333: Barbie and the stalking spouse

Carole takes us into the sinister side of Barbie, while Graham describes a stalkerware operation that has been spilling its secrets.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Hunters – A SOC platform, built to empower your security team to reduce risk, complexity and costs.
  • Moonlock – The cybersecurity wing of MacPaw. Developers of CleanMyMac X antimalware tech, Moonlock Engine.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript:

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


UNKNOWN. Smashing Security, Episode 333: Barbie and the Stalking Spouse, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 333. My name's Graham Cluley.


CAROLE THERIAULT. 333. And I'm Carole Theriault.


GRAHAM CLULEY. Half of the number of the beast.


CAROLE THERIAULT. Half of the number of the beast. I love that.


GRAHAM CLULEY. There was a virus called the number of the beast. I think it added 666 bytes to the end of your .com files. Blast from the past, Carole, you're still on a secret mission.


CAROLE THERIAULT. For a number of weeks. So I would love to get this show on the road.


GRAHAM CLULEY. But first, let's thank our sponsors this week, Kolide, Hunters, and Moonlock from MacPaw. It's thanks to their support that we're able to bring you this podcast for free.


CAROLE THERIAULT. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be spying on the spies.


CAROLE THERIAULT. Okay. And I'm not a Barbie girl, but I am stuck in a Barbie world. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chum chum, lovely Carole, I thought it would be fun to have a little competition. We haven't had one of those for a while. A little bit of a quiz. So I'm going to ask you a question and you are going to try to answer correctly, okay? So we're going to play a game of Odd One Out. I'm going to name three things and you're going to tell me which is the odd one out.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. So that's phishing, squishing, or smishing. Which is the odd one out?


CAROLE THERIAULT. Well, obviously phishing. Obviously.


GRAHAM CLULEY. Why is phishing the odd one out?


CAROLE THERIAULT. Well, it starts with a P.


GRAHAM CLULEY. That unfortunately is the correct answer. I was really hoping you were going to say squishing as the other two are cybersecurity related. But unfortunately, you are ahead of me. All right. I'm going to bring out the big guns. I'm going to bring out the big guns.


CAROLE THERIAULT. Okay. Okay.


GRAHAM CLULEY. I'm surprised. The whole idea was for me to win this competition. But anyway, okay. So next one, next odd one out. I'm just going to lie about what the answer is. Stalkerware, spouseware, and Tupperware. Which is the odd one out?


CAROLE THERIAULT. Okay, I will say Tupperware, Graham. I will say Tupperware.


GRAHAM CLULEY. Oh, what a shame. Wrong answer. The answer is, of course, darn, stalkerware, because that is 11 characters long, and the other two are 10 characters long. So never mind. You did very well on the phishing. Anyway, I'm going to be talking about stalkerware today, also known as spouseware. It's often advertised as being a means for keeping a close eye on what your spouse is up to, maybe on their mobile device, where they're going.


CAROLE THERIAULT. I don't think close eye is the right word. I think it's actually spying.


GRAHAM CLULEY. You know, it is spying.


CAROLE THERIAULT. Invasion of privacy.


GRAHAM CLULEY. Well, I tend to agree with you. I find it really rather disturbing that people do this. People are installing secret software onto their spouse's smartphones. Maybe it's not always their spouse, of course. Could be someone else that they have an interest in. Silently watching who they're in contact with, scooping up their photos, grabbing their call logs, recording conversations, logging their location in real time.


CAROLE THERIAULT. If I found out someone was doing that to me, I would be incensed. Hi, Mark Zuckerberg.


GRAHAM CLULEY. You wouldn't— you wouldn't— you're in a relationship with Zuckerberg?


CAROLE THERIAULT. Hey, Geoff. Hey, Geoff Bezos.


GRAHAM CLULEY. You'd be so lucky. You wouldn't find that attractive. You wouldn't think, oh, he likes me so much. He likes to make sure that I'm safe at all times.


