Yesterday (thurs, 3/24/16) I went on a tirade on twitter, regarding an experience I had in San Francisco during RSA week, while at a vendor party. I’ll let that whole conversation stand on it’s own, it’s over —-> here.

It spurred a TON of questions, comments, and tangential conversations, as well as the typical “I want to get into infosec and I thought the CISSP was the way to do it”.

Well, everything is sort of connected. But let me build some momentum here by starting with a few ‘sayings’ or ‘talking points’:

• You will never succeed in a system thats DESIGNED to make you fail, in favor of perpetuating itself and the status quo.
• You will never change a system from the inside, since they’re typically designed to withstand SPECIFICALLY change from the inside. “It worked last year, we’re not changing anything”.
• If you want to be a hacker, and you have to ask “oh please sir, tell me how to become a hacker”, you’re never going to become a hacker. Hackers TYPICALLY are the people that analyze a thing, find a problem, and then exploit the problem. By asking, you’re demonstrating that you’re unwilling to take the time to look it up for yourself.
• just_do_it_shia_lebouf.gif.png.webm.xps.ai.fap
• if you tell me that I have to go get one of these certs to have the ability to complain about them, I will personally send Raymond Reddington and Bryan Mills to your house with a $2500 rimowa suitcase full of torture equipment. You’ll have a bad time.

So this concept is something that is rarely talked about because it is how people who have no clue about security maintain jobs in the security industry, and it is how companies and consulting org stay in business or stay ‘compliant’ while continually getting hacked over and over again, or turning in reports directly out of nessus/qualys with a rebranded PDF and charging $400k for the engagement.

It’s a four part fuckfest, so get your Gahllagher-style trashbag-poncho on, cuz it’s gonna get messy.

CERTIFICATIONS:

The original intention here was to have a way for people to know that someone ‘knows their shit’ without taking the time to interview them, ask them about their experiences, or otherwise interact with them at all, before rubber stamping them into a position of authority. The trouble is that when the certification places realized that this was HUGE MONEY, they tried to find ways to funnel as many people through the process as possible – especially people that are willing to pay 5 grand or so to avoid actually having any relevant experience whatsoever. Pay 5k, get a cert, look like you know shit. Wonderful.

Now, not *ALL*certs fit into this category. Just .. most of them. The CISSP and the CEH are two examples. You could be a plumber with no experience to speak of, but if you can convince 5 people or so to write you letters of recommendation, then bam – you’re in. Now you’re a plumber who’s never touched a firewall, and you’re ready to take your first CISO position.

COMPLIANCE ONLY SHOPS:

So compliance came into existence because places were found to be deficient in a lot of ways – like ENRON. Enron is why SOX (sarbanes oxley) exists. Look it up, you’ll see. You’ll make a face, too. There are a TON of compliance mechanisms that are designed to “demonstrate your security program (or business workflow) is up to snuff”.

Read that again. Slowly

TO DEMONSTRATE

THAT YOUR SECURITY PROGRAM

IS UP TO SNUFF

It doesn’t fucking read “do these bare-minimum steps and you wont get hacked”, does it?

Compliance is DESIGNED to be a checklist against an EXISTING SECURITY PROGRAM so that people have an idea of what their respective industry regulators are hoping to see in a company that ‘meets the guidelines’.
This is all very vague – and it’s INTENDED to be. It’s SUPPOSED to be confusing – because it creates jobs. Auditors and box checkers, people at a company to validate compliance etc.

Now I don’t claim to be an expert in any, or even a single one of these compliance mechanisms, but when you read the cliffs-notes of them all they all more or less read the same way and make the same points:

— Have some sort of security in place

— Read your fucking logs

— Have a policy so people know whats okay and what isn’t

— Check your business shit from time to time to make sure it’s solid and doesn’t have logical loopholes or problems

— Audit your security from time to time to get an idea of what your risks are (BUT NOT DEAL WITH THEM! none of these fucking things tell you what to do AFTER you get a pentest. They just want you to get one, and stop)

— then more specific stuff on HIPAA, NERC/CIP, FISMA, FINRA, SOX, PCI/DSS – because a bank doesn’t need to make sure its nuclear scada controllers are on segregated, highly monitored networks, and the hospital doesn’t need to make sure its stock trading platform complies with mandatory cashflow minimums.
At the ROOT, they’re all MOSTLY the same.
The trouble is that once these things got written they got huge and unwieldy, and places groan when they read them – as they should – this is ‘decision by committee’ and thats always an ugly mess. So what do they do? They do just the bare minimums in these regulatory statues to comply with the regulation so that they don’t get sued by the regulatory committees, or fined by the government.

