Brian Clark

@deepthoughts10@infosec.exchange

#InfoSec #Cybersecurity #threatintel and Politics. I try my best.
Also @deepthoughts10@twitter.com


Verified by Twittodon: https://twittodon.com/share.php?t=Deepthoughts10&m=deepthoughts10@infosec.exchange
Find my toots: Tootfinder

A busy ~ this week in security ~ just went out, with stories on the U.K. dropping its Apple backdoor demand, the first Scattered Spider hacker getting jail time, Workday becomes the latest tech giant to have its Salesforce database stolen, feds seize a massive DDoS-for-hire botnet, and a lot more.

Sign up for free, or read online: https://this.weekinsecurity.com/this-week-in-security-august-24-2025-edition/

this week in security — august 24 2025 edition

Plus: Age verification is breaking the internet, Lumma stealer bounces back, UK background checker breached, and more.

~this week in security~

Hey internet friends, I somehow landed myself a neat new gig heading up research at @vulncheck (there goes the neighborhood)!

We're doing a webcast next Tuesday, August 26 on 1H 2025 vulnerability and exploitation insights, including:

• 400+ CVEs were exploited for the first time and added to the VulnCheck KEV.
• 32% of VulnCheck KEVs had exploitation evidence on or before the day a CVE was disclosed.
• 180+ CVEs were newly attributed to known threat actors, but the vast majority of these had exploitation evidence (but no public attribution) before 2025.

If that sounds like we're threatening you with a good time, we are! Register here: https://wwv.vulncheck.com/1h-state-of-exploitation-webinar

VulnCheck | Webinar August 2025

For the record: Slavery was absolutely fucking awful
I have always resisted merchandising my...err...brand (ew), but I might just have to have some mugs or t-shirts made with a few of these quotes (someone sent me this and it made me lol)
First they came for the oh shit the fuckers are here for me already that was fast
Life comes at you fast

Heads up, folks:

Michael Kan reports that National Public Data is back under new owners: https://www.pcmag.com/news/site-behind-major-ssn-leak-returns-with-detailed-data-on-millions-how-to

Here is the direct link to their opt-out page instructions:
https://nationalpublicdata.com/optout.html

I had opted out previously after their humongous #databreach last year. When I checked my name now, it did not find my profile, so if you opted out before, you may still be opted out, but better safe than sorry: check and opt out if needed.

#NPD #NationalPublicData #OptOut #DataBroker #Privacy

New Cyber Analyst course — now on YouTube! In eight episodes, learn key cybersecurity skills, from protocols and data protection to traffic monitoring and analysis, plus essential tools to boost your career: https://youtube.com/playlist?list=PLpPXZRVU-dX2iWgHkVUuZOemepnKVnb5k&si=q4eimAs4pshKOG-f

When you're not sure what's happening, but it looks fun, and you want to be a part of it.

#dog #dogs #puppy #puppies #jumprope #soundon #funny #humor #cute #fun

PSA to people who've been using gzip bombs to deter crawlers: I was wrong. It works.

At least to some extent: I started noticing recently that some of the disguising bots set accept-encoding: identity, likely to avoid those gzip bombs, for every request, including HTML. You made them play catch up! CONGRATS, genuinely!

Sadly, contrary to my previous assumption, a header like this in itself is not a good indicator, because there are legit cases where a real browser will send it: such as when requesting a video, for example.

However, there's no good reason to set identity;q=1, *;q=0.

Epic series of tweets by Gavin Newsom. He nailed the style perfectly. Hilarious. 🤣🤣🤣

@carnage4life

🤣 🤣 🤣 🤣 🤣 🤣 🤣 😊

@carnage4life He's still a total dick but if a total dick wants to nail trump and give him sads I'm down.

@carnage4life

He is the perfect "Anti-Trump"

@carnage4life Perfect. With the exception that they are perfect: coherent with no misspellings or grammatical errors.
@carnage4life don’t like the guy (Tony Blair with avocado IMHO) but someone had to do it and if it’s him that’s fine.
@carnage4life I don't always agree with Newsom, but I admire his talent for trolling the MAGA morons.
@carnage4life I hate his transphobic smarmy ass but God damn that is epic
@carnage4life Nice! But what is the actual reform coming? Creative election maps is so skewed. Divide and conquer..
@carnage4life Trump should be in prison. The system let us down.