CAROLE THERIAULT. It's like that Sting song. Was it Sting or Police? Every Breath You Take.


GRAHAM CLULEY. Oh, yeah. Yes.


CAROLE THERIAULT. Basically stalking the woman completely and everyone's like, it's so romantic.


GRAHAM CLULEY. Yeah, not really so much, is it? So I'm talking about a type of stalkerware, which is called Spyhide.

And it has a website, and it's advertised as a method for you to keep tabs on your romantic partner. So if you suspect they're having an affair or lying about where they are or in secret contact with someone else.


CAROLE THERIAULT. That's how they market it?


GRAHAM CLULEY. Yes. There is a fancy little video where you can see the scenarios.


CAROLE THERIAULT. So it's not like, hey, are you worried your partner is going to run into trouble? You can use this to locate them and find out where they are. They're actually just going for, you can just spy and spend your entire life watching someone else live their life.


GRAHAM CLULEY. To be honest, the clue is in the name. They actually call it Spyhide. They don't call it, you know, take care of your partner or something like that.


CAROLE THERIAULT. I'm such an idiot. I was thinking hide like cowhide. I didn't actually, yeah.


GRAHAM CLULEY. Oh, cowhide.


CAROLE THERIAULT. Yeah, I didn't— anyway, I can't explain why that happened in my brain. Maybe I'm losing it.


GRAHAM CLULEY. But you are right. Quite often stalkerware is promoted as a way of keeping an eye on a loved one in case they have a car accident or get lost and get in some spot of bother, rather like the software some people put on their kids' phones to see where they are and to keep an eye on them and helicopter around them.


CAROLE THERIAULT. Right, exactly.


GRAHAM CLULEY. So obviously this isn't something which people want on their phones. Spyhide hides on your Android smartphone, and it's really difficult for inexperienced users to tell that Spyhide is on their phone.

It disguises itself with an innocuous-looking icon, calls itself like Google Settings or something. It's hard to remove. It's not available on the Google Play Store. It's banned from there because they obviously don't like apps like this. You have to go and get it from Spyhide's own website.


CAROLE THERIAULT. Oh, right. So you would have to deliberately go to the Spyhide website or be tricked into going there or whatever to have it downloaded onto a third-party device you want to spy on?


GRAHAM CLULEY. Yeah, it seems like there's a variety of ways of getting it installed on people's devices. So it may be that, of course, your partner has had temporary access to your device and so they've installed it without you knowing and set it up.

But there may also be social engineering tricks which can be used.


CAROLE THERIAULT. 'Hey, here's the list for today's shopping.' Right.


GRAHAM CLULEY. Something like that. So the big problem with stalkerware is the huge amount of sensitive information it's scooping up about its targets, which can be obviously looked at and trawled through by your stalker or your jealous partner.

And that huge amount, the actual size of the data, that's a big problem as well, because that has to be stored somewhere. By the spyware firm. They're going to put that somewhere up in the cloud so that the stalker can access it via their dashboard, hopefully behind a secure password.


CAROLE THERIAULT. Oh, Lord.


GRAHAM CLULEY. Right. You're beginning to get the feel for what's going to happen here.


CAROLE THERIAULT. And you—


GRAHAM CLULEY. It may surprise you to know that some of the developers of stalkerware in the past have been a little bit lax when it comes to their own security. You would think, as they work in this field, that they would take a little more care.

But surprisingly, a number of these stalkerware, spouseware companies have come a cropper in the past. Now, a Swiss-based security researcher has just recently blogged about how the makers of Spyhide—not to be confused with cowhide or moosehide or any other kind of hide—Spyhide accidentally left part of their backend exposed. Dun dun dun!


CAROLE THERIAULT. Pull your trousers up, people!


GRAHAM CLULEY. Right, right, yes, exactly. If your backend's exposed, it's not always easy to know, is it?

I mean, quite often someone will tell you, "By the way, just sort that out, give them a yank up." If you do leave your backend exposed, as the developers of Spyhide did, someone of course may be able to find a way in.

