Private messages between Mensa forum members are leaked onto the internet

D’oh!

Graham Cluley

Private Mensa forum messages leak onto the internet

There’s still some confusion about precisely what has been going on at the British branch of Mensa, the club for people who have scored highly in an IQ test but who feel their social lives would be improved by hanging out with other people who chose to join a club after scoring highly in an IQ test.

As previously reported, Eugene Hopkinson is no longer the British Mensa board’s technology officer.

Whether that’s because he resigned the role or was kicked out depends on who you ask.


But Hopkinson did tell the Financial Times that he believed Mensa was storing sensitive information about members insecurely.

Mensa UK’s website has been offline ever since, claiming it is down for maintenance.

Mensa website

Obviously the news reports must have concerned many members of Mensa, who were sent an email by the British Mensa chairman, Chris Leek.

Mensa email

We apologise to anyone who has been inconvenienced while the Mensa website has been offline.

It was taken down to allow a full and uninterrupted investigation into a suggestion the Mensa database (that contains information about members) had been breached during a “brute force attack” on January 20.

Considerable efforts have been put in by all our IT contractors and an independent security company to establish whether any member data was accessed in that incident.

We can now tell you that the Mensa database was NOT accessed during that “attack”, and, it follows, no member data was accessed.

In the interests of transparency, we can confirm that there have been two separate incidents where limited personal data of a few members and officers of Mensa has been exposed for a short period of time in the forum area of our website.

It would be good to have a little more detail about these “two separate incidents,” but at the moment Mensa is keeping schtum.

However, over 35MB of files containing over 700 private conversations between members of the Mensa UK forum have been posted on computer underground websites.

From my examination of them, some contain strongly-held opinions about other Mensa members that I suspect the senders would not appreciate being made public.

Prat message

(I’ve redacted personal information from the screenshot to protect the innocent. I feel there’s no need to mention the name of the sender, the recipient, or the “prat”)

Some of the private messages contain personal information of Mensa members, including their email addresses and telephone numbers.

Amongst those who have had their private messages exposed is the unfortunately-named Chairman of Mensa UK, Chris Leek.

For further discussion, make sure to listen to this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MARK STOCKLEY
If we were cleverer, all these pieces would fall into place, and then we would understand what we have to do.

Like, we have to look behind the picture, and then the sunlight will come through the window, through the crystal in the staff, and it'll illuminate a bit of the floor, and then we'll take up the carpet, and then there'll be a little effigy, and then we put that on the bag of sand, and then the portal opens, and we join Mensa.
CAROLE THERIAULT
I need a drink.
Unknown
Smashing Security, Episode 213: No Security Smarts at Mensa, Long-Term Identity Theft, and GameStop's Share Frenzy with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 213. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by a regular returning guest, it's Mark Stockley. Hello, Mark.
MARK STOCKLEY
Hi.
CAROLE THERIAULT
Hi. Thanks for coming on the show, Mark.
MARK STOCKLEY
Oh, it's fine. I had nothing else to do.
CAROLE THERIAULT
What have you been up to?
MARK STOCKLEY
I'm a teacher now.
CAROLE THERIAULT
Are you talking homeschooling? Yes. Yeah, I think Graham's doing some homeschooling as well. Every single parent I know is complaining about homeschooling. Tell us about it.
GRAHAM CLULEY
It's horrific.
MARK STOCKLEY
Oh, it's an opportunity to get to know your children in a way that you probably didn't want to.
CAROLE THERIAULT
Do you find it too hard? Is that the problem? You don't know the answers?
MARK STOCKLEY
It's just, there's a reason there are trained professionals. Like, people go to college to learn how to do this.

And the people who go to college to learn how to do this are the people who really want to learn how to do this. You know?

We were given about three minutes' notice this time, weren't we? By the way, tomorrow morning, you're a teacher again. Go tell all the people you work for.
GRAHAM CLULEY
I posted on Twitter that maybe I was going to crowdsource my son's maths homework, because it was beyond me how to do it. And I thought, you know what?

I'm just going to post these questions on Twitter and get other people to answer them for me.
MARK STOCKLEY
He's nine. He's nine, isn't he?
GRAHAM CLULEY
He's nine, yes. He must be nine.
MARK STOCKLEY
He's nine. Yeah. Nine seems to be the age when people go to Twitter and go, my child's maths homework is completely impossible.

I have a theory that nine is the age at which UK school maths exceeds the average parent's ability to do school maths because you start getting into things like perfect numbers and factors and stuff like that, which is useful everyday stuff.
CAROLE THERIAULT
Okay, let's first thank this week's sponsors, 1Password, CrowdSec, and Inside Security Intelligence Podcast from Recorded Future. Their support helps us give you this show for free.

Now, coming up on today's Smashing Security show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking to you about a completely mental cybersecurity issue.
CAROLE THERIAULT
Okay. And Mark, what about you?
MARK STOCKLEY
Well, I'm going to be talking about how difficult it can be to go and work in another country.
CAROLE THERIAULT
Okay. And I'm yakking all things GameStop. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, have you ever had your IQ tested? Have either of you ever had that done?
CAROLE THERIAULT
Does it count if you go to a website and do it? On Facebook, maybe.
GRAHAM CLULEY
The very fact that you're on Facebook tells me a lot about your IQ.
CAROLE THERIAULT
I've never been on Facebook like that.
GRAHAM CLULEY
Mark, you're a bit of a smarty pants. Have you ever had your IQ tested?
MARK STOCKLEY
Possibly. If I did, it was a very, very long time ago. So it can't have been on Facebook. I'm pretty sure it was not a very rigorous test.

And actually, I'm not actually convinced that IQ tests are worth anything or tell you anything useful anyway.
GRAHAM CLULEY
Would you join an organisation like Mensa?
MARK STOCKLEY
God, no.
GRAHAM CLULEY
The club for people who score 98th percentile or higher in an IQ test. No thickies allowed.
CAROLE THERIAULT
Okay, I kind of like the idea of Mensa.
GRAHAM CLULEY
Oh, do you? That's interesting. Why?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
What do you like about it, Carole?
CAROLE THERIAULT
I don't know. I like the idea that smarty pants hang out together and share smarty, smarty ideas and come up with even smarter ones and then share them with the world.

And everything's better. I like that.
GRAHAM CLULEY
So, there's something which makes me a little bit uncomfortable about the idea.
CAROLE THERIAULT
'Cause they don't want you in their club.
MARK STOCKLEY
I know.
CAROLE THERIAULT
No, well— I know.
GRAHAM CLULEY
It's just, it's just—
CAROLE THERIAULT
I know, honey.
MARK STOCKLEY
It's easy to turn down the knighthood you haven't been offered, isn't it, Graham?
GRAHAM CLULEY
What is it that makes people want to join a club? You know, they've scored highly in an IQ test, but they think, oh, you know what my social life needs?

I need to hang out with other people who also chose to join the club after scoring highly in an IQ test.
CAROLE THERIAULT
Says the guy who's in a chess club. I mean, come on.
MARK STOCKLEY
Maybe it's a public service. Maybe the rest of us need that for our social lives.
GRAHAM CLULEY
Get them out of circulation.
MARK STOCKLEY
Yeah, we know where they all are. They're all happy in their little thing.
GRAHAM CLULEY
Is it a bit sad to be a member of Mensa, or is it just sour grapes that we're not members of Mensa? I don't know the answer to that.
MARK STOCKLEY
I think maybe just 'cause you're not clever enough. If you were cleverer, you'd know the answer.
CAROLE THERIAULT
You don't know if I am a member of Mensa?
GRAHAM CLULEY
We'd know if Carole was a member, 'cause she'd tell us she was a member.

