Smashing Security podcast #109: Grinches target Amazon and Reddit, stealing Christmas from the poor

Industry veterans, chatting about computer security and online privacy.

Graham Cluley
Smashing Security #109: Grinches target Amazon and Reddit, stealing Christmas from the poor

Join us for our special Christmas episode as we tell tales of printer hacking, website defacement, Grinches, and how Google is snooping on your private YouTube videos.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The CyberWire’s Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Some have bought physical ads above urinals. So when people go for a wee... Above what? Urinals.

Dave Bittner

Urinals. What? Urinals. What is a urinal? What do you call them? Urinals. Oh. Urinal, that sounds like a creature next to the elephants at the zoo.

Graham

Smashing security. Episode 109. Grinches target Amazon and Reddit. Stealing Christmas from the poor. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 109. My name is Graham Cluley.

Carole Theriault

Ho, ho, ho, Graham. I'm Carole Theriault.

Graham

Is that how you introduce yourself now? Yes, and now I am. Ho, ho, ho. Yeah. You've got two sisters. It's on our business card, yeah. We're joined by our special seasonal guest, Dave Bittner from the Cyber Wire podcast. Hello, Dave. Hello. Welcome back, Dave. Thank you. Thank you.

Dave

I'm everyone's second favourite recurring guest.

Carole

Oh, well, certainly not first, right? No, no, no. Don't get too confident there. Always a bridesmaid. Probably in the top four.

PewDiePie

How's it going, bros? My name is PewDiePie.

Graham

And in the other corner, we have the Bollywood Indian music label channel T-Series. And they both want to be the first to get to 80 million subscribers.

Carole

So that would make them the biggest channel on YouTube if they had 80 million. Yep. And PewDiePie has been the most popular for quite some time, but T-Series has been zooming up and growing much, much faster. And so the fight is on who can get to 80 million first. Sorry, before you start, how many subscribers were they kind of starting with? Are we talking that they have 30 million and they have to get to 80? Well, they started with zero, Carole. Everyone starts with zero.

Dave

Now, Graham, has this affected you? Because you're sort of the poster child for printer security. I think you're referring to when my wife began to print out a long document. Have at it, listeners.

Graham

Yeah, thank you. But anyway, the messages which are being printed out tell people to unsubscribe from T-Series, subscribe to PewDiePie instead, and share awareness with the hashtag Save PewDiePie. How do you know it's PewDiePie and not PewDiePie? Because this guy is a social media star Carole. Anyone who's... I live under a rock.

Dave

I know it because I have kids so I hear his name thrown around every now and then.

Graham

Do you have any opinions on him? Do your kids watch him or anything like that? Do you know?

Dave

Well, no. I'm not a fan. I think they find him annoying. Yes, tick. And he certainly had lots of controversy. He was the one who did the whole thing with the suicide forest? That was him, wasn't it? No, that was another YouTuber, I think. Yeah, the guy who found the... It was really grizzly, wasn't he? He found a body hanging in the forest. I think that was a different YouTuber, but certainly PewDiePie has had his share of controversy which we will be coming to.

Carole

I thought you were trying to do the ad, ship my pants. No, no. Are you sure you didn't misunderstand it?

Graham

Shit my pants if he gets to $500 per month. That's his pants, I think, rather than my pants.

Carole

Who would want him to do that?

Graham

Will he do it on YouTube?

Carole

Will he take a picture? I don't think he's being literal.

Graham

I mean, I think he is. I think we

Dave

found what's going to put him over the top here, right?

Graham

Anyway, the point is, PewDiePie fans are going out of their way to promote their YouTube hero. Some have bought physical ads above urinals. So when people go for a wee... Urinals.

Dave

What? Urinals. What is a urinal? What do you call them? Urinals. Oh.

Carole

Yeah, I don't like the word either.

Dave

Urinal, that sounds like a creature next to the elephants at the zoo. Urinal. Rhinos. Anyway, those.

