Class Topics
3. Networked Communications
During the movie, in order to gain access to the revised camera layout, the resident hacker Nine Ball uses something known colloquially as a “phishing scam.” Phishing refers to a cyber crime using social engineering in which victims are targeted using personal information or their visited websites to gain access to their files or personal information with “permission.” Common examples of this are the infamous “Nigerian Prince” emails, “Accidental Purchase” messages related to accounts owned by the victim, and “Follower Tracker” sites that claim to show otherwise invisible social media metrics with account information. Phishing typically uses two techniques, both seen in the movie: deception and malware [4]. The first technique is the social aspect: in the movie, Nine Ball targets a department head related to security, picking through his social media to find something that might be used to draw in the victim. She uncovers his love for a particular dog breed and bases her initial email and attachment on the dog. Because the lure is based on the victim’s own interests, the victim is much more likely to follow through with the phishing attempt and allow the attacker access. The second technique is the more technical aspect: Nine Ball embeds in the initial email a program that, when downloaded, allows her remote access to the victim’s computer. This program, known as malware, is the more dangerous aspect of the phishing attack. Once the victim has been lured into accepting the malware onto their computer in one way or another (downloading a program, inputting credentials into a fake website, etc.), the attacker can then make use of their personal information maliciously. In the movie, Nine Ball uses a program to remote into the victim’s computer and steal security details related to the Met; later these details are used to pull off a major theft at the Met. Despite its effectiveness in the movie, phishing is regarded as an older-style scam.
Many tools and client-side technologies have been developed to combat phishing attempts. One such method is authentication: a method of ensuring that requests and inquiries originate from valid users rather than malicious scammers. An example of this comes from banks: “Some banks (e.g., Bank Austria) employ user transaction authentication numbers (TANs) for filtering phishing email. The TAN is sent to the user via a short message (SMS) through mobile” [4]. However, this approach is costly in terms of infrastructure, time, and money. Additionally, this approach does not work well against phishing scams where the attacker is actively monitoring the phishing attempt and communications, as Nine Ball is in the movie. As ways to counter phishing are developed, phishing techniques evolve as well.
4. Intellectual Property
According to the World Intellectual Property Organization (WIPO), “copyright will protect the originality of a work and the creator’s right to reproduce it. This means that if copies of an original object are 3D printed without authorization, the creator can obtain relief under copyright law” [1]. Based on this, the 3D prints of the necklaces and other jewelry items in the movie are illegal because they break copyright law. However, there is some debate about “who owns an object when it is first conceived by one individual, digitally modeled by another, and printed by a third” since 3D modeling takes some artistic effort to design prior to printing and the 3D print sometimes requires extra steps afterward such as assembling, sanding, etc. [1]. Overall, the 3D printing of the jewelry was an illegal invasion of intellectual property under copyright law, but because this computing technology is still on the rise there is a gray area when it comes to copyright laws for 3D print designs and final 3D prints.
5. Information Privacy
According to the Journal of Information Science, “... users maintain 70% control of their digital footprints. However, the remaining 30% of online activities are unconsciously floating with digital dynamics and resulting in a wide range of non-expected consequences from identity theft to kidnapping” [3]. The movie illustrated both the unaware and aware aspects of the digital footprint. The “30%” of unconscious data was illustrated by how Debbie Ocean was unaware of how large her digital footprint was, a footprint which Nine Ball (the criminal team’s hacker) found easily. The “70%” of controlled data is shown in the public Facebook page that an employee of the Met security team has online. Ironically, his public data put him in a compromising position when Nine Ball used his information for a personalized phishing attack, which led to his identity being breached. This brings up a point later made in the journal article: that people often think “I am not a target” as a way of having cognitive dissonance to lower their fear of vulnerability [3]. The employee on the Met security team is a perfect example of this, as he publicizes his love for poodles online and ends up compromised through that same information, all while attending his 9-5 job securing the Met.
6. Privacy and the Government
In Massachusetts, according to bills S.46 and H.142, it is illegal to put video cameras in bathrooms and other private places where people have a reasonable expectation of privacy [2]. Some other states in the U.S. have similar laws regarding privacy; however, if there is no state law that specifically prohibits video surveillance in private places, state tort laws can be brought into effect to protect privacy in locations where there is an “expectation of privacy” [2]. The only exception when it can be legal to put security cameras in bathrooms is when they are pointed towards common areas [2]. Such cameras can be used in institutions to secure students’ safety or in public places to protect against theft and vandalism. However, there should be a written notice about camera placement inside the bathroom. Other limitations are that the camera may not be moved, zoomed in or out, or angled. In the movie, Nine Ball uses her hacking skills to turn the camera away from the bathroom doors, which makes it possible for Constance to steal the necklace inside the bathroom and then leave unnoticed. After the necklace was stolen, the museum’s owner commented: “This is the most sophisticated museum security in the world. Every piece of art is recorded from multiple angles. We just don’t happen to keep art in the bathroom.” This leads to the debate over whether “the privacy of the people [is] more important than their safety or possible theft”.