All members of Mensa feel compelled to tell people, and they will put it in their email sig and say that they're members of Mensa.
CAROLE THERIAULT
What, they would have a t-shirt saying, "I'm a member of Mensa," "I'm the 11th best Briton in the entire universe"? Something like that?
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
You think— okay, interesting.
GRAHAM CLULEY
I don't know. It's complicated. It's complicated. I don't know. But Mensa is in the news this week.

Mensa is in the news with allegations that they haven't been very smart about their computer security. You may have spotted in the Financial Times—
CAROLE THERIAULT
No.
GRAHAM CLULEY
—a chap called Eugene Hopkinson. He was until recently the British Mensa Board's technology officer.

And he says he has been trying to convince their leadership team for the last couple of years that they need to stop storing passwords unsafely.

He says that their passwords are basically stored in plaintext. They're not salted, they're not hashed, and if someone got hold of them, they would be able to exploit them.
CAROLE THERIAULT
Oh my God, hold the phone for a sec. So they have an active technology officer on the Mensa board, the British board. Mm-hmm.
GRAHAM CLULEY
He's working there right now. Well, he's not, 'cause he's just quit. And he's gone to the press and said—
CAROLE THERIAULT
Oh, no, okay, but did he talk to the papers before he quit or after he quit, do you know?
GRAHAM CLULEY
Well, he wrote an open letter.

Hopkinson says that sensitive data was being insecurely stored by Mensa, which included the IQ scores of members and failed applicants, Carole, as well. You wish.
MARK STOCKLEY
I think, as we've already established, the IQ scores aren't secret, are they? Because they'll just tell you those.
GRAHAM CLULEY
Payment card details, passwords, email addresses, and home addresses. Now, Hopkinson, he fell out of Mensa last week. There was a board meeting where he raised his concerns again.

And he wrote this open letter.

He said, "If a breach is found to have taken place," because there were rumors that Mensa had maybe suffered some kind of security breach, he says, "I've got no faith that the board and the office will report it adequately or take sufficient action." Oh my God.
CAROLE THERIAULT
I wonder if he was recording that board meeting.

For him to go to a board meeting and say, "Guys, guys, guys, we need to take this seriously." And they're like, "Yeah, no, no." And then he goes to the press?
MARK STOCKLEY
Right. I'd be very, very disappointed if that recording isn't just people going, "Well, I don't understand.

Could you explain that to me again?" "I said, no, look, the password is stored in plaintext." "Yeah, no, no, no."
CAROLE THERIAULT
Sorry, I'm on level 240 of Candy Crush. I can't pay attention to two things at once.
GRAHAM CLULEY
Multitasking is a sin. Now, I've been approached— You remember during Watergate that Woodward and Bernstein got approached by Deep Throat?

Who gave, you know, and it's all top secret, you know, secret little meetings, right? I have been approached by my own Deep Throat from Mensa.

In fact, two different Deep Throats who claim that they have inside information, which they've shared with me.

One of whom says he has a recording of the board meeting and he's quite defensive of Hopkinson. He says, oh, you know, they're trying to frame Hopkinson.

They're trying to say that he's bad. The other one says Hopkinson is a right pain in the ass. He's causing trouble. And that the board were all over this problem.

And in fact, it was Hopkinson's own failure to fix these issues, which has now resulted in him basically being given the boot.
CAROLE THERIAULT
And you're covering it on the show because now you've got two little secret moles giving you information. Do they know of each other, do you think?
GRAHAM CLULEY
I don't know.
CAROLE THERIAULT
Did you say, "Hey, Deep Throat—" Did you just say, "How am I gonna identify you?" And he says, "Deep Throat." And you go, "No, I've already got a Deep Throat.

I've already got one." I need another one. Give me another name.
MARK STOCKLEY
Is this just some very, very complicated initiation rite to get into Mensa? Is this actually—
CAROLE THERIAULT
Graham's applied. Exactly.
MARK STOCKLEY
We're just not clever enough to figure this out. If we were cleverer, all these pieces would fall into place, and then we would understand what we have to do.

We have to look behind the picture, and then the sunlight will come through the window, through the crystal in the staff, and it'll illuminate a bit of the floor, and then we'll take up the carpet, and then— There'll be a little effigy, and then we put that on the bag of sand, and then the portal opens and we join Mensa.

I need a drink.
GRAHAM CLULEY
You've been homeschooling for too long, haven't you, Mark? It's begun to get to you.

Now Mensa, they've told the Financial Times that the passwords were encrypted, and that they were now looking into hashing them as well.

Now, of course, there is this misconception amongst the public about what encryption means, and possibly within the board of Mensa as well.

Because encryption is sort of waved around as this magic talisman, isn't it? It's like, oh, the data's encrypted, then you're safe. You don't have to worry about things like that.
MARK STOCKLEY
But— Well, I hope you heard me snorting derisively like a Mensa member when you said encryption. It was an involuntary— I think you're fine.
GRAHAM CLULEY
So if you simply encrypt a password, it will be possible to decrypt the password, right? Yeah.

So if you use a standard encryption algorithm, the beauty of encryption is you can encrypt a message and then decrypt it to understand it at the other end.

And what's a much better idea is to store a cryptographic checksum, often called a hash, of the password.

And you can then, when someone goes to your website and enters their password, your website can generate another cryptographic checksum from what they've entered and compare those two checksums and say, oh, they must have entered the password.

So you don't have to store the actual password. You can just store a hash or a checksum password.

And even better, without getting too nerdy, you can apply a bit of salt to the hash or before you create the hash to make it harder to look up in what's called a rainbow table.

Anyway, that's all nerdy stuff, which I'm sure Mensa are all over. Well, apparently not. Apparently not. But it doesn't sound like Mensa was really following best practices.

And if you visit Mensa's website right now, you will see that the website is down for maintenance. If you go to the British Mensa website, mensa.org.uk—
CAROLE THERIAULT
Well, because their technology officer is out on his ass.
GRAHAM CLULEY
Well, maybe, but— They're sitting ducks now.

Maybe they would have been wise to get a technology officer who wasn't actually a member of Mensa, rather than just recruiting from that pool of people who choose to join the Mensa club.

Maybe it'd be sensible as well to, oh, you know, this is quite important.

Maybe we should bring in someone who understands technology and can properly protect this data rather than us decide what their data security practices should be.
CAROLE THERIAULT
You know what? Purely based on what you've said, right? I'm feeling really bad for Mr.

Eugene Hopkinson, who seems to go to these meetings and go, dudes, look, we need to take this seriously. And they're going, yeah, yeah, yeah, you don't know enough. Aren't you a 142?

Thanks, thanks, thanks, Eugene. Thanks, Eugene. Sit down. What we call a charity case.
GRAHAM CLULEY
Yeah, thanks, Eugene. Well, that's Eugene's story of what happened, of course. But Deep Throat number— was it number 2 or number 1?

