
390: When security firms get hacked, and your new North Korean remote worker


The SolarWinds have returned to haunt four cybersecurity companies who tried to hide their breaches and ended up with their trousers around their ankles, and North Korea succeeds in getting one of its IT workers hired... but what's their plan?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. It wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect, maybe not the best advice. Doesn't look that good.


CAROLE THERIAULT. Yeah.


UNKNOWN. Smashing Security, Episode 390: When Security Firms Get Hacked and Your New North Korean Remote Worker with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 390. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Ah, Carole, you sound in a much better voice this week. Are you feeling better?


CAROLE THERIAULT. I am, and I'm getting my sense of smell and taste back. That was a bit of a shocker. Not fun.


GRAHAM CLULEY. I didn't know you had any sense of taste ever. That's extraordinary.


CAROLE THERIAULT. Well, that's why I hang out with you.


GRAHAM CLULEY. Oh, oh, you got me on the boomerang.


CAROLE THERIAULT. Sorry, I don't mean to bully you.


GRAHAM CLULEY. Now, I've had a busy week. I went off to Norway.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. I performed on the stage at the Oslo Opera House.


CAROLE THERIAULT. I hear it's very beautiful.


GRAHAM CLULEY. It is stunning, the Oslo Opera House. It's an incredible piece of architecture. Really, really cool. Looks like a Bond villain's lair. But it was terrific being there and meeting some fans of the pod as well. Hope you enjoy your stickers.


CAROLE THERIAULT. High five to you all. Now, let's kick this show off and thank this week's wonderful sponsors: 1Password and Vanta. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about when cybersecurity companies get hacked.


CAROLE THERIAULT. Ooh, and I'm going to talk about when a new remote hire does not work out as planned. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, I'm going to start off today talking about a hack which happened a few years ago, the hack of SolarWinds. Carole, have you heard of SolarWinds?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Yes, of course you have.


CAROLE THERIAULT. It was huge.


GRAHAM CLULEY. Huge. And they are a huge company. They're a $5 billion company. They manage network infrastructure for, well, just about everyone. Over 425 of the US Fortune 500 are using their software. That means the top 10 US telecoms companies, all branches of the US military, the Department of Justice, the US President's Office, the top 5 accounting firms, Microsoft, Intel, Google, the list goes on and on and on. And their problems began when some of their developers left their GitHub repository, the place where they put in their source code. They left it open to the public, to the entire world, which isn't a good idea, is it? Well, it can be all right leaving your source code open, but maybe not if your source code includes a hardcoded plaintext password for one of your company's update servers. That's not so good, is it? Not so wise.


CAROLE THERIAULT. No, you wouldn't want to do that if you were a company.


GRAHAM CLULEY. Now that's bad enough. What's even worse, though, than revealing your password is revealing it's a really, really bad password.


CAROLE THERIAULT. I can't remember what it was.


GRAHAM CLULEY. So the company's name is SolarWinds and they have a password to their update service. Just have a guess. Have a guess.


CAROLE THERIAULT. Is it SolarWinds with some zeros and ones?


GRAHAM CLULEY. You're so close. The password was SolarWinds123.


CAROLE THERIAULT. Aha.


GRAHAM CLULEY. Yeah, not that great. As we all know, to have a properly strong password, you'd need to add an exclamation mark on the end of that. And— So SolarWinds, they took an interesting approach when they were challenged about this.

In fact, a member of Congress, Katie Porter, went viral briefly when she spoke to the SolarWinds CEO about the password.


CAROLE THERIAULT. Does this look familiar to you?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. SolarWinds123. Is it true that some servers at your company were secured with this crackerjack password, SolarWinds123?

I've got a stronger password than SolarWinds123 to stop my kids from watching too much YouTube on their iPad.


GRAHAM CLULEY. And the SolarWinds CEO, he responded by saying, well, it wasn't really our fault, and he blamed it on an intern. No.


CAROLE THERIAULT. Congressman, I believe that was a password that an intern used on one of his GitHub servers back in 2017, which was reported to our security team, and it was immediately removed. That's gross.

It's really gross.


