Notes for season 1 episode 13, “Root Cause”
02:51 Finch’s background searching includes a screenshot of what is clearly Facebook but without a logo, rather than some in-universe site.
06:50 Finch constructs a waveguide antenna out of a tube of potato chips. “Its dimensions are perfect for capturing wifi radio waves.” Pringles Cantennas are one the more famous of the Wardriving hardware hacks that emerged in the early 2000s, and it’s a Pringles tube that gets used for this purpose in an episode of Mr Robot. You could, around 2005, buy commercial cantennas that were styled as erstaz Pringles tubes. (Ironically, Pringles tubes have a diameter of 72mm which is considered just slightly too small to be ideal for user with 2.4GHz. But since Finch is using a different brand of chips, “SPUD”, maybe the can is slightly larger.)
07:14 The neighbourhood has wifi names that look like Xbox gamertags. There are a variety of protection modes enabled WEP, WPA, WPA2. Finch cracks the WPA password instantly via an undisclosed method. There are more WEP networks than I’d have expected for 2012 – I’d given up on getting an internet connection on the Nintendo DS (which could only handle WEP) since everything seems to have switched to WPA by 2010. Firing up WiFi Explorer, currently all the networks I can see in 2023 are either WPA2 Personal or open. I think I have yet to connect to a WPA3 network.
07:22 We see more perpetual Warners domains for angry blogs (takebackourunitedstates.com, keepwashingtonaccountable.com, therealamericanvoice.com) but looks like they forgot to register lifelibertyandpolitics.net ?
08:59 “…it was a PGP-encrypted anonymous email account.” So, I assume this means the file is an archive of downloaded mail that has been PGP encrypted, and then magically decrypted by Finch by some unknown method.
12:15 “The IP addresses match, but there are big discrepancies in the TTL values and the headers are failing to authenticate.” The implication is that the mails have been planted, but this is a bit techobabble. TTL values aren’t really a thing that stored email has. DKIM headers can be used to authenticate headers, but this wasn’t in wide use by early 2012. (Yahoo had been using a precursor signing scheme, though. In fact the patents will expire later this year.) The trace headers (eg “Received:“) can contain timestamps and other elements which might indicate a forgery, which is probably what’s been alluded to here… but “outbox” mail doesn’t usually have them.
14:42 “They spoofed his internet search history […] so that he looked guilty to the police.” Ok, the search history makes sense – but the mails were “PGP-encrypted”, so the police would need to have the capacity to break PGP in order for this to be effective?
16:10 Brennan Brown portrays Agent Donnelly, but in the UK he’s mostly known for spending previous years as head of the Orange Film Commission Board (a series of commercials in which a film board, funded by a mobile phone company, will only commission projects in which mobile phone services can be featured).
19:16 Finch’s technique of deliberately running malware in a “sandbox” is something that’s accessible for people to do online, sites such as joesandbox.com.
19:15 Finch’s screen shows a cool Visual Traceroute when locating the hacker’s server.
19:32 You know it’s a legit movie hacker when they have Nmap open, as is traditional. (In this case they’ve literally just included the Zenmap screenshot from 2007.)
20:09 Reese asks Finch for the most direct route from the police station to the court house, rather than use a maps app. Finch is basically Siri at this point.
22:30 Ah, the classic “hit phone screen with hammer” response to malware. It’s so common in TV shows for devices to be “destroyed” by smashing the screen. It destroys the resale value, perhaps, but doesn’t necessarily prevent forensic examination.
32:04 The radio-transmitter stuck to the shoe was disguised as an 8-Pin DIP, for some reason?
39:03 I can’t clearly make it out, but it looks like the YouTube-type site that Root leaks the audio to is youlenz.com