashes it and renders it unusable? It's possible, but unlikely.

Patches and updates don't appear out of thin air. Someone (or many someones) have to create and develop them, and no company or team is going to send out a patch they didn't test themselves. Testing can't eliminate all problems, and crashes can happen rather frequently when you are dealing with interactions among different applications. For example, I have an applications with a database back-end. Upgrading either component may break that connection and prohibit the functionality of the application (because it can't communicate with the database). But that doesn't seem like what's happening here:

This seems like some sort of proprietary operating system that can't even start up because of this update. It may be a hardware issue, but we can only speculate.

However, the real problem is the nature of this update. Where did it come from? The original software is 15 years old and the company went out of business. So who is creating and sending out updates?! If you look at the screen grab above, the date of the revision coincides with the "15 years ago" date, but it should be the date of the revision itself, which is only 45 minutes old. There is no explanation for what's going on.

This is actually a not uncommon problem. Companies go out of business all the time. If your organization relies on software from smaller companies, it is prudent to consider the risk that the company will go out of business or otherwise stop providing support for the software. This can be mitigated through the use of software code escrow or by transitioning to different software maintained by a different company. Clearly someone is maintaining the software here, because they're creating and sending out updates. Why not contact them?

The Solution:

Not to spoil the ending, but the solution is basically to find an unaffected version of the software and re-install it. In other words: restore from back-ups. Genius (did I mention these guys are geniuses?). Back-up solutions are basic information security practice. And while not everyone follows basic information security practices, LAX is practicing it here! They have back-ups. Those back-ups are updated every 12 hours. If all that is required is to restore from an unaffected version of the software, and they have that right there, then: problem over!

Yet, for some reason (other than manufactured TV drama) they can't restore from those back-ups. Not that the back-ups are inaccessible (they are in danger of being overwritten) they just can't use them. Don't know why, because the show never addresses that as an option (despite the room full of genius geniuses) and their solution is to get the physical copy of the off-site back-up and e-mail it someone to install it.

Seems rather inefficient. Not that I doubt that a 15 year-old program is small enough to be e-mailed, but they never address how this is going to fix the problem. It's just "click the link" and -poof- everything is fixed. The dialogue of the show implies that a single instance of the clean software will be automatically distributed to everywhere else. This implies some sort of central management and distribution server, which means they need to install the clean software wherever the software is centrally managed, not just on some random workstation.

But, alas, though they gain physical access to the back-up copy, they can't e-mail the software to the intern (though he's clearly trying to ftp it), because the software is corrupted because the genius shrink let it sit next to the car speaker:

So sad. Except... not quite. Yes, it's common knowledge that magnetic fields can wipe and corrupt magnetic media such as hard disk drives. Degaussing is an official method for doing so. However, it requires extremely strong and concentrated magnetic fields. Wrapping a hard drive in a towel and having it rest next to a car speaker simply isn't going to do it. It's more likely the file is corrupted because the update had already started and they yanked the hard drive out in the middle of it, or they physically damaged hard drive when they yanked it, or the hard drive was part of some sort of RAID array and all the information is useless because they don't have the other hard drives that make up the array.

At the end of the day, they don't have the back-up software and apparently there aren't any older offline backups. Backing up every 12 hours is nice, but having only one instance of back-ups is not. Any number of things can make a back-up unusable, so online back-ups are almost always supplemented by saving back-ups to tape, usually for a year or more. It's probable that this is the case, but no one is there in the 24/7 shop to ask, suggesting that LAX needs to reevaluate its service contract.

So where to get a clean copy? From the planes! You see, some of the planes were out of range of LAX when the update started, so they never got a corrupted copy. So all they need is a clean copy from one of the planes and they're good. This is somewhat disturbing. As I said at the beginning, problems with updates happen all the time, yet LAX just automatically installs updates whenever they are available? Even to planes currently flying in the sky?! Best practices recommend that all patches and updates be installed and tested in a development or testing environment to determine any adverse affects before pushing out to production systems. Even then, basic common sense would suggest that you don't update the software of a plane WHILE IT'S IN THE SKY.

