If we were cleverer, all these pieces would fall into place, and then we would understand what we have to do. Like, we have to look behind the picture, and then the sunlight will come through the window, through the crystal in the staff, and it'll illuminate a bit of the floor, and then we'll take up the carpet, and then there'll be a little effigy, and then we put that on the bag of sand, and then the portal opens, and we join Mensa.

I need a drink.

Smashing Security, Episode 213: No Security Smart Zap Mensa, Long-Term Identity Theft, and GameStop's Share Frenzy with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 213. My name's Graham Cluley.

And I'm Carole Theriault.

And we're joined this week by a regular returning guest, it's Mark Stockley. Hello, Mark.

Hi.

Hi. Thanks for coming on the show, Mark.

Oh, it's fine. I had nothing else to do.

What have you been up to?

I'm a teacher now.

Are you talking homeschooling? Yes. Yeah, I think Graham's doing some homeschooling as well. Every single parent I know is complaining about homeschooling. Tell us about it.

It's horrific.

Oh, it's an opportunity to get to know your children in a way that you probably didn't want to.

Do you find it too hard? Is that the problem? You don't know the answers?

It's just, there's a reason there are trained professionals. Like, people go to college to learn how to do this. And the people who go to college to learn how to do this are the people who really want to learn how to do this. You know? We were given about three minutes' notice this time, weren't we? By the way, tomorrow morning, you're a teacher again. Go tell all the people you work for.

I posted on Twitter that maybe I was going to crowdsource my son's maths homework, because it was beyond me how to do it. And I thought, you know what? I'm just going to post these questions on Twitter and get other people to answer them for me.

Okay, let's first thank this week's sponsors, 1Password, CrowdSec, and Inside Security Intelligence Podcast from Recorded Future. Their support help us give you this show for free. Now, coming up on today's Smashing Security show, Graham, what do you got?

I'm going to be talking to you about a completely mental cybersecurity issue.

Okay. And Mark, what about you?

Well, I'm going to be talking about how difficult it can be to go and work in another country.

Okay. And I'm yakking all things GameStop. All this and much more coming up on this episode of Smashing Security.

Now, chums, chums, have you ever had your IQ tested? Have either of you ever had that done?

Does it count if you go to a website and do it? On Facebook, maybe.

He's nine.

The very fact that you're on Facebook tells me a lot about your IQ.

He's nine, isn't he?

I've never been on Facebook like that.

Mark, you're a bit of a smarty pants. Have you ever had your IQ tested? He's nine, yes.

Possibly. If I did, it was a very, very long time ago. So it can't have been on Facebook.

He must be nine.

He's nine. Yeah. I'm pretty sure it was not a very rigorous test. And actually, I'm not actually convinced that IQ tests are worth anything or tell you anything useful anyway.

Would you join an organisation like Mensa?

Nine seems to be the age when people go to Twitter and go, my child's maths homework is completely impossible. God, no.

The club for people who score 98th percentile or higher in an IQ test. No thickies allowed.

Okay, I kind of like the idea of Mensa.

I have a theory that nine is the age at which UK school maths exceeds the average parent's ability to do school maths because you start getting into things like perfect numbers and factors and stuff like that, which is useful everyday stuff.

Oh, do you? That's interesting. Why?

Yes.

What do you like about it, Claire?

I don't know. I like the idea that smarty pants hang out together and share smarty, smarty ideas and come up with even smarter ones and then share them with the world. And everything's better. I like that.

So, there's something which makes me a little bit uncomfortable about the idea.

'Cause they don't want you in their club.

I know.

No, well— I know.

It's just, it's just—

I know, honey.

It's easy to turn down the knighthood you haven't been offered, isn't it, Graham?

What is it that makes people want to join a club? You know, they've scored highly in an IQ test, but they think, oh, you know what my social life needs? I need to hang out with other people who also chose to join the club after scoring highly in an IQ test.

Says the guy who's in a chess club. I mean, come on.

Maybe it's a public service. Maybe the rest of us need that for our social lives.

Get them out of circulation.

Yeah, we know where they all are. They're all happy in their little thing.

Is it a bit sad to be a member of Mensa, or is it just sour grapes that we're not members of Mensa? I don't know the answer to that.

I think maybe just 'cause you're not clever enough. If you were cleverer, you'd know the answer.

You don't know if I am a member of Mensa?

We'd know if Carole was a member, 'cause she'd tell us she was a member. All members of Mensa feel compelled to tell people, and they will put it in their email sig and say that they're members of Mensa.

What, they would have a t-shirt saying, "I'm a member of Mensa," "I'm the 11th best Briton in the entire universe"? Something like that?

Wow.

You think— okay, interesting.

I don't know. It's complicated. It's complicated. I don't know. But Mensa is in the news this week. Mensa is in the news with allegations that they haven't been very smart about their computer security. You may have spotted in the Financial Times—

No.

—a chap called Eugene Hopkinson. He was until recently the British Mensa Board's technology officer. And he says he has been trying to convince their leadership team for the last couple of years that they need to stop storing passwords unsafely. He says that their passwords are basically stored in plaintext. They're not salted, they're not hashed, and if someone got hold of them, they would be able to exploit them.

Oh my God, hold the phone for a sec. So they have an active technology officer on the Mensa board, the British board. Mm-hmm.

He's working there right now. Well, he's not, 'cause he's just quit. And he's gone to the press and said—

Oh, no, okay, but did he talk to the papers before he quit or after he quit, do you know?

Well, he wrote an open letter. Hopkinson says that sensitive data was being insecurely stored by Mensa, which included the IQ scores of members and failed applicants, Carole, as well. You wish.

