Password Managers Share a Hidden Weakness

An FBI informant helped run a secret dark web market and allegedly approved the sale of fentanyl-laced pills, including pills from a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to Customs and Border Protection officials sparked a Justice Department investigation. Documents say CBP officers in the U.S. Virgin Islands were friendly with Epstein even years after his 2008 conviction, reflecting the notorious sex offender’s strategy of grooming associates.

WIRED published a guide detailing experts’ tips and favorite tools for counter-surveillance organizing and collaboration. In OpSec failures, comments and other metadata left on a PDF detailing Homeland Security’s proposal to build a “mega” detention and processing center reveal DHS personnel involved in the creation of the plan. And the Department of Homeland Security is taking steps to combine its facial and fingerprint technologies across all its agencies into one centralized, searchable database.

Fears about potential drug cartel drone activity in Texas recently led to airspace closures in New Mexico and El Paso, Texas, but the episode ultimately underlined the challenges of safely deploying anti-drone weapons near cities. The database, left accessible to anyone online, contained billions of records, including passwords and Social Security numbers. The situation is not unique, but it highlights an ongoing identity-theft risk, since it appears that some of the data has not yet been exploited by criminals.

If you’re looking to earn $10,000, the Fulu Foundation – a non-profit that pays bounties for removing anti-user features – is looking for a way to stop Ring cameras from sending data to Amazon. And the Mexican city of Guadalupe, which will host parts of the 2026 World Cup, will deploy four new robot dogs to help provide security during matches at BBVA Stadium.

But wait, there’s more! Each week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on titles to read full stories. And stay safe out there.

At WIRED we’ve recommended password managers for years. Arguably, they are the only practical and convenient system for creating and applying unique, sufficiently strong passwords to every online account in your life. But the risk – at least when using cloud-based password managers that back up your credentials and make them accessible across devices – is that the password manager company itself becomes a point of vulnerability. If one of these companies is breached or suffers a data leak, it could expose countless secret credentials.

Password manager companies have responded to those fears with the promise of “zero knowledge” systems, in which they claim credentials are encrypted on the user’s own device so that the company itself can never access them in an unencrypted state. But a new study from security researchers at ETH Zurich and USI Lugano shows how often those claims appear to crack, or fail altogether, when a malicious insider or hacker is sufficiently skilled at exploiting cryptographic flaws.

The researchers specifically analyzed password managers from Bitwarden, Dashlane, and LastPass – though they cautioned that their findings probably apply to others as well – and found that they could often gain access to users’ credentials. In some cases, they could access entire “vaults” of users’ passwords or even gain the ability to write to those vaults at will. The cryptographic weaknesses they found varied between password managers and were only present when certain features were enabled, such as key escrow systems that allow backup and recovery of passwords. But they also say that many of the flaws they found were relatively simple and reflect a lack of scrutiny around the “zero knowledge” claims of password managers. Read the full research paper here.
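To make the “zero knowledge” claim, and what a recovery feature can cost, concrete, here is an added illustrative model in Go. It is not code from the ETH Zurich/USI Lugano paper, from WIRED, or from Bitwarden, Dashlane or LastPass, and it does not reproduce the specific flaws the researchers found; the escrow design in it is a hypothetical, deliberately naive one chosen to show the principle. Assumptions: the client derives a vault key from the master password with PBKDF2-HMAC-SHA256 (iteration count kept low so the example runs quickly), encrypts the vault with AES-GCM, and the recovery feature wraps that vault key under a key the service holds. All function names, the sample master password and the sample vault contents are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Deliberately low so the example runs in milliseconds. Real clients use
// Argon2id or PBKDF2 with a far higher count; this is not any vendor's setting.
const kdfIterations = 10000

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out here so the
// example needs only the standard library (x/crypto/pbkdf2 is the usual choice).
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U_1 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Vault is everything the service stores. None of it is secret on its own:
// without the master password the ciphertext is opaque and unforgeable.
type Vault struct {
	Salt  []byte // random per user, public
	Nonce []byte // AES-GCM nonce, public
	Box   []byte // AES-GCM ciphertext || authentication tag
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveVaultKey runs on the client only; the master password never leaves it.
func deriveVaultKey(master string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(master), salt, kdfIterations, 32)
}

func sealBox(key, plaintext []byte) (nonce, box []byte, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, nil, err
	}
	nonce = randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// openBox fails on a wrong key and on any modification of the ciphertext,
// which is what stops a server from silently editing a vault it cannot read.
func openBox(key, nonce, box []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, box, nil)
}

// EncryptVault is the client-side path before upload (the zero-knowledge model).
func EncryptVault(master string, plaintext []byte) (Vault, error) {
	salt := randomBytes(16)
	nonce, box, err := sealBox(deriveVaultKey(master, salt), plaintext)
	if err != nil {
		return Vault{}, err
	}
	return Vault{Salt: salt, Nonce: nonce, Box: box}, nil
}

// DecryptVault is the client-side path after download.
func DecryptVault(master string, v Vault) ([]byte, error) {
	return openBox(deriveVaultKey(master, v.Salt), v.Nonce, v.Box)
}

// EscrowedVault models a hypothetical naive recovery feature: the vault key is
// wrapped under a key the service holds, so a forgotten master password can be
// "recovered". That is exactly the point at which zero knowledge ends.
type EscrowedVault struct {
	Vault
	WrapNonce  []byte
	WrappedKey []byte
}

func EnableRecovery(master string, v Vault, serviceKey []byte) (EscrowedVault, error) {
	n, w, err := sealBox(serviceKey, deriveVaultKey(master, v.Salt))
	if err != nil {
		return EscrowedVault{}, err
	}
	return EscrowedVault{Vault: v, WrapNonce: n, WrappedKey: w}, nil
}

// ServiceRecover: whoever holds serviceKey (operator, insider, or an attacker
// who stole it) reads the whole vault with no master password at all.
func ServiceRecover(serviceKey []byte, ev EscrowedVault) ([]byte, error) {
	vaultKey, err := openBox(serviceKey, ev.WrapNonce, ev.WrappedKey)
	if err != nil {
		return nil, err
	}
	return openBox(vaultKey, ev.Nonce, ev.Box)
}

// ServiceForge: the same key holder can also write. AES-GCM authenticates under
// the vault key, and escrow handed that key over, so the forged vault passes
// the user's integrity check.
func ServiceForge(serviceKey []byte, ev EscrowedVault, newPlaintext []byte) (EscrowedVault, error) {
	vaultKey, err := openBox(serviceKey, ev.WrapNonce, ev.WrappedKey)
	if err != nil {
		return ev, err
	}
	nonce, box, err := sealBox(vaultKey, newPlaintext)
	if err != nil {
		return ev, err
	}
	ev.Nonce, ev.Box = nonce, box
	return ev, nil
}

func main() {
	master := "correct horse battery staple"            // constructed sample
	secrets := []byte("example.com: alice / hunter2\n") // constructed sample
	v, _ := EncryptVault(master, secrets)
	if _, err := DecryptVault("not the master password", v); err != nil {
		fmt.Println("service without the master password:", err)
	}
	serviceKey := randomBytes(32)
	ev, _ := EnableRecovery(master, v, serviceKey)
	pt, _ := ServiceRecover(serviceKey, ev)
	fmt.Printf("with escrow enabled, service reads: %q\n", pt)
	forged, _ := ServiceForge(serviceKey, ev, []byte("example.com: alice / attacker-chosen\n"))
	pt2, _ := DecryptVault(master, forged.Vault)
	fmt.Printf("user decrypts the forged vault as: %q\n", pt2)
}
```

The check a practitioner should take from this is not the cipher choice but the question of who can ever hold the vault key: as long as only the client derives it, a breach of the service yields ciphertext plus salts and a brute-force problem, and any edit the service makes is rejected by the tag. The moment a backup or recovery feature lets a key known to the service unwrap that vault key, read and write access both follow, which is why such features deserve the same scrutiny as the core encryption.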

It seems that virtually no segment of American society has escaped mention in the newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein – including the cybersecurity and technology community represented at the Defcon hacker conference. Defcon this week officially sanctioned three people whose ties to Epstein were revealed in the Justice Department’s incomplete and highly redacted publication of Epstein-related documents: cybersecurity entrepreneur Vincenzo Iozzo – who had already been removed from the review board on the website of Defcon’s more corporate sister conference, Black Hat – as well as former MIT Media Lab director Joichi Ito and tech investor Pablos Holman. (A spokesperson for Iozzo said in a statement to TechCrunch that the ban was “demonstrative” and not based on any “wrongdoing,” while Holman and Ito did not respond to requests for comment.) All three men had extensive contact with Epstein, including long after he had been exposed as a sex offender and trafficker, as documented both in court and in extensive media reporting.

More than two decades ago, the government domain “freedom.gov” was used for news and “victory” information about the war in Iraq. Since the domain was re-registered on January 12 after being offline for years, it has been part of a State Department effort to create an anti-censorship “online portal,” according to a Reuters report this week.

The report said the portal was created to “enable people in Europe and elsewhere to view content restricted by their governments,” citing hate speech and terrorism-related content as examples. The website may incorporate VPN technology to bypass geolocation blocks. The development of the site, which could further strain relations between the US and Europe over their differing internet-freedom regimes, comes at a time when several US government-funded internet freedom programs have been shut down.
