
A couple unexpectedly find $10.5 million in their cryptocurrency account, and in Cambodia people are being forced to commit pig-butchering scams.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who are flying solo again this week.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So they park it on your drive, right, with the keys. Is that then your car?
No.
You don't think you can just take it?
No, I don't.
But it's all right for you to take $10 million?
No, I don't think—
You're saying there's nothing to compel you? There's no legal requirement, you reckon?
Ladies and gentlemen, this is gaslighting. Exactly what's going on right now. Okay, this is called twisting one's words. All I'm saying is it should be the same way both ways.
Smashing Security, Episode 293: A Massive Crypto Bungle and the Slave Scammers with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 293. My name's Graham Cluley.
And I'm Carole Theriault.
Ah, Carole, you're back. Thank goodness.
I got COVID.
You got COVID?
I tried really hard not to get COVID. But I suspect it's quite hard to do in a house with just one loo, right?
Oh, you didn't make him go out in the garden?
No, I didn't.
Or you go out in the garden.
Yeah, that's what I should have done.
Yeah.
I'm not as ill as him, of course, right?
Yeah.
Of course.
You sound all right at the moment, I'll be honest with you, but you were quite rough at the end of last week.
Yeah, I know. I know.
And you pulled out of the Smashing Security live event at NISC.
No, I chose very responsibly not to go over on the day that I tested very positive for COVID.
But it was okay because we had a puppet. We had a deepfake of you, which acted as though it were you, and people couldn't tell the difference really. Everyone seemed very happy.
Well, how about we get this show on the road? And before we kick off, let's thank this week's sponsors, Bitwarden and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about how cryptocurrency bungles have really excelled themselves.
Okay, and I'm gonna ask you whether you would hire an ex-scammer.
Nope.
All this and much more coming up on this episode of Smashing Security.
Now, chum chum, do you consider yourself a lucky person?
Yes, I do think I'm fairly lucky.
Yeah, yeah, really? Yeah. Why?
I've got a pretty good life other than having COVID at the moment. Life's pretty sweet, right?
Okay.
So, and I'm thinking that's down to luck rather than talent, intelligence, charm, wit, bravery.
I definitely think that. I definitely don't think it can be anything to do with intelligence, charm, or wit. Fortune favors the brave goes the old adage, doesn't it? But it also favors the jammy, the lucky, the fluky. Whether you're lucky enough to be born into European royalty, which I wasn't.
I don't know if that's lucky.
You don't?
Well, no. Do you?
I think it'd be quite good to be like a second cousin, so you wouldn't have very many duties, but you'd have rich relatives to bail you out or give you a palace or something to live in. I think that'd be quite handy.
Okay, I didn't know that was something you were looking for, a palace. I'll keep my eyes peeled for you.
And also, if the FBI or someone wanted to question you about some serious offense, you'd be able to turn a blind eye to it.
They wouldn't know what door to use in your palace. Well, maybe. Maybe that's the thing stopping them. I think if you think luck is just wealth, then you're right on all these fronts.
Oh, okay. Well, sometimes good fortune can also fall into your lap from the strangest places. So, for instance, last year there was a bug in a cryptocurrency service called Compound. And what Compound managed to do was by accident, by mistake, they gave away $90 million worth of crypto to their users. They accidentally sent it to them.
Like to all of them? Like a little share?
Well, you know, lots of people got something. Yes, of different amounts. And then their founder, their CEO, went on to Twitter.
Guys, can you give it back, please? Seriously?
Yes, exactly. He begged them.
You would. You would. You would.
He said, would you mind awfully giving it back? He said, it'd really be helpful. And he said, if you do, I will give you a 10% bug bounty. If you'll do the honest thing and return most of it to us.
Right. So you got 10 grand. Okay, give me back, give me back 90 or give me back 9 and I'll give you 1 type thing.
Well, it's very quick maths, Carole, for someone who's still got COVID, isn't it? You're not that foggy headed, but yeah, perhaps.
My amazing constitution.
But he went on to say, look, otherwise, if you don't pay it back, it's going to be reported as income to the IRS. And most of you are doxxed because I know all of your names and addresses.