Anyway, one of my Deep Throats said it was the other way round and he was causing trouble. And in fact, the board were going, you should have fixed this, mate.

You can't come here moaning about it.
MARK STOCKLEY
Can I just say, this is exactly how I imagine Mensa would operate.

So, so everybody knows that you're not supposed to store your passwords in plain— everybody who cares to know, who has any business in this at all, understands that you shouldn't store your passwords in plaintext.

And they have known that for a couple of decades. So we're not talking about best practice. We're talking about what was best practice many, many years ago.

And I imagine that there has been— I fantasize that there has been a two-decade conversation going on at board level in Mensa about exactly what they should do.

They're probably having arguments about which hashing algorithm to use.
GRAHAM CLULEY
Well, there's a slight— there is a slight twist in the tale because since Hopkinson's resignation, or was he booted out? It's unclear.

Personal details of a couple of its directors have apparently been accessed and there's been information posted up on Pastebin as well, which appears to have come from Mensa's servers.

And they've informed the ICO of security breach. Eyebrows are being raised regarding who might have been responsible for this. Maybe one of your Deep Throats. Maybe.

I'm not going to point fingers in any particular direction, but there is a third-party security company, presumably they're not members of Mensa, who've been brought in to investigate, and maybe criminal charges will follow.

We've got a real problem we need to solve.
MARK STOCKLEY
Can anyone here solve this problem? No. No. No smart people. We're going to get some outside people in with lower IQs to actually solve the problem, yes.
GRAHAM CLULEY
So, either of you tempted to join Mensa now? No. Having heard all this?
CAROLE THERIAULT
How do you know we're not members?
GRAHAM CLULEY
Carole, you can keep on protesting like that.
CAROLE THERIAULT
I'm not protesting.
GRAHAM CLULEY
I'm just asking, what is your evidence? I think most Mensa members are twats, so maybe you are a member, I don't know.
CAROLE THERIAULT
Wow.
MARK STOCKLEY
That better make the edit. I feel like this story tells you everything that you need to know about IQ.

The world is full of people who are demonstrably, obviously, patently clever, intelligent, thoughtful, productive, useful members of society who happen to not have very high IQ.

I don't think the correlation between high IQ and actual, you know, success and usefulness and all the things we actually care about exists at all. So if you've got a high IQ—
CAROLE THERIAULT
You see, Graham, don't worry. That's great. That's cool.
MARK STOCKLEY
Go and join the high IQ club. That's fine. But don't for a second think that that actually indicates or means anything other than that you did well on a specific kind of test.
GRAHAM CLULEY
Said like a true person spurned by the Mensa club. Yes. Damn it. Mark, what have you got for us this week?
MARK STOCKLEY
I've got a question. I suspect one of you has a yes answer to this. Has either of you ever tried working in another country?
CAROLE THERIAULT
Yes. Many times.
MARK STOCKLEY
So how did that go? Well, I'm still here.
GRAHAM CLULEY
Yeah, you are working in another country, aren't you?
MARK STOCKLEY
Yeah. Did you get a job in the UK while you were still in Canada? Or did you move over to the UK and then get a job?
CAROLE THERIAULT
No, I've done both. I don't— I'm not sure how legal the first ones were, but I was basically waiting tables for £2 an hour. So I don't think anyone's gonna give a shit. But yeah.
MARK STOCKLEY
Would you say it was an easy process? Was there a lot of admin bureaucracy?
CAROLE THERIAULT
Yes, yes, yes. Much, much, much. It was extremely difficult. And I didn't marry my way in, just for those that don't know.
GRAHAM CLULEY
I know, you married a Wookiee, so you— Yeah, exactly.
CAROLE THERIAULT
Well, you know.
MARK STOCKLEY
So what about you, Graham? Have you ever tried to work in another country?
GRAHAM CLULEY
Well, not permanently. I mean, I do do work in other countries. In the old days, before all this, imagine me waving my arms around now. I used to go and do talks in other countries.
MARK STOCKLEY
I imagine that's probably quite easy, isn't it?

You just get on a plane, go over there, they write you a massive cheque, and then you give some presentation you've given 100 times before and then go home. More or less, yeah.
CAROLE THERIAULT
Have you seen it recently?
GRAHAM CLULEY
You need a work visa. I haven't obviously done one for about a year, but yeah.
MARK STOCKLEY
So we've all had some experience of trying to do work with people in another country. And so we've all got some understanding about how difficult that can be.

Hilarious stories, yeah. But I bet— I think it's going to be very hard for anybody on this podcast or listening to this podcast to beat the story of Nidhi Razdan.

So Nidhi is a seasoned journalist working with NDTV in India. That's New Delhi TV.

And in November 2019, Nidhi was invited to speak at an event organised by the illustrious Harvard Kennedy School. And Graham, you get a lot of speaking gigs.

Have you ever done one for Harvard?
GRAHAM CLULEY
I haven't ever done one for Harvard, no. But I'm available if they want me.
MARK STOCKLEY
Maybe if you had a higher IQ. Just saying. One of the organisers of the event contacted Nidhi to ask if she'd be interested in applying for a vacant position at the school.

It offers a Master's of Liberal Arts Journalism degree. And that includes working journalists on the staff. So she thought, that sounds like me.

And offers like that don't come along every day, so she submitted a CV and an application, and then a few weeks later she was invited to an online interview.

And it obviously went well, because a few weeks after that she received her offer letter from HR, the human resources department.
CAROLE THERIAULT
And what's the name? What's the name of this school?
MARK STOCKLEY
Harvard. You may have heard of it.
CAROLE THERIAULT
No, no, Stanford School? Which one in Harvard?
MARK STOCKLEY
It was the Harvard Kennedy School.
CAROLE THERIAULT
Is that what it's called?
MARK STOCKLEY
Is that the full name? I believe so. I stopped reading at Harvard, to be honest. Not that I'm a snob, but you know.
GRAHAM CLULEY
I think that would sound pretty cool. She'd say to— Oh yeah, I've got a job at Harvard. You know, you would, wouldn't you?
MARK STOCKLEY
I would. Maybe it's like the Four Seasons.
GRAHAM CLULEY
The Four Seasons Landscaping Company. Four Seasons School of Journalism.
MARK STOCKLEY
Anyway, anyway. So she's invited to this interview, online interview, obviously. Obviously goes well. A few weeks later, she got an offer letter from human resources.

And while that was going on, her employers received, you know, the kind of correspondence that you know when you're going to get the job because the people start getting the requests for references and things like that.

So all that's happening as well. So this is happening, right? The wheels of bureaucracy are turning. And yes, she did get the job offer.

And then she decided she was going to make that life-changing decision. So in June 2020, she goes on Twitter and she announces to her fans that she's leaving NDTV after 21 years.

Off to the green pastures of Harvard. How cool. Kennedy School. Harvard.
GRAHAM CLULEY
No one's going to pay attention to that bit, Carole. That's like Oxford Brookes, you know? It's Oxford. That's all you need to know.
MARK STOCKLEY
Anyway, after many weeks of back and forth over her visa, which I'm sure you can understand, Carole. Then she had to get into the actual nuts and bolts of actually teaching.

So she's getting documents about class schedules, details of her class, and what she's going to be teaching, and so on. She's so excited.

And then, you know, it is a bureaucratic process, and everybody understands that. And bureaucratic processes get even worse during a pandemic.

