
Mensa – the social club for people with high IQs – is accused of not being so smart about security, an Indian TV journalist gets an unbelievable job offer from Harvard, and we take a look at what’s been going on with GameStop short selling.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If we were cleverer, all these pieces would fall into place and then we would understand what we have to do. We have to look behind the picture and then the sunlight will come through the window, through the crystal in the staff and it'll illuminate a bit of the floor and then we'll take up the carpet and then there'll be a little effigy and then we put that on the bag of sand and then the portal opens and we join Mensa. I need a drink.
Smashing Security, episode 213. No security smarts at Mensa, long-term identity theft, and GameStop's share frenzy with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 213. My name's Graham Cluley. And I'm Carole Theriault. And we're joined this week by a regular return guest. It's Mark Stockley. Hello, Mark. Hi. Thanks for coming on the show, Mark.
Oh, it's fine. I had nothing else to do. What have you been up to? I'm a teacher now.
Are you talking homeschooling? Yes. Yeah, I think Graham's doing some homeschooling as well. Every single parent I know is complaining about homeschooling. Tell us about it. It's horrific.
Oh, it's an opportunity to get to know your children in a way that you probably didn't want to.
Do you find it too hard? Is that the problem? You don't know the answers?
There's a reason they're a trained profession. People go to college to learn how to do this. And the people who go to college to learn how to do this are the people who really want to learn how to do this. We were given about three minutes notice this time, weren't we? By the way, tomorrow morning, you're a teacher again. Go tell all the people you work for.
I posted on Twitter that maybe I was going to crowdsource my son's maths homework because it was beyond me how to do it. And I thought, you know what, I'm just going to post these questions on Twitter and get other people to answer them for me.
He's nine. He's nine, isn't he? He's nine, yes. He must be nine. He's nine. Nine seems to be the age when people go to Twitter and go, my child's maths homework is completely impossible. I have a theory that nine is the age at which UK school maths exceeds the average parent's ability to do their school maths. Because you start getting into things like perfect numbers and factors and stuff, which is, you know, useful everyday stuff.
Okay, let's first thank this week's sponsors, 1Password, CrowdSec and Inside Security Intelligence Podcast from Recorded Future. Their support helps us give you this show for free. Now, coming up on today's Smashing Security show, Graham, what do you got?
I'm going to be talking to you about a completely mental cybersecurity issue.
OK. And Mark, what about you?
Well, I'm going to be talking about how difficult it could be to go and work in another country.
OK. And I'm yakking all things GameStop. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, have you ever had your IQ tested? Have either of you ever had that done?
Does it count if you go to a website and do it? On Facebook, maybe.
The very fact that you're on Facebook tells me a lot about your IQ. I've never been on Facebook. Mark, you're a bit of a smarty pants. Have you ever had your IQ tested?
Possibly. If I did it was a very long time ago so it can't have been on Facebook. I'm pretty sure it was not a very rigorous test and actually I'm not actually convinced that IQ tests are worth anything or tell you anything useful anyway.
Would you join an organization like Mensa? God no. The club for people who score 98th percentile or higher in an IQ test. No thickies allowed.
Okay, I kind of like the idea of Mensa.
Do you? That's interesting. Why? What do you like about it, Carole?
I don't know. I like the idea that smarty pants hang out together and share smarty ideas and come up with even smarter ones and then share them with the world and everything's better. I like that.
So it's something which makes me a little bit uncomfortable about the idea. Because they don't want you in their club.
I know. No, well. I know. It's just. I know, honey.
It's easy to turn down the knighthood you haven't been offered, isn't it, Carole?
What is it that makes people want to join a club? You know, they've scored highly in an IQ test, but they think, oh, you know what my social life needs? I need to hang out with other people who also chose to join a club after scoring highly in an IQ test.
Says the guy who's in a chess club. I mean, come on.
Maybe it's a public service. Maybe the rest of us need that for our social lives.
Get them out of circulation.
Yeah, we know where they all are. They're all happy in their little tent.
Is it a bit sad to be a member of Mensa? Or is it just sour grapes that we're not members of Mensa? I don't know the answer to that.
I think maybe just because you're not clever enough. If you were clever, you'd know the answer.
You don't know if I am a member of Mensa. We'd know if Carole was a member because she'd tell us she was a member. All members of Mensa feel compelled to tell people and they will put it in their email sig and say that they're members of Mensa.
They would have a T-shirt saying, I'm a member of Mensa, I'm the 11th best Briton in the entire universe? Something like that?
Wow. You think, okay, interesting. I don't know. It's complicated. I don't know. But Mensa is in the news this week. Mensa is in the news with allegations that they haven't been very smart about their computer security. You may have spotted in the Financial Times a chap called Eugene Hopkinson. He was until recently the British Mensa Board's technology officer. And he says he has been trying to convince their leadership team for the last couple of years that they need to stop storing passwords unsafely. He says that their passwords are basically stored in plain text. They're not salted. They're not hashed. And if someone got hold of them, they would be able to exploit them.
Oh my God. Hold the phone for a sec. So they have an active technology officer on the Mensa board, the British board. He's working there right now.