GRAHAM CLULEY. Not good. And the problem was these Chinese hackers broke into SolarWinds.

They exploited their access to the update server and created a malicious software update called Sunburst. And that malware was installed via the booby-trapped SolarWinds software update.

It then sat around waiting for around about two weeks before doing anything malicious. And then when it triggered, it disabled all antivirus software and forensic tools to try and stay undetected.

And it started looking for other vulnerabilities to exploit on your network. And ultimately, as many as 18,000 of some of SolarWinds' 300,000 customers installed this malicious update, and they were now compromised with a remote access Trojan.

Now, 18,000, you may think, could have been much worse.


CAROLE THERIAULT. Uh-huh, but I remember the companies.


GRAHAM CLULEY. Yeah, the organizations, there's NATO, the UK government, the European Parliament, Microsoft, big organizations. And the hackers, hung around undetected for up to 9 months.


CAROLE THERIAULT. That's so gross.


GRAHAM CLULEY. In all of these organizations, stealing information, gaining unauthorized access to data and email accounts. Huge data trove.

This is one of the biggest hacks in history, one of the most serious security breaches. And it wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software.

In retrospect, maybe not the best advice. Maybe not the best advice.

Doesn't look that good. Yeah, doesn't look that good.


CAROLE THERIAULT. No, but also you can understand how big companies have been working in a certain way for decades potentially, and everything's gone tickety-boo, and they have these certain little back doors in place, and they're there for a very good reason, as long as they're kept schtum and all this. And I'm sure many companies do this.

And it's not smart, you know, because when this happens, it's a real shit show, you know?


GRAHAM CLULEY. Well, yeah, and it's certainly not smart publishing your password, particularly dumb password.


CAROLE THERIAULT. But that was obviously an error, you know, that wasn't by design.


GRAHAM CLULEY. Yes, I'm not saying it was deliberate by any means. And of course, organizations like governments, like big companies, like the US President's office, whatever, they do rely upon security companies and cyber companies pushing out updates. And sometimes they will kind of greenlight those updates rolling out.

We saw that with the big CrowdStrike outage earlier this year.


CAROLE THERIAULT. We're basically saying that companies need to be paranoid all the time, but how paranoid can you be and run a business? So it's complicated.


GRAHAM CLULEY. It's difficult, but we're putting a lot of trust in these companies. So this happened back in 2020, this huge data breach caused by this supply chain attack. So why am I talking about this today?


CAROLE THERIAULT. Graham, is it that you haven't found any other good stories in the last four years?


GRAHAM CLULEY. Well, the reason is because there's been a development.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Because although the breach happened in 2020, there are now some other big cyber firms which have been caught with their trousers down as a result of this breach. Cybersecurity firms like Avaya, Check Point, Mimecast, and Unisys have just been fined by the SEC, which says they tried to brush the impact of the SolarWinds hack, the impact that hack had on their companies, under the carpet.

So they were customers of SolarWinds who got affected by this. They were breached, but they weren't fully transparent about what happened, and they are now facing millions of dollars worth of fines as a consequence.


CAROLE THERIAULT. So they got data stolen as well and didn't report it.


GRAHAM CLULEY. Exactly. Or they didn't reveal all of the details as to what was going on.

They tried to sweep it under the rug, hoping no one would notice the giant lump of digital doo-doo that they would hide in there. So it's a bit like hiding a corpse. I don't know if you've ever hidden a corpse, Carole.


CAROLE THERIAULT. No, no, no.


GRAHAM CLULEY. Don't try and hide it under the carpet.


CAROLE THERIAULT. Not even for Halloween.


GRAHAM CLULEY. No, because you'll stumble over it. It's tricky.

You've got to hide it properly. So, for instance, Avaya, they played it cool. They said a few internal emails were accessed.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Actually, the hackers had helped themselves to at least 145 files in their cloud storage. So whoops-a-daisy, a bit more serious.


CAROLE THERIAULT. Right, so they never told customers either that their data had been leaked.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Which is super naughty too.


GRAHAM CLULEY. So then there was Mimecast as well. They apparently didn't even realize that it'd been hacked until a year after everyone else.

