An FBI informant helped run the Incognito dark web market and allegedly approved the sale of fentanyl-laced pills, including those from a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to Customs and Border Protection officers sparked a Department of Justice probe. Documents say that CBP officers in the US Virgin Islands were still friendly with Epstein years after his 2008 conviction, illustrating the infamous sex offender’s tactics for cultivating allies.
WIRED published a guide detailing experts’ tips and preferred tools for surveillance-resistant organizing and collaboration. In opsec fails, comments and other metadata left on a PDF detailing Homeland Security’s proposal to build “mega” detention and processing centers reveal the DHS personnel involved in the plan’s creation. And the Department of Homeland Security is making moves to combine its face and fingerprint technologies into a centralized, searchable database across all its agencies.
Fears about possible drug cartel drone activity over Texas sparked a recent airspace shutdown in New Mexico and El Paso, Texas, but the episode ultimately underscored the challenges of safely deploying anti-drone weapons near cities. A database left accessible to anyone online contained billions of records, including passwords and Social Security numbers. The situation is far from unique, but it underscores ongoing potential identity-theft risk since it appeared that some of the data has not yet been exploited by criminals.
If you’re looking to make $10,000, the Fulu Foundation—a nonprofit that pays out bounties for removing user-hostile features—is on the hunt for a way to use Ring cameras while preventing them from sending data to Amazon. And the Mexican city of Guadalupe, which will host portions of the 2026 World Cup, will deploy four new robot dogs to help provide security during matches at BBVA Stadium.
But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
We at WIRED have recommended password managers for years. They are, arguably, the only practical and convenient system for creating and implementing unique, sufficiently strong passwords across every online account in your life. But the risk—at least when using cloud-based password managers that back up your credentials and make them accessible across devices—is that the password manager company itself becomes a point of vulnerability. If one of these companies is breached or suffers a data leak, those flaws could expose an untold number of secret credentials.
Password manager companies have responded to those fears with promises of “zero knowledge” systems in which they claim credentials are encrypted so that even they can’t access them in an unencrypted state. But a new study from security researchers at ETH Zurich and USI Lugano shows how frequently those claims are showing cracks—or failing altogether if a malicious insider or hacker is sufficiently skilled at exploiting cryptographic flaws.
The researchers specifically analyzed password managers from Bitwarden, Dashlane, and LastPass—though they warn their findings likely apply to others, too—and found that they could often gain access to users’ credentials. In some cases, they could access users’ entire “vault” of passwords or even gain the ability to write to those vaults at will. The cryptographic vulnerabilities they found varied between password managers and existed only when certain features were enabled, such as the key escrow systems that allow the backup and recovery of passwords. But they also say many of the flaws they found were relatively simple and show the lack of scrutiny around password managers’ “zero knowledge” claims. Read the full research paper here.
Virtually no part of American society, it increasingly seems, has escaped mention in the newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein—including the cybersecurity and technology community represented at the Defcon hacker conference. Defcon this week officially banned three people whose ties to Epstein had come to light in the Justice Department’s incomplete and highly redacted release of documents related to Epstein: cybersecurity entrepreneur Vincent Iozzo—who had already been removed from review board on the website of Black Hat, Defcon’s more corporate sister conference—as well as former MIT Media Lab director Joichi Ito and tech investor Pablos Holman. (A spokesperson for Iozzo said the ban was “performative” and not based on any “wrongdoing,” in a statement to TechCrunch, while Holman and Ito didn’t respond to its requests for comment.) All three men had extensive interactions with Epstein, including long after he was exposed as a sex offender and trafficker both in court and in extensive media reporting.
More than two decades ago, the government domain “freedom.gov” was used for news and “victory” information about the war in Iraq. Since the domain was reregistered on January 12, after years being offline, it has been part of a State Department effort to create an anti-censorship “online portal,” according to a Reuters report this week.
The report says the portal may have been created to “enable people in Europe and elsewhere” to see content banned by their governments, citing hate speech- and terrorism-related content as examples. The website may incorporate VPN technology to get around geolocation blocks. The development of the site, which could help to further fracture differing internet freedom regimes and political tensions between the US and Europe, comes at a time when many US government-funded internet freedom programs have been shut down.