Well, he's not because he's just quit.
He's gone to the press and said, oh, no, okay. But did he talk to the papers before he quit or after he quit? Do you know?
Well, he wrote an open letter. Hopkinson says that sensitive data was being insecurely stored by Mensa, which included the IQ scores of members and failed applicants, Carole, as well. You wish.
I think as we've already established, the IQ scores aren't secret, are they? Because they'll just tell you those.
Payment card details, passwords, email addresses and home addresses. Now, Hopkinson, he fell out with Mensa last week. There was a board meeting where he raised his concerns again. And he wrote this open letter. He said, if a breach is found to have taken place, because there were rumours that Mensa had maybe suffered some kind of security breach. He says, I've got no faith that the board and the office will report it adequately or take sufficient action.
Oh, my God. I wonder if he was recording that board meeting. For him to go to a board meeting and say, guys, guys, guys, we need to take this seriously. And they're saying, yeah, no, no. And then he goes to the press.
Right. I'd be very, very disappointed if that recording isn't just people going, well, I don't understand. Could you explain that to me again? The password is stored in plain text. Sorry, I'm on level 240 of Candy Crush. I can't pay attention to two things at once. Multitasking is a sin.
Now, I've been approached. You remember during Watergate that Woodward and Bernstein got approached by Deep Throat? And it's top secret in those little meetings, right? I have been approached by my own deep throat from Mensa. In fact, two different deep throats who claim that they have inside information, which they've shared with me. One of whom says he has a recording of the board meeting. And he's quite defensive of Hopkinson. He says, oh, you know, they're trying to frame Hopkinson. They're trying to say that he's bad. The other one says Hopkinson is a right pain in the arse. He's causing trouble. And that the board were all over this problem. And in fact, it was Hopkinson's own failure to fix these issues, which has now resulted in him basically being given the boot.
And you're covering it on the show because now you've got two little secret moles giving you information. Do they know of each other, do you think?
I don't know.
Did you say, hey, deep throat, how am I going to identify you? And he says deep throat and you go, no, I've already got a deep throat. I've already got one. I need another one. Give me another name.
Is this just some very, very complicated initiation rite to get into Mensa? Graham's applied, exactly. We're just not clever enough to figure this out. If we were cleverer, all these pieces would fall into place. And then we would understand what we have to do. We have to look behind the picture. And then, you know, the sunlight will come through the window through the crystal in the staff. And it'll illuminate a bit of the floor. And then we'll take up the carpet. And then there'll be a little effigy and then we put that on the bag of sand and then the portal opens and we join Mensa.
I need a drink. You've been homeschooling for too long, haven't you, Mark? It's begun to get to you. Now, Mensa, they've told the Financial Times that the passwords were encrypted and that they were now looking into hashing them as well. Now, of course, there is this misconception amongst the public about what encryption means and possibly within the board of Mensa as well. Because encryption is sort of waved around as this magic talisman, isn't it? It's oh, the data's encrypted, then you're safe. You don't have to worry about things.
Well, I hope you heard me snorting derisively like a Mensa member when you said encryption. I was an involuntary. I think you'll find.
So if you simply encrypt a password, it will be possible to decrypt the password, right? So if you use a standard encryption algorithm, the beauty of encryption is you can encrypt a message and then decrypt it to understand it at the other end. And what's a much better idea is to store a cryptographic checksum, often called a hash, of the password. And you can then, when someone goes to your website and enters their password, your website can generate another cryptographic checksum from what they've entered and compare those two checksums and say, oh, they must have entered the password. So you don't have to store the actual password. You can just store a hash or a checksum password. And even better, without getting too nerdy, you can apply a bit of salt to the hash or before you create the hash to make it harder to look up in what's called a rainbow table. Anyway, that's all nerdy stuff, which I'm sure Mensa are all over. Well, apparently not. But it doesn't sound like Mensa was really following best practices. And if you visit Mensa's website right now, you will see that the website is down for maintenance. If you go to the British Mensa website, mensa.org.uk. Well, because—
Their technology officer is out on his ass. Well, maybe. They're sitting ducks now.
Maybe they would have been wise to get a technology officer who wasn't actually a member of Mensa. Rather than just recruiting from that pool of people who choose to join the Mensa Club, maybe it'd be sensible as well to, you know, this is quite important. Maybe we should bring in someone who understands technology and can properly protect this data rather than us decide what the data security practices should be.
You know what? Purely based on what you've said, right? I'm feeling really bad for Mr. Eugene Hopkinson, who seems to go to these meetings and go, dudes, look, we need to take this seriously. And they're like, yeah, yeah, yeah. You don't know enough. Aren't you a 142? Thanks, Eugene. Thanks, Eugene. Sit down.
What we call a charity case. Yeah, thanks, Eugene. Well, that's Eugene's story of what happened, of course. Can I just say, this is exactly how I imagine Mensa would operate. So everybody knows that you're not supposed to store your passwords in plain text. Everybody who cares to know who has any business in this at all understands that you shouldn't store your passwords in plain text. And they have known that for a couple of decades. So we're not talking about best practice. We're talking about what was best practice many, many years ago. And I imagine that there has been, I like to fantasize, that there has been a two-decade conversation going on at board level in Mensa about exactly what they should do. They're probably having arguments about which hashing algorithm to use.