Graham

So some have bought ads there. Another guy called MrBeast, he's another YouTuber, he's bought local TV spots and billboards based in New York's Times Square.

PewDiePie

Are you kidding me? No, I'm not. This is the most famous billboard in all of Times Square. And it's the biggest one, the biggest advertising billboard in all of Times Square. It's about to say subscribe to PewDiePie on it. This is cool. We're about to break the internet. There! Oh, my gosh, it's on the internet. No! We did it! We did it! It's up there! Subscribe to PewDiePie right now, guys! Oh, we did this! Oh, my gosh! Another guy has done the same in Mumbai, so he's bought ads. So, you know, you have to think, why are these people doing this? Why are these people spending all this money and time? Well, there's going to be a huge amount of money. It's got to be money.

Carole

Okay so it must cost a ton of money to have an ad in Times Square. You would think so, wouldn't you?

Dave

I don't think it does, actually. I think there's one of the video screens that just shuffles through different content. I think they have a way you can buy basically a 10-second happy birthday kind of, put any kind of message up there. And so the idea is you schedule that and then you stand in front of it and you take your picture in front of it and it says, happy birthday, Graham and Carole, congratulations on your 80 millionth YouTube subscriber, whatever.

Carole

Well, if you want to make it to number one spot, Dave, I have an idea. Yes.

Dave

Don't tell Maria. She's probably, she's logged on right now. She might be listening. She might be. Anyway, so PewDiePie is featuring them in his own videos. And that's, of course, encouraging even more craziness.

Carole

This whole thing is just a pile of stink. It is. Right? The whole idea, the 80 million subscribers, who cares? Who cares? Yeah. Right. Yeah. Exactly. Who cares? What a strange celebrity they enjoy. Can I just say it wouldn't? It wouldn't. It wouldn't to you? No.

Graham

I'll tell you what really annoys me. The hacker giraffe doing this thing, right? This isn't a new technique. This isn't exploiting any new flaws. There is a problem, as we all recognize, of people leaving their printers open. But I don't think what he was doing was very cool. And I don't think it's very cool that he's now getting paid to do it, $500 a month, when all these bug bounties for much more complex things sometimes don't offer even that much money.

Carole

How is it not breaking the law? Right. That's what

Dave

I was going to say. Does it run afoul of the Computer Fraud and Abuse Act? If you have unauthorized access to someone's computing device, that's not cool. It would seem like that to me. You could

Graham

say theft of ink, theft of paper, couldn't you, as well? Right.

Carole

We're just taking control. It's like, you know, it's taking control of a device that doesn't belong to you. Correct. And of. So, yes, hacking

Graham

giraffes, we don't like you. Yeah. Next. Clear off. Dave, what's your story for us this week?

Dave

Well, before I get to my story this week, I have a question for you, Graham. Oh, yes. Yesterday, I was over in the linguistics building on the Cyber Wire campus.

Carole

Were you mongering a little sandwich of avocado and roasted eggplant? Yeah. You travelled over there on your Segway, because it's quite a distance. Actually, I took the monorail. And this is a long walk and it's cold out there this time of year. So you can probably guess half of it. Are you familiar in the United States? Half chicken. Are you familiar with the residents of Wimbledon Common in London over in the United States? I'm sorry, what? No. So you aren't familiar with Wombles? Wombles are a British institution. Okay. Need a few of those in the States right now. This is a series of

Graham

children's books and a wonderful TV show way back in the 70s. My favourite Womble was, of course, Orinoco. That's woken Orinoco up.

PewDiePie

What's that? What's that? It's a wild animal roaring. Oh, oh. It must have been a dream. Oh, dear.

Graham

But yeah, they're lovable creatures, and somehow this is a portmanteau word which is used in Britain to suggest a person, maybe of dubious character, someone who we don't have a very high opinion of, is a cockwomble. And you would say

Carole

it like, Graham, you're such a cockwomble.

