Plus: An Apple lawsuit, a VPN audit, and more of the week’s top security news.

It was a big week for smartphone privacy, at least in various ways that external forces make your location data more or less secure. On the bad side of the ledger, most 5G connections in the US today aren’t actually full 5G, which means they’re susceptible to the sort of stingray surveillance that the next-generation standard was supposed to prevent. On the plus side, researchers have figured out a way to prevent your carrier from knowing where you are every single time you reconnect to a cell tower. The tricky part is getting any of them to actually implement it.

Privacy advocates this week also released documents showing that the NYPD has spent at least $159 million since 2007 to purchase surveillance tools, including stingrays, policing software, and biometric tools. 

Our colleagues in the UK took a look at new research that shows how and where extremists have set up shop on platforms like Steam and Discord. It’s a long-stewing problem, which makes it all the more frustrating that these well-resourced services haven’t managed to tackle it yet.

Google has made some changes to the Play Store, most of which matter for developers more than end users. But the switch from an Android application package to an Android app bundle does mean it should be harder for scammers to push through malware-laced sideloaded apps. 

It’s been quite a roller coaster for Poly Network, a decentralized finance system. A hacker stole over $600 million early in the week, only to begin returning it on Wednesday. By Thursday, they had returned $342 million of the funds, while another $33 million worth of Tether stablecoins had been frozen. The remaining crypto assets have been placed in a wallet that requires keys from both Poly Network and the hacker; their ultimate fate is still in the balance. 

Virtual private networks are nice in theory; they let you browse without your ISP knowing what you’re up to, and their encrypted connections make it harder for anyone to snoop on your activity. But a new investigation from the Markup shows that many VPNs still allow trackers from third-party sites, even if they themselves don’t log your activity. It’s a practice that undermines the whole privacy aspect of a VPN—and also something we factor into our best VPN recommendations.

In 2019, Apple sued a company called Corellium over its iOS virtualization software. Corellium’s products are popular among security researchers, who have limited insight into iOS itself; Apple claimed that the software violated the company’s copyright claims. The retreat comes at a time when Apple has come under fire from privacy advocates over its controversial new steps to find child sexual abuse materials in iCloud that involves iPhones themselves. It needs all the friends in the security community it can get; an unpopular lawsuit against a critical research tool wasn’t going to be the way to make them.

Over the last few months, Microsoft has dealt with a plethora of security issues tied to its Windows Print Spooler function, including more than one failed attempt to patch a vulnerability called PrintNightmare. This week, the company finally offered a way to end its printer-related woes, although it’s a bit of a workaround. Now, anyone who wants to use the Windows Point and Print feature to install drivers will need administrative privileges. That should stave off most PrintNighmare attacks—but it has already been demonstrated not to stop all of them.


More Great WIRED Stories

This post was originally published on Wired Top News