So a security company obviously had heard about the SolarWinds breach, didn't recognize, even though it was a customer, didn't recognize that it had actually fallen foul of it till 2021, a whole year later.


CAROLE THERIAULT. Oh, you should see my face. It's painful.


GRAHAM CLULEY. You don't like this kind of thing, do you? You don't enjoy this. You find this really uncomfortable.


CAROLE THERIAULT. No.


GRAHAM CLULEY. So, in the case of Check Point, it's said that they tried to minimise the attack. They failed to disclose the nature of the code which the hackers had stolen, and the quantity of encrypted credentials they'd accessed as well.


CAROLE THERIAULT. You see? People go too far.


GRAHAM CLULEY. Well, the hackers went too far.


CAROLE THERIAULT. Yes!


GRAHAM CLULEY. It's their fault, right? Oh, it is ultimately their fault.


CAROLE THERIAULT. Of course it is.


GRAHAM CLULEY. It's then the security company's fault for not being honest about what happened, because that's what we preach to other victims. Be transparent with your customers.

Hope they don't beat you up too much. That's better than doing a cover-up. Unisys, they described the risks of the cybersecurity breach as hypothetical.


CAROLE THERIAULT. Hypothetical?


GRAHAM CLULEY. Well, this particular hypothetical breach at Unisys actually stole gigabytes and gigabytes of data which walked out the door.


CAROLE THERIAULT. Unhypothetically.


GRAHAM CLULEY. It's a bit like standing in a volcano and saying, you know, oh, this fire thing, that's a bit of a hypothetical risk, isn't it? No, it's not a hypothetical risk when you're surrounded by flames and fire and lava. It's a bit more than that.

But now they are paying the price. Unisys have been told to pay $4 million in civil penalty, Avaya $1 million, Check Point $995,000. I don't know why they get a $5,000 rebate on that. Mimecast are gonna have to pay $990,000.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. But there's also been damage done to their brand reputation, of course, and there will be customers who will have found out about this after the fact, who will be very knocked off.


CAROLE THERIAULT. Yeah. Because you put a lot of trust in security companies because, you know, they also sit at a low level on your systems. They have access to a lot of information in order to make sure that it's safe.


GRAHAM CLULEY. And they're supposed to be the experts, these companies, right? They're the ones we trust to keep our data safe, and yet they don't seem to know how to handle a security breach themselves.


CAROLE THERIAULT. I think most companies would try and downplay it. And it's sad, but I'm trying to think they would want to just skate that line between honesty and keeping everyone calm so they don't have to deal with a huge, you know, employee going crazy and customers going crazy.


GRAHAM CLULEY. But unfortunately, it's one of those things where you kind of should be telling people, shouldn't you? Even if it's bad news, it's, I'm sorry, there's some bad news.

It's a bit like if granddad dies, right? If granddad dies, it's upsetting to everybody. But you've got to tell the grandchildren at some point that granddad isn't going to be around anymore. You can't do a Weekend at Bernie's and pretend that he's still alive.


CAROLE THERIAULT. I agree.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. Okay, okay. So no big surprises. No surprise, the whole COVID pandemic thing revolutionized remote working. And there's a huge increase in remote workers.

An Owl Labs report says that 60+ percent of workers aged 22 to 65 in the States say they work remotely at least occasionally. And that's a huge increase from pre-pandemic times. And remote workers are also apparently more productive. They attribute it to fewer distractions, reduced commuting time, and a comfortable working environment. Would you agree with that? Do you think you're more productive in a home environment than you would be in an office environment?


GRAHAM CLULEY. It's been so long since I've worked in an office environment. I mean, it's been over 10 years for me at home. I love working at home, but maybe I love all the distractions and being able to nip out for a walk around the park whenever I like, rather than having a boss breathing down my neck.


CAROLE THERIAULT. Well, there's the thing, employees like it too. Another report found that 98% of remote workers would like to continue working remotely at least part of the time for the rest of their careers.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And it seems it's good for employers too, because remote work has enabled companies to tap into the global talent pool. A Gartner survey indicated that 74% of CFOs plan to shift some employees to remote work permanently just to leverage the benefits of diverse and widespread talent.


