Hollywood's 'Untraceable': Fact or fiction?

Former FBI Special Agent Ernest E.J. Hilbert II breaks down how the premise of "Untraceable" is not so far-fetched.

By Denise Dubie, Network World
January 18, 2008 12:41 PM ET

Former FBI Special Agent Ernest E.J. Hilbert II learned a lot about cybercrime before signing on to be the director of security enforcement at MySpace.com, and when asked to look over a Hollywood script about cybercrime, he took on the challenge. The ironic thing, he points out, is that the fiction portrayed in the film (opening Jan. 25) is not so different from the facts he encountered on the job. Hilbert recently talked with Network World Senior Editor Denise Dubie about his past in law enforcement, his participation in "Untraceable" and why Americans need to become more aware of the dangers that lurk in cyberspace.

How did you get your start with the cybercrime division of the FBI?

I did my training in Quantico and in December 1999 I was assigned to the Santa Ana RA [resident agency] in the Los Angeles area FBI field office. Within a month, I got a call that someone had had their computer system hacked and 15,000 credit cards had been stolen. That turned into a six-year continually evolving case [Alexey Ivanov/Invita case] but we got those guys. Then that evolved into more and more and I fell into the cyber realm from there.

Did you have any background with technology?

I did some tech writing before joining the FBI, but I have had computers since I was about 12. I had a Commodore 64 and I bought my first Apple IIe when I was 16 years old. I programmed in BASIC, not Visual Basic, but whatever skills I may have had I lost in terms of the tech side of things. I just understand how it works, and I have a grasp of it. But if you asked me to sit down and hack into somebody's computer it would take me four times longer than half the guys I went after, as well as some of the people I worked with at the FBI.

My last two years with the bureau I was asked to move over to the counter-terrorism realm and work that same cyber aspect of the cyber-terrorist groups because all their stuff is going online now as well. I picked up the Adam Gadahn case, a man from Orange County [Calif.]. He went overseas and is now a spokesman for Al Qaeda; we charged him with treason … the first time in 54 years the government has used treason charges and it had to be approved by the White House.

How did you get involved with technical consulting on movies such as "Untraceable"?

I was getting frustrated with the 24/7 of the job, I have three children and the politics of the government were getting to me so I saw an opportunity to leave by going to a consulting firm. The FBI has a media program that is manned with real, gun-toting agents, and a buddy of mine was in charge of media outreach. The producers of "Untraceable" came to the FBI to use the name and gain some insight. And the FBI does offer insight and there is no fee involved. My buddy, a sniper for the S.W.A.T team, called me up with a couple of scripts -- "Die Hard 4" was the first but the timing worked out that they were unable to use any of my input -- and "Untraceable" was the next.

Why did they want to use your insight in particular? Were there specific cases you tackled?

The FBI has something called the Citizen's Academy, in which we host different nights for various types of crimes to educate people as to why the FBI is involved with them. I was asked to present on cybercrime and we had someone else do crimes against children, which is child pornography and pedophilia situations. "Untraceable's" Director Gregory Hoblit and the producers were invited that night.

Does the FBI distinguish cybercriminals from child predators?

Child predators have been around for as long as I have been online, since 1992, and as soon as you had the opportunity for social connections you had these individuals who saw this as a chance to reach out to their groups. They don't necessarily have any specific technical expertise or cyber skills that are criminal, but they use the Internet to reach out. We've always had these guys; they've always done it. They don't have to be technically savvy. Mostly they are just chatting and drawing people in.

I haven't seen the entire film, but have watched the trailers and found the talk of networking technology very interesting. Do you feel the finished movie realistically depicts how law enforcement uses such technology to track down cyber criminals?

[Greg] Hoblit's father was an FBI agent so he wanted to hear what I had to say about the script. I basically told them it was a plausible idea but that they would have to change a lot of stuff to be technically accurate. They asked me to work with the writer and it was fun, but it happened to coincide with my leaving the bureau. They did everything they could to make it as realistic as possible and squeeze it into under two hours. The script calls for a lot more, but the truth is it is really boring to watch agents sit behind a computer and type away and run whois lookups, run trace routes and ping things. No one is going to want to watch that.

It seems this movie is being marketed to technical people, but that could be a double-edged sword if they work to point out inaccuracies. Have you heard any comments saying the technology portrayed or how it's used in the story is wrong?

One of the biggest complaints of people with regard to this movie in terms of the technology is that obviously the writers and technical consultant -- which is me -- don't know how a DNS system works and how you can get a domain shut down. And that's not true. There is an assumption that because the FBI says to do something that somebody is going to jump through the hoops and do it. It doesn't happen that way. It's a government agency, but cybercrime in many cases is business and there is a lot of money involved, major money.

What can the FBI realistically do to shut down a domain today?

Last year when they wrote the script and started shooting the film it probably did take at least one week -- and maybe in some cases two weeks -- to get a domain name blacklisted if it was based in the U.S. Nowadays it could take as little as 24 hours depending on the context and so on. Does that make this story any less plausible? No. Take out the fact that it utilizes a domain name and instead the information that is being shared is through a series of IP addresses that pop up. And those IP addresses are just mirrors of the original IP address. I can blacklist an IP address or at least black hole it -- if it is in the U.S. But if it is international, it's not the same rules.