I think, as we've already established, the IQ scores aren't secret, are they? Because they'll just tell you those.

Payment card details, passwords, email addresses, and home addresses. Now, Hopkinson, he fell out of Mensa last week. There was a board meeting where he raised his concerns again. And he wrote this open letter. He said, "If a breach is found to have taken place," because there were rumors that Mensa had maybe suffered some kind of security breach, he says, "I've got no faith that the board and the office will report it adequately or take sufficient action." Oh my God.

I wonder if he was recording that board meeting. For him to go to a board meeting and say, "Guys, guys, guys, we need to take this seriously." And they're like, "Yeah, no, no." And then he goes to the press?

Right. I'd be very, very disappointed if that recording isn't just people going, "Well, I don't understand. Could you explain that to me again?" "I said, no, look, the password is stored in plaintext." "Yeah, no, no, no."

Sorry, I'm on level 240 of Candy Crush. I can't pay attention to two things at once.

Multitasking is a sin. Now, I've been approached— You remember during Watergate that Woodward and Bernstein got approached by Deep Throat? Who gave, you know, and it's all top secret, you know, secret little meetings, right? I have been approached by my own Deep Throat from Mensa. In fact, two different Deep Throats who claim that they have inside information, which they've shared with me. One of whom says he has a recording of the board meeting and he's quite defensive of Hopkinson. He says, oh, you know, they're trying to frame Hopkinson. They're trying to say that he's bad. The other one says Hopkinson is a right pain in the ass. He's causing trouble. And that the board were all over this problem. And in fact, it was Hopkinson's own failure to fix these issues, which has now resulted in him basically being given the boot.

And you're covering it on the show because now you've got two little secret moles giving you information. Do they know of each other, do you think?

I don't know. Did you say, "Hey, Deep Throat—" Did you just say, "How am I gonna identify you?" And he says, "Deep Throat." And you go, "No, I've already got a Deep Throat. I've already got one."

Give me another name.

Is this just some very, very complicated initiation rite to get into Mensa? Is this actually—

Graham's applied. Exactly.

We're just not clever enough to figure this out. If we were cleverer, all these pieces would fall into place, and then we would understand what we have to do. We have to look behind the picture, and then the sunlight will come through the window, through the crystal in the staff, and it'll illuminate a bit of the floor, and then we'll take up the carpet, and then— There'll be a little effigy, and then we put that on the bag of sand, and then the portal opens and we join Mensa. I need a drink.

You've been homeschooling for too long, haven't you, Mark? It's begun to get to you. Now Mensa, they've told the Financial Times that the passwords were encrypted, and that they were now looking into hashing them as well. Now, of course, there is this misconception amongst the public about what encryption means, and possibly within the board of Mensa as well. Because encryption is sort of waved around as this magic talisman, isn't it? It's like, oh, the data's encrypted, then you're safe. You don't have to worry about things like that.

But— Well, I hope you heard me snorting derisively like a Mensa member when you said encryption. It was an involuntary— I think you're fine.

So if you simply encrypt a password, it will be possible to decrypt the password, right? Yeah. So if you use a standard encryption algorithm, the beauty of encryption is you can encrypt a message and then decrypt it to understand it at the other end. And what's a much better idea is to store a cryptographic checksum, often called a hash, of the password. And you can then, when someone goes to your website and enters their password, your website can generate another cryptographic checksum from what they've entered and compare those two checksums and say, oh, they must have entered the password. So you don't have to store the actual password. You can just store a hash or a checksum password. And even better, without getting too nerdy, you can apply a bit of salt to the hash or before you create the hash to make it harder to look up in what's called a rainbow table. Anyway, that's all nerdy stuff, which I'm sure Mensa are all over. Well, apparently not. Apparently not. But it doesn't sound Mensa was really following best practices. And if you visit Mensa's website right now, you will see that the website is down for maintenance. If you go to the British Mensa website, mensa.org.uk—

Well, because their technology officer is out on his ass.

Well, maybe, but— They're sitting ducks now. Maybe they would have been wise to get a technology officer who wasn't actually a member of Mensa, rather than just recruiting from that pool of people who choose to join the Mensa club. Maybe it'd be sensible as well to, oh, you know, this is quite important. Maybe we should bring in someone who understands technology and can properly protect this data rather than us decide what their data security practices should be.

You know what? Purely based on what you've said, right? I'm feeling really bad for Mr. Eugene Hopkinson, who seems to go to these meetings and go, dudes, look, we need to take this seriously. And they're going, yeah, yeah, yeah, you don't know enough. Aren't you a 142? Thanks, thanks, thanks, Eugene. Thanks, Eugene. Sit down. What we call a charity case.

Yeah, thanks, Eugene. Well, that's Eugene's story of what happened, of course. But Deep Throat number— was it number 2 or number 1? Anyway, one of my Deep Throats said it was the other way round and he was causing trouble. And in fact, the board were going, you should have fixed this, mate. You can't come here moaning about it.

Can I just say, this is exactly how I imagine Mensa would operate. So, so everybody knows that you're not supposed to store your passwords in plain— everybody who who cares to know, who has any business in this at all, understands that you shouldn't store your passwords in plaintext. And they have known that for a couple of decades. So we're not talking about best practice. We're talking about what was best practice many, many years ago. And I imagine that there has been— I fantasize that there has been a two-decade conversation going on at board level in Mensa about exactly what they should do. They're probably having arguments about which hashing algorithm to use.