And this researcher did exactly that. They were able to access the source code—the actual source code for the app's web-based dashboard, the thing which was running the dashboard. Jesus.

And that in turn spilled out plenty of secrets about how the Spyhide app operated and Spyhide's infrastructure. And as an article in TechCrunch explains, what they found were bugs in the dashboard's code, and that allowed the researcher to gain unfettered access to the backend database, revealing much of Spyhide's operations and even spilling details of its suspected administrators.


CAROLE THERIAULT. Were they able to access the information, of course, that was being stored on the poor victims that were being spied upon?


GRAHAM CLULEY. Oh yes, yes, yes. Oh dear.

In all, they were able to gather records of 60,000 Spyhide-compromised Android devices. Dating back to 2016, including call logs, text messages, precise location history dating back years, as well as information about every file, when every photo or video was taken and uploaded, when calls were recorded, how long for.

Just one smartphone in the US, which had been compromised by Spyhide, had quietly uploaded more than 100,000 location data points going back years. Fuck off. Oh my God.

So this just all spilled out.


CAROLE THERIAULT. So, so did they contact—were they able to identify which phones had been, this install, this was installed on and contact the owner?


GRAHAM CLULEY. Well, they don't have details of the victims. So they have details of where the victims have been.

They have details of what the victims have been saying and their photographs and their conversations and all of that. What they don't have is the contact details for their victims.

Okay, well, what details would they have? Well, I don't know.


CAROLE THERIAULT. I'm assuming—I don't know, I'm assuming there'd be information, breadcrumbs inside the information to be able to identify who it is.


GRAHAM CLULEY. Well, yeah, quite possibly, both photographic and in the messages. Yeah, I agree with you that there certainly would be information there, but I think with this amount of information, that'd be an awful lot to go through.

Besides which, if you sent a message saying, "Hey, someone's been spying on your phone for ages and I've got the information about it," most people are probably going to treat such a communication arriving in their inbox with suspicion or put it in the spam folder or delete it. What they do have is a record of the people who actually signed up with Spyhide, of the stalkers.

And there's a record of 750,000 people who registered an interest in Spyhide, although most of them didn't go on to pay for the actual spyware and install it on someone's phone. But they do have 3.29 million text messages containing highly personal information.

They've got two-factor codes, they've got password reset links, they've got more than 1.2 million call logs, they've got recordings of 312,000 phone calls, contact lists, addresses. It's a huge amount of information.


CAROLE THERIAULT. It sucks though, because, you know, if you're listening to this story wherever you are in the world, you might go, "Hmm, I wonder if that happened to me." I wonder. So is there a way that someone can check on their phone?


GRAHAM CLULEY. Well, I'm going to tell you in just a minute how to do that.


CAROLE THERIAULT. Okay, brilliant.


GRAHAM CLULEY. And how to protect yourself. So one thing this research can do— so normally when you find a vulnerability in a piece of software or a weakness or someone's left loads of data lying around, you want to tell them, right?

You want to tell them responsibly so that problem gets fixed because you don't want this data falling into the wrong hands. The people who run Spyhide, however, don't particularly want to be identified because what they're doing is, you know, with the very best will in the world, is distinctly shady.

So they don't announce who they are or give you easy means to contact them. But this researcher who broke into Spyhide's backend and looked at the source code found embedded in the source code the names of two developers based in Iran who, it appears, had actually written the code.

They haven't replied to requests for comment from TechCrunch or from the researcher, but it was also found that the app is communicating with a server based in Germany. And so they've been in contact with the people who run the server, the web host, and that server's now been shut down because it's against their terms of service.


CAROLE THERIAULT. Yeah, I would argue though that the coders may be just contracted in to write code and had nothing to do with the actual company. Is that possible or is there distinct because I know loads of people that code and then leave a little signature inside saying, "This is my code."

Yeah, it's always possible, isn't it?


GRAHAM CLULEY. It's always possible that that's the case. Someone has hired someone else or someone's name has been left in a piece of code. It's a possibility.