GRAHAM CLULEY. And less office space to have to rent, or maybe you can downsize your office because people only come in once a week and you could stagger them for different days. You know, there's all kinds of big financial reasons why this could be attractive to businesses too.


CAROLE THERIAULT. Absolutely. So all this gives employees more choice over where they can live without having to compromise their careers because they can work from anywhere, while employers no longer need to stop their search for talent at the national borders. So win-win-win.

When a firm finds an international candidate for a contractor position they have open, and this person has the right profile and the right skill set, it's really smart to get your skates on because that resource won't be sitting on the sidelines for long. But despite best intentions, things can go wrong and sometimes very, very wrong as it did in this case. So a company based in either the US, UK, or Australia, they've chosen to be anonymous internationally for reasons that will maybe become clear.


GRAHAM CLULEY. Okay. So a company on planet Earth.


CAROLE THERIAULT. A company on planet Earth.


GRAHAM CLULEY. I don't know why they narrow it. Why did they bother narrowing it down that much?


CAROLE THERIAULT. It's so interesting, isn't it? So they find this strong candidate for a position, for an IT position, an IT role, and they go through all the interview hoops and checks to onboard this promising new consultant. And then, of course, tools, tech, and access is shared, and work begins, and the initial months pass.

And it's sometimes around this point, if you're an employer, that you might realize that the candidate might not work out. And this might be because despite the employer's best intentions, they're just not a good fit. That might be work quality is low, or there's poor communication, or they show up naked for a video call and break the rules or whatever.


GRAHAM CLULEY. Yeah, one of those, I won't say which one, but one of those has often been the issue with me when I've started a new job.


CAROLE THERIAULT. Now, in this specific case, the company cites poor performance, and this led to the contractor's dismissal. Fair enough.

And the firm seems to have decided to cut its losses and terminate the relationship with the consultant because he wasn't doing the work properly. And that should have been the end of that, except that following the contractor's dismissal, the company starts receiving emails with attachments containing evidence of stolen data, stolen data from their very own systems. And then the firm receives an email demanding a six-figure sum in cryptocurrency for the information not to be published or sold online.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Oh, and did I mention that this contractor's employment history and CV were totally bogus? Turns out the contractor, or the person posing as the contractor, was actually from North Korea.


GRAHAM CLULEY. Ah, ah, now that makes things a bit— so this isn't just a disgruntled employee who's a bit peeved that he's been given the boot. This is someone who maybe came into the organization with a certain intention right at the beginning.


CAROLE THERIAULT. It's very well said. Yeah, so basically this company accidentally hired a North Korean IT worker for a remote job. The worker stole data and then tried to hold the company to ransom after being fired.

Now, it's not new that North Korean workers attempt to secure jobs in the West. The FBI previously said that there are thousands of North Korean IT workers posing as non-North Korean to get remote jobs in the US in order to funnel money back to the North Korean state.


GRAHAM CLULEY. Yeah, I've been reading just recently on my little ebook reader, I've been reading The Lazarus Heist by Geoff White. And there's so much about this, of their attempts to, I mean, this is obviously on a smaller scale perhaps than some of the other hacks which they've attempted, but it is all about getting the cryptocurrency in, isn't it?


CAROLE THERIAULT. Well, SecureWorks told Business Insider that its counter-threat unit uncovered the activity after the unnamed firm from the UK, US, or Australia received the extortion demand.


GRAHAM CLULEY. They identified the activity, but they aren't too sure as to which country it happened in. Yeah, right, great.


CAROLE THERIAULT. And we don't know if the company paid or not. There's no information on that.

But you see, many companies would be prohibited from paying a ransom because of the international sanctions on North Korea.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. However, salaries received via North Korean fraudulent IT worker schemes are attempts to bypass these sanctions and generate revenue for the country.


GRAHAM CLULEY. Right. So how does it work?

Is it that they would, for instance, set up a bank account in the US, UK, Australia, and they get paid into that, and then they convert that into cryptocurrency for transportation back into North Korea, perhaps.


CAROLE THERIAULT. Or you may have a handler, a middleman, right, to collect the— you might have a U.S. address and say, yeah, send me all the tech here to this U.S. address, thank you very much.