THEY DO THE BARE MINIMUM THEN STOP.

this is not why compliance exists.

this is why compliance isn’t security.

MINIMUM VIABLE PRODUCT:

If you spend any time in a shop that produces something: software, hardware, a widget, a product – you’ll have probably heard this term. It means “the bare minimum functional shit you need to make this thing go and be sellable in the market”.

This is why there are tens of millions of horribly insecure webcams, firewalls, watches, toilets, and other things connected directly to the internet, and it’s the core of why myself and other security researchers who ‘find random shit online’ have it so easy – because people build a thing, and once that thing is immediately viable as a product, it goes to the market (ever play an EA game? play any of the battlefields? tell me those were ‘legitimately solid’ on day 1. I dare you). Conceptually it’s easy, but it falls inline with the rest of the momentum here – doing the bare minimum and trying to get away with it for the sake of making money. Because making money is the point – not security. Security often “gets in the way” of making money – at least if you ask the sales folk. But I bet diginotar tells a different story.

HR FIREWALL:

You’ve probably seen job postings for people that have 10 years of ruby experience, or 10 years of go programming experience. It’s not a secret that job listings which come from an HR department are all sorts of broken and are routinely flying blind and solo through the jungle of bonkers. They ask for a CS degree, a CISSP and 5 years of experience to sit in a SOC an stare at an ELK stack or QRadar and literally press a button or send an email when a light goes red.

The intention here is to weed out shitty candidates. THERE ARE MANY. I’ve interviewed people who claimed they were redhat experts and didn’t know simple yum command lines. I’ve interviewed security people who “read the nmap book a while ago” and couldn’t tell me where to download kali linux. I’ve talked to networking engineers that told me about “UDP SESSIONS”.

The reason HR puts these absurd requirements into job listings is because they think it will cause people who don’t know their shit to avoid the job listing – WELL IT DOES THE FUCKING OPPOSITE – and it makes shit a lot worse for everybody.

Now, we have absurd job listings asking for absurd requirements, and places (like isc2 and the ec-concil) willing to ratify ANYBODY as ‘good enough’ if they pony up the cash.

Now we have HR departments who aren’t technical people, publishing job postings full of terms and acronyms they don’t understand, for hiring managers that very likely also do not understand what they want or even need, to get applicants who see these requirements and find out they can “just buy them” to get the job.

It’s creating hoops to jump through, for the sake of having hoops, in the false belief that jumping through these hoops makes you “better” somehow.
And it creates a market for places to give you “cheat codes” on how to jump through hoops.

And once  you get the job? There isn’t a single fucking hoop. And there’s no jumping. You sit and look at a display, or you curate a 25,000 word deep corporate policy on a confluence page.

And you paid 5k for a bootcamp, went through 7 interviews over 4 days, and moved to another city for it.
good. fucking. job.

So put these all together: Certs, the HR firewall, minimum viable product, and compliance-only “security departments”. What do you get?

HR publishes an unrealistic, absurd and laughable job description, designed to weed out bad possible candidates, but does nothing to tell legit one what they *ACTUALLY NEED* in a candidate, which leads to hiring employees that don’t know shit about security, who then work in a security department which does zero ACTUAL security – only preens and grooms the policy in the wiki, until the auditors come around, wherein they rush to get a 3rd party pentest done, then they edit the pentest report so that it matches the policy closely enough to avoid getting sued or fined this year. THEN, they are free to move on to releasing a product that has zero security considerations and was rushed out the door by a pushy sales/marketing department, because the quarterly figures are dipping and if the company stock doesn’t do well enough, the company doesn’t meet it’s figures and the stock drops, and there are bad articles written in the financial times the following week. This can lead to layoffs, or outsourcing of various departments.

That sounds MOTHERFUCKING SHITTY, doesn’t it?

Do you want to work in a place like that?

Is that your idea of a good time, or “doing security”?

Will you feel like you’re “making a difference”?

It’s a dog and pony show to make sure the people that have all the money and control don’t lose “unrealized gains” in the end. It’s smoke and mirrors to please auditors.

