Password managers share a hidden weakness

An FBI informant helped run the Incognito dark web market and allegedly approved the sale of pills containing fentanyl, including those of a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to Customs and Border Protection officials prompted a Justice Department investigation. Documents say CBP officers in the U.S. Virgin Islands remained friendly with Epstein years after his 2008 conviction, illustrating the notorious sex offender’s tactic of cultivating allies.

WIRED published a guide detailing experts’ tips and preferred tools for surveillance-resistant organizing and cooperation. In opsec failures, comments and other metadata left in a PDF detailing Homeland Security’s proposal to build “mega” detention and processing centers reveal the DHS staff involved in creating the plan. And the Department of Homeland Security is making moves to combine its facial and fingerprint technology into a centralized, searchable database across all its agencies.

Fears about possible drug cartel drone activity over Texas prompted a recent airspace shutdown in New Mexico and El Paso, Texas; the episode eventually ended, but it underlined the challenges of safely deploying anti-drone weapons near cities. A database left accessible to anyone online contained billions of records, including passwords and Social Security numbers. The situation is far from unique, but it highlights an ongoing identity theft risk, since it appeared that some of the data had not yet been exploited by criminals.

If you want to earn $10,000, the Fulu Foundation – a non-profit organization that pays out bounties for removing user-hostile features – is looking for a way to use Ring cameras while preventing them from sending data to Amazon. And the Mexican city of Guadalupe, which will host portions of the 2026 World Cup, will deploy four new robot dogs to help provide security during matches at BBVA Stadium.

But wait, there’s more! Each week we round up the security and privacy news we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

We at WIRED have recommended password managers for years. They are probably the only practical and convenient way to create and use unique, sufficiently strong passwords across every online account in your life. But the risk—at least when you use cloud-based password managers that back up your credentials and make them accessible across devices—is that the password manager company itself becomes a point of vulnerability. If one of these companies is breached, flaws in its design could expose an unprecedented number of secret credentials.

Password manager companies have responded to those fears with promises of “zero knowledge” systems, in which they claim that credentials are encrypted so that even they cannot access them in unencrypted form. But a new study from security researchers at ETH Zurich and USI Lugano shows how often those claims crack — or fail entirely when a malicious insider or hacker is skilled enough to exploit cryptographic flaws.

The researchers specifically analyzed password managers from Bitwarden, Dashlane and LastPass — though they caution that their findings likely apply to others as well — and found that they were often able to gain access to users’ credentials. In some cases, they could gain access to users’ entire “vaults” of passwords or even gain the ability to write to those vaults at will. The cryptographic vulnerabilities they found varied between password managers and existed only when certain features were enabled, such as the key escrow systems that enable the backup and recovery of passwords. But they also say many of the flaws they found were relatively simple and show the lack of scrutiny applied to password managers’ “zero knowledge” claims. Read the full research paper here.

Virtually no part of American society, it seems, has escaped mention in the newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein—including the cybersecurity and technology community represented at the Defcon hacking conference. Defcon this week officially banned three people whose ties to Epstein were revealed in the Justice Department’s incomplete and highly redacted release of documents related to Epstein: cybersecurity entrepreneur Vincent Iozzo—who has already been removed from the review board on the website of Black Hat, Defcon’s more corporate sister conference—as well as Joichi Ito, formerly of the MIT Media Lab, and investor Holman. (A spokesperson for Iozzo told TechCrunch in a statement that the ban was “performative” and not based on any “infraction,” while Holman and Ito did not respond to requests for comment.) All three men had extensive interactions with Epstein, including long after he was exposed as a sex offender and trafficker, both in court and in extensive media reporting.

More than two decades ago, the government domain “freedom.gov” was used for news and “victory” information about the war in Iraq. Since the domain was re-registered on Jan. 12 after years of being offline, it has been part of a State Department effort to create an “online portal” against censorship, according to a Reuters report this week.

The report says the portal may have been created to allow “people in Europe and elsewhere” to view content banned by their governments, citing hate speech and terrorism-related content as examples. The website may include VPN technology to bypass geolocation blocks. The development of the site, which could further widen the gap between US and European approaches to internet freedom and heighten political tensions between the two, comes at a time when many US government-funded internet freedom programs have been shut down.



Eva Grace