Okay.
I think he didn't realize that free money minus taxes is still better than no free money. So I don't think people would worry particularly that they had to pay taxes if they'd been given a large sum of money.
No, well, you can pay taxes on illegal earnings or, you know, you just have to declare it. You just have to declare it and say, look, I have this money. I'm not going to tell you how, but here's the taxes and the taxman's happy.
Well, you could just say it's been given to me by crypto.com.
Exactly. As a gift.
I presume so. A loyalty payment of some kind. Anyway, word has now reached me from a land down under where women glow and men plunder—I'm talking about Australia—of something a little similar. The curious case of Jatinder Singh and his partner, Thevamanogari Manivel. Now, that couple are currently in jail.
Okay.
Not in the same jail cell. I think they've actually split up since. I'm not sure. But anyway, they are facing up to 20 years in an Australian prison. Oh my God. Of all the prisons to be in. Imagine being in one with no culture.
I'd be all right with that compared to others.
What, you think Australia is better? Yes.
Where do you want to be?
Have you not seen Cell Block H?
You've got to be in a Chinese prison.
Well, no, I haven't been in a Chinese prison. Or Russian.
Would you like to be there?
But I've seen enough soaps to know what being in an Australian women's prison can be like.
Right, good, yes.
Anyway, it doesn't matter. That's not relevant right now. Now you're wondering, you're wondering what they're doing in that prison. Well, they allegedly stole money from a cryptocurrency company called Crypto.com, a big cryptocurrency company. How did they allegedly steal the money, you ask? I'll tell you, Carole.
Okay.
They didn't hack in.
This is great.
Mm-hmm. They did. You don't have to ask questions.
No, it's good.
Because you've got COVID, you can take it easy.
Exactly.
They didn't hack in. They didn't burgle the HQ. Instead, they were given the money.
Okay.
So let me explain what happened. Jatinder Singh is a cryptocurrency trader.
Check.
He's been doing it for a while. He's amassed something like $49,000 worth of cryptocurrency on the Crypto.com trading site using his debit card.
Okay, so that's money from his hard-earned cash.
Yeah, he's doing all right. Yeah. Not done anything wrong there. Sounds like everything's going well. But then he wants to conduct some more trades, and for some reason or another, he uses his partner Manivel's debit card, creates another account.
Well, maybe she has a bigger balance.
Who knows?
Right.
Who knows? Maybe he sees a great opportunity, needs a different debit card. Now, Crypto.com doesn't like that. It says you should be using your own account, not someone else's, to trade and your own debit card. And when they find out that he's done this, they say, look, that's against our rules. You shouldn't have done that. What we'll do is we'll refund $100, which you've paid to set up this account and do whatever trades you've already done. We'll refund that to Jatinder's partner, Manivel, the one who he's taken the debit card from.
But she complained?
I don't think she's complained. I think Crypto.com have just identified that his username does not match that of the card. And I think probably for money laundering reasons or whatever, they try and do ID checks on who is using cryptocurrency websites. And they think, hang on, this doesn't match up with your card, therefore we have to close this account. Oh, you've spent $100 already. Don't worry, we'll refund that because, you know, we recognize that you're a trader in good faith, blah, blah, blah. We want you to carry on doing this.
Okay. Right.
So you would expect now to see $100 be transferred into Manivel's account.
Yeah, as to what they explained. Right.
Exactly.
Right.
But that's not what happened. Okay. Instead, Crypto.com says that an employee of theirs in Bulgaria — I don't know why that's relevant, but they say in Bulgaria — okay — made a mistake in the Excel spreadsheet.
Ah, good old — it's always Excel's fault. It's always Excel's fault.
And rather than paste in $100 —
It was just 1 cent.
Itself, right? They accidentally pasted in not 1,000 or 10,000. No, what they did was they pasted in the account number, the Crypto.com — pardon, the Crypto.com account number of the previous job that worker had been working on, right? So everyone who's on Crypto.com has an ID number. And so they pasted in the number, which was the user number into the field of how much money they were going to refund him.
So the little dollar sign wasn't a giveaway. So, right.
And it came to $10,474,143.