Well, there's a slight— there is a slight twist in the tale because since Hopkinson's resignation, or was he booted out? It's unclear. Personal details of a couple of its directors have apparently been accessed and there's been information posted up on Pastebin as well, which appears to have come from Mensa's servers. And they've informed the ICO of security breach. Eyebrows are being raised regarding who might have been responsible for this. Maybe one of your Deep Throats. Maybe. I'm not going to point fingers in any particular direction, but there is a third-party security company, presumably they're not members of Mensa, who've been brought in to investigate, and maybe criminal charges will follow. We've got a real problem we need to solve.

Can anyone here solve this problem? No. No. No smart people. We're going to get some outside people in with lower IQs to actually solve the problem, yes.

So, either of you tempted to join Mensa now? No. Having heard all this?

How do you know we're not members?

Carole, you can keep on protesting like that.

I'm not protesting.

I'm just asking, what is your evidence? I think most Mensa members are twats, so maybe you are a member, I don't know.

Wow.

That better make the edit. I feel like this story tells you everything that you need to know about IQ. The world is full of people who are demonstrably, obviously, patently clever, intelligent, thoughtful, productive, useful members of society who happen to not have very high IQ. I don't think the correlation between high IQ and actual, you know, success and usefulness and all the things we actually care about exists at all. So if you've got a high IQ—

You see, Graham, don't worry. That's great. That's cool.

Go and join the high IQ club. That's fine. But don't for a second think that that actually indicates or means anything other than that you did well on a specific kind of test.

Said like a true person spurned by the Mensa club. Yes. Damn it. Mark, what have you got for us this week?

I've got a question. I suspect one of you has a yes answer to this. Has either of you ever tried working in another country?

Yes. Many times.

So how did that go? Well, I'm still here.

Yeah, you are working in another country, aren't you?

Yeah. Did you get a job in the UK while you were still in Canada? Or did you move over to the UK and then get a job?

No, I've done both. I don't— I'm not sure how legal the first ones were, but I was basically waiting tables for £2 an hour. So I don't think anyone's gonna give a shit. But yeah.

Would you say it was an easy process? Was there a lot of admin bureaucracy?

Yes, yes, yes. Much, much, much. It was extremely difficult. And I didn't marry my way in, just for those that don't know.

I know, you married a Wookiee, so you— Yeah, exactly.

Well, you know.

So what about you, Graham? Have you ever tried to work in another country?

Well, not permanently. I mean, I do do work in other countries. In the old days, before all this, imagine me waving my arms around now. I used to go and do talks in other countries.

I imagine that's probably quite easy, isn't it? You just get on a plane, go over there, they write you a massive cheque, and then you give some presentation you've given 100 times before and then go home. More or less, yeah.

Have you seen it recently?

You need a work visa. I haven't obviously done one for about a year, but yeah.

So we've all had some experience of trying to do work with people in another country. And so we've all got some understanding about how difficult that can be. Hilarious stories, yeah. But I bet— I think it's going to be very hard for anybody on this podcast or listening to this podcast to beat the story of Nidhi Razdan. So Nidhi is a seasoned journalist working with NDTV in India. That's New Delhi TV. And in November 2019, Nidhi was invited to speak at an event organised by the illustrious Harvard Kennedy School. And Graham, you get a lot of speaking gigs. Have you ever done one for Harvard?

I haven't ever done one for Harvard, no. But I'm available if they want me.

Maybe if you had a higher IQ. Just saying. One of the organisers of the event contacted Nidhi to ask if she'd be interested in applying for a vacant position at the school. It offers a Master's of Liberal Arts Journalism degree. And that includes working journalists on the staff. So she thought, that sounds like me. And offers like that don't come along every day, so she submitted a CV and an application, and then a few weeks later she was invited to an online interview. And it obviously went well, because a few weeks after that she received her offer letter from HR, the human resources department.

And what's the name? What's the name of this school?

Harvard. You may have heard of it.

No, no, Stanford School? Which one in Harvard?

It was the Harvard Kennedy School.

Is that what it's called?

Is that the full name? I believe so. I stopped reading at Harvard, to be honest. Not that I'm a snob, but you know.

I think that would sound pretty cool. She'd say to— Oh yeah, I've got a job at Harvard. You know, you would, wouldn't you?

I would. Maybe it's like the Four Seasons.

The Four Seasons Landscaping Company. Four Seasons School of Journalism.

Anyway, anyway. So she's invited to this interview, online interview, obviously. Obviously goes well. A few weeks later, she got an offer letter from human resources. And while that was going on, her employers received, you know, the kind of correspondence that you know when you're going to get the job because the people start getting the requests for references and things like that. So all that's happening as well. So this is happening, right? The wheels of bureaucracy are turning. And yes, she did get the job offer. And then she decided she was going to make that life-changing decision. So in June 2020, she goes on Twitter and she announces to her fans that she's leaving NDTV after 21 years. Off to the green pastures of Harvard. How cool. Kennedy School. Harvard.

No one's going to pay attention to that bit, Carole. That's like Oxford Brookes, you know? It's Oxford. That's all you need to know.

Anyway, after many weeks of back and forth over her visa, which I'm sure you can understand, Carole. Then she had to get into the actual nuts and bolts of actually teaching. So she's getting documents about class schedules, details of her class, and what she's going to be teaching, and so on. She's so excited. And then, you know, it is a bureaucratic process, and everybody understands that. And bureaucratic processes get even worse during a pandemic. But by late 2020, she was starting to get very frustrated with all of this. There seemed to be an awful lot of administration to wade through. How much time had gone past then? So I believe she was approached at the back end of 2019. And I think— So a year.

She has no idea what she's talking about. My God, that's nothing.

So far, not impressed. Anyway, so we're coming to, I guess, kind of late 2020, and she's starting to get very frustrated. There seems to be a lot of administration to wade through, and her salary is being held up by IT failures brought on by the COVID pandemic. Of course. Now, it's fair to say things are harder in a pandemic. Nobody needs to be told that who's listening to this.