Well, there is a slight twist in the tale, because since Hopkinson's resignation, or was he booted out, it's unclear, personal details of a couple of its directors have apparently been accessed, and there's been information posted up on Pastebin as well which appears to come from Mensa's servers, and they've informed the ICO of a security breach. Eyebrows are being raised regarding who might have been responsible for this. Maybe one of your deep throats. Maybe. I'm not going to point fingers in any particular direction, but there is a third-party security company, presumably they're not members of Mensa, who've been brought in to investigate, and maybe criminal charges will fire.
We've got a real problem we need to solve. Can anyone here solve this problem? No, no. No smart people. We're going to get some outside people in with lower IQs to actually solve the problem. Yes.
So, either of you tempted to join Mensa now? No. How do you know we're not members? Carole, you can keep on protesting that.
I'm not protesting. I'm just asking, what is your evidence?
I think most Mensa members are twats, so maybe you are. I don't know.
Wow. That better make the edit. I feel this story tells you everything that you need to know about IQ. The world is full of people who are demonstrably, obviously, patently clever, intelligent, thoughtful, productive, useful members of society who happen to not have very high IQ.
Said a true person spurned by the Mensa Club. Damn it. Mark, what have you got for us this week?
I've got a question. I suspect one of you has a yes answer to this. Has either of you ever tried working in another country? Yes, many times. So how did that go? Well, I'm still here.
Yeah, you are working in another country, aren't you, Carole?
Yeah, did you get a job in the UK while you were still in Canada, or did you move over to the UK and then get a job?
No, I've done both. I don't, I'm not sure how legal the first ones were, but I was basically waiting tables for two pounds an hour, so I don't think anyone's gonna give a shit, but yeah.
Would you say it was an easy process? Was there a lot of admin bureaucracy?
Yes, yes, yes. Much, much, much. It was extremely difficult. And I didn't marry my way in, just for those that don't know.
Well, no, you married a Wookiee. Yeah, exactly.
So what about you, Graham? Have you ever tried to work in another country?
Well, not permanently. I mean, I do do work in other countries. In the old days, before all this, imagine me waving my arms around now. I used to go and do talks in other countries.
I imagine that's probably quite easy, isn't it? Just get on a plane, go over there. They write you a massive check and then you give some presentation you've given a hundred times before and then go home.
More or less, yeah. Have you seen it recently? You need a work visa. I haven't obviously done one for about a year, but yeah.
So we've all had some experience of trying to do work with people in another country. And so we've all got some understanding about how difficult that can be. Hilarious stories, yeah. But I bet, I think it's going to be very hard for anybody on this podcast or listening to this podcast to beat the story of Nidhi Razdan. So Nidhi is a seasoned journalist working with NDTV in India, that's New Delhi TV. And in November 2019, Nidhi was invited to speak at an event organised by the illustrious Harvard Kennedy School. And Graham, you get a lot of speaking gigs. Have you ever done one for Harvard?
I haven't ever done one for Harvard, no, but I'm available if they want me, maybe.
If you had a higher IQ, just saying. One of the organisers of the event contacted Nidhi to ask if she'd be interested in applying for a vacant position at the school. It offers a Masters of Liberal Arts Journalism degree, and that includes working journalists on the staff. So she thought, that sounds like me. And offers like that don't come along every day, so she submitted a CV and an application. And then a few weeks later, she was invited to an online interview. And it obviously went well, because a few weeks after that, she received her offer letter from HR, the Human Resources Department. And
What's the name of this school?
Harvard. You may have heard of it.
No, no. The Stanford School. Which one in Harvard? It was the Harvard Kennedy School. Kennedy School. Is that what it's called? Is that the full name?
I believe so. I stopped reading at Harvard, to be honest. Not that I'm a snob, but you know.
I think that would sound pretty cool. You'd say to her, oh yeah, I've got a job at Harvard. You know, you would, wouldn't you? I would.
Maybe it's like the Four Seasons.
The Four Seasons Landscaping Company.
Four Seasons School of Journalism. Anyway, so she's invited to this interview, online interview, obviously. Obviously goes well, a few weeks later, she got an offer letter from Human Resources. And while that was going on, her employers received the kind of correspondence that you know when you're going to get the job? Because the people you know start getting the requests for references and things like that. Yeah. So all that's happening as well. So this is happening, right? The wheels of bureaucracy are turning. And yes, she did get the job offer. And then she decided she was going to make that life-changing decision. So in June 2020, she goes on Twitter and she announces to her fans that she's leaving NDTV after 21 years off to the green pastures of Harvard. How cool. Kennedy School. Kennedy, Harvard Landscape and Gardening.
No one's going to pay attention to that bit, Carole. That's like Oxford Brookes. You know, it's Oxford. That's all you need to know.