And then pressed, without double-checking, pressed the send now.
Yes, transfer. Right, exactly.
Bet they're in a bit of a pickle.
It strikes me that Crypto.com have just leaked one of their users' account numbers as well, which is 10,474,000.
Guys, maybe take that one offline if you haven't already, just in case.
Right.
Okay.
So they moved this money into Manivel's bank account in May 2021.
Right. They're just, job done, ticks it off the list.
And meanwhile, can you imagine? Can you imagine opening your banking app, checking your balance and going, hello, this is all right?
Honestly, I would call them up and go, they've obviously made a crazy-ass error. They're going to be freaking out. Wouldn't you?
Well, apparently the court has heard, right, is that Jatinder, her partner, said to her, oh well, that's what happened was the other day on the Crypto.com app, I received a notification saying that they were running a competition to give away $10 million. What? And maybe we've won it, he said to his partner.
Is he being honest or is he full of poo poo?
Well, that's for the court to decide, Carole. That's for the court to decide.
He sounds like he's part of this now. Why would he say that? I don't understand.
Well, this is the argument that is being given to court, is they say there was a notification in the app saying there was a competition, someone's going to win $10 million, and then suddenly $10 million turns up in their account from Crypto.com. Now, Crypto.com says we don't actually run competitions like that.
Yeah. Can you prove that? Where did you see that? Exactly. Yeah.
And we didn't send out a notification. So that's the first mistake that's happened, is Crypto.com has moved $10.5 million into someone's bank account rather than $100. The second mistake they made is that it then took them a full 7 months until they noticed that they'd made that blunder, that they'd moved the money. They didn't spot the $10.5 million had disappeared.
7 months. This is ridiculous.
So they didn't notice until December 23rd last year, just before Christmas. And of course, someone else is having a great Christmas.
Can you imagine?
It's alleged that Manivel transferred large amounts of this life-changing windfall into different accounts, transferred it to her friends, gave away some to her family, used it to buy a $1.2 million luxury home with a cinema, home gym, 4 bathrooms, made a down payment on another home.
Would you do that? Would you have done that? I mean, 7 months though, and they haven't come knocking for it. You just assume at one point they are going to.
Don't you kind of think finders keepers? Maybe if they haven't noticed by now, maybe—
I don't know.
My partner has told me I've won a competition. He said we won a competition, you know.
Don't worry about it, honey. Don't worry about it, Manny. We got this.
Another $4 million was transferred to a Malaysian bank account. That's where Manivel comes from, and her sister's based out there. Hundreds of thousands of dollars allegedly given to each of her daughters. Another friend has his $1.2 million mortgage.
Yeah, yeah. So they spread the wealth, blah, blah, blah, blah, blah, and get themselves—
Furniture, luxury cars, all sorts like that.
Like a gangster. Yeah.
And now Crypto.com, now they're hot on the case now, right? Now they've noticed this 7 months later.
Wait a minute.
They've sprung into—
Just hold on a second. I think something here is a little awry.
What's going on here?
Right.
Right. And so they are contacting the lawyers of Manivel and Jatinder Singh. And they're saying, "Could we have our money back, please?" And nobody's replying. No one's acknowledging receipt. And so, funny that, isn't it? Put your head in the sand.
La la la.
Hopefully they'll go away. Hopefully they'll lose interest.
Yeah, because 10 million is not enough for them to keep their—
So they also had not very much success contacting Manivel's sister in Malaysia. So she's not responding either. They just had a single, one line just saying, thank you, received, or something like that, just through an email, but they never went into any conversation. So Crypto.com say, well, there wasn't a competition. We don't send out push notifications. We would never have given away $10 million. Singh and Manivel are saying— If someone, Carole, left outside your house, I don't know, an Aston Martin car with the keys in it. What if they parked it on your drive because it's very convenient for your lugubrious neighborhood? So they park it on your drive.
No. Although we didn't notice for 7 months, weirdly, but yeah.
Manivel tried to leave the country. She was arrested at Melbourne Airport in March. They say she was trying to flee to Malaysia on a one-way ticket, and she had a large amount of money on her.
