The State of SSL Stacks
group: inks@inks.tedunangst.com
tags: #development #inks #library #networking #perf #security #update
tags: #dbir #rsac #security
to: https://mastodon.social/users/alexcpsec https://mastodon.social/users/fastlydevs
as is tradition, I just published my commentary on this year's Verizon Data Breach Investigations Report (aka #DBIR): https://kellyshortridge.com/blog/posts/shortridge-makes-sense-of-verizon-dbir-2025/
In the post, I include the following sections covering what I felt were the most notable insights and facets in the report:
- So, what?
- Espionage: fast fashion or couture?
- APTs go BWAA-haha >:3
- How do the money crimes generate money?
- Attackers are still not really using GenAI
- If you can't make your own 0day, store-bought creds are fine
- #Security was the real supply chain threat all along
- Things Rot Apart
- Scooby Doo's Spooky Kooky Corporate IT Caper
- At least some things are improving somewhere
Go forth and enjoy my commentary, and then make sure to find me at #RSAC to tell me what you loved or hated Tuesday 14:30 at the @fastlydevs booth (where you'll also get a free copy of my book)
thanks @alexcpsec for the early copy <3
tags: #gmail #googledrive #infosec #law #military #nationalsecurity #security #trump #uspol
The #GoogleDrive incident is the latest digital #security lapse for the #Trump admin. Last month, top officials inadvertently included the editor in chief of the Atlantic magazine in an unclassified chat used to discuss highly sensitive #military planning, & Trump's #NationalSecurity adviser & his staff used personal #Gmail accounts for government communications, which experts described as insufficiently secure, The Post reported.
I see a couple online news sources stating that CISA has extended the funding. They are using statements such as the following:
CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
They leave out the sourcing on this. Who said it? How was it said? Via direct email requesting a comment? X post? Was it official or OTR? Like, I believe them but please provide SOME form of indication of provenance when claiming statements are made by the US Gov.
The Perl 5 Porters have released #Perl versions 5.40.2 and 5.38.4 to address CVE-2024-56406. It is believed that this #security #vulnerability can enable Denial of Service or Arbitrary Code Execution attacks on platforms that lack sufficient defenses.
You can soon download both from your favorite #CPAN mirror or find them at:
https://metacpan.org/release/SHAY/perl-5.40.2/
https://metacpan.org/release/SHAY/perl-5.38.4/
Changes are listed in their respective "perldelta" documents:
https://metacpan.org/release/SHAY/perl-5.40.2/view/pod/perldelta.pod
Privacy Guides is formally taking a stand against dangerous and frightening technologies.
Security-focused developers and misguided "advocates" have long attempted to convince those involved in privacy and security that E2EE is an advanced security measure designed to protect your sensitive data, and Privacy Guides has stood by for far too long not setting the record straight.
https://www.privacyguides.org/articles/2025/04/01/the-dangers-of-end-to-end-encryption/
On VPN usage...
Hypothetically, any system on the web that you interact with can "know" you. And while it is true that VPNs are no different, the reality is that using a paid ProtonVPN or similar non-US based service would require that service to cooperate internationally with a warrant. Proton does not store where you visited. Good luck getting that info operationally into the hands of ICE as part of a dragnet.
No safe message scanning technology exists.
These powers would force a cybersecurity weakness onto apps like WhatsApp and Signal.
Hackers, predators and spies could crowbar their way into everything you send.
Tell Ofcom: End-to-end Encryption Means Online Safety: https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text
CLOSES Monday 10 March at 5pm.
#PracticeSafeText
Time is Running Out to Save Encryption
Ofcom is consulting on implementing message scanning powers in the UK Online Safety Act.
This would break end-to-end encryption on the messaging apps we all use!
CLOSES Monday 10 March, 5pm.
Use our tool to tell Ofcom #PracticeSafeText
ACT NOW
https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text
tags: #cybersecurity #firefox #mozilla #opensource #privacy #security #surveillance #tech
to: https://mastodon.social/users/mozillaofficial
Well, that was quick!
I wrote about my disappointment with @mozillaofficial changes:
https://mastodon.social/@BjornW/114032743031437841
Seems they were just starting
Read
https://blog.mozilla.org/en/products/firefox/firefox-terms-of-use/
Check
- https://www.mozilla.org/en-US/about/legal/terms/firefox/
- https://www.mozilla.org/en-US/privacy/firefox/#notice
Consider other Open Source apps you may use: aren't you sad that these lack ToS & Privacy legalese?
My advice: move away from Mozilla.
They have lost my trust.
1/N
Read this:
https://blog.mozilla.org/en/mozilla/mozilla-leadership-growth-planning-updates
Look at this:
https://www.mozilla.org/en-US/about/leadership
I'm baffled about the myriad of @mozillaofficial structures, the number of directors / C-level people, & how to rhyme 'investing in privacy-respecting advertising' with 'draw a bigger circle of supporters over the long run.'
As a long time Mozilla supporter, I was already unhappy about the direction of the last years & this certainly does not bode well for the future.
tags: #backdoor #encryption #privacy #security
France is about to pass the worst surveillance law in the EU.
Here's how you can stop them: https://tuta.com/blog/france-surveillance-nacrotrafic-law
tags: #linux #macos #privacy #security #windows
If you're a Windows user, I can help you switch to Linux. Please stop supporting an insecure and privacy-intrusive operating system. What's stopping you from switching to Linux/macOS? Ask all your questions, and I'll answer everything.
Today I learned that the alarm system that came with our house, a very popular one here in Ireland, can be disarmed via Siri.
The default command?
"Hey, Siri, disarm."
I shit you not.
tags: #android #infosec #privacy #screensaver #security
to: https://mastodon.social/users/jwz
This is *the most malicious, brutal* malicious compliance I've seen in quite some time, possibly ever, and I am HERE FOR IT. Thank you, @jwz
Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.
It is really sad that here too it is suggested that a cloud is secure because it is provided by large companies. If you look at the contracts, PaaS providers shift all responsibility onto the customers. If you leave vulnerabilities in your code, that code really does not automagically become secure by hosting it in the cloud.
tags: #assistsecurity #cybersecurity #dataleak #infosec #leak #security #uk #unitedkingdom
Security company Assist Security exposed over 100,000 sensitive files publicly.
If you're curious what kind of wild excuses I get from companies, this one tried to claim only the file structure was exposed. Apparently I look at filenames and paths and figure what's there from the names only and report this to companies :blobwizard:
https://jltee.substack.com/p/security-company-assist-security-exposed-data