Okay. Anyway, after many weeks of back and forth over her visa, which I'm sure you can understand, Carole. Yes. Then she had to get into the actual nuts and bolts of actually teaching. So she's getting documents about class schedules, details of her class and what she's going to be teaching and so on. She's so excited. And then, you know, it is a bureaucratic process and everybody understands that. And bureaucratic processes get even worse during a pandemic. But by late 2020, she was starting to get very frustrated with all of this. There seemed to be an awful lot of administration to wade through.
How much time had gone past that?
So I believe she was approached at the back end of 2019. So a year. Yeah.
She has no idea what she's talking about. My God, that's nothing.
So far, not impressed. Anyway, so we're coming to, I guess, kind of late 2020. She started to get very frustrated. There seems to be a lot of administration to wade through. And her salary is being held up by IT failures brought on by the COVID pandemic.
Of course, of course.
It's fair to say things are harder in a pandemic. Nobody needs to be told that who's listening to this.
Nine times 16, right, boys? Shush, yeah. But you still have to treat people the right way. And if you're a world-renowned institution, this is not how you welcome someone from another country into a new job when there's a pandemic. Yeah, just for like a teacher. You know, like we just had someone on the show talking about high value targets, right? And that only this kind of stuff would only happen to like CEOs or the rich or something. The notorious where she's just like... Well, she's a journalist. Yeah, she's a TV personality. The professorship is being dangled as a carrot. Someone else might be doing her job right now at Harvard Business School, right, pretending to be her.
I wonder if she has confidential sources that somebody might want to. You know, there are regimes that pay extraordinary amounts of money to put surveillance on particular people's phones, for example. So, you know, it's a, being a journalist can be a dangerous profession.
So has she got her job back at NDTV after all this? Yes. Yes. She does seem to still be working for NDTV. Okay, good. You're right, Mark. This is an extraordinary level of effort for the scammers to go to. We don't normally see this sort of, you know, this months and months of work.
Isn't that a very interesting choice of words? Because that's the other side of this. You said we don't normally see this, but how would we know? How would we know? If you had asked her halfway through this process, she wouldn't have told you she was being scammed because she didn't believe she was. Because what an extraordinary thing to discover and admit to yourself that people are capable of doing this, that they're capable of this kind of devious behaviour, and that you're capable of falling for it. And I do wonder how many people are subject to this kind of scam who never discover it, who never find out, who just continue to believe what they're told.
I wonder if one of us is being scammed right now. Maybe one of us believes we are just participating in a security podcast either as an irregular contributor or as a regular co-host. And in fact, this is all subterfuge.
I have it on good authority that one of the people on this podcast has been approached by a couple of quote-unquote whistleblowers.
A whistleblowing deep throat is quite a trick, isn't it?
Depends where the whistle is, I suppose.
You guys. Carole, what have you got for us this week? Oh, we're talking GameStop, we're talking GameStop now, today, right now. It's Tuesday, 2nd of February, 4pm UK time, and the GameStop stock price is $91.69, right. So at the end of my segment we're going to see what it is, and then you nerds out there can work out how long it took me to do this story. Okay, so we're yakking GameStop just to figure out what happened.
Between a Blockbuster and a Tandy. Yeah.
Right. Would you say, Graham, it's what? I don't know, but I've heard it's a bit rubbish. Isn't that right? No, it's not rubbish. It's just been failing for a while now. So from a stock perspective, people would agree with you. It's a bit rubbish. But from a retailer point of view, that is where you go to buy your games. Yeah. Well, that's why I say it's a bit rubbish, because I think most people these days don't buy their games in a store, do they? They either buy them online and have them delivered to them, or they literally are inside the video game console's online store and it automatically downloads.
And GameStop kind of suffered, I think, from that. There's been a kind of slow decline since January 14. So then it was about 50 bucks a share, right?
I think they were holding on for the turnaround when people suddenly realize that they can only download so many things and it's easier to go buy physical media.
Okay, so I know people that actually really want the physical media because they've had consoles break on them before. They don't that it's in the cloud. They can't access, they don't remember a password. And they just feel more comfortable owning the physical game. It's there rather than loaned.
Are they members of Mensa who smoke pipes and have long beards? Well, they're related to me, so I don't know. So in January 14, GameStop was about 50 bucks a share. Okay. Cue pandemic.
And people don't want to buy physical media because other game players probably don't wash their hands.
And Marie Kondo, right? We don't want all that fussy stuff around our house anymore. We want it all spick and span.
Do you think there's a big overlap between the gaming world and Marie Kondo?
Well, you know. So, okay. So, back to GameStop, right? So, in bounds the short sellers, right? So, short sellers or short selling, simply put, is a trading technique for people hedge fund managers or individual investors or speculators or what I'd call gamblers, personally. And hedge funds, big hedge funds decided they were looking at GameStop's failing, failing, failing stock price. And they were, hey, maybe there's a short here we can do. Maybe we can basically buy some shares or promise to buy shares at a price in the future. And because they're definitely going to decline in price.
Yeah, they're making a bet basically that the share price is going to go down and that's how they're going to make their money.
Okay. I'm going to give an example. Okay. Mark, you have to pay very close attention. Tell me where I fuck up on this. Okay.
Yep.