Graham

Yeah, exactly. Exactly like that. Yes. We do have that explicit tag, don't we? Yes. Right.

Dave

Good. Okay. Well, next time I'm over on that side of the Cyber Wire campus, I'll be sure to check in and let them know.

Graham

Don't use it at passport control at Heathrow, though. Try not to use cockwomble. Don't greet, don't pretend you're Dick Van Dyke. Oh, Michael. Blimey, governor. How are you going, all you cockwombles? How are you all doing today?

Dave

Right, got my Cockney rhyming slang all at the ready. Yeah, very good. Shall I move on to my story, then?

Graham

Yes, what's your story for you? Please, please. So this story comes courtesy of Danny Bradbury from the Sophos Naked Security blog. This is about a programmer who found an interesting behavior in the way that YouTube analyzes uploaded videos. No, no. Demonstrating vulnerabilities, you'll do a simple little video showing it off. Now, he had marked this video as unlisted, which means it doesn't come up in search results. But he discovered that moments after he uploaded the video, that there was a URL that appeared on screen in the video. The URL didn't appear in any of the metadata. It wasn't in the file name. This URL got crawled within minutes of the video being uploaded. Well, this is fascinating, isn't it?

Dave

Yeah. So it seems as though YouTube is performing OCR on the video. And whenever they see a URL, they go out and crawl it. So what's the problem here, right? So Austin, he did a blog describing this, and he said, Imagine a security researcher has found a critical vulnerability in a site and has crafted a URL that will trigger it, causing harmful effects to the website. So during a video that was uploaded to YouTube, if YouTube sees this URL, they go and crawl the site, trigger the SQL injection, and break the site. So what's interesting, I think, about this is that evidently private on YouTube doesn't mean private from YouTube. Quelle surprise.

Graham

Yeah. So who would be guilty of the exploitation then? It sounds like Google has just basically exploited a vulnerability on somebody else's site. They trip the bear trap. Yeah.

Carole

I don't think I'm following. OK, so on my video, I display a URL. Correct. It's a private video. Google, through OCR, grabs that URL and tags it in what?

Graham

The URL isn't for the private video crawl. The URL is the SQL injection vulnerability. So it'll be a URL to a particular web server, which demonstrates a vulnerability. Right. Google is watching the video just like a human would, and it converts it into a URL, and it then tells its search engine, oh, look, here's a URL we haven't been to before. Let's go and check it out. Right. And when they do, that triggers the SQL injection. Right, yeah.

Dave

So you can imagine that Google would want to look for those sorts of things. You could imagine child pornography, things like that. They want to make sure that people aren't posting those links. So I think there's a reasonable explanation for why Google is doing this. But you also have to wonder, is Google reading things like license plates or protest signs or T-shirts? If they're automatically OCRing everything in the videos, that's just sort of an interesting thing to know about, isn't it?

Graham

Or what, Dave, if I was sending you a private message and it was burn on receipt. So you only get one chance to look at it. So I'm sending you, for instance. What would it say?

Carole

I hate crawl. One replacer.

Graham

Yes, exactly. A secure message and say, look, you've just got one time to read this. And before you even get to look at it, I don't know why I would have included this URL in a video. But anyway, Google would have gone to it and it would have been zapped.

Dave

Yes, chances are they would have gotten to it first.

Carole

But from a security standpoint, there is some advantages to trying to stop misinformation from being spread.

Dave

And I suppose the lesson is if you're going to share a video, don't do it on YouTube. Private on YouTube doesn't mean private from YouTube. Exactly. Exactly. Yes.

Carole

Though I think many people who are doing anything on the Google platform must understand that privacy is, you know.