It certainly requires further investigation to know for sure. The researcher has named these two people, or at least he's pseudonymized the names, but you can see at least their first name and their initial of their surname in his report should you wish to go and look it up.

So what can you do about this? Well, what the recommendation is, is to enable a feature which is available on Android called Google Play Protect. And this is something which Google introduced a while ago to protect against malicious Android apps like spyware.

You can go into the settings menu in Google Play to turn it on, and it will check apps when you install them and also periodically scan your device. Because of course if it was your jealous partner who installed this thing, they're just going to ignore any warning which pops up then.

But because it then periodically scans your device again, warning if it finds a potentially harmful app, that could warn you that this is going on. What you then do is really up to you, because you could find yourself in a difficult situation where you maybe are sharing a house with someone who's actually spying and stalking upon you.

So tread carefully as to what you may wish to do then. It's a really unpleasant thing.

And there are a lot of security researchers these days who are putting a lot of effort into trying to raise awareness of stalkerware and help people learn more ways to better protect themselves. So we'll put some useful links in the show notes.


CAROLE THERIAULT. And you know what? This could also be someone's boss doing this for their employees, using it as a type of bossware.


GRAHAM CLULEY. That certainly has happened as well in the past. I've heard of people who've actually lost their jobs because they refused to run stalkerware or spyware on their phones, which was logging how busy they were and whether they were on the premises in time. People just need to get a life.


CAROLE THERIAULT. Stop spying on other people. Do your own thing.


GRAHAM CLULEY. We do wonder if you're spying that much, how you actually have time to get on with your own life.


CAROLE THERIAULT. Yeah, you're just sitting there eating pot noodles and hot noodles.


GRAHAM CLULEY. You're ridiculous. Carole, what's your story for us this week?


CAROLE THERIAULT. Well, what do you know about Barbie, Graham?


GRAHAM CLULEY. I know she's about 6 foot 4 tall, has 38-inch legs, and doesn't she have an 18-inch waist and a 40-inch bust? She has ridiculous vital statistics.


CAROLE THERIAULT. Do you know what company?


GRAHAM CLULEY. Is it Mattel who produced Barbie, or is that Cindy? No, it's Mattel. Correct. It is. And Cindy is the British version of Barbie, is that right? I don't— you wouldn't probably know.


CAROLE THERIAULT. I'm not an aficionado in anything other than Barbie right now. For a tiny little moment.


GRAHAM CLULEY. You are supposed to have British citizenship. You should really know that. That would have been a question I would have asked you.


CAROLE THERIAULT. Well, let's see what you know about Barbie, shall we? Oh, God. Okay. What's her name? What's her name?


GRAHAM CLULEY. Her name is Barbara Bolognese. I don't know. What's her name? Barbara.


CAROLE THERIAULT. You're right. It is Barbara Millicent Roberts is her name.


GRAHAM CLULEY. Barbara Millicent Roberts.


CAROLE THERIAULT. That's how you should refer to her unless you were a good friend of Barbie. Apparently, this is— yeah, only friends can call her Barbie. How old is she? How old is she?


GRAHAM CLULEY. Well, by now she must be about 75.


CAROLE THERIAULT. She's 66, I think. Right? Yes, you did 333. Here's 66.


GRAHAM CLULEY. Look at this. It's all coming together.


CAROLE THERIAULT. What do you think? What does she do for a living?


GRAHAM CLULEY. Is she an Instagrammer? Is she an influencer? Doesn't she just mostly drive a little convertible around having a gay old time with Ken? Is that what you think?


CAROLE THERIAULT. Yeah. Actually, I think you'll find, Graham, she has the most impressive resume in history. More than 200 careers, including paleontologist, Desert Storm medic, McDonald's cashier, zoo doctor, business exec, secretary, Catwoman, and even a Canadian Mountie.

She's been to space twice and has run for president 6 times. Did she win? I don't know the answer to that.