I do kind of think I agree with you. In the crypto world, if I accidentally gave you £10 million, right? Or 10 million bitcoin, or not you, some stranger, they're not going to give it back. And no one's going to help me source that and get it back. They're going to say, well, it's gone. You fucked up. Right?
But isn't there some responsibility on the recipient to say, did you mean?
Ethically, yeah. But I don't know about legally.
Right.
With the keys. Is that then your car?
You don't think you can just take it?
But it's all right for you to take $10 million?
No, I don't.
Okay.
No, I don't think—
You're saying there's nothing to compel you? There's no legal requirement, you reckon?
Ladies and gentlemen, this is gaslighting. Exactly what's going on right now. Okay, this is called twisting one's words. All I'm saying is it should be the same way both ways. If someone makes a mistake and pays someone $100 million or £10 million or £5, can they go to the bank or to the bitcoin exchange or whatever exchange and say, oh, can we just, you know, let's go back in time, you know, rewind, rewind.
But in this case, they have to ask. You can't just undo it at the bank level because the money's been moved from place to place.
Exactly. You know, I get it. I get it. Okay, so what's happened?
Nothing.
We don't know.
Well, Crypto.com are asking for the house to be sold, all proceeds to be returned to them. They want all the money back. And this couple, if they're found guilty, of this theft and subterfuge, they could face up to 20 years in an Australian prison.
Says who though? Says just— I don't know where the law— where's the precedent on this one?
Well, because it's theft, Carole, allegedly.
Yeah. It's not theft though.
You're not giving back something which belongs to someone else. I mean, even if it was a goof. Yeah.
It was a goofy gift. I received lots of those in my life, Graham.
Okay. Oh, now you're admitting it. Now you're admitting it. Interesting. Carole, what's your story for us this week?
Okay, so question is, would you hire a person who boasted about having scammed people in the past to the tunes of thousands and thousands and thousands?
Oh, golly, no. No, absolutely not.
What about if the person didn't say a word, but you found out somehow later that they had been a successful scammer? Would you call them out and say, look, I'm not very happy?
Oh no, I'm a coward. I wouldn't necessarily confront them.
But they're your employee.
I might— well, I might fire them for another reason, body odor or something. I might find some other excuse to get rid of them. I don't know if I'd want to say you're right.
Right, because you'd be afraid for your life then, because scammers are killers.
Right. Well, they might be. You don't know. You don't know what lengths they'll go to.
Okay, well, I want to see if this story changes your mind on this any. Okay.
All right.
So we're going to the other side of the world, over to Thailand, and you are perusing Facebook as you do, right? And you see an ad for an admin job that's right up your street. You're, that's a very nice weekly pay packet. And it all looks good. And the job happens to be in Cambodia, which is a different country, of course, but it's just an hour flight away, capital to capital. So it's not really a big deal. And plus you've got money, all the money you'll be making, you'll be able to travel back and forth.
Yeah.
So this is an in-person job. You actually will— I would have to go over there.
Exactly. Right. And everything's looking tickety-boo. And when you get there, things take an absolutely wild turn because there is no admin job. There is only a scammy, scammy scam job. So in short, you are told, okay, something along the lines of you need to target the pig, fatten the pig before butchering the pig.
Sorry, who's the pig in this story?
Which I've managed to translate Right?
No, I haven't been on it, obviously.
Sure, of course not.
No, I think we talked about it way back when, is the whole horror of Facebook introducing a dating component. But apparently it does.
to finding a target to And then woo the crap out of them until they're brimming with trust and then start hitting them up for moolah. These are their terms. This is according to The Guardian, links in the show notes. Yeah, you're ringing a bell. COVID fog.
Oh, a romance scam. When you say woo, woo, woo.
woo, to scam, right? And he'd say, I'd pretend to be a woman to flirt with guys, and after flirting back and forth to create trust in them, I'd lure them into buying stuff like a pyramid scheme. The deeper they got sucked in, the worse it'd be for them. Well, there is investment scams, any type of scam. Romance scams, investment scams.
But you're basically gaining the trust of someone in order to trick them out of money by some method. Okay, look, these guys have got the wrong idea. And that's your job.
Which guys?