7. Computer and Network Security
Coming soon by Nico MacHado
8. Computer Reliability
During their plan, only one computing system had a serious reliability issue. When the team attempted to use the spy glasses to take a perfect 3D scan of the necklace to later 3D print, there was no internet connection. This was because they were below a thick layer of concrete installed for the necklace’s security. Thankfully, the team was able to trick the security guards into letting them go upstairs, above the thick layer of concrete, so that they could “see it in the natural light.” This let them regain the connection and complete the 3D scan. A research paper published in the International Journal of Engineering & Technology concluded that “among all the things performance of IOT networks is crucial” because of how frequently it is used [7]. In the team’s case, the IoT system’s performance was not reliable and nearly ruined one of the most important pieces of their plan. It is small, unpredictable situations like this one that make computer and system reliability so important. One small bug and the entire system can crash.
The lack of system reliability in the Met Gala’s various security systems allowed the Ocean’s Eight team to easily hack them. Of course, no system is bug-free, but the Met Gala’s security system was seriously lacking in its security protocol. For starters, all systems should be equipped with some kind of phishing attack detection tool. If such a tool had been integrated into the company’s protocol, the phishing attack that Nine Ball performed to gain access to the security camera system would have been detected and could have been stopped. The Decision Tree and Logistic Regression learning algorithms could have been implemented for this system because they have been proven to achieve 95-99% accuracy when applied to “a rule set based on observations of phishing websites to examine various tactics employed by phishers and generate” [8]. Secondly, added security for the company’s laser protection system would have stopped the team from stealing all of the jewelry in the display room. The team did employ a very skilled acrobat to maneuver his way around the laser beams, so the added security may need to be an entirely new system altogether.
10. Work and Wealth
A big fear held by people all over the world is that automation is taking over jobs. This can be seen in Ocean’s Eight through the security cameras and laser field protecting the showroom with all the precious jewels. Before security cameras and laser fields were invented, security guards would have been stationed there instead. However, humans are not infallible and can be persuaded by blackmail, bribery, or greed and revenge, as in the case of the Ocean’s Eight women. These automated security measures are not only “designed to reduce the need of having personnel stationed as security guards”, but are also an attempt to remove human error from the equation [5]. Overall, they create an improved sense of safety over whatever needs security. And security is of course a necessity because “without [it], individuals will be unable to go about their daily activities- which includes work and other social activities effectively” [5]. These autonomous security measures have other important applications besides eliminating human error. Security cameras “also eliminate[...] the delays associated with the reactive approach in responding to [...] intrusion, whereby witness reports or lengthy closed-circuit television footage is scoured through to identify intruders” [5]. Without these security cameras, the insurance investigator in the movie would have taken a lot longer to find any evidence at all.
The automation of security goes beyond security cameras and laser fields. There are also “retinal or fingerprint scans [...] designed to limit physical access to an area” as well as “other countermeasures [...] designed to block access or protect privacy or both over networks” [6]. Security to guard the security footage adds another whole level of complication, but is necessary. This may consist of “firewalls, data encryption, and virus and spyware scanners” [6]. In addition, many countermeasures are designed to permit recovery or to assist in the recovery efforts if an intrusion is successful, such as backing up important files on a frequent basis. As seen in the movie, Nine Ball was able to easily access the security system protecting the security camera system, making it virtually useless.
Resources
1. Malaty, Else, Rostama, Guilda. “3D Printing and IP Law.” WIPO, Feb. 2017, WIPO Magazine. Accessed 6 Apr. 2022.
2. Lorenz, “Having CCTV Security Cameras in Bathrooms: Is It Legal & How to Identify”, (Reolink, 3/30/2022), https://reolink.com/blog/is-security-camera-in-bathrooms-legal/#:~:text=According%20to%20the%20laws%20passed,a%20reasonable%20expectation%20of%20privacy. (04/06/2022).
3. Feher K. Digital identity and the online self: Footprint strategies – An exploratory and comparative research study. Journal of Information Science. 2021;47(2):192-205. doi:10.1177/0165551519879702
4. Almomani, Gupta, B. B., Atawneh, S., Meulenberg, A., & Almomani, E. (2013). A Survey of Phishing Email Filtering Techniques. IEEE Communications Surveys and Tutorials, 15(4), 2070–2090. https://doi.org/10.1109/SURV.2013.030713.00020
5. Kommey et al. “Private Security Surveillance System.” Journal of Engineering Studies and Research, Oct. 1 2021, ProQuest. Accessed 24 Apr. 2022.
6. Rakes et al. “IT Security Planning Under Uncertainty for High-Impact Events.” Omega, 2020, Elsevier. Accessed 24 Apr. 2022.
7. Sowmya, K.V., Sastry, Dr. JKR. “Performance Evaluation of IOT Systems - Basic Issues.” International Journal of Engineering & Technology, 18 Mar. 2018, ROAD. Accessed 27 Apr. 2022.
8. Basnet, Ram B., Andrew H. Sung, and Quingzhong Liu. "Rule-based phishing attack detection." Proceedings of the International Conference on Security and Management (SAM), 2011, The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp). Accessed 27 Apr. 2022.