But by late 2020, she was starting to get very frustrated with all of this. There seemed to be an awful lot of administration to wade through. How much time had gone past then?

So I believe she was approached at the back end of 2019. And I think— So a year.
CAROLE THERIAULT
She has no idea what she's talking about. My God, that's nothing.
MARK STOCKLEY
So far, not impressed. Anyway, so we're coming to, I guess, kind of late 2020, and she's starting to get very frustrated.

There seems to be a lot of administration to wade through, and her salary is being held up by IT failures brought on by the COVID pandemic. Of course.

Now, it's fair to say things are harder in a pandemic. Nobody needs to be told that who's listening to this.
CAROLE THERIAULT
9 times 16, right, boys? Yeah.
MARK STOCKLEY
But you still have to treat people the right way.

And if you're a world-renowned institution, this is not how you welcome someone from another country into a new job when there's a pandemic on.

So finally, she had enough of all of this. She'd had enough of these admin and not being paid. And so she decided she was going to escalate things to the head of HR at Harvard.

It's "I want to speak to the manager" time.

And it was when she did that that she discovered that every word of the entire process that she had been through had been a complete and utter lie. And that she had been scammed.

So the approach was a lie, the rigorous 90-minute interview that she attended was a lie, the email correspondence from official Harvard email addresses was a lie, the work visa was a lie, the orientation event that she was invited to but couldn't go to because it was cancelled because of COVID was a lie, the requests for references that her colleagues received were lies, the letters that she received that were signed by luminaries at Harvard were all lies.

Oh my goodness. The only thing in the entire year-long episode that doesn't seem to be a lie is the original invitation to speak at an event.

Anyone who's interested should go and check out Nidhi's own write-up of this on the NDTV website, because this is her story, and you should go read it in her words too.

But I don't get the impression that she knows.

So she's passed the details on to law enforcement, but I don't think she knows what happens other than that she now knows that she spent a year handing over personal information to a bunch of total strangers who were clearly very, very invested in this process.

Interestingly enough, she's clearly a savvy individual.

And after the initial approach, she went and did some Googling and said, is there actually a course at Harvard where they have people like me? Does this look like this exists?

So, I think that that is what is most interesting. Well, two things about this story that really, really stand out, I think.

The first one is the extraordinary lengths that the scammers went to. The length of time that they persisted with this, and the amount of effort that they must have put into this.
CAROLE THERIAULT
Yeah, just for a teacher, it's, you know, we just had someone on the show talking about high-value targets, right?

That only this kind of stuff would only happen to CEOs or the rich or something, the notorious, where she's just—
MARK STOCKLEY
Well, she's a journalist.
GRAHAM CLULEY
Yeah, she's a TV personality.
MARK STOCKLEY
The professorship is being dangled as a carrot. And so whoever has her identity effectively is then able to be her, this very, very connected individual.

And I don't know if you've ever tried to do this, but if you phone people up and ask them for stuff, it's amazing how often they will give it to you.

And so if you phone up and you say, you know, I am a famous journalist and I can prove it, you can talk your way into hotels, you can talk your way into bank accounts.

It's a very privileged place to be, I think. So, but the interesting— I guess that's the open question about is how targeted was this?

You know, is she one of a number of high-profile people who have been duped, or was this specifically aimed at her for a particular reason?

And I don't think we even know what the fallout from this is yet or how they've used those details.
CAROLE THERIAULT
Someone else might be doing her job right now at Harvard Business School, right? Pretending to be her.
MARK STOCKLEY
I wonder if she has confidential sources that somebody might want to— There are regimes that pay extraordinary amounts of money to put surveillance ware on particular people's phones, for example.

So, you know, being a journalist can be a dangerous profession.
GRAHAM CLULEY
So has she got her job back at NDTV after all this?
MARK STOCKLEY
Yes, yes, yes, she does seem to still be working for NDTV. She published this on the NDTV website.

And yeah, it does say, I am still an NDTV journalist, or, you know, that was certainly the impression that I got.
GRAHAM CLULEY
You're right, Mark. This is an extraordinary level of effort for the scammers to go to. We don't normally see this sort of, you know, this months and months of work.
MARK STOCKLEY
But isn't that a very interesting choice of words? Because that's the other side of this. You said we don't normally see this, but how would we know? How would we know?

If you had asked her halfway through this process, she wouldn't have told you she was being scammed because she didn't believe she was.

Because what an extraordinary thing to discover and admit to yourself, that people are capable of doing this, that they're capable of this kind of devious behavior, and that you're capable of falling for it.

And I do wonder how many people are subject to this kind of scam who never discover it, who never find out, who just continue to believe what they're told.
GRAHAM CLULEY
I wonder if one of us is being scammed right now.

Maybe one of us believes we are just participating in a security podcast and either as an irregular contributor or as a regular co-host. And in fact, this is all subterfuge.
MARK STOCKLEY
I have it on good authority that one of the people on this podcast has been approached by a couple of quote-unquote whistleblowers.
GRAHAM CLULEY
A whistleblowing Deep Throat is quite a trick, isn't it?
MARK STOCKLEY
Depends where the whistle is, I suppose.
CAROLE THERIAULT
Filthy. You guys.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Oh, we're talking GameStop. We're talking GameStop. Now, today, right now, it's Tuesday, 2nd of February, 4 PM UK time. And the GameStop stock price is 91.69, right?

So at the end of my segment, we're going to see what it is. And then you nerds out there can work out how long it took me to do this story.

So we're yakking GameStop just to figure out what happened. We're going to go through a few basics first, right?

And I— Mark, I know that you dabble with the stock market, so you need to dive in because you know more about this than I do. Graham, you just butt in because you butt in, right?

So GameStop. GameStop is a company that sells games, it's a retail store. It sells related game paraphernalia.

As the Bee put it, it's the thing you'd find between a donut shop and a makeup retailer in an American mall. Which I love.
MARK STOCKLEY
Between a Blockbuster's and a Tandy. Right.
CAROLE THERIAULT
Well, would you say, Graham, it's what?
GRAHAM CLULEY
Oh, I don't know, but I've heard it's a bit rubbish. Isn't that right?
CAROLE THERIAULT
No, it's not rubbish. It's just been failing for a while now. So from a stock perspective, people would agree with you. It's a bit rubbish.

But from a retailer point of view, that is where you go to buy your games. Now think about it. You guys have Switches and whatever consoles.

Maybe 5 years ago, you guys would buy a hard physical copy of a game. You wouldn't just download it.
GRAHAM CLULEY
Yeah. Well, that's why I say it's a bit rubbish because I think most people these days don't buy their games in a store, do they?

They either buy them online and have them delivered to them, or they literally are inside the video game console's online store and it automatically downloads.
CAROLE THERIAULT
And GameStop kind of suffered, I think, from that. There's been a kind of slow decline since January 14th. So then it was about $50 bucks a share, right?
MARK STOCKLEY
I think they were just, they were holding on for the turnaround when people suddenly realise that they can only download so many things and it's easier to go buy physical media.
CAROLE THERIAULT
Okay, so I know people that actually really, really want the physical media because they've had consoles break on them before. They don't like that it's in the cloud.