9 times 16, right, boys? Yeah.

But you still have to treat people the right way. And if you're a world-renowned institution, this is not how you welcome someone from another country into a new job when there's a pandemic on. So finally, she had enough of all of this. She'd had enough of these admin and not being paid. And so she decided she was going to escalate things to the head of HR at Harvard. It's "I want to speak to the manager" time.

This is a share buying app or something

And it was when she did that that she discovered that every word of the entire process that she had been through had been a complete and utter lie. And that she had been scammed. So the approach was a lie, the rigorous 90-minute interview that she attended was a lie, the email correspondence from official Harvard email addresses was a lie, the work visa was a lie, the orientation event that she was invited to but couldn't go to because it was cancelled because of COVID was a lie, the request for references that her colleagues received were lies, the letters that she received that were signed by luminaries at Harvard were all lies. Oh my goodness. The only thing in the entire year-long episode that doesn't seem to be a lie is the original invitation to speak at an event. Anyone who's interested should go and check out Nidhi's own write-up of this on the NDTV website, because this is her story, and you should go read it in her words too. But I don't get the impression that she knows. So she's passed the details on to law enforcement, but I don't think she knows what happens other than that she now knows that she spent a year handing over personal information to a bunch of total strangers who were clearly very, very invested in this process. Interestingly enough, she's clearly a savvy individual. And after the initial approach, she went and did some Googling and said, is there actually a course at Harvard where they have people like me? Does this look like this exists? So, I think that that is what is most interesting.

you just put on your phone, right?

Well, two things about this story that really, really stand out, I think. The first one is the extraordinary lengths that the scammers went to. The length of time that they persisted with this, and the amount of effort that they must have put into this.

Yeah, it's a stock market app.

But I think what you're looking for is the wisdom of the crowd, and in order to get the wisdom of the crowd, the crowd isn't supposed to agree with itself in advance what it's going to say and then go and sort of act as a union.

You know, the share price is supposed to reflect the actual intrinsic value. All you're saying is, with the short sell, I don't see a future in GameStop. I don't see a future in a store that's run the way it's run, that sells physical media. And I agree with that. I don't see a future for that store. That store is, you know, that share price looks like it's going to go down and down and down and down.

And so bet you wished you'd invested if you had Mensa.

But the purpose of the share price is not to make me— it's not to make me rich.

Okay, good. So if I hear the sound of running water while I'm talking, I'll take that as an indication that my story wasn't interesting. So anyway, I want to tell you a story about— so when I left college, I had to make a decision. I knew I was going to go do something artistic with computers, and I wasn't sure if I was going to go and build websites or if I was going to go into game design. I really wanted to get into computer game design, but in order to do that, I had to have a very expensive computer and do 3D modeling and learn these insanely complicated 3D modeling computer programs. It was a huge, huge investment, and the computers were slow, and it took ages to get anything done, and the software was just terrifying. So I opted to go and work in websites, which were simple, and you didn't have to have a powerful computer because they were almost nothing. And it just seemed it was a low-risk option. I mean, an interesting one, but a low-risk option. Anyway, fast forward quite a long time. And the other day I was chatting to a friend of mine who is very good at woodwork. And I am building a new shed for my chickens, a roofed coop area for my chickens.

Yeah, just for a teacher, it's, you know, we just had someone on the show talking about high-value targets, right? That only this kind of stuff would only happen to CEOs or the rich or something, the notorious, where she's just—

It's for you and your chickens, isn't it, Mark? It's for my— It's not just for your chickens. Big enough to fit me in it. I can stand up in it, or it will be anyway. Well, she's a journalist.

Yeah, she's a TV personality.

The professorship is being dangled as a carrot. And so whoever has her identity effectively is then able to be her, this very, very connected individual. And I don't know if you've ever tried to do this, but if you phone people up and ask them for stuff, it's amazing how often they will give it to you. And so if you phone up and you say, you know, I am a famous journalist and I can prove it, you can talk your way into hotels, you can talk your way into bank accounts. It's a very privileged place to be, I think. So, but the interesting— I guess that's the open question about is how targeted was this? You know, is she one of a number of high-profile people who have been duped, or was this specifically aimed at her for a particular reason? And I don't think we even know what the fallout from this is yet or how they've used those details.

Someone else might be doing her job right now at Harvard Business School, right? Pretending to be her.

I wonder if she has confidential sources that somebody might want to— There are regimes that pay extraordinary amounts of money to put surveillance ware on particular people's phones, for example. So, you know, being a journalist can be a dangerous profession.

So has she got her job back at NDTV

You guys, anyone out there who

after all this?

wants to listen, The Office ASMR

Yes, yes, yes, she does seem to still be working for NDTV. She published this on the NDTV website. And yeah, it does say, I am still an NDTV journalist, or, you know, that was certainly the impression that I got.

Podcast. I think it's fun.

You're right, Mark. This is an extraordinary level of effort for the scammers to go to. We don't normally see this sort of, you know, this months and months of work.

But isn't that a very interesting choice of words? Because that's the other side of this. You said we don't normally see this, but how would we know? How would we know? If you had asked her halfway through this process, she wouldn't have told you she was being scammed because she didn't believe she was. Because what an extraordinary thing to discover and admit to yourself that that people are capable of doing this, that they're capable of this kind of devious behavior, and that you're capable of falling for it. And I do wonder how many people are subject to this kind of scam who never discover it, who never find out, who just continue to believe what they're told.

