DDoS For Hire, a CIA Card Game, and More Security News This Week

April 28, 2018 at 06:18AM
via Wired

WIRED tackled the big questions in security this week, starting with maybe the biggest: Why do so many people use "dragon" as their password? The answer actually says a lot about the psychology of passwords, and how those popular password lists are made in the first place. And there's a whole lot more.

Another surprising discovery? Why it makes at least some sense that Atlanta paid $2.6 million to recover from a ransomware attack that had demanded only $52,000. A less surprising one? That MSNBC host Joy Reid is far from the first person to blame hackers for things going awry online. And in the least surprising development of the week, the House Intelligence Committee's report on Russian interference in the 2016 election was more than a little half-baked.

As for hacks, well, we've got those too. Security researchers figured out how to turn an Amazon Echo into an eavesdropping device, although Amazon has since fixed the flaws in the system that allowed for it. Similarly, hotel rooms around the world are vulnerable to a hack that lets an intruder mimic a hotel's master key and open any door. And technologist Ray Ozzie has a plan to end the encryption debate, or at least shift the focus from technology to policy.

Plus there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Europol announced this week that it had shut down webstresser.org, a service that launched distributed denial of service attacks, which throw junk traffic at a site or service in an attempt to overwhelm it, for paying customers. The site reportedly had 136,000 registered users and was behind as many as six million DDoS strikes. Packages cost as little as $19 per month, and members could summon attacks as strong as 350 Gbps. Shutting down webstresser.org won't put much of a dent in DDoS attacks overall, which continue to grow in scale and ingenuity.

A new Citizen Lab report finds that Netsweeper, software designed to filter internet content, has been deployed by at least 10 countries to limit people's access to information. That includes, the report says, religious sites in Bahrain and media sites in Yemen, among others. The report also notes that Netsweeper itself offers filtering categories that may be at odds with human rights, including an "Alternative Lifestyles" category that blocks LGBTQ content. Citizen Lab actually found 30 countries in which Netsweeper was in use, but focused on the 10 where it seemed to be used in violation of human rights.

The CIA has a card game that it uses to train analysts. No, it's true! And thanks to a fun FOIA request from Techdirt, which revealed the details of the rules with some redactions, you might be able to play it yourself. The site has made a few "changes, fixes and alternative rules" to the CIA's version, presumably to make it more fun and functional at parties, and has launched a Kickstarter campaign to fund actual production. It had already raised $44,000 from nearly 1,500 backers at the time of publication, which suggests it'll actually get off the ground. So long, Settlers of Catan! There's a new, federal-spy-apparatus-inspired game in town.

While minors rightly have more privacy safeguards online than adults—or are supposed to, anyway, thanks to a law called COPPA—they're still vulnerable to all kinds of digital maladies, including identity theft. Javelin Strategy & Research this week reported that over a million kids in the US had suffered identity theft in 2017, leading to $2.6 billion in losses. As Fortune notes, the identity of someone 17 or under has more value on the black market, since it's essentially a clean slate: no credit history to contradict a fraudulent account, so credit card scams and more can go undetected for years.