They can't access, they don't remember a password and they just feel more comfortable owning the physical game. Like, it's—
MARK STOCKLEY
Are they members who smoke pipes and have long beards?
CAROLE THERIAULT
Well, they're related to me, so I don't know. So on January 14th, GameStop was about $50 a share, okay? Cue pandemic.

Now, since then, it's been going down slowly, slowly, slowly for all the reasons we've talked about, right? And pandemic hits an all-time low of like $5 per share. Yeah, right.

And they're even set to close down 450 shops in 2021. They make this announcement.

And, you know, like you say, the idea of the pandemic didn't help people 'cause they're forced to get real cozy with their homes and online gaming. So what are they doing?

They're downloading games directly.
GRAHAM CLULEY
Yeah. And people don't want to buy physical media because other game players probably don't wash their hands. And Marie Kondo, right?
CAROLE THERIAULT
We don't want all that fussy, fussy, fuss, fuss stuff around our house anymore. We want it all spick and span.
MARK STOCKLEY
Do you think there's a big overlap between the gamer world and Marie Kondo?
CAROLE THERIAULT
Well, you know. So, okay, so, so back to GameStop, right? So in bounce the short sellers, right?

So short sellers, or short selling simply put, is like a trading technique for people like hedge fund managers or individual investors or speculators, or what I'd call gamblers personally.

And the hedge funds, big hedge funds decided they were looking at GameStop's like failing, failing, failing stock price, and they were like, hey, maybe there's something here we can do.

Maybe we can basically buy some shares or promise to buy shares at a price in the future, because they're definitely going to decline in price.
GRAHAM CLULEY
Yeah, they're making a bet basically that the share price is going to go down, and that's how they're going to make their money.
CAROLE THERIAULT
Okay, okay, I'm going to give an example. Okay, Mark, you have to pay very close attention. Tell me when I fuck up on this.

Okay, okay, Graham, you're my, you're my guinea pig in this one.
GRAHAM CLULEY
All right, okay, interesting.
CAROLE THERIAULT
So let's say we're talking about a donut. I've got a donut.
GRAHAM CLULEY
Guinea pigs do not like donuts. I think you'll find it's carrots and lettuce is what we like.
CAROLE THERIAULT
Okay, and you're smart enough— not Mensa level, but you're smart enough to figure out that a donut in 5 days is going to be worth way less than a donut right now just out of the fryer.

Yeah, right? Yeah, probably. And you see it as a sure thing that if you buy the option to sell the donut for $2 to somebody, right?

And you promise to buy it back later at whatever price it will be in 5 days' time, you might turn out a little coin. So let's take 5 days' time.

Turns out someone values the donut at only 10 cents because it's all crusty, gross, gross. And you make $1.90 out of that sale.
GRAHAM CLULEY
You with me? I'm with you. Yeah. Okay.
CAROLE THERIAULT
But what happens if the donut improves with age because it's using a new fermented sourdough dough base, and people go nuts for it.

And in 5 days, the price skyrockets to $10 per donut. But you've promised to buy it back at whatever price, you're now in a loss of $8.
MARK STOCKLEY
Oh yes, yes. That's the part about short selling that you don't hear so much about, I think.
CAROLE THERIAULT
Yeah, because no one likes to advertise when they fuck up, right?
MARK STOCKLEY
But what I mean is, if you buy a share and it goes down in value, the downside of buying a share is that it goes to zero. So there is a limit to how much you can lose.

You know at the beginning, okay, if I spend this much money, I might lose all of it. And that's how much money you've lost.

Whereas I think if you short something, the danger is that the price goes up. There isn't actually a cap on how high the price can go, so your risk is potentially much, much higher.
CAROLE THERIAULT
Yeah, because the short sale's infinite, right? So the stock price could continue to rise with no limit.

So these hedge fund guys on Wall Street borrowed shares in the company and sold them with the promise to buy them back at a later date, okay.

You know, they're waiting for it to go down the poo-poo hole, yeah. And then they would collect their prize money because that was the game plan, that was their bet, yeah.
GRAHAM CLULEY
And they're not imagining that a horde of gamers are suddenly going to go to these shops and start buying physical media in the middle of a pandemic, right?

It seems implausible that the share price is going to go up.
CAROLE THERIAULT
Exactly, Graham.

In swaggers a Reddit community called WallStreetBets, okay, more than 4 million people follow this feed and share tips and tricks and thoughts on the market, been doing this for years.

Amateur investors and diehards can all be found there. So they get together and they all say, we're going to save GameStop.

We're going to have a movement and we're going to buy all the shares back, we're not going to let Wall Street kill these guys. And when you buy shares, the value ticks upwards.

And when millions and millions of people invest and buy shares, the valuation skyrockets. So it went from the lowly fiver all the way up to $350 or almost $400 per share.

Right, so if you bought 1,000 shares, $5,000... oh God, 9-year-old maths, right? Let's go, boys. 1,000 shares at $5 a share, and suddenly it's $347 per share. What do you got?
MARK STOCKLEY
Way more money.
GRAHAM CLULEY
I'm on this podcast to get away from the maths homework.
CAROLE THERIAULT
$342,000.
MARK STOCKLEY
Jesus, I have no maths left.
CAROLE THERIAULT
I left them all on the kitchen table.

Okay, now the problem here with all this is this leaves the hedge funds heavyweights who attempted to cash in on GameStop failing, they're feeling the heat.

Yeah, because they promised to buy it back at a future valuation, and now that valuation is way freaking higher. Oh, the poor hedge funds.
MARK STOCKLEY
Oh, the poor little hedge funds. Won't someone think of the hedge fund managers?
CAROLE THERIAULT
Melvin Capital Management was forced to seek a rescue package. Being at the center of the kerfuffle over GameStop, it lost 53% on its investment. I'm not crying, you're crying.

That's according to the Wall Street Journal.
MARK STOCKLEY
I got some sand in my mouth.
CAROLE THERIAULT
Another one, Maple Lane Capital ended with a roughly 45% loss.
MARK STOCKLEY
Could we get some black and white photos and like a PowerPoint and just have their names in like a really ornate font underneath, maybe with the dates, like those little bits they do at the Oscars?

I think that'd be great. Well, there's loads of speculation as to why this happened.
CAROLE THERIAULT
Was this a movement that was kind of spurred on by this Reddit community, or was it just people who were bored and they happened just to kind of glance past it and go, "This sounds fun, I'll try and get involved too because I've got £1,000 or $1,000 to burn"?

Or maybe some people were starving, going, "Oh my God, I really need cash quick. This could be a way." Now, of course, the big investors started freaking the fuck out, right?

Crying foul. 'Cause they were out-gamed by a bunch of nerds, right? And it hurt their professional investor ego.
GRAHAM CLULEY
Had they not been warned that the price of shares can go up as well as down?
CAROLE THERIAULT
Have they not watched the ads?
MARK STOCKLEY
Dare these people pool their assets and then use them to make money from the fluctuation of stocks? Exactly.
CAROLE THERIAULT
How dare people band together and manipulate the market? Do you own a three-piece suit? Do you own a Hermès scarf?

Now, of course, this seems unfair to us, I think, because they're basically just bitching because someone's beating them because they're using new platforms that they hadn't thought about.

And they did it rather cleverly. However, the upshot of when Wall Street kingpins whine in unison, people listen.

So regulators in Washington are now keeping an eye on a possible market manipulation in social media groups. So we've got that. Thanks.