I wonder if one of us is being scammed right now. Maybe one of us believes we are just participating in a security podcast and either as an irregular contributor or as a regular co-host. And in fact, this is all subterfuge.

I have it on good authority that one of the people on this podcast has been approached by a couple of quote-unquote whistleblowers.

A whistleblowing Deep Throat is quite a trick, isn't it?

That is why Graham doesn't Depends where the whistle is, I suppose. have an ASMR channel.

Filthy. You guys.

He's doing great.

Carole, what have you got for us this week?

Oh, we're talking GameStop. We're talking GameStop. Now, today, right now, it's Tuesday, 2nd of February, 4 PM UK time. And the GameStop stock price is 91.69, right? So at the end of my segment, we're going to see what it is. And then you nerds out there can work out how long it took me to do this story. So we're yakking GameStop just to figure out what happened. We're going to go through a few basics first, right? And I— Mark, I know that you dabble with the stock market, so you need to dive in because you know more about this than I do. Graham, you just butt in because you butt in, right? So GameStop. GameStop is a company that sells games, it's a retail store. It sells related game paraphernalia. As the Bee put it, it's the thing you'd find between a donut shop and a makeup retailer in an American mall. Which I love.

Between a Blockbuster's and a Tandy. Right.

Well, would you say, Graham, it's what?

Oh, I don't know, but I've heard it's a bit rubbish. Isn't that right?

No, it's not rubbish. It's just been failing for a while now. So from a stock perspective, people would agree with you. It's a bit rubbish. But from a retailer point of view, that is where you go to buy your games. Now think about it. You guys have Switches and whatever consoles. Maybe 5 years ago, you guys would buy a hard physical copy of a game. You wouldn't just download it.

And you can follow us on Twitter @SmashingSecurity, no G, Twitter's not allowed to have a G, and we've also got Yeah. Well, that's why I say it's a bit rubbish because I think most people these days don't buy their games in a store, do they? They either buy them online and have them delivered to them, or they literally are inside the video game console's online store and it automatically downloads. a subreddit, go looking for Smashing Security up there. And don't forget, make sure you never miss another episode of the

And GameStop kind of suffered, I think, from that. There's been a kind of slow decline since January 14th. So then it was about $50 bucks a share, right?

show, subscribe in your favorite podcast app such as Apple Podcasts, Google Podcasts, and Spotify.

I think they were just, they were holding on for the turnaround when people suddenly realise that they can only download so many things and it's easier to go buy physical media.

Okay, so I know people that actually really, really want the physical media because they've had consoles break on them before. They don't like that it's in the cloud. They can't access, they don't remember a password and they just feel more comfortable owning the physical game. Like, it's—

Are they members who smoke pipes and have long beards?

Well, they're related to me, so I don't know. So on January 14th, GameStop was about $50 a share, okay? Cue pandemic. Now, since then, it's been going down slowly, slowly, slowly for all the reasons we've talked about, right? And pandemic hits an all-time low of like $5 per share. Yeah, right. And they're even set to close down 450 shops in 2021. They make this announcement. And, you know, like you say, the idea of the pandemic didn't help people 'cause they're forced to get real cozy with their homes and online gaming. So what are they doing? They're downloading games directly.

Yeah. And people don't want to buy physical media because other game players probably don't wash their hands. And Marie Kondo, right?

We don't want all that fussy, fussy, fuss, fuss stuff around our house anymore. We want it all spick and span.

Do you think there's a big overlap between the gamer world and Marie Kondo?

Well, you know. So, okay, so, so back to GameStop, right? So in bounce the short sellers, right? So short sellers, or short selling simply put, is like a trading technique for people like hedge fund managers or individual investors or speculators, or what I'd call gamblers personally. And the hedge funds, big hedge funds decided they were looking at GameStop's like failing, failing, failing stock price, and they were like, hey, maybe there's something here we can do. Maybe we can basically buy some shares or promise to buy shares at a price in the future, because they're definitely going to decline in price.

Yeah, they're making a bet basically that the share price is going to go down, and that's how they're going to make their money.

Okay, okay, I'm going to give an example. Okay, Mark, you have to pay very close attention. Tell me when I fuck up on this. Okay, okay, Graham, you're my, you're my guinea pig in this one.

All right, okay, interesting.

So let's say we're talking about a donut. I've got a donut.

Guinea pigs do not like donuts. I think you'll find it's carrots and lettuce is what we like.

Okay, and you're smart enough— not Mensa level, but you're smart enough to figure out that a donut in 5 days is going to be worth way less than a donut right now just out of the fryer. Yeah, right? Yeah, probably. And you see it as a sure thing that if you buy the option to sell the donut for $2 to somebody right? And you promise to buy it back later at whatever price it will be in 5 days' time, you might turn out a little coin. So let's take 5 days' time. Turns out someone values the donut at only 10 cents because it's all crusty, gross, gross. And you make $1.90 out of that sale.

You with me? I'm with you. Yeah. Okay.

But what happens if the donut improves with age because it's using a new fermented sourdough dough base, and people go nuts for it. And in 5 days, the price skyrockets to $10 per donut. But you've promised to buy it back at whatever price, you're now in a loss of $8.

Oh yes, yes. That's the part about short selling that you don't hear so much about, I think.

Yeah, because no one likes to advertise when they fuck up, right?

But what I mean is, if you buy a share and it goes down in value, the downside of buying a share is that it goes to zero. So there is a limit to how much you can lose. You know at the beginning, okay, if I spend this much money, I might lose all of it. And that's how much money you've lost. Whereas I think if you short something, the danger is that the price goes up. There isn't actually a cap on how high the price can go, so your risk is potentially much, much higher.