Graham

And that's true of so many sites, Facebook or LinkedIn. It's not just their raison d'être. Any of these things, potentially, if you say something is private, you mean private from other people on the Internet. You don't necessarily mean private from the service which you're actually using. Yeah, that's probably true 99.99999%

Dave

No, they haven't. And in his blog, Austin Burke goes and looks into it and basically says that Google has said very little about this. I'm sure it's probably buried somewhere in their terms of use, you know, in the EULA that they can do this. Well, they clearly have the ability to. I wonder if you were, for instance, to be going down the street just videoing stuff out of your car window and you passed by a shop or you passed by a poster which had a URL on it as well, whether Google has the ability to pick that up, scrape it and visit it. I'm sure they do. Yeah, why not? Yes. It's kind of spooky the way the world's going, isn't it? Incredible how they can gather so much information. I think of things like if you upload a video that has metadata, that has location metadata. Let's say you upload, like we see all these Russian dashcam videos. And there's dashcam videos from all over the world. Well, if they have location metadata and you can cross-reference that with license plate data, suddenly here's another way for you to gather data about where people are when.

Graham

It's a bit like that TV show from America, isn't it? Is it Person of Interest? Yes.

Dave

You are being watched. The government has a secret system. A machine that spies on you every hour of every day. I know because I built it. I designed the machine to detect that.

Carole

Best intro ever. Zoom in. Magnify. Enhance. Yeah, Enhance. That's my favourite. Enhance.

Graham

Yeah. I saw one once where, I can't remember what the show was, it might have been Spooks or something, one of the BBC shows, where they had a satellite image of two people meeting. And unfortunately, the bad guy had his sort of back turned to the satellite, so you couldn't see his face, but you could see the sunglasses of the person he was speaking to. So they went to the sunglasses. And then they got the reflection. Was it CSI?

Carole

Yeah, CSI Miami. I remember the episode.

Graham

And they got the reflection from the sun.

Dave

Yeah. Remember, it's a mirror image. I remember this was years ago, and it's a shame Maria's not here because she'd enjoy this.

Graham

I think it's a shame she's not here as well, Dave.

Carole

Yeah. She's number one. Remember that.

Dave

Our listeners wish she was here. Every episode that she's not on, all the listeners say, it's really a shame Maria's not here. Shame. How do you hold a moonbeam in your hand? Ask Maria. She'll know. But someone said every episode of Star Trek The Next Generation, someone would alert them that there was a ship nearby. And Captain Picard would say, on screen. And this little tiny dot would show up on the screen and he'd say, magnify. And then they would show up. But just once they wanted him to say, on screen so I can see it, damn it. If he had to say magnify every single time, you'd think Commander Data would know. Okay, great. Anyway. I digress.

Graham

Carole, what's your story for us this week?

Carole

Well, okay, to start this story, Dave, I want you to imagine that you have fallen on hard times.

Dave

I'm there.

Carole

Okay, you've drunk bleach, thinking it was elderflower cordial or something, thereby losing your voice. Bye-bye radio career. Rather than a dulcet-toned singer and podcaster, you sound more like Gollum gargling gummy bears. Okay, really not pleasant. And your family, of course, are very sad. Very sad. Right? They miss their papa belting out the show tunes in the shower.

Dave

That is true.

Carole

But they know it's also Christmas time and the big day is just around the corner. And little Ricky so wanted a Sudoku book. You know, little toddler Frank will go crazy for glow-in-the-dark stars.

Dave

It's like you're in my house.

Carole

And even these tiny little presents are out of your financial reach. Because Cyber Wire and the campus have outed you, right? Because you can't work anymore. So yes, it's all boo-hoo-hoo in the Bittner household.

Dave

As you all would say, I've been sad.