We also have the digital investment app Robinhood. This was a central app in this whole, I don't know what to call it, a fiasco.
GRAHAM CLULEY
This is a share buying app or something you just put on your phone, right? Yeah, it's a stock market app.
CAROLE THERIAULT
And last week it restricted trades in GameStop, allowing investors to sell but not to buy. A surefire way of trying to push the prices down.
MARK STOCKLEY
In unrelated news, I understand that one of the companies that stood to lose substantially from the increase in GameStop shares was quite a serious investor in Robinhood.

Ah, interesting. Interesting. Although the CEO of Robinhood has been on TV telling everyone that'll listen that these two things are entirely unrelated.
CAROLE THERIAULT
According to The Guardian, the company insists that this was for technical reasons that they stopped the investors being able to buy, rather than a desire to protect the hedge funds.

But of course, small investors are pissed off.

So one, they've taken out a class action suit against Robinhood for knowingly manipulating the market, and they've been flooding the Robinhood app with 1-star ratings.

And where it gets interesting is Google has salvaged the rating by removing more than 100,000 1-star reviews. So basically taking the side of the hedge fund.

What do you guys think about that?
GRAHAM CLULEY
Were these automated bad reviews or were they done by hand by angry investors?

I sort of think if they were legitimate bad reviews and we don't like what they did, then that's fair enough.

But if it was an automated bot or something that was doing them, then Google feels it's within its rights to remove bad reviews.
MARK STOCKLEY
Yeah, I feel these two things are quite separate because from Google's point of view, you have to think, what is the purpose of the reviews?

Well, the purpose of the reviews is to help people choose things. Based on the opinions of others.

So if I organize a campaign which is very obviously just meant to trash the reputation of a company by leaving 1-star reviews, those reviews are no longer really very useful to the people who are shopping for apps, I think.
CAROLE THERIAULT
Yeah, but if 100 people do it because they all feel they may be acting as a collective, but they all feel that's the right thing.
MARK STOCKLEY
But I think what you're looking for is the wisdom of the crowd, and in order to get the wisdom of the crowd, the crowd isn't supposed to agree with itself in advance what it's going to say and then go and sort of act as a union.
CAROLE THERIAULT
Oh, bad people for being a community. Fuck, don't you realize you're ruining everything the company are trying to do?

Does anyone else see the irony in the company being named Robinhood and then shutting down trading for individual investors?
MARK STOCKLEY
That's cropped up, I think.
CAROLE THERIAULT
Markets are attempting to claw back, obviously, the losses that were felt early Monday, kicking off what's going to be a turbulent February month. And this is not the last of this.

So there's already been forays into AMC, very similar story to this as far as I can see, and BlackBerry.

So technology firms, slightly different story, but the idea of having failings and being propped up by the market and having individuals or this movement underpinned by this idea of let's save these companies.

The question is, does GameStop value, you know, does it deserve this valuation that it currently has?

Well, maybe now, currently, maybe it's a pretty good valuation, but on the weekend, 2 days ago, it was much, much more. Should we check what it is now?
GRAHAM CLULEY
Should we check what the valuation is?
MARK STOCKLEY
I actually have the stock price in front of me. Yeah, I'm looking at the chart.

The chart looks like, it's basically a horizontal line for several years and then a vertical line and it's coming down. So it's now $111 right now.

So interesting, we'll see what's going to happen.
CAROLE THERIAULT
It's crazy, crazy time. I worry so much about the people that get caught up in this frenzy late in the game and are investing their life savings. And just be careful, folks.

This is real money.
MARK STOCKLEY
This is what worries me about this story, because I feel a lot of people were kind of declaring a victory lap.

These people coming together on Reddit as if they all had exactly the same intention and they were all acting as one for the same reasons.

And they all kind of taught the hedge fund managers a lesson. And maybe they did. And I hope that everybody gets out of this with their shirt? Well, they won't. Of course they won't.
CAROLE THERIAULT
It's impossible that everyone—
MARK STOCKLEY
You know, the share price is supposed to reflect the actual intrinsic value. All you're saying is, with the short sell, I don't see a future in GameStop.

I don't see a future in a store that's run the way it's run, that sells physical media. And I agree with that. I don't see a future for that store.

That store is, you know, that share price looks like it's going to go down and down and down and down.
CAROLE THERIAULT
And so bet you wished you'd invested if you had Mensa.
MARK STOCKLEY
But the purpose of the share price is not to make me— it's not to make me rich.
GRAHAM CLULEY
He just doesn't understand, Carole. He doesn't understand. You and me, we're all right with it. He can't get his head around it. It's a bit too troubling.

Try and ask him about factorials.
MARK STOCKLEY
The idea that anyone can say what that group is doing and speak for the whole group and say, this is the mind of the group, I find quite concerning.

I mean, we don't know that there weren't hedge fund representatives in that group.
CAROLE THERIAULT
Oh, totally. It could have been a pump and dump scheme.
MARK STOCKLEY
Exactly, exactly. There could well be institutional investors taking advantage of this collective thing.

And it's true of every stock bubble and every stock market bubble in history: they happen because the people in them say, this one is different.

For whatever reason, they say, "This one's different. It's a different kind of bubble. It's happening for different reasons. It's got different kind of people involved.

We're teaching the man a lesson," or whatever. And they are all the same, always. And they always have the same outcome.

And eventually, the share price will come back down and somebody will lose. So the story isn't over yet. Do you do yoga? I haven't since the pandemic started. Can you tell?
CAROLE THERIAULT
Hey, Cluley, did you hear my CrowdSec special interview that I did? Yes, yes.
GRAHAM CLULEY
Yeah, I've heard it. Yeah. Did you?
CAROLE THERIAULT
Yeah. Okay. I don't know if I believe you. Tell me everything you know about CrowdSec.
GRAHAM CLULEY
Go. Oh, okay. CrowdSec, they're building a community where you, SecOps and DevOps can join forces around the world.

And actually make a difference against all the new attacks which are coming out.

Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.
CAROLE THERIAULT
Okay. Tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?
GRAHAM CLULEY
Okay. Yeah, they analyze your visitors' behavior. They deal with the malicious traffic and— oh, yes.

They automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.
CAROLE THERIAULT
Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this.

So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net/smashingsecurity.
GRAHAM CLULEY
And Smashing Security listeners, there's a special offer just for you. Go and join the user community and you could win a Google Pixel 5. Just go to crowdsec.net/smashing.
CAROLE THERIAULT
And thanks to CrowdSec for supporting the show. Hey, Graham. Hey. Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?
GRAHAM CLULEY
Why are you saying that? You thinking I'm getting forgetful? Yes.
CAROLE THERIAULT
Often. Very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time.

I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?
GRAHAM CLULEY
Yeah, well, I use a good password manager. I, in fact, use 1Password. 1Password.
CAROLE THERIAULT
That's one with a one, right? That's right. 1Password.
GRAHAM CLULEY
It's a great password manager. It works for home use, it works for families, it works for business.

So I run a little business here at home and it means— and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce.

I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.
CAROLE THERIAULT
Oh, and tell you what, now that all of us are working from home and your computer's being used not just for work but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.
GRAHAM CLULEY
Yeah, and listeners can find out more and they can try 1Password for free for 14 days at 1Password.com. And thanks to them for supporting the show.

