Movie plot points that don't work if they had better security
What am I Doing Here?
AI Security
Pwned Starts with P
You Had One Job!
OWASP Top 10
100
In this movie, an underpaid contractor caused a disaster on a remote island and nearly got away with stealing company secrets because there were no peer reviews on his code commits.
What is Jurassic Park?
100
The room number you are in right now.
What is community classroom 4?
100
The term for when AI confidently states incorrect facts.
What is a hallucination?
100
This is when an attacker gains initial access with one account then increases their access level
What is privilege escalation?
100
LastPass had user data stolen from their backups when an attacker sent targeted emails to their devops in this type of social engineering attack.
What is spear phishing?
100
The vulnerability associated with this type of code
SELECT * FROM users WHERE name = 'bob' OR '1'='1';
What is injection/sql injection?
200
In this movie, the cold war nearly turned hot because a critical government system did not have any semblance of a password policy.
What is War Games?
200
This is your body's largest organ.
What is your skin?
200
When a chatbot is tricked into ignoring its original instructions by a clever user input, this type of attack is happening.
What is prompt injection, sometimes called jailbreaking?
200
Instead of brute-forcing one account with thousands of guesses, this attack tries a few common passwords across many accounts to avoid lockouts.
What is password spraying
200
In 2023, Norton LifeLock had many of their users’ passwords illegitimately accessed when attackers reused passwords of known customers in this method of attack.
What is credential stuffing?
200
A one-way hashing algorithm officially recommended by OWASP
What is Argon2, scrypt, bcrypt or PBKDF2?
300
In Superman (2025), Lex Luthor hacks into Superman’s lair which relied on this single factor of authentication.
What is biometric authentication by using a clone of superman?
300
This is the largest volcano on earth.
What is Mauna Loa?
300
This attack involves modifying training datasets so that the model behaves incorrectly later, like labeling spam emails as “safe.”
What is data/model poisoning?
300
This infrastructure issues, manages, and revokes digital certificates, ensuring that HTTPS connections can be trusted.
What is public key infrastructure
300
In 2017 CCleaner, was bundled with malware and downloaded by over 2 million users. This allowed the malicious actors to start this type of attack against CCleaner's customers.
What is a supply chain attack?
300
Changing the path in the URL from `/invoice/123` to `/invoice/124` and suddenly seeing someone else’s bill is an example of this access control flaw.
What is Insecure Direct Object Reference (IDOR)
400
In this movie, hackers used actual hard-wired telephones with no password required to enter into the computer system to liberate virtual prisoners
What is the Matrix?
400
The colors of the five Olympic rings.
What are blue, yellow, black, green, and red?
400
This is a control that should be implemented before an AI application performs powerful or risky actions.
What is a human in the loop?
400
This attack redirects users to fraudulent websites by tampering with DNS or host records, even if they type the correct URL.
What is (DNS) poisoning?
400
This messaging app is normally very secure and exclusively sends messages using end to end encryption. But apparently its security does not extend to protecting information about Houthi rebels.
What is the messaging app Signal?
400
What does OWASP stand for?
Open Worldwide Application Security Project
500
In this movie, a critical access point to a protected resource was secured only by asking challenge questions—some of which were overly simplistic or inconsistent. The entire mechanism failed under ambiguity and included no identity verification.
What is the bridge of death from Monty Python and the Holy Grail?
500
In which update were horses added to Minecraft?
a) 1.4
b) 1.5
c) 1.6
d) 1.7
What is c, 1.6?
500
In 2016, Microsoft unveiled a chatbot called Tay that learned from its interactions with the public. This is how long it took before it became blatantly racist forcing Microsoft to take it down and issue an apology.
What is 16 hours / less than 24 hours?
500
This base64-encoded format is commonly used to store and exchange cryptographic keys and certificates, often marked by
-----BEGIN PUBLIC KEY-----
What is PEM (Privacy Enhanced Email)
500
This network monitoring tool company was supposed to enhance security for the companies that deployed it. Instead, in December of 2020, through a malicious update downloaded by thousands of customers, attackers were able to completely subvert any vulnerable network.
What is SolarWinds?
500
When the next version of the OWASP Top 10 is supposed to be published.
What is November 2025, and they took their sweet time!