Carole

Exactly. And there's not a twig of hope. But wait, wait, Dead Voice Dave. There's this little thing on Reddit called Santa's Little Helpers. Now, Santa's Little Helpers is a kind of Reddit wiki dedicated to helping out others with non-monetary gifts during the holiday season. Reddit coordinators called mods volunteer to help coordinate people who request gifts and people who want to donate gifts. So as an idea, it's pretty sweet, right? Okay. So here's how it works. So you would create an Amazon wishlist with the Christmas items you're hoping for, and you'd make it public. You would then register this wishlist with Santa's Little Helpers. And once approved, you can make your appeal on their wiki. So you would write about your bleach problem, your Gollum voice. You might showcase your kids and say how great they are. And then you'd provide finally a link to your kid's Amazon wishlist. And the game plan will be that someone might feel for your story and want to help you out. Everyone with me?

Graham

Yeah, that sounds like a nice idea. Right?

Carole

Yeah. So, Dead Voice Dave, you would publish your request, and then you would check in on your wishlist to see if any items had been hopefully purchased by a secret Santa of sorts. And then, of course, you can woohoo rather than boohoo, right? Because some kind stranger has bought your prezzies if you see that they're missing from your wishlist. So every few hours, you're checking your list, Dead Voice Dave, and then one day, the presents for your kids are listed as purchased. Boom. Sudoku book and glow stars on the way. Happy days, and you can't believe how great the world is. Good people exist. You go to the subreddit Santa's Little Helpers and you publicly thank the giver, and that giver could be anonymous or not, but still you might do a public shout-out for the presents, and Christmas is back on, baby.

Graham

It's so refreshing to get a happy positive heartwarming story. Here we are just before Christmas and I think this is nice. I like this. What a great incentive. So you're going to include the link on the show notes so we can all donate or put up our messages? Or is it? Dun, dun...

Carole

Dun! Plot twist? It turns... I did not see that coming. It turns out that rather than purchasing your items, someone visited your wishlist and tagged the items as purchased by another seller. Graham, will you help me demonstrate what I mean here? We had a little exercise this morning. So here I am opening up Graham's wishlist, and I can see that he wants a personal massager. Sorry. It's on your list.

Graham

Is it?

Carole

And so I – well, if you want to share your list with everyone, go ahead. But I see it right here.

Graham

Is that a cockwomble?

Carole

And so I could go ahead and buy this for him and get it sent over to him, or maybe instead, to mess with him, I could click the Buy This Gift Elsewhere button, which opens up a pop-up and says, yes, cancel this request. Mark this item as purchased.

Graham

Oh, so you haven't bought it from Amazon. You've said you've bought it down the local personal massage shop where you have an account already. And so it gets taken off my wishlist so no one else purchases me one because I'd obviously only need one.

Carole

Exactly. You go in, Dead Voice Dave or Graham, and you're thinking, wow, someone's answered my prezzy prayers. But then after a bit of digging, you realize that someone has just, and here's the word du jour, Grinched you. You're a mean one, Mr. Grinch. Effectively cancelling Christmas, stealing Dead Voice Dave's Christmas. So the Grinch is stealing Christmas from the poor needy. Mr. Grinch. Oh, you're a monster.

Graham

Why would people do this?

Carole

Because the Grinch who stole Christmas. I think it's just a meme.

Dave

By the way, Dead Voice Dave, how nicknames get started.

Carole

Now, this Grinching has caused no end of problems. So people are having to repost their items. They have to retract preemptive thank-yous. They have to re-register with the Santa's Little Helpers program because they were ticked off as done and, you know, fulfilled. And it's getting very close to Christmas now. So the chances of getting the goods delivered in time are fast disappearing.

Graham

So you don't have to do this via Reddit. If you had an arch enemy, you can search for their wishlist. You can search for public wishlists on Amazon. Yeah, go check yours out now. And you can mark everything as already bought. And then their auntie or their grandmother or whoever doesn't buy it for them for Christmas. And they end up with socks and pants and things they don't want.

Dave

Well, and the other thing is I could imagine someone having fallen on hard times trying to reassure the children. Well, kids, I know there's no food to eat, but good news. Yeah. Christmas presents are on their way. So and then they're not. This is rather heartless, Carole.