Non technical staff, making shit up in a policy to appease non technical auditors.

And you’re arguing with me on twitter over the value of the CISSP and the CEH in this scenario.

sigh.

For those of you who think the above is “utter bullshit”, do not despair. You can literally avoid it all. I’ll show you how!

• If you have zero security experience, but are currently a dev, a sysadmin, a netadmin or in another technical role, and are interested in moving into a security role, it’s actually pretty easy. Keep doing what you’re doing, and start going to the community conferences. Not huge ones like comdex/blackhat/rsa, the little ones near you. showmecon, shakacon, shmoocon, toorcon, derbycon, bsides, layerone, hushcon (ask twitter, there are tons of these) – the cons attended by “the doers”. The people that do the things – that make the tools – that present at cons on neat topics. There are very few “doers” in the community – stick close to them and you’ll absorb A TON.
• Most people in the community are super happy to share – so jump in, make some friends, and ask questions. Don’t ask  “how do I get started”, it’s too broad – pick a specific topic and drill into it. “How do I start reversing malware?” “How do I do a pentest?” “How do I write shellcode?” – start with the ingredients, follow what seems fun/cool, and after you have 2-3 of those you’ll have an idea of what you want to do. Security is pretty broad, and there is more than just ‘redteam and blueteam’ to it. Get you hands dirty.
• Asking “what certs should I get” tells me “I want to be part of the problem. I like that shitty shit shit scenario you described above, and I want to live that dream!” – to which I say ‘holy shit, you made it this far in this post? you must be SUPER HIGH.’. Certs will definitely get you jobs – but just not interesting ones or ones you want or like. They get you jobs where the business leaders need to be compliant and “have to have at least one CISSP on staff” to meet some bullshit goal – they don’t want you because of you, your personality, your skills, or your experience – they need a person so sit in a chair wearing a hat that says “I HAVE A CISSP” so that they can point at you and say “see? we have a guy who has that”. If thats the job that you WANT, then fine – I can’t help you, but most people that do security LIKE WHAT THEY DO and I literally can’t think of a shitter job to be in than “a guy who has a cert because the business needed a guy who has a cert”.
• If the job title requires a cert, avoid it. Period. If the company wants a jr pentester, or a soc analyst or an entry level job, you don’t need a cert – no matter what they fucking say. It means THEY DON’T KNOW WHAT THEY WANT OR NEED. If they INSIST THAT YOU DO it means they do not understand the job or what it’s supposed to be, which spells “you’re gonna have a bad time”. If the people hiring you have no fucking idea what it takes to do the job, even at a high level, that’s a massive indicator that the job will be shitty and you will be miserable.
• If you think you need a cert to get a job, you’re looking at the wrong jobs. Doctors and Lawyers, PHDs, rocket scientists – those people NEED degrees. Science doesn’t change in 3 months. The law doesn’t change overnight because someone found an exploit. What we do as hackers is SUPER FLUID, and we ROUTINELY are the ones that are quoted in college curriculums, the news, blogs, and publications. To be a hacker or work in security you need EXPERIENCE. Anybody that tells you different is either trying to get you into a compliance role, or simply doesn’t have the experience enough themselves to understand.
• If you think you need to get a cert to make HR happy, you will be miserable if you get the job. Hacker jobs aren’t about obeying company policy and obeying HR. You’re probably in the wrong field. If you want to be a mindless robot that just obeys your boss for a living, I hear OPM and Sony are hiring.
• if you hack “getting the job” you will be rewarded for it. Hacking the job means getting the job without going through HR. This can be done several ways:
  • Meeting the hiring manager at a con, or anywhere else, and having a conversation outside of work. This basically serves as a casual interview.
  • Being selected for a job based on your hobby, your previous work, your experience, code on github, conference presentation, or social media contributions (legit ones, not just ranting).
  • Being the author of a tool.
  • doing a rad research project.
  • TL;DR – if you do awesome shit, the job will come to you, not the other way around. Do not presume that you have to get a job first to do awesome shit. If you “become interesting”, people/money/influence/etc will come to you.
  • Doing awesome shit, having videos of you presenting at cons, releasing tools and code and all of that stuff is WAY WAY WAY MORE VALUABLE to a legitimate security practice than any cert. You are showing the world what you can do WITH EVIDENCE – not because you paid isc2 or whoever 5 grand to “tell the world you’re legit”.