The people who've been tricked into working at the scam company. Because rather than saying, oh, hi, I'm a woman, la la, I'm really interested in you, or I've great investment for you.
This is your job, right? And you're told your role is to scour the internet for victims you could trick into investing in an online scam.
So they're quite upfront about this, and they're advertising these jobs on Facebook. Why don't they say, hey, I'm stuck working for a scam operation where they're threatening to electrocute me?
Yes. Well, well. Not as this, right? Yeah, they're probably not checking any of the logs. Yeah, you won't even go to a scammer that you know is a scammer and say you're a scammer.
Ah, they're just saying it's an admin job, right? Right. But it's a great story. It's a great story. That's the one they should be using to pull on the heartstrings and saying, can you send me an airfare to get out of here?
So you may, you may at this point kind of go, uh, Can I just say my story isn't done yet? My story is not done because these two, how do we know about their stories? Because they got out. You want to know how they got out? And apparently this attitude of yours does not go down so well. This is according to Lai Thi Lan, okay? She's a woman who found herself in exactly this situation, and she explained in The Guardian that if she refused to do the work she would be told that she'd be taken to the 8th floor of the building compound to be beaten or electrocuted. hey, I think there's been some kind of mix-up.
What the f— What? What? Yes! They dug a tunnel.
Crazier than that, I would argue. I'm not a scammer. I just want to do a bit of paperwork, right?
Okay, let's hear it.
Okay, so most would have remained captive until the authorities had enough to raid the compounds. And the only way, of course, to leave the compound was by paying a huge ransom fee, which neither, you know, Tuan or Lan could afford. Yes! Okay? 8th floor. Weird. Okay? Lan was then told later by other workers that she had been sold to this criminal gang that was running this enterprise, and that she was now owned by the company.
You're kidding me.
But they do manage to get out, and they get out by literally breaking free with a dozen other colleagues. Okay, according to The Guardian, some male staff fired Molotov cocktails to startle the work compound security officers. Nope. Lan says she would work between 14 and 16 hours a day with only short toilet breaks. If you spent more than 10 minutes in the bathroom, your pay would be docked. Then dozens raced from the building. Okay, so men in dark uniforms chasing frantically after them, waving sticks.
Sorry, I'm still
Lan and Tuan and others jump into the water along Cambodia-Vietnam border and swam for their lives. Okay, there's even a video of this that's been shared widely online.
upset about the Because sometimes— 10-minute toilet break.
Things can take a while for some people, right?
Is this true? Is all of this true?
How do I know? It's according to The Guardian.
They can. Exactly.
I wasn't there personally. I was not there. I have it on very good, reliable sources. Links in the show notes. One 16-year-old boy drowned during this escape. Especially if she's stressed out, which she would be.
Oh my God.
And not all of them made it. Another man who couldn't swim was dragged back and was seen being beaten.
If I've got a copy, you know, if I've got the newspaper and things, or the cricket on, it's going to take longer than that. Okay, so that's nasty.
So Lan and Tuan are two of the lucky ones. They were able to break away from the gang and eventually get back home to Thailand. She was told she had to earn 300 million dong, or $12,000 for the company each month. Now, I ask you again, before I carry on with the story, if you heard this and they were the employees that you were hiring, they were saying, actually, well, once, yeah, I kind of did, but I didn't want to. This is what happened to me.
That's a lot of dong.
Would you hire them then? We had a lot of dong. Every 5 days, she had to attract 2 new customers to be tricked into sending money. If she didn't meet her targets, her pay would be deducted and the bosses would threaten her with violence.
And there's, yeah, there's a constant threat of being taken up to this mythical 8th floor where they have the electrodes. Oh, would I hire one of these people who's escaped? I'm still slightly dubious about this story, to be honest, Carole. Yeah, for electrocution. Exactly. Now you kind of think, oh, you know, this must be a one in a million story. I'm not sure I believe it all because it's extraordinary.
Well, it's kind of complicated because Thailand, who has actually raised the alarm on this, saying this is definitely happening, and estimate that there's 3,000 more Thai workers trapped in these conditions. And the issue became so acute that in August, the US downgraded Cambodia to the worst level possible in its trafficking in persons annual report. And a UN special rapporteur likened the conditions in these compounds to a living hell.