Carole

Oh, yeah, it is. And it's causing a huge storm on Reddit, right? There's people writing things like this Redditor called Seagoing Cook wrote, whoever did this, I hope you're aware that you've destroyed the hopes and dreams of innocent children. Children have done nothing to you. You might think by doing this, you're hurting the parents who have no other way to provide Christmas. But you're wrong. You hurt the children. This makes you scum of the lowest degree. I'd like nothing better than to take you out to sea and throw you overboard. And then he gets supportive replies, I'll wrap the anchor, drive the boat. I've got another theory. Yes, well, that's what I wanted to go into. I wanted to go into theories. Why are people doing this? So

Graham

Go ahead. Number one, can I be terribly cynical and say that if I was competing with lots of other people on this Reddit forum to get a Santa's Little Helpers game, maybe I would get more sympathy and get people more likely to buy Tiny Tim his cartoon book or whatever it is if I said, oh, people have been removing them and all the rest of it. My Christmas is... I mean, that's really cynical of me. And I hate to think like that. But that surely is a possibility.

Carole

I mean, I think the most likely one for me is it's a lulz thing. It's a riffing off The Grinch Who Stole Christmas and it's going to be bored kids just being douchey. But it's not that funny, is it? It's not like you go, look what I've done.

Graham

You know, it's not that... Sorry for the laugh. But it's not that amusing, is it?

Carole

Well, what if you're miserable, miserable, miserable, and you want to share your misery? Because misery loves company, right? So spread the hate. I don't know. Never

Dave

Underestimate the destructive impulse of a teenage boy.

Carole

Exactly. The sub's mods are desperately trying to sort out the problem. Registered givers need to tell Reddit when a gift has been purchased so they can cross-check everything. And they're also telling people to contact Amazon support, I guess to try and stop the culprits that are doing it because presumably there's going to be a record of who actually cancelled the gift.

Graham

Right, oh yeah, and Amazon support are definitely going to follow up on those. They're going to handle that and say, well, let's find out who's friends with who, did you give him a present, who's it... It's a worldwide secret Santa competition, Carole. No one's awful. No, if it was a legitimate purchase they bought it somewhere, and even this idea of registering your gift giving on Reddit, that's irrelevant; you can still go to Amazon and cause the chaos, surely.

Carole

Well, I gotta say, Dave, at least this grinchy tale of life and woes has not fallen on you, right, or your family. And you can still shout out and belt out Christmas show tunes.

Dave

I am not planning on drinking any bleach anytime soon. I think

Carole

Dave should sing us out. Go on, you want to be number one? Let's go. You're not gonna get it by sitting on the sidelines, sugar face.

Dave

Okay, let's see. You're a mean one, Mr. Grinch. How's that? And welcome back. And you join us at our favourite time of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they like. It doesn't have to be security-related necessarily. Let's not be.

Carole

Well, you would have been pretty disappointed had McCartney not been there after paying for tickets.

Graham

Slightly, yes. I'd have been even more delighted if the other two had been there, but they unfortunately have other commitments.

Carole

I would have run the other way.

Graham

Anyway, if you get the chance, because chances are he won't still be doing this in 20 years' time, go and see Paul McCartney in concert.

Carole

The way science is going today.

Graham

His tour will be resuming in South America in March, so I'm telling our Argentinian listeners about that now, before moving on to North America in May. And it was fantastic. And I haven't really got much more to say about that other than it was terrific. Oh, and Ronnie Wood, he caught the tube on the way home. Just like we tried to, but it was all jammed. And then we tried to get an Uber, and that failed. And they charged us, even though they didn't give us an Uber ride. And me and my seven-year-old child had to walk for about an hour to get back to our hotel. But that's a fantastic night. And that's why McCartney is my pick of the week.

Dave

His carpool karaoke was pretty delightful as well, if you haven't seen that.

Graham

I have to say, I'm more of a John Lennon fan, but I'm warming more and more to Paul McCartney as he gets older. And I'm thinking, he's an all right chap. He's obviously a musical genius. He can't help it that he's the second greatest Beatle. But second greatest.