GRAHAM CLULEY. Yep, yep.


CAROLE THERIAULT. Now, this specific instance, however, was slightly different, said SecureWorks. No longer are they just after a steady paycheck, they say they're looking for higher sums more quickly through data theft and extortion from inside the company's defenses.

And they recommend that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a purported home address.


GRAHAM CLULEY. But this is the thing, isn't it? Even if you do an interview with somebody, it may be a different person who's actually doing the job.

So they may have some sort of front person. Whether it be on a Zoom call or less likely, perhaps these days, doing it across a desk, who passes the interview.

Oh, thank you. You're absolutely wonderful.

And then the North Korean chap takes over for the actual hacking and the exfiltration of the data.


CAROLE THERIAULT. And, you know, the thing is, it opens up another can of worms because there are scams on both sides. Employees can be scammed, right, by fake companies that are trying to get their details, and employers can be scammed by fake employees.

So, you know, employees are told to be very careful about sharing details with new companies until they're completely sure the company's legit. I've seen advice like check the company has a legit website, check that it has a company email address, check its LinkedIn profile.

These are all easy to create illegitimately.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And on the other side, we've got firms who are wary of hiring scammers, and they're told to vet much more stringently. And while these additional steps are necessary, it hampers good people from finding good jobs at legit organizations.

Do you see what I mean? Because both sides are going, verify your identity, send me your passport, send me your banking details.

And the employee's like, no way, are you mad? Show me you're legit.


GRAHAM CLULEY. Yeah, I think you or I, if we were being interviewed for a job and they asked us to jump through too many hoops, at a certain point we're gonna say, you know what? No, we're not doing this.

You're just too hard to work with. You know, we wanna be your, we wanna be a bit more relaxed, guys.


CAROLE THERIAULT. Yeah, apparently Amazon has mandated by January 2025, every worker has to be back in the office. Full-time, and there's a huge outcry.

Something like 70% are saying they're looking for new work because of it.


GRAHAM CLULEY. Yeah. Well, can you imagine what it's like working in an Amazon office?


CAROLE THERIAULT. No, I mean, yeah, I think most people are now going, God, how did we work full-time in offices before? How did that happen?


GRAHAM CLULEY. There'll be time in your loo breaks.


CAROLE THERIAULT. So the whole point here is remote working has its costs too, especially when you're splashing around in international waters. Everything gets a little bit more complicated. So, you know, I don't know, I guess the advice is take heed.


GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time.

Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing.

That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security-related. My pick of the week this week is a documentary which I watched on Channel 4.

The documentary is called Undercover: Exposing the Far Right. And this was a fascinating documentary film I watched last night following the work of the campaigning anti-fascist organization Hope Not Hate and their members track down far-right extremists, go undercover, and infiltrate organizations.

Wow. And this is the first time Hope Not Hate has allowed cameras to follow its undercover team.

And I found it really interesting because it's easy to think of far-right protesters in stereotypical terms, right? I imagined someone, you know, a bit skinheaded, angry louts marching around shouting abuse at people who aren't white.

But one of the things that came across to me while watching this documentary is the puppet masters of the movement, the people at the top, who in some cases were sort of Cambridge University educated, very well spoken, who weren't necessarily beating up people on marches, but instead were trying to form an elite group of people obsessed with eugenics, with the potential to influence people in power. And in this particular investigation, these people were looking for like-minded millionaires to fund their right-wing racist agenda.

And so we had this young journalist, Harry Shookman. He went undercover.

He'd never used a hidden camera before. But he went undercover.

He posed as someone who'd come into a lot of cash and was looking to invest it. And he pretended to be racist and tried to find out more about how this far-right group was operating and structured, what they're up to.

And crucially, and critically, who their mystery other mega-million tech investor was. So there was someone else who had also put a lot of money behind this particular movement.


CAROLE THERIAULT. It's kind of like social engineering, what these investigative journalists are doing in this case.


GRAHAM CLULEY. A little bit.


CAROLE THERIAULT. You know, this whole undercover stuff. It's basically the same thing.