Okay, Graham, you're my guinea pig in this one.
All right. Okay. Interesting.
So let's say we're talking about a donut. I've got a donut.
Guinea pigs do not donuts. I think you'll find it's carrots and lettuce is what we.
Okay. And you're smart enough, not Mensa level, but you're smart enough to figure out that a donut in five days is going to be worth way less than a donut right now just out of the fryer. Yeah. Right?
Yeah, probably.
And you see it as a sure thing that if you buy the option to sell the donut for two bucks to somebody, right, and you promise to buy it back later at whatever price it will be in five days time, you might turn out a little coin. So let's take in five days time. It turns out someone values the donut only 10 cents because it's all crusty, gross. And you $1.90 out of that sale. You with me?
I'm with you. Yeah.
Okay. But what happens if the donut improves with age? Because it's using a new fermented sourdough base. And people go nuts for it. And in five days, the price skyrockets to $10 per donut. But you've promised to buy it back at whatever price. You're now in a loss of $8.
Oh, yes. Yes. That's the part about short selling that you don't hear so much about, I think.
Yeah, because no one to advertise when they fuck up. Right?
But what I mean is if you buy a share and it goes down, the downside of buying a share is that it goes to zero. So there is a limit to how much you can lose. You know at the beginning, okay, if I spend this much money, I might lose all of it. And that's how much money you've lost. Whereas I think if you short something, the danger is that the price goes up. There isn't actually a cap on how high the price can go. So your risk is potentially much, much higher.
Yeah, because the short sale's infinite, right? So the stock price could continue to rise with no limit. So these hedge fund guys on Wall Street borrow shares in the company and sold them with the promise to buy them back at a later date. You know, they were waiting for it to go down the poo-poo hole. And then they would collect their prize money because that was the game plan. That was their bet.
Yeah, and they're not imagining that a horde of gamers are suddenly going to go to these shops and start buying physical media in the middle of a pandemic. Right? It seems implausible that the share price is going to go up.
Exactly, Graham. In swagger, a Reddit community called WallStreetBets, more than 4 million people follow this feed and sharing tips and tricks and thoughts on the market, been doing this for years, amateur investors and diehards can all be found there. So they get together and they all say, we're going to save GameStop. We're going to have a movement and we're going to buy all the shares back. We're not going to let Wall Street kill these guys. And when you buy shares, the value ticks upwards. And when millions and millions people invest and buy shares, the valuation skyrockets. So it went from the lowly fiver all the way up to 350 or almost 400 bucks per share. Right? So if you bought a thousand shares, 5,000 bucks. Oh God, nine-year-old maths. Right. Let's go, boys. 1,000 shares, 1,000 shares at five bucks a share. And suddenly it's 347 bucks per share. What do you got?
Way more money. I'm on this podcast to get away from the maths homework. 342,000. Jesus Christ.
I have no maths left. I left them all on the kitchen table.
Okay, now the problem here with all this is this leaves the hedge funds heavyweights who attempted to cash in on GameStop's failing. They're feeling the heat. Because they promised to buy it back at a future valuation. And now that valuation is way freaking higher.
Oh, the poor hedge funds. Oh, the poor little hedge funds. Won't someone think of the hedge fund managers?
Melvin Capital Management was forced to seek a rescue package being at the centre of the kerfuffle over GameStop. It lost 53% on its investment. I'm not crying, you're crying. That's according to the Wall Street Journal.
I've got some sand in my hand.
Another one, Maple Lane Capital ended with a roughly 45% loss.
Can we get some black and white photos and a PowerPoint and just have their names in a sort of you know, a really ornate font underneath maybe with the dates, those obits they do at the Oscars? I think that'd be great.
Well, there's loads of speculation as to why this happened. Was this a movement that was kind of spurred on by this Reddit community, or was it just people who were bored and they happened just to kind of glance past it and go, sounds fun, I'll try and go get involved too, because I've got a thousand pounds or a thousand bucks to burn? Or maybe some people were starving, going, oh my god, I really need cash quick, this could be a way. Now, of course, the big investors started freaking the fuck out, right, crying foul because they were outgamed by a bunch of nerds, right, and it hurt their professional investor ego.
Have they not been warned that the price of shares can go up as well as down?
Have they not watched the ads?
Dare these people pool their assets and then use them to make money from the fluctuation of stocks and shares. Exactly.
How dare people band together and manipulate the market? Do you own a three-piece suit? Do you own a Hermes scarf? Now, of course, this seems unfair to us, I think, because, you know, they're basically just bitching because, you know, someone's beating them because they're using new platforms that they hadn't thought about. And they did it rather cleverly. However, the upshot of when Wall Street kingpins whine in unison, people listen. So regulators in Washington are now keeping an eye on a possible market manipulation in social media groups. So we've got that. Thanks. We also have the digital investment app Robinhood. This was a central app in this whole, I don't know what to call it, a fiasco?
This is a share buying app or something you can just put on your phone, right?
Yeah, it's a stock market app. And last week it restricted trades in GameStop, allowing investors to sell but not to buy. A surefire way of trying to push the prices down.