Recorded Future delivers the world's most technically advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations.

Well, their podcast, Inside Security Intelligence, takes a deep dive into the world of cyber threat intelligence.

They share stories from the trenches operations floor, they give you the lowdown on established and emerging adversaries.

Whether it's the SolarWinds breach, 5G conspiracy theories, or Russian election interference, Inside Security Intelligence gives you a fresh take from a variety of industry experts.

Search for the Inside Security Intelligence podcast in all good podcast apps, and thanks to Recorded Future for sponsoring the show.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related. My Pick of the Week is a TV show, another TV show I've been binging on this time, a documentary.

And it is a documentary about the rise of the Murdoch dynasty, the extraordinary story of how Rupert Murdoch has managed to really have so much influence over world events, things going on.
CAROLE THERIAULT
I watched some of this at your behest. I loved it.
GRAHAM CLULEY
It's pretty good, isn't it? It's absolutely fascinating.

It's 3 episodes and it's— If you saw, there was another BBC documentary called The House of Trump, and it reminds me rather of that because you get these figures in the public eye, people like Alastair Campbell, who used to be Tony Blair's right-hand man.

Yeah. Nigel Farage and others speaking very, very frankly and honestly, which often, you know, you don't always get in documentaries about somebody and about his family.

And it's very much about the machinations that have gone on behind the scenes.

For political influence, sometimes to the benefit of the Murdoch family, and also how his children have been battling to gain control of his empire when he eventually pops his clogs.

And of course, there's a fair bit as well about the phone hacking scandal too. And people like Rebekah Brooks—
CAROLE THERIAULT
Can I interrupt? I noticed that they kind of skipped over the pie slap in the face during the hearing. Yes.

Which I thought was a little bit uncool because that is a memory that you and I share.

Because I think I had a really bad back or something, and you actually came to do a sympathy visit. That's right.

And we were watching it live on TV, and that happened, and it was a—
MARK STOCKLEY
Is that the one where Rupert Murdoch's then-wife lands a serious right hook on someone?
CAROLE THERIAULT
Yes, that's right. Yes! Wendy Deng. Wendy Deng.
GRAHAM CLULEY
It was curious how they edited around that in the show, because they sort of suggested it but didn't— They didn't talk— I mean, I don't think it's meant to be the— I mean, it is, to be honest, it's a bit of frippery.

It's not important to the story, but— Oh, really? Frippery? Yes, but they— It was bizarre, because they did have a little bit of footage around it, but it was—
CAROLE THERIAULT
That should be our show name, Security Frippery.
GRAHAM CLULEY
Yeah, frippery. Anyway, it is a marvellous documentary. I can really recommend it. It is— Seconded. Fascinating. The rise of the United Kingdom.
CAROLE THERIAULT
What's it on?
GRAHAM CLULEY
It is available on BBC iPlayer. Don't know if it's available anywhere else, but go and check it out. The Rise of the Murdoch Dynasty. Links in the show notes.

Mark, what's your pick of the week?
MARK STOCKLEY
My pick of the week is a website called SketchUp. And I'm going to tell you why. I'm going to tell you a little story. So gather round. Yeah, we've got time for this.

Do you need a pee, Graham?
GRAHAM CLULEY
I've got a little bucket here I can go in. I'm fine.
MARK STOCKLEY
Okay, good. So if I hear the sound of running water while I'm talking, I'll take that as an indication that my story wasn't interesting.

So anyway, I want to tell you a story about— so when I left college, I had to make a decision.

I knew I was going to go do something artistic with computers, and I wasn't sure if I was going to go and build websites or if I was going to go into game design.

I really wanted to get into computer game design, but in order to do that, I had to have a very expensive computer and do 3D modeling and learn these insanely complicated 3D modeling computer programs.

It was a huge, huge investment, and the computers were slow, and it took ages to get anything done, and the software was just terrifying.

So I opted to go and work in websites, which were simple, and you didn't have to have a powerful computer because they were almost nothing.

And it just seemed it was a low-risk option. I mean, an interesting one, but a low-risk option. Anyway, fast forward quite a long time.

And the other day I was chatting to a friend of mine who is very good at woodwork. And I am building a new shed for my chickens, a roofed coop area for my chickens.

It's for you and your chickens, isn't it, Mark? It's for my— It's not just for your chickens. Big enough to fit me in it. I can stand up in it, or it will be anyway.
CAROLE THERIAULT
So, an outfit that you wear.
MARK STOCKLEY
Now, I have done a sort of beautiful hand drawing of what this thing is going to look— trying to work out which bits of wood I need.

And I did, I drew this pen and paper, pencil and paper drawing.

And I was saying to my friend, you know, what I really need is I need something that I can kind of build this chicken run in online.

You know, just to kind of work out whether or not the bits of wood actually fit together. And he said, well, lots of people use SketchUp.

And I thought, "Oh, go and have a look at that." Anyway, SketchUp— Have you never used it before for anything? No. Oh, okay. I had never heard of it until last week.

And I went to this website, and it is my— it's the sort of circle of my career, if you like. So, it is a website which contains a 3D modelling app. Yeah, for free.

It is completely free. 3D modeling thing built entirely using website technology.

And it blows my mind that that's where we are, that the thing that was too expensive, too scary, too difficult to do, required too powerful a computer for me to do 25 years ago, and so I took the route of going into websites instead, is now possible in the website.

And it's brilliant. It's brilliant. So I have actually— I have built my chicken coop virtually.

So I've kind of extruded out all the pieces of wood that are exactly the right size and stuck them all together in the right way. And I've built myself a corrugated plastic roof.

It's— I'm not saying the coop's amazing. The app's amazing. The coop is— you know, the app can do more than my chicken coop.
CAROLE THERIAULT
It's glorious hearing this. I've known about SketchUp for 10 years. Really? I've used it. Yeah, because I've used it to model kitchens. And new bathrooms and all kinds of stuff.

And yeah, I'm surprised, I guess, that people don't know about it. I kind of—
GRAHAM CLULEY
Yeah, I've heard you talking about it before, Carole, yeah.
MARK STOCKLEY
Yeah. But this is the wonderful thing about the internet, isn't it? That it's too vast.

Someone can just say to you in passing, "Oh, there's a complete 3D modeling package available in a small HTML canvas over there." I don't know.
CAROLE THERIAULT
How'd you— 148, 149, you might've figured it out.
GRAHAM CLULEY
I'm sorry.
CAROLE THERIAULT
It's okay, Graham. Don't worry.
MARK STOCKLEY
That's too quick. Yeah. That was above his head, Carole Theriault.
CAROLE THERIAULT
What's your Pick of the Week? Anybody having trouble sleeping these days? You guys, you're a good sleeper, Graham. I don't sleep. I don't sleep.
GRAHAM CLULEY
I tend to sleep for about 45 minutes to an hour each week if I find—
MARK STOCKLEY
Yeah. I find it's just a matter of getting— of balancing out the caffeine with the alcohol. Yeah, exactly. You get those two levels right, then it's fine, it's easy.
CAROLE THERIAULT
Yeah, exactly. And you know, it sucks.

And the other day I couldn't— I couldn't sleep all week actually, and I got a bit desperate and I was looking for a pod kind of sleepy, sleepy distraction, right?