GRAHAM CLULEY. Do we know which party she runs for? Does she run her own party, the Barbie Party?


CAROLE THERIAULT. I don't think, I think she'd be quite smart to stay away from politics. She probably just runs for president of the world or something.

But of course, as you mentioned, Barbies are controversial, right? She has impossible measurements. Feminists are not necessarily big fans of Barbie and what she portrays. And of course, there is a new movie that's come out.


GRAHAM CLULEY. You've probably heard. I haven't seen it. I've heard about it.

I heard people are watching both Barbie and Oppenheimer at the same— well, not at the same time, but sort of on the same day.


CAROLE THERIAULT. Yeah, it's Barbenheimer weekend or something.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Yeah. And the reason for that is because there's a writers' strike right now in good old Hollywood.

So all eyes are on these two movies and Barbie is killing it at the box office. I mean, if you open any newspaper, you read about that, don't you? They have actually served up the biggest week in history for a Warner Bros. movie, almost $600 million in the first week.


GRAHAM CLULEY. And it keeps going strong. I imagine it's quite a good movie, but it's not the sort of thing which would compel me to go to the cinema.

I think I'd wait a few months until it appeared for free on a streaming service.


CAROLE THERIAULT. I'm not sure you're their target market, really.


GRAHAM CLULEY. I mean, no judgment, but just, you know. Okay.


CAROLE THERIAULT. So basically, the pic is basically assured of joining the billion-dollar club, right? Movie club.

I didn't even know such a thing existed. And, you know, the stars are aligned, right? The kids are out of school, there's a writers' strike, and moviemakers went on a huge media offensive, these moviemakers, the Barbie moviemakers, ensuring that everyone and their dog, and even me, wrote about Barbie in some capacity.


GRAHAM CLULEY. There has been a huge publicity campaign around it.


CAROLE THERIAULT. Yeah. Right?

Massive. I mean, think of the zillions of entertainment journos and bloggers and TikTokers who have column inches and podcasts and videos to make. If there's not much going on, let them talk Barbie.


GRAHAM CLULEY. And it feels there's a lot of love towards Barbie. There aren't many people who, at least from what I've seen, who are pointing out, is this really a good role model?

I mean, other than running for president 6 times.


CAROLE THERIAULT. Well, they've kind of tried to switch it all up. You know, the movie is kind of Barbie, the essence of the movie is Barbie is going to the real world, right?

So she comes out of her fantasy area. I think one of the big things is her feet go flat, finally, right? So she's no longer having to wear high heels everywhere. Anyway, and of course, it was directed by Greta, right? I can't remember her last name now for some reason.


GRAHAM CLULEY. Is it Greta Gerwig?


CAROLE THERIAULT. I can't remember how you pronounce it. I think it's Gedwig. No, Gerwig. Gerwig. Thank you. Yeah, Greta Gerwig. So, you know, that's also big news that she's done that. Yeah. So we have this huge Barbie media storm. It's killing it at the box office. And what's a scammer to do? What's a scammer to do, Graham? You're sitting at home.


GRAHAM CLULEY. In scam HQ. Okay. In scam HQ. If I were in scam HQ, there's a number of things I would do. First of all, I would put up a malicious torrent claiming to be a pirated version of the movie so you didn't have to go to the cinema and catch COVID. By the way, I read Boris Johnson went to my local cinema. To watch the Barbie movie, which makes me never want to go to that cinema ever again. He announced that's where he had gone. So yes, that's one thing I'd do.


CAROLE THERIAULT. Well, you're actually — let me just say that's actually happened according to McAfee. So, you know, if you were being targeted, there's more than 100 different attacks that they've seen so far. So one of them, as you say, is a link to a Discord server or website promising a movie download, right? And you're prompted to download a large .exe file, but wouldn't you know it, the file is loaded with malware, including Redline Stealer spyware, they say. And that gathers up personal information, login information, all manner of stuff you don't want baddies to have.