This system dies if you don’t feed it. This is the reason that we hear squealings from the government and large corps about “not enough qualified people”- there are organizations that have successfully ‘done all the things’ with compliance and can do it with their eyes shut – but they still get the fuck hacked out of them on a regular basis – and nobody they interview can do the things they need done to protect the place. Here’s why:

Because HR posts bullshit

Bullshit walks through the door, takes the job

Bullshit copy/pastes a vague, worthless policy from the internet into confluence

Auditors come to audit the bullshit, and its found to be ‘not so stinky’

Bullshit is released into the wild, and gets hacked to fuck.

People see that bullshit got hacked, decide they need an expert, and ask HR to post a job listing.

20 GOTO 10.

Rinse and repeat.

They found that they have a problem, and they UTTERLY REFUSE to solve it. They insist on miring themselves into this cycle because it’s what they know, and they refuse to let outside folks in. The military has shit pay and requires clearance, big business requires ivy league education and degrees or roots in a wealthy family/community, large industry requires certifications that are irrelevant – NONE OF THEM put a person down in front of metasploitable and say ‘get me a shell’. NONE OF THEM put people on front of a cisco switch and say ‘put port 12 on vlan 2, and give vlan 2 an ip of 10.10.10.1’.

They all rely on certs to tell them who can do shit and who can’t because, and I shit you not: THEY SIMPLY CANT BE TROUBLED TO DO IT THEMSELVES.

People have heard me say in the past “If you don’t give a fuck about your own security, then nobody will give a fuck for you”. This is the embodiment of that sentiment. These are people who do not give a fuck about security, trying to hire people to give a fuck FOR THEM, hiring the wrong people which perpetuates the problem.

OR, they hire the RIGHT people, but because the system is designed to perpetuate itself and not actually solve any problems, the right people cannot get a foothold into a budget, they cannot hire talented subordinates, they cannot institute change in policy, and therefore they cannot effect any change whatsoever – so they quit. The cycle repeats yet again. It’s like the election cycle for senators, congress people, and the president. They spend the ENTIRETY of their first term doing NOTHING but trying to get re-elected. It’s exactly the same routine. They spend all their time trying to get the same budget, avoid fines, and stave off auditors and NOTHING ELSE.

It’s like that fucking plant from little shop of horrors, Audrey II. Every time a new person gets a CISSP, or a CEH – every time an ex pentester takes a job doing compliance – all I hear in my head is FEED ME SEYMOUR!

The way to fix this is ugly, but it’s the only way I have been able to come up with: Let them fend for themselves.

It sounds shitty, but it’s the truth. If these people refuse to acknowledge that their own refusal to ‘do something different to fix the problem’ is what’s CAUSING the problem and there’s nothing we can do to change their minds – even watch them be publicly burned at the stake like sony or ashley madison. Let them get hacked, let companies implode, let them wither on the vine. It’ll serve as a warning to others of “what happens if you willfully ignore security in favor of compliance”.

Focus your energy on people and companies that DO CARE and you’ll have a truly welcoming experience and grow as a person and in your career. Take the time to find out WHO IT IS YOU’RE WORKING FOR before taking the job. Don’t take the job just for the money (that makes you part of the problem). Research the place you want to go work, they’ll respect you for it, and you’ll have a much MUCH better time for it, while avoiding the shitshow shops I described earlier.

Otherwise you’ll end up just another CISSP/CEH, part of the problem, perpetuating the trapezoid of fuck.

I’d mentioned on the twitters a while ago that I got asked to do a review for the movie  “BlackHat”. I turned it in and it went into editing, but it came out only having something like a quarter of what I wrote still left in – and since I promised the twitters that they’d get to see me go all George Carlin style, I’m posting the original version of my writeup, before changes were made. I’ll link the edited one if it sees the light of day here as well.

So the reviews are in. Opening day weekend at the box office Blackhat
opened up earning 23 times less in the box office than American Sniper.
I think the movie was a thought experiment. A 70 million dollar one, at
that, but the tl;dr here is that I think they missed the forest for the
trees. The movie felt like a series of social-justice-warrior-esque ‘hat
tips’ and ‘m’ladys’ strung together by a tattered paper towel’s worth of
“movie”. They tried so hard to hat tip and compliment the ‘hackers’ they
forgot they were making a movie that was supposed to have characters, a
plot arc, and any sense of continuity or immersion.

