An FBI informant helped run the Incognito dark web market and allegedly approved the sale of fentanyl-laced pills, including those from a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein’s ties to Customs and Border Protection officers sparked a Department of Justice probe. Documents say that CBP officers in the US Virgin Islands were still friendly with Epstein years after his 2008 conviction, illustrating the infamous sex offender’s tactics for cultivating allies.

WIRED published a guide detailing experts’ tips and preferred tools for surveillance-resistant organizing and collaboration. In opsec fails, comments and other metadata left on a PDF detailing Homeland Security’s proposal to build “mega” detention and processing centers reveal the DHS personnel involved in the plan’s creation. And the Department of Homeland Security is making moves to combine its face and fingerprint technologies into a centralized, searchable database across all its agencies.

Fears about possible drug cartel drone activity over Texas sparked a recent airspace shutdown in New Mexico and El Paso, Texas, but the episode ultimately underscored the challenges of safely deploying anti-drone weapons near cities. A database left accessible to anyone online contained billions of records, including passwords and Social Security numbers. The situation is far from unique, but it underscores ongoing potential identity-theft risk since it appeared that some of the data has not yet been exploited by criminals.

If you’re looking to make $10,000, the Fulu Foundation—a nonprofit that pays out bounties for removing user-hostile features—is on the hunt for a way to use Ring cameras while preventing them from sending data to Amazon. And the Mexican city of Guadalupe, which will host portions of the 2026 World Cup, will deploy four new robot dogs to help provide security during matches at BBVA Stadium.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

We at WIRED have recommended password managers for years. They are, arguably, the only practical and convenient system for creating and implementing unique, sufficiently strong passwords across every online account in your life. But the risk—at least when using cloud-based password managers that back up your credentials and make them accessible across devices—is that the password manager company itself becomes a point of vulnerability. If one of these companies is breached or suffers a data leak, those flaws could expose an untold number of secret credentials.

Password manager companies have responded to those fears with promises of “zero knowledge” systems in which they claim credentials are encrypted so that even they can’t access them in an unencrypted state. But a new study from security researchers at ETH Zurich and USI Lugano shows how frequently those claims are showing cracks—or failing altogether if a malicious insider or hacker is sufficiently skilled at exploiting cryptographic flaws.

The researchers specifically analyzed password managers from Bitwarden, Dashlane, and LastPass—though they warn their findings likely apply to others, too—and found that they could often gain access to users’ credentials. In some cases, they could access users’ entire “vault” of passwords or even gain the ability to write to those vaults at will. The cryptographic vulnerabilities they found varied between password managers and existed only when certain features were enabled, such as the key escrow systems that allow the backup and recovery of passwords. But they also say many of the flaws they found were relatively simple and show the lack of scrutiny around password managers’ “zero knowledge” claims. Read the full research paper here.

Virtually no part of American society, it increasingly seems, has escaped mention in the newly released emails of the late convicted pedophile and sex trafficker Jeffrey Epstein—including the cybersecurity and technology community represented at the Defcon hacker conference. Defcon this week officially banned three people whose ties to Epstein had come to light in the Justice Department’s incomplete and highly redacted release of documents related to Epstein: cybersecurity entrepreneur Vincent Iozzo—who had already been removed from review board on the website of Black Hat, Defcon’s more corporate sister conference—as well as former MIT Media Lab director Joichi Ito and tech investor Pablos Holman. (A spokesperson for Iozzo said the ban was “performative” and not based on any “wrongdoing,” in a statement to TechCrunch, while Holman and Ito didn’t respond to its requests for comment.) All three men had extensive interactions with Epstein, including long after he was exposed as a sex offender and trafficker both in court and in extensive media reporting.

More than two decades ago, the government domain “freedom.gov” was used for news and “victory” information about the war in Iraq. Since the domain was reregistered on January 12, after years being offline, it has been part of a State Department effort to create an anti-censorship “online portal,” according to a Reuters report this week.

The report says the portal may have been created to “enable people in Europe and elsewhere” to see content banned by their governments, citing hate speech- and terrorism-related content as examples. The website may incorporate VPN technology to get around geolocation blocks. The development of the site, which could help to further fracture differing internet freedom regimes and political tensions between the US and Europe, comes at a time when many US government-funded internet freedom programs have been shut down.

President Trump is adding a new 10 percent tariff on nearly all imports to the United States, following a Supreme Court ruling that overturned most of the levies imposed by the US government last year.

In an executive order signed Friday evening, Trump outlined a few exceptions, including imports of critical minerals, beef and fruits, cars, pharmaceuticals, and products from Canada or Mexico. The new tariffs will take effect on February 24, 2026.

In a press conference Friday afternoon, Trump was fired up about the Supreme Court decision and resorted to personal attacks, calling the six justices who ruled against his trade policies “a disgrace to our nation.” Answering a reporter’s question about how two of the justices he nominated, Neil Gorsuch and Amy Coney Barrett, voted for the overturn, Trump called them “an embarrassment to their families.”

The new trade policy is based on Section 122 of the Trade Act of 1974, which allows the president to single-handedly and immediately charge tariffs of up to 15 percent if there are “large and serious” trade deficits. These tariffs only last 150 days unless Congress authorizes an extension. Like the International Emergency Economic Powers Act (IEEPA), the statute has never before been used by a US president in this way.

Once the 150-day deadline arrives, it’s possible for Trump to keep re-issuing Section 122 tariffs. But the administration could also use this time to prepare other forms of tariffs, essentially switching legal justifications to get the same regulatory effects, says Gregory Husisian, a partner and litigation attorney at Foley & Lardner LLP, which has helped over one hundred companies file requests for tariff refunds. “[Section 122 tariff] is for a limited time period, so it’s going to be a bridge authority,” Husisian says.

In the meantime, the Trump administration could rush through the process of conducting trade investigations based on concerns of national security or unfair trade practices abroad, which are a requirement for launching Section 301 and Section 232 tariffs. “We are also initiating several Section 301 and other investigations to protect our country from unfair trade practices of other countries and companies,” Trump said at the press conference, referring to these other tariff options that take longer to launch.

In a separate executive order, the administration confirmed that despite IEEPA tariffs being overturned, the de minimis exemption—which is used to exempt e-commerce packages under $800 in value from being taxed—remains suspended. The end of de minimis last year caused massive package processing backlogs at the US border as well as price increases on budget shopping platforms.

At the press conference, Trump didn’t specify what exactly would happen to companies seeking refunds on their tariff payments. The Supreme Court decision did not specify whether and how the tariffs should be refunded. Answering a reporter’s question on the topic, Trump said he expected the issue to be litigated in court.

Experts tell WIRED that they expect the refund process to be messy and long, since it might require companies to file complaints and calculate the amount of money they believe they are entitled to receive. The government could also then push back on the calculated amount. The process could last anywhere from a few months to more than two years.

The Supreme Court decision specified that the IEEPA gives the president significant power during emergencies, but noted this power doesn’t extend to taxation. Trump, at the press conference, repeatedly distorted the ruling: “But now the court has given me the unquestioned right to ban all sorts of things from coming into our country, to destroy foreign countries … but not the right to charge a fee,” he said. “How crazy is that?”

At times, the press conference turned into a rant about issues unrelated to tariffs, like how the president thinks Europe is too woke or how much he hates the Federal Reserve chair Jerome Powell. Speaking about how the court interprets the literal meaning of the IEEPA, Trump suddenly started bragging about his reading comprehension skills. “I read the paragraphs. I read very well. Great comprehension,” he said.