And there's a lot of kind of lame, dirty— I don't know, just inappropriate. I don't— not for me trying to sleep because I'm frustrated, right? It's 3 in the morning.

I'm pissed off. You're the one— are you assuming sexually?
GRAHAM CLULEY
You're, you're the one who said dirty. You said there's a lot of dirty stuff, and then you said you're very frustrated.
CAROLE THERIAULT
Okay, not in that way. Just I've got too much stuff in my head that is unimportant and it won't go away.

So anyway, I'm on— I'm Googling, Googling, looking around, and I find The Office ASMR show. Which is literally a podcast narrating The Office so you can fall asleep.

So here I was thinking, I see this and I'm thinking, okay, so this guy, this girl's got a script and they're going to reenact it as a one-man or one-girl show.

But no, this guy basically watches the episode and then very calmly, without any glee or enjoyment, tells you what's happening in real time.

Pam walks into the meeting and sits down. She doesn't look very happy. Dave tells Gareth he's immature. Pam walks out, still unhappy. That kind of thing.
MARK STOCKLEY
Do you remember what I said about how—
CAROLE THERIAULT
One at a time, boys.
MARK STOCKLEY
Mark! Do you remember what I said just now about the internet being amazing?
CAROLE THERIAULT
Yeah, totally take it back. Grim.
GRAHAM CLULEY
No, I— So you're— This works, does it?
CAROLE THERIAULT
The entire magic that makes the show the show has been hoovered out of it, right? Completely. It's a husk of the show.

But it's so dull and quiet and familiar because you know the episodes, you fall asleep.
GRAHAM CLULEY
So there's more than one episode of this?
CAROLE THERIAULT
Oh yeah, he's done 4 seasons.
MARK STOCKLEY
Why? He's done all 4. I wonder how he manages to stay awake.
CAROLE THERIAULT
And you know what? He has 215 followers on Twitter.
MARK STOCKLEY
Oh, he's doing all right.
CAROLE THERIAULT
Throw him a bit of love. Throw him a bit of love because it's a cute idea and he does it well. And The Office ASMR Podcast helped me—
GRAHAM CLULEY
How do you know he does it well? How do you know?
CAROLE THERIAULT
Because I went to sleep. You don't.
GRAHAM CLULEY
Once you're asleep, you don't know if he's doing it well.
CAROLE THERIAULT
It's the point. So— His whole line is the podcast narrated in the office so you can fall asleep.
MARK STOCKLEY
It's his job. I feel like you're telling us it's boring, and yet somehow you're also claiming the moral high ground.
CAROLE THERIAULT
Exactly. And that is why it's my pick of the week. It's so boring I fall asleep. It's amazing!
CAROLE THERIAULT
It's successfully boring. Yeah, that sounds really boring, Carole.
MARK STOCKLEY
No, you're wrong. Successfully so.
GRAHAM CLULEY
Wouldn't it be more boring to listen to the same episode over and over again? Why do you need 4 seasons of it?
CAROLE THERIAULT
Well, I don't want to sound sexual, Graham, but maybe that'd get frustrating.
MARK STOCKLEY
It sounds amazing. Can we wrap this baby up?
CAROLE THERIAULT
You guys, anyone out there who wants to listen, The Office ASMR Podcast. I think it's fun.
MARK STOCKLEY
But not fun enough to keep you awake.
GRAHAM CLULEY
And that just about wraps it up for this week.
CAROLE THERIAULT
ASMR voice, please.
GRAHAM CLULEY
And that just about wraps it up for this week. Mark, I'm sure lots of our listeners would—
MARK STOCKLEY
That is why Graham doesn't have an ASMR channel. He's doing great.
GRAHAM CLULEY
You're doing great. Mark, I'm sure lots of our listeners would like to follow you online, what's the best way for folks to do that?
MARK STOCKLEY
Oh, you can follow me @MarkStockley on Twitter, or you can follow my chickens @InternetOfHens on Twitter.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter's not allowed to have a G, and we've also got a subreddit, go looking for Smashing Security up there.

And don't forget, make sure you never miss another episode of the show, subscribe in your favorite podcast app such as Apple Podcasts, Google Podcasts, and Spotify.
CAROLE THERIAULT
Huge thanks to this week's sponsors, 1Password, the Inside Security Intelligence Podcast from Recorded Future and CrowdSec. And to our wonderful Patreon community.

Thanks to all of these people, the show is free for all.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 200 and now 12 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
230. Well, this one's not up yet. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
Bye.
CAROLE THERIAULT
I wish we'd stick with the ASMR voice. I was looking forward to trying. Huge thank you to this week's—
MARK STOCKLEY
Do it. Do it. Do it.
CAROLE THERIAULT
I don't want to now. I just did it.
GRAHAM CLULEY
I got bored. Did you?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

9 comments on “Private messages between Mensa forum members are leaked onto the internet”

  1. P S

    Concerned Mensa member here. This is after Leek emailed members to categorically deny there was any leak. They're obviously just lying through their teeth at this point. Can you share any more info about what exactly was leaked – private messages, but in what format? Your screenshot appears to show a messaging app of some kind – what is that? Does the data contain any indication of the source?

    1. lol · in reply to P S

      "Leek" lol. l2spell nerd

      1. IJS · in reply to lol

        The "Leek" that you are claiming was misspelled was actually a reference to "…the British Mensa chairman, Chris Leek." The word "leak" was spelled properly when referring to any data that may have been leaked.
        Perhaps you should read the entire article before posting snarky remarks.

        1. Anthony · in reply to IJS

          I agree. I could tell it was someone’s name or a media business as there was a proper noun defined by the capital letter. But I did notice that I should probably be allowed to join Mensa. Because there are misspellings. I noticed one two words into the quoted website and the original as the article quoted it. “Apologize” is spelled with a “Z”. Not sure who does Mensa’s site. But yeah… that was a cringe word to misspell

          1. a · in reply to Anthony

            British Mensa, so British spelling. Apologise is a correct usual spelling in the UK.

    2. FP · in reply to P S

      The screenshot is from the private messaging feature of the Mensa forums.

      The source isn't clear, but other members who have seen the leaked files have said the code in the files implies that an account with admin access on the website was used to collect them. Whether an actual admin or an attacker isn't known yet.

      Chris Leek's account was previously used to post member data on the forum. However, I don't see why he would have admin access to the website.

  2. Kelly

    I'm a member of Mensa. I've been in the LinkedIn groups and the Facebook groups and I've seen the discussions. There is nothing particularly juicy or salacious that will be exposed by seeing private group conversations. They're all basically filled with same prattle you'd see on any other open forum on the internet, just with bigger words used.

  3. Aksha

    Whoever wrote this doesn't like mensa most likely because they couldn't get into it. They tried their best to make the mensa society sound pretty by calling it a "club for people who scored highly on an IQ test". The secondhand shame from watching someone get bitter on a literal news blog. Oof

    1. Graham Cluley · in reply to Aksha

      From Mensa's own website:

      "In order to join Mensa, you have to take an approved intelligence test – one which has been properly administered and supervised; and in that test, you need to attain a score within the upper two percent of the general population."

      So, I think my description of Mensa is correct. Isn't it?

      FWIW, no I have never applied for Mensa membership and cannot see any situation where I would – regardless of my ability or otherwise to make the grade.
