BSides Bristol 2024

Cybersecurity Lessons from Jurassic Park
2024-08-30, Track 2

From the discussions of complex systems with millions of lines of code, to the core plot of a malware backdoor bringing down the park’s fences, Jurassic Park is a window into the challenges of a technology-driven world and the many dangers posed by an avaricious and hasty adoption of high-tech solutions.


Jurassic Park, Spielberg’s record-breaking movie adaptation of Michael Crichton’s work, is most cited for its excellent and realistic portrayal of dinosaurs and is undoubtedly responsible for introducing an entire generation to the idea of prehistoric animals. What is often overlooked, though, is that the story is as much about computers as it is about dinosaurs. From the discussions of complex systems with millions of lines of code, to the core plot of a malware backdoor bringing down the park’s fences, Jurassic Park is a window into the challenges of a technology-driven world and the many dangers posed by an avaricious and hasty adoption of high-tech solutions.

The Perils of Automation

“They were so pre-occupied with whether or not they could, they didn’t stop to think if they should” - Ian Malcolm

The tour cars in Jurassic Park were electric and automated, and ran on a track in the middle of the road, portraying driverless electric cars six years before the founding of Tesla. Almost every aspect of Jurassic Park was automated and designed to run with minimal staff for up to three days. According to one of the chief engineers, Arnold, it was “a hell of a system”.

This unparalleled level of computer automation left the cognizant humans powerless when the tour was abruptly halted by a system failure. As is often the case, this happened at the worst possible moment: in front of the Tyrannosaur paddock as the island was hit by a tropical storm, stranding the visitors at the mercy of the dinosaurs until they were rescued by a gas-powered jeep.

This raises several interesting questions in a world rapidly moving towards self-driving electric cars, controlled by software that can and will be hacked.

Insider Threats and Social Engineering

“Hiring Nedry was a mistake, I can see that now.” - John Hammond

At the core of the collapse of Jurassic Park is a disgruntled software developer, Dennis Nedry, who is approached by an unscrupulous competitor who offers him a large payout if he can help steal the dinosaur embryos. Nedry agrees, and deploys a malware backdoor that will allow him to bypass the security systems for a short time in order to access the company’s protected IP without surveillance. As he puts it, “fifteen minutes and your company catches up on ten years of research”.

Most major hacks, including one which compromised and shut down some of the largest hotel chains and casinos in Las Vegas, are caused by contractors or employees being compromised through social engineering techniques. Whether willingly or not, poorly managed human elements can often be the source of a major breach.

Malware Backdoor: WhiteRabbit.obj

“I hate this hacker crap!” - Ray Arnold

Most of us are familiar with malware as .exe files, but the malware used by Dennis Nedry in Jurassic Park was an object or .obj, a feature of object-oriented programming languages like Java. The malware gave Nedry a hidden backdoor to temporarily shut down the park’s security systems and perimeter fences without being logged, allowing him to access the dinosaur embryos in cold storage and transport them to the dock, where he would hand them off to a competitor plant. The journey would take only a few minutes.

In a fatal turn of events, Nedry never makes it to the dock, as his journey is cut short by a crash that puts him face to face with a Dilophosaurus. As a result, the malware remains active, impairing several core systems of Jurassic Park with ruinous consequences.

Malware disabling computer systems is a tale as old as time, or computers anyway, and continues to this day: modern threats encrypt your data, rendering systems unusable until the hackers are paid. As in the case of Jurassic Park, hackers often deploy their payloads through hidden backdoors or compromised accounts of employees or contractors.

Locked Out: You didn’t say the magic word! Ransomware

“I hate this hacker crap” - Ray Arnold

Being locked out of your own system is ironic, especially when it is the security system, turned by the actors it was designed to secure against on the user it was designed to secure. This scenario is not uncommon in modern cybersecurity, where one of the most prevalent threats is ransomware, which holds systems hostage using encryption, at its core a privacy and security feature.

Chaos Theory and Unintended Consequences

“A butterfly flaps its wings in Peking and in New York you get rain instead of sunshine” - Ian Malcolm

One of the main concepts introduced in Jurassic Park is a branch of mathematics known as Chaos Theory, which implies that certain systems, like the weather, have inherent unpredictability. This is because small changes in the initial conditions can lead to vastly different outcomes.

This is an important concept to keep in mind when making small, relatively insignificant decisions like setting up accounts, security systems or environments for a use case. It is also important to remember when deploying any security system. Many decision makers assume their deployment will work perfectly, as in the demos, without doing the testing to realize how sensitive their systems are to misconfiguration and disaster.

Confronting Complexity

“The world has changed so radically and we’re all running to catch up” - Alan Grant

The extensive software automation of Jurassic Park came at a cost: the code ran to over four million lines and was sparsely documented. This meant that when the malware caused parts of the system to fail, it was almost impossible to debug or diagnose.

Modern systems have followed the trend: the iPhone is too complex to repair, systems are too complex to monitor and even the terminology is too complex to keep up with. Seriously, what is an IoC? Why do we use an abbreviation to talk about something as simple as “the malware that hacked the system”? Complexity is not an advantage; it obscures rather than reveals, which is well and good until the power fails and the lights go out.

Backup and Recovery Procedures

“I don’t blame people for their mistakes but I do ask that they pay for them” - John Hammond

That quote may as well have been from a modern ransom note.

One of the core reasons behind the downfall of Jurassic Park was the recovery procedure, which required rebooting the system. It is the classic turning it off and on again, except that running to the maintenance shed on the other end of the compound isn’t as simple when the place is crawling with raptors. Not to mention, they had never rebooted the system before, so they didn’t know what exactly would happen.

This is often the case when businesses are attacked: they have backups in theory, but they have never had a drill to see the practical costs and consequences.

Add to this the confusion between main and auxiliary power and the computer commands to restart individual security systems, and you have things on the edge of chaos.

One of the high-tension scenes from the movie, in which the electrified fences are being restarted at the inopportune moment when Timmy is trying to make his way over them, shows yet again how your own systems can work against you, especially when communications break down and things are chaotic.

Almost Paradigm

Jurassic Park was ahead of its time in more ways than one. Beyond the groundbreaking visuals is a deep and well-thought-out case study of complex systems and automation: a vision of things to come and the challenges they will bring, the thrills and the joys, as well as ominous warnings we would be wise to heed.

“You’ll never look at birds, I mean computers, the same way again.”

Rohit, better known as 'Leo' online, is a cybersecurity professional and the founder of The PC Security Channel, one of the most popular cybersecurity channels on YouTube with over 500,000 subscribers and 50 million views, and a trusted source for cybersecurity tests, threat research and product reviews. Leo helps businesses make informed decisions about cybersecurity and consults with technology vendors to improve their products.

He has a specific interest in endpoint security, threat analysis, AI, psychology and interdisciplinary research. In his free time he enjoys tennis, hiking, doing talks, playing games, and flying planes.

@leotpsc