Yeah, because the short sale's infinite, right? So the stock price could continue to rise with no limit. So these hedge fund guys on Wall Street borrow shares in the company and sold them with the promise to buy them back at a later date, okay. You know, they're waiting for it to go down the poo-poo hole, yeah. And then they would collect their prize money because that was the game plan, that was their bet, yeah.

And they're not imagining that a horde of gamers are suddenly going to go to these shops and start buying physical media in the middle of a pandemic, right? It seems implausible that the share price is going to go up.

Exactly, Graham. In swagger, a Reddit community called WallStreetBets, okay, more than 4 million people follow this feed and sharing tips and tricks and thoughts on the market, been doing this for years. Amateur investors and diehards can all be found there. So they get together and they all say, we're going to save GameStop. We're going to have a movement and we're going to buy all the shares back, we're not going to let Wall Street kill these guys. And when you buy shares, the value ticks upwards. And when millions and millions of people invest and buy shares, the valuation skyrockets. So it went from the lowly fiver all the way up to $350 or almost $400 per share. Right, so if you bought 1,000 shares, $5,000... oh God, 9-year-old maths, right? Let's go, boys. 1,000 shares at $5 a share, and suddenly it's $347 per share. What do you got?

Way more money.

I'm on this podcast to get away from the maths homework.

$342,000.

Jesus, I have no maths left.

I left them all on the kitchen table. Okay, now the problem here with all this is this leaves the hedge funds heavyweights who attempted to cash in on GameStop failing, they're feeling the heat. Yeah, because they promised to buy it back at a future valuation, and now that valuation is way freaking higher. Oh, the poor hedge funds.

Oh, the poor little hedge funds. Won't someone think of the hedge fund managers? Melvin Capital Management was forced to seek a rescue package. Being at the center of the kerfuffle over GameStop, it lost 53% on its investment. I got some sand in my mouth.

Another one, Maple Lane Capital ended with a roughly 45% loss.

Could we get some black and white photos and like a PowerPoint and just have their names in like a really ornate font underneath, maybe with the dates, like those little bits they do at the Oscars? I think that'd be great. Well, there's loads of speculation as to why this happened. Was this a movement that was kind of spurned on by this Reddit community, or was it just people who were bored and they happened just to kind of glance past it and go, "This sounds fun, I'll try and get involved too because I've got £1,000 or $1,000 to burn"? Or maybe some people were starving, going, "Oh my God, I really need cash quick. This could be a way."

Crying foul. 'Cause they were out-gamed by a bunch of nerds, right? And it hurt their professional investor ego.

Had they not been warned that the price of shares can go up as well as down?

Have they not watched the ads?

Dare these people pool their assets and then use them to make money from the fluctuation of stocks? Exactly.

How dare people band together and manipulate the market? Do you own a three-piece suit? Do you own a Hermès scarf? Now, of course, this seems unfair to us, I think, because they're basically just bitching because someone's beating them because they're using new platforms that they hadn't thought about. And they did it rather cleverly. However, the upshot of when Wall Street kingpins whine in unison, people listen. So regulators in Washington are now keeping an eye on a possible market manipulation in social media groups. So we've got that. Thanks. We also have the digital investment app Robinhood. This was a central app in this whole, I don't know what to call it, a fiasco. And last week it restricted trades in GameStop, allowing investors to sell but not to buy. A surefire way of trying to push the prices down.

In unrelated news, I understand that one of the companies that stood to lose substantially from the increase in GameStop shares was quite a serious investor in Robinhood. Ah, interesting. Interesting. Although the CEO of Robinhood has been on TV telling everyone that'll listen that these two things are entirely unrelated.

According to The Guardian, the company insists that this was for technical reasons that they stopped the investors being able to buy, rather than a desire to protect the hedge funds. But of course, small investors are pissed off. So one, they've taken out a class action suit against Robinhood for knowingly manipulating the market, and they've been flooding the Robinhood app with 1-star ratings. And where it gets interesting is Google has salvaged the rating by removing more than 100,000 1-star reviews. So basically taking the side of the hedge fund. What do you guys think about that?

Were these automated bad reviews or were they done by hand by angry investors? I sort of think if they were legitimate bad reviews and we don't like what they did, then that's fair enough. But if it was an automated bot or something that was doing them, then Google feels it's within its rights to remove bad reviews.

Yeah, I feel these two things are quite separate because from Google's point of view, you have to think, what is the purpose of the reviews? Well, the purpose of the reviews is to help people choose things. Based on the opinions of others. So if I organize a campaign which is very obviously just meant to trash the reputation of a company by leaving 1-star reviews, those reviews are no longer really very useful to the people who are shopping for apps, I think.

Yeah, but if 100 people do it because they all feel they may be acting as a collective, Oh, bad people for being a community. Fuck, don't you realize you're ruining everything the company are trying to do? Does anyone else see the irony in the company being named Robinhood and then shutting down trading for individual investors? but they all feel that's the right thing.

That's cropped up, I think.

Markets are attempting to claw back, obviously, the losses that were felt early Monday, kicking off what's going to be a turbulent February month. And this is not the last of this. So there's already been forays into AMC, very similar story to this as far as I can see, and BlackBerry. So technology firms, slightly different story, but the idea of having failings and being propped up by the market and having individuals or this movement underpinned by this idea of let's save these companies. The question is, does GameStop value, you know, does it deserve this valuation that it currently has? Well, maybe now, currently, maybe it's a pretty good valuation, but on the weekend, 2 days ago, it was much, much more. Should we check what it is now?

Should we check what the valuation is?

I actually have the stock price in front of me. Yeah, I'm looking at the chart. The chart looks like, it's basically a horizontal line for several years and then a vertical line and it's coming down. So it's now $111 right now. So interesting, we'll see what's going to happen.