GRAHAM CLULEY. Yes. Not social engineering digitally, perhaps, but in real life.

But I would imagine absolutely petrifying. It was nail-biting to watch.

And of course, we recently had an outbreak of racist riots in the UK, which this movie covers as well. And this organization, Hope Not Hate, helped identify some of the people behind that.

So, really interesting documentary. As I said, I watched it on Channel 4 streaming in the UK.

It was supposed to be shown in the last few days at the London Film Festival, and it was pulled at the last moment due to safety concerns because threats had been made. From, you can imagine, the usual suspects about the airing of this documentary.

Anyway, I would recommend it. Really good documentary, which was quite enlightening.

And that is why Undercover: Exposing the Far Right is my pick of the week. Not a lot of laughs there, Carole, I'll be honest with you.


CAROLE THERIAULT. Yeah, and yeah, okay.


GRAHAM CLULEY. A worthy one though. I think you'd find it interesting.

Go and watch it. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, I may be breaking the rules today, and I'm doing it with the full knowledge that I have had this pick of the week before. What?

Yes.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Yes, deal, deal.


GRAHAM CLULEY. Sound the klaxon, sound the klaxon.


CAROLE THERIAULT. But Halloween's coming upon us, spooky time of year, and you know, the elections in the States are coming, also pretty scary.


GRAHAM CLULEY. Pretty spooky, yes.


CAROLE THERIAULT. So now I was thinking, what is the scariest movie that I've ever seen? Do you have an answer if I ask you?


GRAHAM CLULEY. Scariest movie I've ever seen? Oh, probably something like Doctor Who and the Seeds of Doom from 1976, I think it was.

That was pretty scary.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. What's the scariest movie you've ever seen? The Shining?


CAROLE THERIAULT. Thank you for asking. No, the 1973 movie The Exorcist. Definitely the scariest movie I ever saw.


GRAHAM CLULEY. Oh gosh.


CAROLE THERIAULT. Hands down. It may have been to do— when I saw it, I was way too young. But I've rewatched it and it's utterly chilling.

But even more chilling than The Exorcist is the BBC documentary that I watched last year about the making of The Exorcist. The Fear of God: 25 Years of The Exorcist. This is with Mark Kermode.

He's a talented and engaging UK-based film and culture critic. The documentary blew my mind because a lot went wrong in the making of the film.

And if you watch the film, it is scary, right? And you're "She looks petrified." And when you watch the documentary, you realize that, yes, she really was, and you realize why.


GRAHAM CLULEY. 'Cause the director was bonkers. Was it William Friedkin? He was meant to be bonkers, wasn't he?


CAROLE THERIAULT. Yeah, utterly bonkers. So this was my pick of the week back in episode 294.

It's my pick of the week again on 390 because it's that good a documentary. But as a bonus, I've also put a link to a short 8-minute essay on The Exorcist from Mark Kermode's podcast, Kermode and Mayo's Take.

It's a great resource for film buffs. There's 500 episodes or more, so they're podcast veterans like us, Clue.


GRAHAM CLULEY. So I've never watched The Exorcist quite intentionally. I've avoided it because I've heard it doesn't really appeal, and I'm a little—


CAROLE THERIAULT. Watch the documentary.


GRAHAM CLULEY. I'm a little bit scared. I am interested in the documentary. Documentary would be great, but I wanted to know, okay, you say that's scary. Have you seen Doctor Who and the Seeds of Doom?


CAROLE THERIAULT. No.


GRAHAM CLULEY. Plants taking over the world. It's really scary.

Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity, no G, Twitter and mouse, type a G.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And thank you to our episode sponsors, Vanta and 1Password, and of course to our wonderful Patreon community. It's their support that helps us give you this show for free.

Episode show notes, sponsorship info, guest list, and the entire back catalog of more than 289 episodes. Sorry, back catalog of more than 389 episodes. Check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye.


CAROLE THERIAULT. God, I almost cut off 100 episodes just that. Just boom.

Oh yeah. Slip of the tongue. We've lost 100 shows.


GRAHAM CLULEY. Data loss.

-- TRANSCRIPT ENDS --