GRAHAM CLULEY. Yeah. Okay. Well, okay. Yeah. Well, that sounds — but I've got some other ideas. Yes, please. I'm thinking — so again, with my malicious hat on, I'm thinking maybe I'd create a Barbie screensaver or a Barbie game people could download, and that would again, maybe infect you. Maybe I could create a Barbie artificial intelligence girlfriend simulator. So if I was Ken and trusted—


CAROLE THERIAULT. Oh, I thought you were trying to say that she was a lesbian.


GRAHAM CLULEY. I don't know. I have no idea what she does, but good luck to her. But yeah, she's probably fluid. She probably is. But yeah, so maybe something like that that people can just—


CAROLE THERIAULT. A Barbie simulator.


GRAHAM CLULEY. Yeah, why not? I didn't read about that.


CAROLE THERIAULT. But one interesting thing is because it's taken the world by storm, there may be some places where it's difficult to get it in your own language. So baddies are targeting certain areas. They've seen this in India, where you can get the Barbie movie in your preferred language. When you click on the link, it prompts the victim to download a zip file, which is packed with malware, says McAfee. So they say there's at least 100 new instances of Barbie-related malware. And the thing is, what do you do to protect yourself? Do you want to have a go at that?


GRAHAM CLULEY. I imagine McAfee are going to say that you should run McAfee security software on your computer.


CAROLE THERIAULT. That was point 6, but I took that out of my list.


GRAHAM CLULEY. Well, don't download pirated software would be one recommendation, right? Yeah. Go to legitimate sources for your stuff. Trusted retailers and streamers, yes. That'd be a good idea as well. If you do install anything, don't give it exceptional permissions to access sensitive information on your phone, perhaps.


CAROLE THERIAULT. Yeah. Don't click on ads and Facebook, yes. Watch out for dodgy promos or offers or giveaways.


GRAHAM CLULEY. Yeah, and also, why not just get on something which was trending 20 or 30 years ago, like the Furbies or something like that? Why not think, actually, rather than watching Barbie, we are going to watch Teenage Mutant Ninja Turtles? Because probably there aren't any scammers.

Blast from the past. Yeah, all the scammers have moved up. Because I'm sure these scammers, they're simply looking for what is trending at the moment. They may even have this done algorithmically and say, right, this movie's hot, therefore that'll be the disguise du jour, exactly.


CAROLE THERIAULT. And what are people saying about this film? It does seem from my echo chamber position that most people online seem to be quite impressed with the film. But there are a few naysayers. There's one TikToker influencer named Brooke James, who was unimpressed. And 1.2 million people saw her video saying, you know, if I had to scale it from 1 to 10, I'd give it a 3. And being kind when she advised that people, you know, shouldn't waste their money going to see it. And apparently they're calling this a viral video because it's one of the only naysaying videos.


GRAHAM CLULEY. You know, why did they have to say that? Someone has poured their heart and soul for years into making this movie. You've never ever bitched about anything that anyone has ever created, but some bloody TikToker who creates a 90-second video saying, oh no, don't waste your time watching the Barbie movie. It's, oh yeah, but watch 30,000 TikToks.


CAROLE THERIAULT. I'm not worried about Barbie losing out here. It's about to be a box office record hit, so I think everyone's fine. Someone else actually spoke out against the film. I'm not going to tell you who it is, but I'm going to say what they said and see if you can guess.


GRAHAM CLULEY. Piers Morgan. You're right. Was I?


CAROLE THERIAULT. Quote, quote, if I made a movie mocking women as useless dunderheads constantly attacking the matriarchy and depicting all things feminist as toxic bullshit, I wouldn't just be canceled, I'd be executed. He's just calling the Sun and New York Post after seeing the Barbie movie.


GRAHAM CLULEY. So desperate for attention, isn't he? What a pillock.


CAROLE THERIAULT. Maybe I should just go see the movie to spite him. Or maybe he's using reverse psychology. Maybe he's in on it. Oh my God.