It's crazy, crazy time. I worry so much about the people that get caught up in this frenzy late in the game and are investing their life savings. And just be careful, folks. This is real money.

This is what worries me about this story, because I feel a lot of people were kind of declaring a victory lap. These people coming together on Reddit as if they all had exactly the same intention and they were all acting as one for the same reasons. And they all kind of taught the hedge fund managers a lesson. And maybe they did. And I hope that everybody gets out of this with their shirt? Well, they won't. Of course they won't.

It's impossible that everyone—

He just doesn't understand, Carole. He doesn't understand. You and me, we're all right with it. He can't get his head around it. It's a bit too troubling. Try and ask him about factorials.

The idea that anyone can say what that group is doing and speak for the whole group and say, this is the mind of the group, I find quite concerning. I mean, we don't know that there weren't hedge fund representatives in that group.

Oh, totally. It could have been a pump and dump scheme.

Exactly, exactly. There could well be institutional investors taking advantage of this collective thing. And it's true of every stock bubble and every stock market bubble in history is they happen because the people in them say, this one is different. For whatever reason, they say, "This one's different. It's a different kind of bubble. It's happening for different reasons. It's got different kind of people involved. We're teaching the man a lesson," or whatever. And they are all the same, always. And they always have the same outcome. And eventually, the share price will come back down and somebody will lose. So the story isn't over yet. Do you do yoga? I haven't since the pandemic started. Can you tell?

Hey, Cluley, did you hear my CrowdSec special interview that I did? Yes, yes.

Yeah, I've heard it. Yeah. Did you?

Yeah. Okay. I don't know if I believe you. Tell me everything you know about CrowdSec.

Go. Oh, okay. CrowdSec, they're building a community where you, SecOps and DevOps can join forces around the world. And actually make a difference against all the new attacks which are coming out. Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.

Okay. Tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?

Okay. Yeah, they analyze your visitors' behavior. They deal with the malicious traffic and— oh, yes. They automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.

Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this. So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net/smashingsecurity.

And Smashing Security listeners, there's a special offer just for you. Go and join the user community and you could win a Google Pixel 5. Just go to crowdsec.net/smashing.

And thanks to CrowdSec for supporting the show. Hey, Graham. Hey. Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?

Why are you saying that? You thinking I'm getting forgetful? Yes.

Often. Very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time. I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?

Yeah, well, I use a good password manager. I, in fact, use 1Password. 1Password.

That's one with a one, right? That's right. 1Password.

It's a great password manager. It works for home use, it works for families, it works for business. So I run a little business here at home and it means— and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.

Oh, and tell you what, now that all of us are working from home and your computer's being used not just for work but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.

Yeah, and listeners can find out more and they can try 1Password for free for 14 days at 1Password.com. And thanks to them for supporting the show. Recorded Future delivers the world's most technically advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. Well, their podcast, Inside Security Intelligence, takes a deep dive into the world of cyber threat intelligence. They share stories from the trenches operations floor, they give you the lowdown on established and emerging adversaries. Whether it's the SolarWinds breach, 5G conspiracy theories, or Russian election interference, Inside Security Intelligence gives you a fresh take from a variety of industry experts. Search for the Inside Security Intelligence podcast in all good podcast apps, and thanks to Recorded Future for sponsoring the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.

Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.

Better not be.

Well, my Pick of the Week this week is not security-related. My Pick of the Week is a TV show, another TV show I've been binging on this time, a documentary. And it is a documentary about the rise of the Murdoch dynasty, the extraordinary story of how Rupert Murdoch has managed to really have so much influence over world events, things going on.

I watched some of this at your behest. I loved it.

It's pretty good, isn't it? It's absolutely fascinating. It's 3 episodes and it's— If you saw, there was another BBC documentary called The House of Trump, and it reminds me rather of that because you get these figures in the public eye, people like Alastair Campbell, who used to be Tony Blair's right-hand man. Yeah. Nigel Farage and others speaking very, very frankly and honestly, which often, you know, you don't always get in documentaries about somebody and about his family. And it's very much about the machinations that have gone on behind the scenes. For political influence, sometimes to the benefit of the Murdoch family, and also how his children have been battling to gain control of his empire when he eventually pops his clogs. And of course, there's a fair bit as well about the phone hacking scandal too. And people like Rebekah Brooks—

Can I interrupt? I noticed that they kind of skipped over the pie slap in the face during the hearing. Yes. Which I thought was a little bit uncool because that is a memory that you and I share. Because I think I had a really bad back or something, and you actually came to do a sympathy visit. That's right. And we were watching it live on TV, and that happened, and it was a—

Is that the one where Rupert Murdoch's then-wife lands a serious right hook on someone?

Yes, that's right. Yes! Wendy Deng. Wendy Deng.

It was curious how they edited around that in the show, because they sort of suggested it but didn't— They didn't talk— I mean, I don't think it's meant to be the— I mean, it is, to be honest, it's a bit of frippery. It's not important to the story, but— Oh, really? Frippery? Yes, but they— It was bizarre, because they did have a little bit of footage around it, but it was—

That should be our show name, Security Frippery. Yeah, frippery. Anyway, it is a marvellous documentary. I can really recommend it. It is— Seconded. What's it on?

It is available on BBC iPlayer. Don't know if it's available anywhere else, but go and check it out. The Rise of the Murdoch Dynasty. Links in the show notes. Mark, what's your pick of the week?

My pick of the week is a website called SketchUp. And I'm going to tell you why. I'm going to tell you a little story. So gather round. Yeah, we've got time for this. Do you need a pee, Graham?