In unrelated news, I understand that one of the companies that stood to lose substantially from the increase in GameStop shares was quite a serious investor in Robinhood.
Ah, interesting. Although the CEO
of Robinhood has been on TV telling everyone that will listen that these two things are entirely unrelated.
According to The Guardian, the company insists that this was for technical reasons, that they stop the investors being able to buy rather than a desire to protect the hedge funds. But of course, small investors are pissed off. So one, they've taken out a class action suit against Robinhood for knowingly manipulating the market. And they've been flooding the Robinhood app with one star ratings. And where it gets interesting is Google has salvaged the rating by removing more than 100,000 one-star reviews, so basically taking the side of the hedge fund. What do you guys think about that?
Were these automated bad reviews or were they done by hand by angry investors? I sort of think if they were legitimate bad reviews saying we don't like what they did, then that's fair enough. But if it was an automated bot or something that was doing them, then Google feels like it's within its rights to remove bad reviews.
I feel like these two things are quite separate because from Google's point of view, you have to think, what is the purpose of the reviews? Well, the purpose of the reviews is to help people choose things based on the opinions of others. So if I organize a campaign, which is very obviously just meant to trash the reputation of a company by leaving one-star reviews, those reviews are no longer really very useful to the people who are shopping for apps, I think.
Yeah, but if 100 people do it because they all feel they may be acting as a collective, but they all feel that's the right thing.
But I think what you're looking for is the honest, so the wisdom of the crowd. And in order to get the wisdom of the crowd, the crowd isn't supposed to agree with itself in advance what it's going to say and then go and sort of act as a union.
Oh, bad people for being a community. Fuck, don't you realize you're ruining everything the company you're trying to do? Does anyone else see the irony in the company being named Robinhood and then shutting down trading for individual investors?
That's cropped up, I think.
Markets are attempting to claw back, obviously, the losses that were felt early Monday, kicking off what's going to be a turbulent February month. And this is not the last of this. So there's already been forays into AMC, very similar story to this as far as I can see, and BlackBerry. So technology firms, slightly different story, but the idea of having failings and being propped up by the market and having individuals or this movement underpinned by this idea of let's save these companies. The question is, does GameStop value, you know, does it deserve this valuation that it currently has? Well, maybe now, currently, maybe it's a pretty good valuation. But on the weekend, two days ago, it was much, much more. Should we check what it is now?
I actually have the stock price in front of me. Yeah. I'm looking at the chart. The chart looks like it's basically a horizontal line for several years and then a vertical line. And it's coming down. So it's now $111 right now.
So interesting. We'll see what's going to happen. It's crazy, crazy time. I worry so much about the people that get caught up in this frenzy late in the game and are investing their life savings. And just be careful, folks. This is real money.
This is what worries me about this story because I feel like a lot of people were kind of declaring a victory lap. These people coming together on Reddit as if they all had exactly the same intention and they were all acting as one for the same reasons and they all kind of taught the hedge fund managers a lesson and maybe they did. And I hope that everybody gets out of this with their shirt. Well, they won't. Of course they won't. It's impossible that everyone... You know, the share price is supposed to reflect the actual intrinsic value. All you're saying is with the short sell, I don't see a future in GameStop. I don't see a future in a store that's run the way it's run that sells physical media. And I agree with that. I don't see a future for that store. That store is... You know, that share price looks like it's going to go down and down and down and down. And so... Bet you wished you'd invested if you had, Mensa. But the purpose of the share price is not to make me rich.
He just doesn't understand, Carole. He doesn't understand. You and me, we're all right with it. He can't get his head around it. It's a bit too troubling. Try and ask him about factorials.
The idea that anyone can say what that group is doing and speak for the whole group and say, this is the mind of the group, I find quite concerning. I mean, we don't know that there weren't hedge fund representatives in that group. Oh, totally. It could have been a pump and dump scheme. Exactly. Exactly. There could well be institutional investors taking advantage of this collective thing. And it's true of every stock bubble and every stock market bubble in history. They happen because the people in them say this one is different. For whatever reason, they say this one's different. It's a different kind of bubble. Or it's happening for different reasons. It's got different kind of people involved. We're teaching the man a lesson or whatever. And they are all the same, always. And they always have the same outcome. And eventually the share price will come back down and somebody will lose. So the story isn't over yet. Do you do yoga? I haven't since the pandemic started. Can you tell?
Hey Cluley, Cluley, did you hear my CrowdSec special interview that I did?
Yes, yes, yeah I've heard it. Yeah, did you? Yeah okay.
I don't know if I believe you. Tell me everything you know about CrowdSec. Go.
Okay, CrowdSec, they're building a community where you, SecOps and DevOps can join forces around the world and actually make a difference against all the new attacks which are coming out. Because no matter what your business size is, CrowdSec offers an adaptive response to security issues such as credential stuffing, port scans, password brute forcing, and much, much more.
Okay, tell me how they analyze visitors' behaviors. What do they do with malicious traffic, for example?
Okay, yeah, they analyze your visitors' behavior. They deal with the malicious traffic and, oh yes, they automatically share details across the community to ensure everyone is protected. So the more data that CrowdSec aggregates, the stronger it gets.