Well, it's slave— it sounds like slavery, doesn't it, really?
So put that in your pipe and smoke it. But when you get back home, you think your problems might be over. You know, mom and dad going, "Oh, God, thank God you're back. Yes, doesn't it? Just Lan's colleague, if I can use that term colleague, he was forced to work on romance scams. So Tuan was stuck in the same compound, and the romance-style scams centered around a fake online shop. We were worried about you. We didn't hear from you," and everyone hugging and kissing. But in fact, no.
Oh, they do. It's the most horrendous.
The majority of people that have returned from such compounds, about 70%, have been prosecuted, according to the Royal Thai Police. Oh, right. See?
Because they scammed people in Thailand.
Because they may have scammed people in Thailand, and there are some bona fide scammers out there. But there are also people who get sucked into this scammy world, and it's a bit of a hornet's nest, because if you get it wrong, you either let a scammer go free, or you make a victim pay double time for being a victim.
So if I was a scammer in Cambodia and I did that for a couple of years and made myself enough million dong, I could then go pop over to Thailand and say, "Oh, I've had a terrible time. Oh my goodness, I had to jump in a river. Oh, Molotov cocktails, electrodes, etc.," in order to try and get some sympathy rather than be prosecuted. Is that what you're saying? Some people might be pretending to—
But presumably, people also fall for it. And there would be a record, right? There would be evidence that she clicked on the link of the ad. There would be an ad, there'd be a paper trail somewhere. There'd be the emails back and forth. There'd be the buying the plane ticket.
Facebook would definitely have tracked everything. Let's be honest.
Exactly.
Facebook would have stopped it.
I could call them. They will explain everything.
Why are Facebook allowing these ads from dodgy people to occur?
Right? Does Facebook even exist anymore? I don't even know.
It's rebranded.
Is it Facebook by Meta or is it Meta Meta?
Meta's the parent company. Facebook, the website, exists. Yes, I'm afraid so.
Okay. And on top of all that, okay, on top of that—
Have you got more?
No, I was just going to say on top of all this, you won't hire them.
Oh yeah, because that's the biggest of their problems that I won't hire them.
Well, it's just the icing on the cake. The straw that breaks the camel's back.
"Graham Cluley won't hire me. Oh my goodness. My life is ruined." Yes.
I see more clearly now in this COVID fog.
If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security. Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers. If you're not quite sure how you'd go about proving all that, then you need Kolide. Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals. Best of all, Kolide doesn't resort to spying on workers or locking down devices. Instead, it works with end users to resolve issues and relies on their cooperation and informed consent. You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com/smashing to find out how. If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com slash smashing.
Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access, and it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security-related. My pick of the week is a board game, a board game which doesn't have a board, a board game that I have been playing called Zertz. Oh, okay. I thought it would be the tortilla water full-mouth slapping. You can play tortilla slap. I'm actually going to a 50th birthday party at the end of the month. So I will set it up for that place. Well, Zertz, Z-E-R-T-Z, is an abstract two-player strategy game played with marbles, white, gray, and black. Very nice feeling marbles, by the way. All the pieces in this game really feel nice. It's just like, oh, I like to touch these. Oh yes. Thank you very much. It's a bit like a Bakelite telephone. You know how nice that feels?
Yeah, I like those.
Yeah, exactly. That's what we're talking about. So you get these lovely marbles and you start off, you build a hexagon made out of marble holders, which come in the pack. And each go you put a marble down and you take one of the holders away from the hexagon, one of the ones which isn't occupied. So over time, the area of play gets smaller and the number of marbles increases and the marbles can jump over each other a bit like in draughts or checkers.
Or is that a Parcheesi? Isn't something like that?
I don't know.
Okay.