Last week in San Francisco a movie theater was bought out and security
experts from a variety of big-name companies were invited for a sneak
preview. The reviews came in as thought the movie was a smashing success
– though I suspect that would be the case when they were asked while
stood right next to Chris Hemsworth and Miachael Mann who were there for
a meet and greet during the sneak preview.

Let me get right into the meat of things – the stuff the movie got
right. There were something like half a dozen scenes that made me point
at the screen and go “HAH!” in a good way – one of which was literally
EXACTLY the same as one I performed while on a redteam assessment in
2010 for a finance company.

Doing a WHOIS on an IP: Admittedly, a real whois query will give you
something like 3 pages of output, in the movie it gave only the
administrative contact info. Okay – I can see that for the sake of
clarity and making sure the non technical folks in the crowd get it.
Having 3 pages scroll by would be silly. But good on them for actually
using a legitimate tool in a real way.

Looking at a hex dump of a file: Again, legit, except when the camera
zoomed in more the actual dump looked something like this:

;lkjasd;fkljas;dklfj;alsdjf;lkasjdf;kljasd;fkljasdf A sentence in plain
clear english laksd’fka’sdlfjk’asdklf;lkajsdklf;jas;dlfj

Another dump screenshot:

<a bunch of nonprintable chars and little blocks>[ GPG ENCRYPTED MESSAGE ]<more nonprintables, and what the hex dump SHOULD have looked like>

It’s like they used the first hex dump and then thought ‘no that doesn’t
look right’ so they tried it again.

Almost, guys. Almost. Good try though. Sigh.

They mention an “onion router”, I chuckled. That was the only mention of
tor at all, and its surprising they didn’t say “tor”. Only security
experts know what an ‘onion router’ is, but EVERYONE knows tor –
especially because of the news. Kind of bizzare there.

The scene where the pretty asian actress walks into a bank dressed
sharply and says “hey, I spilled coffee on my presentation document, can
you print me out another one?” – I’ve done EXACTLY THAT during a red
team assessment, except it was a resume, not a preso. And she looks way
better in a pencil dress than I do.

Lastly the male cop who was firing a single stack .45 m1911 clone with
godlike accuracy. This and the last one were probably the two most
‘accurate’ scenes in the movie which pertain to hacking. The rest felt
sort of forced, as though you sat the marketing intern down for a
weekend, tried to fill his brain with “hacker stuff”, and then asked him
about it the following Monday and graded his responses. He’d get it
“mostly right” – not enough to be actionable in a security role – not at
ALL – but enough to make the hackers in the room feel like he gave it a
good strong shot, and their efforts in training the guy were worth it.
If he did it 2-3 more times he’d be pretty solid to at least talk like
he had a clue. The rest felt as though the movie was a waiter who had
spilled coffee in my lap, and was so distraught over it that he went
across the parking lot to TJ Maxx, bought $1000 of random clothing, then
came back into the place and while sobbing profusely and apologizing,
crumpled up the clothing and threw it at me from several feet away in an
effort to “fix it”. It was just awkward, and I couldn’t tell if I was
being trolled or not.

And now for the dumb. I hope you’ve got a helmet.

Speaking as a security researcher that has worked for a bit in the field
of ICS and SCADA equipment, I can say flat out that – yes – using
malware (or literally just a straight up python script you can do some
SERIOUS damage to industrial control equipment. Look into pymodbus. It’s
super easy) you can tell the control center one thing and the scada gear
another. It’s not really surprising at all – modbus is a really old,
really simple protocol. Think of it kind of like ARP – you can just spam
whatever to the network and computers just ‘obey’. It’s certainly not
rocket science. All the super technical looking graphics of electricity
flying around and whatever – I have no idea why they bothered keeping
that in. They could have used that time more wisely (I’ll get to that
later). The control displays wouldn’t ‘twitch’ or make noise like they
did in the movie, there would be no clues. For as hard as they tried,
there were still those typical hollywood “bleepy bloopy computer noises”
for every scene.

