Frequent Slashdot contributor Bennett Haselton writes in today with a nerd-oriented review of "Untraceable," which opened in theaters last Friday. Read on for Bennett's take on what the movie gets right — a surprising amount as these movies usually go — but be warned, his review contains spoilers.
I went into the theater planning to come out with notes for an article like "Everything that 'Untraceable' gets wrong" (feeling pessimistic after "Swordfish" and "Firewall"), but it actually doesn't do that bad. Oh, it gets stuff wrong -- I don't think the FBI can "blackhole" an IP address by clicking a button -- but the errors are for dramatic license, not technical howlers, and the plot holes fall more in the category of things that could have been accomplished more easily some other way. In fact the dialog goes out of its way in several spots to make sure we know they know what they're talking about; screenwriters can't win with these movies, because they'll get grief for getting too much stuff wrong, but if they explain things correctly, it breaks the reality when we can feel the writers telegraphing their knowledge to the geeks in the audience. But it is mostly accurate, and the movie throws you just enough softballs for you to impress your movie-mates as well as the patrons two rows in front and back of you.
The movie takes its first stab at geek realism right at the top, when Diane Lane tells Colin Hanks that his Internet date is never going to see him again because she's more attractive in person than he is. (So far, the only thing wrong with this is that Colin Hanks has exactly the kind of adorable-nerd face that appeals to girls who like to think they don't care about looks.) Then Diane Lane explains how she's ensnaring the cyber-criminal on her screen, in a set piece that has nothing to do with the rest of the plot, like the pre-title action sequence in a Bond movie. First, a horde of pop-ups covers her monitor, and a site tries to entice her into downloading and running a program that contains a trojan horse. She runs the trojan horse on a virtual machine, where she watches it steal a file full of passwords and financial records, but she inserts her own trojan into the data that's uploaded back to the criminal's computer. In a few moments they find the user's IP address and realize that it must be a neighbor stealing that person's wireless service.
Batter up! I think that an FBI cyber crime expert would have a pop-up blocker installed, but moving on. If a criminal wanted to gain access to your machine to steal your financial records, tricking you into downloading and installing a trojan horse as part of another program is probably exactly how they'd do it. (However, a trojan wouldn't automatically and instantly find a file full of passwords, even if she did name it "passwords.txt" as bait.) The biggest slip is that if you upload a trojan horse back to someone who was downloading data from your machine, there's still no way to force the remote criminal's computer to run it, as happens in the movie. And a criminal that smart would probably be running the operation from the compromised PC of someone in another city, not stealing a neighbor's wireless access. (In any case, while having the criminal's IP address would allow you to go to someone's ISP and ask them to turn over the records of where that person lived, the characters should not have been able to narrow an IP address down to a person's house without that extra step.) Also, if I heard right, the FBI figures out who the guilty neighbor is even though he has no priors, based on the fact that he has two registered handguns. That will offend a certain portion of the audience, so viewers of "27 Dresses" in some cinemas may hear angry gunfire coming from the next theater.
However, most of these errors were probably necessary to show what the main character does in as short a time as possible and to end the set piece with the villain actually getting caught, so this is probably the best the movie could have done. Don't point that out to your date, of course, since she'll be more impressed by knowledgeable sneering, especially if everyone in the seats around you can hear what a smart guy she's with.
Then the main villain's site is introduced, and the movie has to handle the question of how a site with its own top-level domain like KillWithMe.com would be able to remain online despite showing real-time streaming video of a murder victim being killed. (The hook in the movie is that the more people visit the site, the faster some automated murder contraption kills the victim.) Diane Lane explains how, in a virtuoso sentence designed to silence the nerds who would otherwise say afterwards that there's no way that could ever happen. You'll know the line; it's the one right before her boss says, "I didn't understand anything you said; something about 'Russia'?" Apparently the domain is registered in Russia, and the DNS servers use a low TTL (yes, Diane Lane actually says "low TTL" -- sexy!) to switch the hostname between thousands of different IP addresses, each belonging to some compromised machine.
If you had to come up with a way to do this in a film, and if you assumed that Russian authorities could not be persuaded to go after the domain registrar (something nobody tries in the movie), this would probably be the simplest way that was semi-plausible. You need the site to resolve to thousands of possible IP addresses so that it can't be made to disappear by simply taking one machine offline. The way the movie demonstrates this, though, is for Diane Lane to make one of the site's many IP addresses go dark by clicking a button on her screen and causing it to be blackholed, before the hostname switches to the next IP. The only people who can actually do this in real life are backbone operators with an axe to grind, not the FBI (something the movie actually acknowledges with a passing reference to Net Neutrality legislation!). Ah, but here's where you can knock one out of the park: If you assume, as the movie does, that the FBI has the ability to blackhole individual IP addresses, then they could shut the site down not by blocking the site's IP addresses but by blocking the primary and secondary DNS servers for the killwithme.com domain in Russia, so that if people's computers couldn't communicate with the DNS servers, they'd have no way of resolving the hostname.
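The low-TTL rotation Diane Lane describes is commonly called fast flux, and it can be spotted from DNS answer logs. The sketch below is an added example, not anything from the movie or the review: it scores constructed records (made-up `.example` names, documentation-range addresses, assumed thresholds) and shows that while the A records churn, the nameserver set stays small, which is the choke point the review points to.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (query name, record type, TTL seconds, value).
# Names use the reserved .example TLD; addresses use RFC 5737 documentation ranges.
def build_sample():
    records = []
    nets = ["192.0.2", "198.51.100", "203.0.113"]
    for i in range(30):  # rotating host: 30 different A answers, TTL 60
        records.append(("flux.example", "A", 60, f"{nets[i % 3]}.{10 + i}"))
    for ns in ("ns1.flux.example", "ns2.flux.example"):
        records.append(("flux.example", "NS", 86400, ns))
    for _ in range(30):  # ordinary host: the same two answers every time, TTL 3600
        records.append(("static.example", "A", 3600, "192.0.2.200"))
        records.append(("static.example", "A", 3600, "192.0.2.201"))
    records.append(("static.example", "NS", 86400, "ns1.static.example"))
    return records

def summarise(records):
    """Per name: distinct A addresses, distinct /24s, lowest A TTL, nameserver set."""
    acc = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "ns": set()})
    for name, rtype, ttl, value in records:
        entry = acc[name]
        if rtype == "A":
            entry["ips"].add(value)
            entry["nets"].add(value.rsplit(".", 1)[0])  # crude /24 grouping
            entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
        elif rtype == "NS":
            entry["ns"].add(value)
    return dict(acc)

def looks_like_fast_flux(entry, max_ttl=300, min_ips=10, min_nets=3):
    """Heuristic with assumed thresholds: short TTL plus many scattered addresses."""
    return (entry["min_ttl"] is not None and entry["min_ttl"] <= max_ttl
            and len(entry["ips"]) >= min_ips and len(entry["nets"]) >= min_nets)

def report(records):
    """Map each name to its flux verdict, A-address count and nameserver count."""
    return {name: {"flux": looks_like_fast_flux(e),
                   "a_count": len(e["ips"]), "ns_count": len(e["ns"])}
            for name, e in summarise(records).items()}

if __name__ == "__main__":
    for name, row in sorted(report(build_sample()).items()):
        print(name, row)
```

In the constructed data the rotating name has 30 addresses to chase but only two nameservers, so a defender's blocking or takedown effort is better aimed at the delegation than at individual hosts.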
By now, the surrounding theatergoers should be threatening to jam your USB thumb drive keychain into your nostril, but you're not done yet. At one point a character targets an IP address beginning with "10.*", and everybody knows those are reserved for intranets, not the public Internet, so you can point out that that's like the 555 prefix for a movie phone number. Later, the heroine finds that a Trojan horse installed on her daughter's machine has access to all files on all PCs in the house. That could work if (a) the other PCs were set to share out files to other PCs on the same local network, or (b) if the traffic between the other PCs and the wireless router were unencrypted, although it's unlikely the main character would make either of these mistakes.
But you don't want fellow viewers getting the idea you're too Net-savvy; one suspect is later described: "He blogged, he built web sites, he practically lived online," which sets the bar a little low for qualifying as a sociopathic online loner.
With regard to the non-Internet technical details, I have no idea if OnStar can actually help you get through a traffic jam the way they do in this movie, but I'm sure they paid a lot of money to have it appear that they could (although maybe they got a discount since the movie later shows the villain hacking into Diane Lane's car's system, during which the brand name "OnStar" is definitely not mentioned). Speaking of product placement, several in the audience snickered when the movie twice showed the heroine conspicuously logging into the Windows Live interface. But Microsoft may have gotten an even better deal: while the villain's operating system of choice is never mentioned, during closeups of his screen at the end, you can clearly see the word "GNU".
Or maybe it just fits with his overachieving character. After he ties his victims to a bedframe, he likes to elevate it into the path of the camera using a remote-controlled motorized winch evocative of a medieval torture device. Unless I'm mistaken, though, that happens before the site is actually streaming, which means he could have just as easily walked over and lifted up the bedframe. With that kind of fetish for doing simple things the horrendously hard way for no reason, why didn't he just go ahead and wear a "Got Linux?" t-shirt?