Anyway, you can jump over. In fact, you have to take if you can take. And slowly the board gets smaller. And after a few plays, you begin to understand the strategy is much deeper than you initially imagined. Because you can lay traps for people. You can force them to take your pieces in order to get the colours that you want in order to win the game. And it's really fun. It's a— I was playing with my son and he said to me, I like this game, Dad, because first of all, I'm able to beat you. But secondly, secondly, it's using his brain in an interesting way. He said it's a bit like chess. He doesn't like playing chess with me because I beat him. But it's a good brain strategy game. It's part of something called the GIPF Project, G-I-P-F, which is a series of abstract strategy games by a German designer called Kris Burm. I've been curious to try the other games. I haven't played them yet. I've only played Zertz so far, but I expect that they will be equally good. And that is why Zertz is my pick of the week. Great fun.
Okay, well, there you go. Well done.
It's good. Do you play any intelligent games, Carole?
Do I play any intelligent games?
Yeah, simple yes or no would have sufficed.
Yes, of course I do.
Such as?
I play Quirkle.
Yeah, it's not that intelligent.
It's pretty intelligent.
No, it's not really. It's just dominoes, isn't it, Qwirkle?
I play Scrabble.
Yeah, I like Scrabble. Yeah.
I play Wordle.
Okay. Yeah. What's your pick of the week?
Okay, maybe blame COVID, but mine is slightly security related. Oh. And I know, I know. Well, you know, be gentle.
Amusing, isn't it?
My pick of the week is The Capture, a BBC show that just released its second series. And many a folk tweeted and emailed us asking us to cover this one. And now I am. Graham, I can't remember if you watched it or not. I remember telling you about it.
I've seen the first series. I believe there's now a second series out as well.
Yes, there's a second series. Okay, I'll give a quick description for listeners. Just quick, quick. But basically, you have an inspector, Rachel Carey, played by Holliday Grainger. She's drafted in to investigate a case, but quickly learns that, you know, disentangling misinformation from the truth is not going to be easy. That's probably the best way to put it. And it basically seems video footage is not as reliable as one would think. Maybe think deepfakes and that kind of thing. And trying to get to who's behind all these shenanigans is an equally rocky road full of pitfalls and all kinds of stuff. It's a bit MI5, right? Not 9 to 5.
Is it plausible? Do you think they stretch it too much, or do you think it's rooted in reality? I pass. No, I didn't think it was rooted in reality. But maybe it's not reality now, but it might be in 10 years' time if deepfakes continue the way they are going, for instance.
Oh, sure, sure. But not on CCTV cameras, I don't think.
Okay, I thought that was a bit, I don't know.
Anyway, whatever.
I don't know. What do I know? I don't know. But you liked it? You liked the show? Yes, yes. But I mean, no, I don't have a lot of energy at the moment. Why have you not got it yet?
Oh, stop it. So my pick of the week is The Capture. It's produced by Peacock, available currently on the BBC iPlayer. Links in the show notes. Enjoy.
Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G, and we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app. And while you're at it, maybe you want to give us a review, give us a 5-star review, say something nice about us. I don't know if it changes the algorithm, but it sure makes us feel a whole lot better. Lot better if you could do something like that. What the fuck was that?
Just give us a review if you like to. Don't worry about that. Huge thank you to this episode's sponsors, Bitwarden and Kolide, and to our wonderful Patreon community. Thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 292 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye.
We didn't even
We didn't this week.
We didn't have a guest this week. Did you notice? I didn't notice. talk about not
Carole, we didn't have a We did have a guest this week until about half an hour before we started recording.
Yes. Don't worry guys, this will not be a normal thing. It won't just be the two of us. having a guest this week.
guest this week.
We wouldn't be able to stand it either. Yeah. All right, pause.
Hit and stop.
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- DeFi bug accidentally gives $90 million to users, founder begs them to return it – CNBC.
- Compound boss begs users to return $90 million worth of cryptocurrency they were accidentally gifted – Robert Leshner on Twitter.
- Couple mistakenly given $10.5m from Crypto.com thought they had won contest, court hears – The Guardian.
- Mother accused of spending spree after mistakenly receiving $10 million in crypto bungle heads to trial – 9 News.
- Sold to gangs, forced to run online scams: inside Cambodia’s cybercrime crisis – The Guardian.
- ZÈRTZ game.
- ZÈRTZ – Wikipedia.
- GIPF project – Wikipedia.
- The Capture – BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