I've got a little bucket here I can go in. I'm fine.

So, an outfit that you wear. Now, I have done a sort of beautiful hand drawing of what this thing is going to look— trying to work out which bits of wood I need. And I did, I drew this pen and paper, pencil and paper drawing. And I was saying to my friend, you know, what I really need is I need something that I can kind of build this chicken run in online. You know, just to kind of work out whether or not the bits of wood actually fit together. And he said, well, lots of people use SketchUp. And I thought, "Oh, go and have a look at that."

It is completely free. 3D modeling thing built entirely using website technology. And it blows my mind that that's where we are, that the thing that was too expensive, too scary, too difficult to do, required too powerful a computer for me to do 25 years ago, and so I took the route of going into websites instead, is now possible in the website. And it's brilliant. It's brilliant. So I have actually— I have built my chicken coop virtually. So I've kind of extruded out all the pieces of wood that are exactly the right size and stuck them all together in the right way. And I've built myself a corrugated plastic roof. It's— I'm not saying the coop's amazing. The app's amazing. The coop is— you know, the app can do more than my chicken coop.

It's glorious hearing this. I've known about SketchUp for 10 years. Really? I've used it. Yeah, because I've used it to model kitchens. And new bathrooms and all kinds of stuff. And yeah, I'm surprised, I guess, that people don't know about it. I kind of—

Yeah, I've heard you talking about it before, Carole, yeah.

Yeah. But this is the wonderful thing about the internet, isn't it? That it's too vast. Someone can just say to you in passing, "Oh, there's a complete 3D modeling package available in a small HTML canvas over there." I don't know.

How'd you— 148, 149, you might've figured it out.

I'm sorry.

It's okay, Graham. Don't worry.

That's too quick. Yeah. That was above his head, Carole Theriault.

What's your Pick of the Week? Anybody having trouble sleeping these days? You guys, you're a good sleeper, Graham. I don't sleep. I don't sleep.

I tend to sleep for about 45 minutes to an hour each week if I find—

Yeah. I find it's just a matter of getting— of balancing out the caffeine with the alcohol. Yeah, exactly. You get those two levels right, then it's fine, it's easy.

Yeah, exactly. And you know, it sucks. And the other day I couldn't— I couldn't sleep all week actually, and I got a bit desperate and I was looking for a pod kind of sleepy, sleepy distraction, right? And there's a lot of kind of lame, dirty— I don't know, just inappropriate. I don't— not for me trying to sleep because I'm frustrated, right? It's 3 in the morning. I'm pissed off. You're the one— are you assuming sexually?

You're, you're the one who said dirty. You said there's a lot of dirty stuff, and then you said you're very frustrated.

Okay, not in that way. Just I've got too much stuff in my head that is unimportant and it won't go away. So anyway, I'm on— I'm Googling, Googling, looking around, and I find The Office ASMR show. Which is literally a podcast narrating The Office so you can fall asleep. So here I was thinking, I see this and I'm thinking, okay, so this guy, this girl's got a script and they're going to reenact it as a one-man or one-girl show. But no, this guy basically watches the episode and then very calmly, without any glee or enjoyment, tells you what's happening in real time. Pam walks into the meeting and sits down. She doesn't look very happy. Dave tells Gareth he's immature. Pam walks out, still unhappy. That kind of thing.

Do you remember what I said about how—

One at a time, boys.

Mark! Do you remember what I said just now about the internet being amazing?

Yeah, totally take it back. Grim.

No, I— So you're— This works, does it?

The entire magic that makes the show the show has been hoovered out of it, right? Completely. It's a husk of the show. But it's so dull and quiet and familiar because you know the episodes, you fall asleep.

So there's more than one episode of this?

Oh yeah, he's done 4 seasons.

Why? He's done all 4. I wonder how he manages to stay awake.

And you know what? He has 215 followers on Twitter.

Oh, he's doing all right.

Throw him a bit of love. Throw him a bit of love because it's a cute idea and he does it well. And The Office ASMR Podcast helped me—

How do you know he does it well? How do you know?

Because I went to sleep. You don't.

Once you're asleep, you don't know if he's doing it well.

It's the point. So— His whole line is the podcast narrated in the office so you can fall asleep.

It's his job. I feel like you're telling us it's boring, and yet somehow you're also claiming the moral high ground.

Exactly. And that is why it's my pick of the week. It's so boring I fall asleep. It's amazing! It's successfully boring. Yeah, that sounds really boring, Carole.

No, you're wrong. Successfully so.

Wouldn't it be more boring to listen to the same episode over and over again? Why do you need 4 seasons of it?

Well, I don't want to sound sexual, Graham, but maybe that'd get frustrating.

It sounds amazing. Can we wrap this baby up?

But not fun enough to keep you awake.

And that just about wraps it up for this week.

ASMR voice, please.

And that just about wraps it up for this week. Mark, I'm sure lots of our listeners would— You're doing great. Mark, I'm sure lots of our listeners would like to follow you online, what's the best way for folks to do that?

Oh, you can follow me @MarkStockley on Twitter, or you can follow my chickens @InternetOfHens on Twitter.

Huge thanks to this week's sponsors, 1Password, the Inside Security Intelligence Podcast from Recorded Future and CrowdSec. And to our wonderful Patreon community. Thanks to all of these people, the show is free for all. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 200 and now 12 episodes, check out smashingsecurity.com.

230. Well, this one's not up yet. Until next time, cheerio. Bye-bye.

Bye.

Bye.

I wish we'd stick with the ASMR voice. I was looking forward to trying. Huge thank you to this week's—

Do it. Do it. Do it.

I don't want to now. I just did it.

I got bored. Did you?