Dave

At least second, not fourth. Right, you mean behind Ringo?

Graham

Second greatest is still pretty impressive, I have to say. And it was thrilling for me and my young son to see Ringo on stage as well. It's just very, very cool. Loved it. There you go, cool. Dave, what's your pick of the week?

Dave

My pick of the week is a podcast.

Carole

Oh, podcast too, how embarrassing.

Graham

Hopefully they're not the same. Are you really having to plug your podcast on our show? That's right, yeah.

Carole

We kindly produce a Christmas special without sponsored ads, and you have to go and screw it all up.

Dave

Yeah, yeah. No, it's not my podcast. Let me ask you guys. What is the name of your podcast, by the way, Dave? It's The Cyber Wire. Oh, very good. Yeah, thecyberwire.com. Yeah. Yeah. I have to ask, over on your side of the pond, what is the most well-known mythical beast? Oh, Nessie. Loch Ness Monster. Yeah. Yes. Loch Ness. All the Wombles, of course. Probably Nessie. Probably Nessie. Nessie. Yeah, I think that's probably right. Well, over here in the Pacific Northwest, and that includes Canada, Carole, we have Bigfoot.

Carole

Yes, we do. That's true.

Dave

Also known as Sasquatch. Has the Sasquatch been spotted since Carole left Canadian soil? That's interesting, isn't it? Have they ever been seen in the same place? She is quite a Bigfoot. I'm saying nothing. This is a podcast called Wild Thing, and it is hosted by a woman who discovered that a distant relative of hers was actually one of the most well-known Sasquatch researchers in the world. Is this Auntie Jean? That's right. Her name is Laura Krantz, and it's a series about the search for this mythical beast, but it's also about our search for mysteries. Why, after all these years, is this still appealing? Why do we find, what drives our desire to look for these things that go bump in the night, these mysterious creatures in the woods or in Loch Ness or other places? And it's a good listen. It's got lots of good notice around the web and I highly recommend it. It's called Wild Thing and you can find it where all the best podcasts are hosted.

Carole

You know, my husband's uncle quit his life at one point and went and lived to try and spot the Loch Ness Monster for about 10 years. Wow. He lived in a caravan. Is this weird, Uncle? Right on the lake. Yeah, mad Uncle, yeah. I'm going to cut that bit out.

Dave

How did it work out for him?

Carole

Well, he returned home, said, thought it was dead. Oh. Oh, dear. Yeah, there you go.

Graham

Fair enough. Funny story, Carole. Thanks. That's the anecdote.

Carole

His uncle didn't die. He's still going strong. Okay, good. Jeez.

Graham

It's just 10 years. It's funny because your husband, I mean, he's not mistaken for a Sasquatch, but sometimes people have thought he's a bit of a Wookiee. He does look like one and sound like one sometimes.

Carole

So my pick of the week, last year actually, you might remember my pick of the week, was Rare Exports, a Finnish Christmas horror film. Oh, yes. That is just awesome. And for those of you out there who don't like subtitles, it's mostly in English. So don't let that put you off. I actually just watched it again in our friend's movie shed. So shout out to the Carhole Cinema. Now, guys, guys, do you remember the Zimbardo Stanford prison experiment? Oh, gosh, yes. Remember it? Dave was in it. He's doing it. I still have the scars to... So it was basically the guards got more violent if they were left unchecked? Yes. Right. And then there was the marshmallow effect. Do you remember that one?

Graham

Yes. Oh, yeah. The kids, yeah.