Okay, that's great, except you forgot the most important thing. It's free and it's open source, so anyone can benefit from this. So join the CrowdSec community and let's make the internet safer together. Find out more at crowdsec.net slash smashing.
And Smashing Security listeners, there's a special offer just for you. Go and join the user community and you could win a Google Pixel 5. Just go to crowdsec.net slash smashing. And thanks to CrowdSec for supporting the show. Hey, Graham. Why are you saying that? Are you thinking I'm getting forgetful?
Yes, often, very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time. I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?
Yeah, well, I use a good password manager. I, in fact, use 1Password.
1Password, that's 1 with a 1, right?
That's right, yeah. 1Password. It's a great password manager. It works for home use, it works for families, it works for business. So I run a little business here at home, and it means... And imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.
Tell you what, now that all of us are working from home and your computer is being used not just for work, but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated. Yeah, and listeners can find out more and they can try 1Password for free for 14 days at 1password.com. And thanks to them for supporting the show. I've watched some of this at your behest. I loved it.
It's pretty good, isn't it? It's absolutely fascinating. It's three episodes. And if you saw, there was another BBC documentary called The House of Trump. And it reminds me rather of that because you get these figures in the public eye. People like Alastair Campbell, who used to be Tony Blair's right-hand man. Nigel Farage and others speaking very, very frankly and honestly, which often you don't always get in documentaries, about somebody and about his family. And it's very much about the machinations that have gone on behind the scenes for political influence, sometimes to the benefit of the Murdoch family. And also how his children have been battling to gain control of his empire when he eventually pops his clogs. And of course, there's a fair bit as well about the phone hacking scandal too. And people like Rebekah Brooks.
Can I interrupt? I noticed that they kind of skipped over the pie slap in the face during the hearing. Which I thought was a little bit uncool because that is a memory that you and I share because I think I had a really bad back or something and you actually came to do a sympathy visit. That's right. And we were watching it live on TV and that happened.
Is that the one where Rupert Murdoch's then wife lands a serious right hook on someone?
Yes, that's right. Yes, Wendi Deng. It was curious how they edited around that in the show because they sort of suggested it but didn't talk. I mean, I don't think it's meant to be the – I mean, it is, to be honest, it's a bit of frippery. It's not important to the story.
Oh, really? Frippery. Yes, but it was bizarre because they did have a little bit of footage around it. That should be our show name, Security Frippery.
Yeah, Frippery. Anyway, it is a marvellous documentary. I can really recommend it. It is...
Seconded.
Fascinating. The Rise of the Murdoch...
What's it on?
It is available on BBC iPlayer. Don't know if it's available anywhere else, but go and check it out. The Rise of the Murdoch Dynasty. Links in the show notes. Mark, what's your pick of the week? My pick of the week is a website called SketchUp and I'm going to tell you why. I'm going to tell you a little story so gather round.
Do you need a pee, Graham?
I've got a little bucket here I can go in. I'm fine, okay, good. So if I hear the sound of running water while I'm talking I'll take that as an indication that my story wasn't interesting. It's for you and your chickens, isn't it, Mark? It's not just for your chickens. It is big enough to fit me in it. I can stand up in it or it will be anyway.
Do you have a chicken outfit that you wear? Now I have done a sort of beautiful hand drawing of what this thing is going to look, trying to work out which bits of wood I need. And I drew this pencil and paper drawing. And I was saying to my friend, you know, what I really need is I need something that I can kind of build this chicken run in online. You know, just to kind of work out whether or not the bits of wood actually fit together. And he said, well, lots of people use SketchUp. And I thought, oh, go and have a look at that. Anyway, SketchUp.
Have you never used it before for anything?
No.
Oh, okay. I had never heard of it until last week, and I went to this website, and it is my, it's the sort of circle of my career, if you like. So it is a website which contains a 3D modelling app for free. It is a completely free 3D modeling thing built entirely using website technology. And it blows my mind that that's where we are, that the thing that was too expensive, too scary, too difficult to do, required too powerful a computer for me to do 25 years ago. And so I took the route of going into websites instead is now possible in the website. And it's brilliant. It's glorious hearing this. I've known about SketchUp for 10 years. Really? Yeah, because I've used it to model kitchens and new bathrooms and all kinds of stuff. And yeah, I'm surprised, I guess, that people don't know about it.
Yeah, I've heard you talking about it before, Carole, yeah.
But this is the wonderful thing about the internet, isn't it? It's too vast. Someone can just say to you in passing, oh, there's a complete 3D modelling package available in a small HTML canvas over there.
I don't know. Had you 148, 149, you might have figured it out.
I'm sorry. It's okay, Graham. Don't worry. It's too quick.
That was above his head, Carole. Carole, what's your pick of the week?
Anybody having trouble sleeping these days? You guys, you're a good sleeper, Graham.
I don't sleep. I tend to sleep for about 45 minutes to an hour each week if I find.
I find it's just a matter of getting a balancing out the caffeine with the alcohol.