The idea that a badguy hacker would abuse both the stock market and
industrial control equipment for the sake of stock gains is not a new
idea at all, though it really is giving them quite a lot of credit. The
dependency here is that doing it all from Jakarta would imply that there
is enough stable internet connectivity between all the moving parts to
establish even the loosest plotline involving conducting hackery over
the internet. A reactor in China connected to the internet? Not overtly
surprising. A series of dams in Jakarta, out in the middle of nowhere?
Highly unlikely. I spent a couple years researching ‘random things on
the internet’, and I found thousands of ICS and SCADA devices. The vast
majority of them were things like electrical and air conditioning
controls for office buildings and apartments, as well as many consumer
grade and low enterprise grade solar power collectors. I found four
hydroelectric plants, but they were all in France (bizzare. All in
France. No clue on that.), and literally nothing in Jakarta. It’s
plausable from a hardware standpoint but again it seems like they tried
so hard to be clever it broke the actual movie.

There’s a scene where Hemsworth walks into the destroyed powerplant and
is told the temperature has “gone down to 130” or so and it’s safe
enough to go inside. The scene depicts a server rack that’s been sprayed
with some kind of thick white residue which has dried and begun to
flake. The room is a complete wreck, but somehow the servers are okay?
There are no labels of any kind, and Hemsworth simply picks what appears
to be a random hard drive and removes it for recovery. I’m reminded of
when the datacenter at 1Wilshire in Los Angeles had a power failure
something like ten years ago – it was where Myspace was housing their
equipment. The facility had forgotten to put the A/C on the backup
power, so when the power failed the datacenter literally cooked itself
and parts of the server chassis melted. Millions of dollars worth of
servers were physically destroyed – from their own heat! We’re supposed
to believe that a nuclear power plant produces less heat than the
servers themselves would with no A/C? Insert your finest condescending
wonka jpeg here.

As far as the characters go, they all have the depth of a spoon. I’m
reminded of the Red Letter Media review of the Star Wars movies where
the narrator asks several people to describe characters from the
original Star Wars and the new Star Wars movies, and the volunteers are
unable to describe characters like Quai Gon Gin or Annakin other than
their simple physical appearances – they struggle to produce adjectives
to describe the characters, because they are empty or hollow. This is
what I was talking about in regards to ‘using time wisely’. They did
ZERO character development. There was zero plot development. The only
reason “the sister” is in the movie at all is so that Hemsworth could
have a romantic interest, and so that violence later in the movie could
add some artificial tension. Easy bake plot devices. Safe for ages 3 and up.

And when did Hemsworths character suddenly learn advanced hand to hand
combat? Was it while he was in prison? Was it while he was carding? I
guess I missed the part where the movie turned into a Jason Bourne
spinoff. I know a few hackers that have a few of these kinds of skills,
but it’s because they specifically went to get training for them, or
they had some lengthy military experience and actually saw combat. I
took 18 months of Systema training (it’s what they teach the Spetznaz)
for fun instead of signing up for a gym, and what I saw in the movie was
just as advanced, if not more.

Lastly, the foley. Foley is all the sound post processing work that’s
done on a movie. In many cases the actors have to re-voice themselves in
a studio after shooting so that the audio guys have more to work with.
In this case, it seems like the foley guy gave an ipad to his infant son
and the kid did all the foley for the movie. It was ATROCIOUS. Lips
moving not matching the words being spoken happened at least ten times.
It destroyed the immersion every time. Hemsworth walks into a datacenter
that he’s just crashed a truck into as a diversion, it’s dead quiet, you
can hear the clack clack of the plastic hard drive enclosure he puts it
down on the crash cart, and you can hear his keystrokes. I’m sorry but
NO. Anyone that’s ever walked into a datacenter will easily be able to
call BS on that. Other bits where there’s a lot of shakeycam action
going on and you can hear the audio quality click back and forth from
“the camera for the shot” and “the foley guys studio”, the background
noise randomly comes and goes – it literally broke the movie. You’d be
better off watching the whole thing on mute.

So in closing, Blackhat felt like an awkward, forced, identity crisis of
a movie. If the foley guys weren’t drunk I would have said ‘it’s
amusing, go see it – but not for the plot’. The real linux terminals and
real ssh prompts and mount commands were appreciated, but it felt like
the rest of the movie suffered greatly because of it. I wouldn’t say
it’s so bad you’d want to saw off your own head, but it’s definitely a
forgettable movie that will disappear once all the press it’s been
getting dies down.