How do they plan to get the software off the plane? Obviously have the plane fly low enough for our genius hero (or is that hero genius? I don't know, I'm not a genius) to grab it via the plane's WiFi. But their WiFi only has a range of 100 feet (despite airlines offering full WiFi service nowadays) so the airliner has to buzz the control tower. But it doesn't work. Not because the few seconds the plane was in range was too quick for him to establish a wireless connection, locate the file on the computer system of the plane, then download it to his laptop, but because of "speed differential." Listen, I'll admit, I don't know if that's a valid problem. Maybe speed differential is an issue. How do they solve this problem? By eliminating the differential! He carjacks a really fast car and drives the same speed as the plane. Sounds good, except for some reason they need to connect physically to the plane!

Now, I've seen some ridiculous stuff. I've seen two people on one keyboard, I've seen hacking depicted as a war of moving windows around, but this takes the cake. He says to compensate for the speed differential he has to "hard-wire" the wireless connection.

Let that sink in. In order for his wireless connection to work, he has to connect a wire to his laptop. Amazing. Sorry, not amazing. Genius. Only a genius would think of using a wire to establish a wireless connection. And, as a testament to his genius, the file downloads and immediately updates and fixes all the other instances of the software in LAX and the day is saved!

Despite the fact that, by eliminating the speed differential between his laptop and the plane he just created the same speed differential between his laptop and the computers inside the control tower.

Despite the fact that there was no way for him to know where the software existed in the filesystem of the computer for him to find and transfer to his laptop.

Despite the fact that the software was never transferred to the LAX computers and no one did anything to actually install the clean software. While it's possible the file was being transferred directly to the LAX computer systems via his laptop, no  one did anything with it on the LAX computer system!

Regardless, our heroes won the day and will go one to have many adventures. Unfortunately they will probably involve computers.

Other Miscellany:

• In addition to the ridiculous issues with wireless above, our genius hero genius insists he needs a wireless signal with no chance of going down to do his work. Sorry buddy, but the nature of wireless signals is that there is no such guarantee. If you want reliability, you want a wired signal and both can be found in any number of places. It's 2014, buddy.
• Hacking. The ease at which he hacks into the airport security cameras is unbelievable. Regardless of skill, hacking is time consuming. It requires gathering lots and lots of information: Finding public points of presence, enumerating possible vulnerabilities, exploiting them, gaining inside access, mapping out the internal architecture of the network. the only explanation here is that he had previously hacked them and had left back-doors for him to regain access more easily, which is one helluva coincidence.
• In gaining access to the offsite storage, they want to cause a brownout to override the door lock. First, a brownout is a decrease in voltage. What they are doing is causing a spike: a short term increase in voltage. But if they are going to futz with the power, why not just kill it altogether? Killing the power would eliminate the immediate problem: the overwriting of the back-ups with the bugged software. Even if the servers remained online as a result of generators or UPS, the telecommunication lines would still be knocked out. They were going to yank the hard drive anyway, so it seems they went out of their way to make this more complicated then it needed to be.

The kicker:

This is part of miscellany but deserves to be called out in its own section. Early on they establish that the planes can't land or even descend for fear of running into another plane. Let's ignore the fact that, as a country, we've been flying and landing planes for a century, and there are probably layers and layers of processes, procedures, and contingencies for landing planes without communications and realize that they ignore their own rule for the conceit of the plot. Ok, so maybe the situation was desperate so they risked descending to get the files to our genius hero genius.

THEN WHY NOT JUST LAND THE FUCKING PLANE?!

They fly by, not once, but twice, and during the second time they're seven feet off the god damned ground! JUST LAND THE PLANE!

Land the plane, and you've already saved those people, you get the clean software, and you still save the day.

Conclusion

I knew Scorpion was bad news when I saw the previews. Among hitting all the tired Hollywood cliche about genius antihero genius antisocial geniuses, it seems like they made a deliberate effort to get even the most basic premises of IT and general logic wrong. It addresses the issue of genius in a very ham-fisted way. Listen, I watch Sherlock and even I'll admit that how he plays up his own intelligence and anti-social nature can be a bit annoying. But, there it's merely a trait of the character whereas here it's discussed as if it is an established fact of the universe. Even the "human calculator" plays along with the trope, so it's not merely a display of arrogance of one of the characters. Furthermore, Sherlock is GOOD. It has good story telling. Even though it is retellings and re-imaginings of established works, it feels more original than this show, which feels like the regurgitated tripe of a thousand different stereotypes. I should have known when it came out of the gate violating one of the basic premises of television: show, don't tell.

But, what do I know? I'm not a genius.