Yeah, exactly, you'd get those two levels right, then it's fine, it's easy. Yeah, exactly, and you know, it sucks. And the other day I couldn't, I couldn't sleep all week actually, and I got a bit desperate and I was looking for a pod, kind of sleepy, sleepy distraction, right? And there's a lot of kind of lame, dirty, I don't know, just inappropriate. Not for me trying to sleep because I'm frustrated, right? It's 3 in the morning. I'm pissed off.
Are you assuming sexually? No, you're the one who said dirty. You said there's a lot of dirty stuff. And then you said you're very frustrated. Okay, not in that way. Just I've got too much stuff in my head that is unimportant and it won't go away. So it's like an audio—
Do you remember what I said about how—
One at a time, boys.
Get quick. Mark, do you remember what I said just now about the internet being amazing?
Yeah, totally take it back. Graham.
No, I say this works, does it?
The entire magic that makes the show the show has been hoovered out of it, right? Like completely. It's a husk of the show. But it's so dull and quiet and familiar, because you know the episodes, you fall asleep. So there's more than one episode of this? Oh yeah, he's done four seasons.
Why, I wonder? All four? I wonder how he manages to stay awake.
And you know what, he has 215 followers on Twitter, so, you know, throw him a bit of love. Throw him a bit of love because, you know, it's a cute idea and he does it well. And the Office ASMR podcast helped me... How do you know he does it well? How do you know? He has effort to sleep.
Once you're asleep, you don't know if he's doing it well.
It's the point. His whole line is, the podcast narrated in the office so you can fall asleep.
It's his job. I feel like you're telling us it's boring, and yet somehow you're also claiming the moral high ground. Exactly. And that is why it's my pick of the week. It's so boring, I fall asleep. It's amazing. It's successfully boring. Yeah, that sounds really boring, Crop. No, you're wrong. Successfully so.
Wouldn't it be more boring to listen to the same episode over and over again? Why do you need four seasons of it?
Well, I don't want to sound sexual, Graham, but maybe that'd get frustrating. It sounds amazing. Can we wrap this baby up, you guys? Anyone out there who wants to listen, The Office ASMR podcast, I think it's fun, but not fun enough to keep you awake.
And that just about wraps it up for this week. ASMR voice, please. And that just about wraps it up for this week. Mark, I'm sure lots of our listeners would...
That is why Graham doesn't have an ASMR chat. You're doing great. You're doing great.
Mark, I'm sure lots of our listeners would like to follow you online. What's the best way for folks to do that?
Oh, you can follow me at Mark Stockley on Twitter, or you can follow my chickens at Internet of Hens on Twitter.
And you can follow us on Twitter at Smashing Security. No G, Twitter and last have a G. And we've also got a subreddit. Go looking for Smashing Security up there. And don't forget, make sure you never miss another episode of the show. Subscribe in your favourite podcast apps, such as Apple Podcasts, Google Podcasts and Spotify.
Huge thanks to this week's sponsors, 1Password, the Inside Security Intelligence podcast from Recorded Future and CrowdSec. And to our wonderful Patreon community. Thanks to all of these people, the show is free for all. For episode show notes, sponsorship info, guest lists, and the entire back catalogue of more than 200 and now 12 episodes, check out smashingsecurity.com. 2013. Well, this one's not up yet.
Until next time, cheerio, bye bye, bye bye.
I wish we'd stick with the ASMR voice. I was looking forward to trying. Huge thank you to this week's... Do it, do it. I don't want to know. I just did it. I got bored, did you?
Hosts: Graham Cluley, Carole Theriault
Guest: Mark Stockley
Show notes:
- Two British Mensa directors quit over cyber security concerns — Financial Times.
- Mensa Website Hacked After Britain’s Smartest Folk Failed To Secure Passwords — Forbes.
- Poor password security at the British branch of Mensa? — Graham Cluley.
- I Am Nidhi Razdan, Not A Harvard Professor, But… — NDTV.
- GameStop stock price — MarketWatch.
- GameStop: What is it and why is it trending? — BBC News.
- An uprising against Wall Street? Hardly. GameStop was about the absurdity of the stock market — The Guardian.
- GameStop short squeeze fuels new stock-market services tracking Reddit messages — MarketWatch.
- The Basics of Shorting Stock — The Balance.
- The Rise of the Murdoch Dynasty — BBC iPlayer.
- SketchUp.
- The Office ASMR — A Podcast to Sleep To.
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com
CrowdSec is open-source and crowd-powered software enabling you to detect and block attacks. While sharing with its user community, you contribute to improve its efficiency and make the internet safer. Learn more and try it for yourself at crowdsec.net/smashing
Recorded Future’s podcast, Inside Security Intelligence, takes a deep dive into the world of cyber threat intelligence.
They share stories from the trenches and the operations floor, giving you the lowdown on established and emerging adversaries.
Whether it’s the SolarWinds breach, 5G conspiracy theories, or Russian election interference, Inside Security Intelligence gives you a fresh take from a variety of industry experts.
Find the Inside Security Intelligence podcast in your favourite podcast app, or at recordedfuture.com/podcast.
Warning: This podcast may contain nuts, adult themes, and rude language.