GRAHAM CLULEY. Mindscrew Up. Mac users might come off as overconfident, and not only because they use beautiful Apple devices. 28% of them believe that Mac computers don't have malware. 35% name Safari as a secure browser, and 22% use the same password in multiple online accounts. These are the results of a security survey produced by MoonLock, the cybersecurity team at MacPaw dedicated to delivering anti-malware tech that anyone can use. The entire MoonLock report is up for grabs for everyone. So visit moonlock.com and see how Mac users can navigate the ever-changing cybersecurity landscape today.


CAROLE THERIAULT. Your IT and your company has Okta. This message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. Relying on a SIEM in 2023 is like living in a college dorm room post-graduation. You're operating in an environment you've outgrown. Well, the Hunters SOC platform is purpose-built to help your security operations mature to the level where you need to be. With Hunters, you can ingest and normalize as much data as you have at a predictable cost without having to compromise on visibility and retention. You can also automatically cross-correlate data logs from your entire security and IT stack to connect and track events throughout your organization without switching screens, and you can leverage out-of-the-box and always up-to-date detections that cover 80% of the most common security use cases.

ChargePoint, the world's largest network of electric vehicle charging stations, uses Hunters SOC platform to leverage its out-of-the-box detection content to more efficiently respond to new threats and vulnerabilities. So it's time for your security team to move beyond SIEM with Hunters. Visit hunters.security to learn more, and thanks to them for supporting the show.

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Better not be.

Well, my Pick of the Week this week is not security-related. My Pick of the Week is, it's been recommended to me actually by someone who is on the Smashing Security Reddit. A chap called Robster. Hi, Robster.

Well, actually, his name is R085TA, but I'm going to read that as Robster. And he recommended a site which I thought was rather interesting.

So, Carole, what do you think of— what do you think of when you are watching a movie, maybe the Barbie movie, and it says based on a true story? What do you think of when you— what's your reaction?


CAROLE THERIAULT. Based on a true story? And it was the Barbie movie? Well, maybe Barbie.


GRAHAM CLULEY. I don't know. You saw the Tetris movie recently. You know, there are other movies you've seen. You know, what do you think?


CAROLE THERIAULT. Well, maybe documentary or, you know, docudrama.


GRAHAM CLULEY. Do you ever think, "Yeah, right. Based on a true story. Wonder how much of this is made up." Well, I don't think that means anything, to be honest.


CAROLE THERIAULT. I don't think it means anything. You know, I could have— what does it mean? I've talked about this with friends before. It means nothing. It gives you full license to do anything, both tell exact stories and tell fake stories, doesn't it?


GRAHAM CLULEY. Exactly. But I'm often interested how much is really true. You know, there was that movie about Freddie Mercury and Queen, Bohemian Rhapsody, right? Which I haven't seen.

But the Elton John one, or the Eddie the Eagle movie, which I did see. I saw that one. And I think, you know, well, how much of this is really true? How much is this dramatic license? How much they sort of changed the characters or amalgamated people?

Well, for irritating people like me who want to know that kind of detail, there is now a website recommended to me by Robster via the Smashing Security Reddit. The website is called historyversushollywood.com. And what it does is it lists recent movies which claim to be based upon a true story, and it analyzes them.

It not only shows you the actor with a real picture of the person they were portraying. So you can say, oh, that's a pretty good likeness, or whatever. But it also looks at plot points and elements and story beats.


CAROLE THERIAULT. Deviations from actual truth as well, I bet.


GRAHAM CLULEY. It either confirms or denies whether things happened, and it gives you the real story. So if you watched, for instance, have you seen Weird: The Al Yankovic Story yet?


CAROLE THERIAULT. No, I haven't. And I was a very big Weird Al Yankovic fan when I was little.


GRAHAM CLULEY. I know. Well, Harry Potter's Daniel Radcliffe plays Weird Al. And if you were to watch that, you could then go to History vs Hollywood and find out, no, he didn't date Madonna in real life. And he didn't come up with his breakout hit of My Bologna based on My Sharona while making sandwiches.