Carole

Resisting temptation. That's right. Yeah. Well, these are fairly well-known results. I certainly learned about them from textbooks in high school and uni and all that. What if I told you that there were huge question marks over the tests and their results and whether they're actually valid? Because when they have tried to replicate some of these tests, the results are radically different. And these two tests are not alone. It seems that many, many, many psychological tests that we have come to trust may not be valid. It seems the problem is that journals tend to want to publish things with flashy titles and equally flashy results. Surely not. So psych researchers who want to succeed can be very tempted to skew results. I know you want to hear more. So basically, you can go check out a podcast called Analysis. It's from the BBC. And this particular episode is called The Replication Crisis. And I've heard many, many of these podcasts, and it's great. So it's a total subscribe for the inquisitive mind. So, Graham, maybe not bother.

Graham

This is interesting, though. I mean, there is, for instance, a scientific theory that the Loch Ness monster may actually have died after swallowing bleach and choking on a marshmallow.

Dave

Well, I think it was despair that finally did him in when other people had clicked on his gifts and there were no gifts in front of the tree for the little baby Loch Ness monster.

Carole

Oh, it's kind of cool, though, because this consortium of psychologists have got together to try and re-replicate the results of famous tests just to make sure that we're actually learning from, you know, real stuff rather than potential happenstance or something that might have been a little bit skewed. Really well produced, really well researched, really well covered. Just a great, great podcast. And we'll put a

Graham

link in the show notes. I will. I will do that. All right. Well, that just about wraps it up. And it just about wraps it up for Smashing Security for 2018.

Carole

Oh, break it to them gently. Jeez, it's our last show of the year, guys. It's our last show. I know, I know, I know.

Graham

We're going to take a couple of weeks off.

Dave

But we'll be back in January. It's a shame you couldn't have gotten Maria.

Carole

Don't worry, she's opening the show for us, 2019. Of course she is. Of course she is. Cannot wait.

Graham

Dave, if people want to find out about... I can't even speak today. Dave, if people want to find more about you or about The Cyber Wire, what's the best way to do that?

Dave

You can go to thecyberwire.com and it's all right there.

Graham

Fantastic. It's a great podcast, guys. You can follow – well, I've heard some of the guest correspondents are very good. From you, at least, Carole, is what you told me. Not a cockwomble among them. That's right. You can also follow us on Twitter at @SmashinSecurity. Twitter wouldn't allow us to have a G.

Carole

Thank you, of course, to all our listeners for your continued support throughout the year. It would be a futile experiment without you guys. We're going to be off the next few weeks, as Graham said. We have a lot of eating to do, right, Cluley? Charming. But if you want to give us a little extra Christmas cheer, submit a few lovely sentences as a review wherever you get your podcasts. It'll take you about a minute, but it'll make the world of difference to us. And to our wonderful sponsors who help give us enough pennies so that we can deliver the show to you for free, week in, week out. So thank you. You all rock. Until next time. Cheerio. Bye-bye. Bye. Bye-bye. Bye, cockwobblers.

Graham

Not wobblers. A cockwobble is something else entirely. It normally happens when you're in your mid-50s. Yeah, yeah. But there's a pill for you.

Dave

It's a great time to be alive.

Graham

Isn't it just? High five.

Carole

Of course we didn't forget. We have a little Christmas present for you too. Check out this little bonus track.

Dave

By the way, I noticed you guys aren't bleeping. You're not bleeping anymore. We're explicit now. We sometimes bleep. If we say the C word because you Americans don't like it. No we don't. That's the one word that still has some punch over here.

Graham

It was more kind of just the themes of what we talk about sometimes. It just became so difficult deciding, is this explicit or not? It's just like, why don't we just label them all as explicit? Do you know what?

Carole

If This American Life can be explicit and you swear words, like I just think, you know, yeah, why not?

Graham

So, free rein, Dave. Go crazy ape bonkers with your cunty piss flaps if you want to.

Dave

It's just like you're reading my mind, Graham. I've been holding on to that exact phrase waiting to come on this show. Well, there's our teaser at the end. I'm not going to get that image out of my mind. Happy holidays, everyone.

Hosts: Graham Cluley and Carole Theriault

Guest: Dave Bittner