It's not true. There's a different story of how he came up with these things.


CAROLE THERIAULT. Yeah. And you know the real truth thanks to Hollywood vs. History. Okay, exactly, right.


GRAHAM CLULEY. If I were to go and see the Barbie movie, I would go straight on History vs. Hollywood afterwards and see, well, how well does this match the true story of Barbara Millicent Roberts?


CAROLE THERIAULT. And then bore everyone senseless, right? Every dinner party or place of gathering going, "actually, I think you'll find—" I understand.


GRAHAM CLULEY. That's really the story of my life. That refrain, me saying, "I think you'll find that isn't actually what happened." Well, for me at least, and I'm sure for some of our listeners, they would love to be able to do that as well. Make themselves popular at dinner parties.

History vs Hollywood is my pick of the week. Brilliant. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, I don't want to disappoint, obviously. So I have a podcast for my pick of the week. Did my autocorrect just change that to "The Crowd Goes Mild"? It's from Tortoise. This is a podcast channel and it's called The News Meeting.

I think I told you about it a few weeks ago, Graham, in part because the host, James Harding, sounds an awful lot like your older brother. Let me tell you the gist of the podcast. So you have three journalists from different backgrounds representing different papers. And they all take turns to pitch a story as a front pager. So they take topical events of that week and build a case around a particular story as to why it should be the lead story.


GRAHAM CLULEY. I like the sound of this.


CAROLE THERIAULT. And then the other journalists may ask questions, you know, and try and poke holes into it. The host will ask questions and probe. And then at the end, the host makes a call as the kind of editor-in-chief and says which one he chooses of the three stories and explains why he's done so. It's great. I think James Harding's voice is just perfect for radio. And I like all the journalists he's had on. He gets a different bunch every week.


GRAHAM CLULEY. Hang on. You think my brother's voice is perfect for radio? You don't think—


CAROLE THERIAULT. I do. I've told you that already, actually.


GRAHAM CLULEY. But you don't think his brother, who has a successful cybersecurity podcast, which he co-hosts, you don't think that he has a great voice for radio?


CAROLE THERIAULT. Well, he has a podcast already. The other brother, who'll remain nameless. It's a really neat— this is why I'm mentioning it. It's a really neat way for people to see how a story might be selected to be on the front page.

You know, we've got a background in PR and communications and all that. So we kind of have an inside view on that. And I think it's pretty true to form. So you can hear a variety of intelligent arguments as to, you know, for or against running a story. And I really like it. I've been listening to it every week.

So if it sounds like your cup of tea, I'd say check out the News Meeting podcast from Tortoise. Find it wherever you get your podcasts from. And that's my pick of the week.


GRAHAM CLULEY. Who's it from? Is it Tortoise?


CAROLE THERIAULT. Yeah, it's like a podcast channel.


GRAHAM CLULEY. And tortoise is as in the animal.


CAROLE THERIAULT. Yes. What, am I saying it weirdly? T-O-R-T-O-I-S-E.


GRAHAM CLULEY. No, you weren't saying it. Some people say tortoise, don't they?

How do we feel about those people? People who say tortoise.


CAROLE THERIAULT. I feel fine with them.


GRAHAM CLULEY. You're fine with them. Well, that's good, Carole. That's good.

We embrace everybody here. And that just about wraps up the show for this week.

You can follow us on X. We're not allowed to call it Twitter anymore.

@SmashingSecurity, no G. X wouldn't allow us to have a G.

That sounds ridiculous. We also have a Mastodon account and look up Smashing Security on Reddit, where maybe you've got some suggestions for Picks of the Week as well.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide, Hunters, and Moonlock from MacPaw. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 330 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio.


CAROLE THERIAULT. Bye-bye. Bye-bye.


GRAHAM CLULEY. Well, Carole, enjoy the rest of your permission.


CAROLE THERIAULT. Oh, I will, I will. There's already been a number of exciting events which I will share with you offline.

-- TRANSCRIPT ENDS --