Desktops (Apple)

An Ex-NSA Hacker Who Has Organized the First-Ever Mac Security Conference (vice.com)

Motherboard's Lorenzo Franceschi-Bicchierai spoke with Patrick Wardle, the ex-NSA hacker who's organizing a security conference exclusively dedicated to Macs. Despite Apple's famous mid-2000s marketing claim that Macs don't get "PC viruses," Mac computers do in fact have bugs, vulnerabilities, and even malware targeted at them. From the report: "People are peeking behind the curtain and realizing that the facade of Mac security is not always what it's cracked up to be," Wardle told Motherboard in a phone interview. "Any company that designs software is going to have issues -- but Apple has perfected the art of a flawless public facade that masks many security issues." Wardle would know. After hacking primarily Windows computers at Fort Meade, for the last few years Wardle has been finding several issues in MacOS, so many that he considers himself a "thorn" in Apple's side. But his conference is not an exercise in shaming or finger pointing, Wardle said; he hopes to educate and teach people about Mac security, especially now that so many companies are using Macs as their corporate computers.

The conference is called Objective By the Sea, a wordplay on Objective-See, the name of Wardle's suite of free Mac security products (which is itself a wordplay on Apple's main programming language, Objective-C). It will be held in Maui, Hawaii on November 3 and 4. The conference will be free for residents of Hawaii and for patrons of Objective-See. That's why Wardle said he can't afford to pay for all speakers to attend, but he had no trouble finding people who wanted to participate. One group that doesn't want to come to Maui, at least for now, is Apple. Wardle said he reached out to the company, essentially offering it carte blanche to talk about whatever it wanted. But the company, so far, has not responded, according to him.

The Courts

Facebook Faces Class-Action Lawsuit Over Massive New Hack (theverge.com)

Following the revelations this morning that a hacker exploited a security flaw in a popular feature of Facebook to steal account credentials of as many as 50 million users, a class-action lawsuit has been filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. "Both allege that Facebook's lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach," reports The Verge. From the report: The lawsuit was filed today in U.S. District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California's Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the provision of credit monitoring services, punitive damages, and the coverage of attorneys' fees and expenses. Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred.

As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, "We're looking into Facebook's massive data breach. New Yorkers deserve to know that their information will be protected." Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, "I want answers." In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack as "deeply concerning" and calling for a full investigation.

Facebook

US Government Loses Bid To Force Facebook To Wiretap Messenger Calls (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: U.S. government investigators have lost a case to force Facebook to wiretap calls made over its Messenger app. A joint federal and state law enforcement effort investigating the MS-13 gang had pushed a district court to hold the social networking giant in contempt of court for refusing to permit real-time listening in on voice calls. According to sources speaking to Reuters, the judge later ruled in Facebook's favor -- although, because the case remains under seal, it's not known for what reason. The case, filed in a Fresno, Calif. district court, centers on alleged gang members accused of murder and other crimes. The government had been pushing to prosecute 16 suspected gang members, but is said to have leaned on Facebook to obtain further evidence.

iPhone

iPhone XS Passcode Bypass Hack Exposes Contacts, Photos (threatpost.com)

secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks.

Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).

Businesses

BitTorrent and Tron Hope Other Clients Will Embrace Blockchain-Powered 'Paid' Seeding (torrentfreak.com)

BitTorrent and Tron, following the acquisition, hope to successfully integrate blockchain technology with the popular file-sharing protocol. From a report: Both companies were built around decentralization, which makes for a good match. However, it doesn't stop there. BitTorrent and Tron plan to integrate blockchain technology into future releases of their torrent clients. In short, they want to make it possible for users to 'earn' tokens by seeding. At the same time, others can 'bid' tokens to speed up their downloads. The new plan is dubbed "Project Atlas" and BitTorrent currently has seven people working on it full-time. In theory, the incentives will increase total seeding capacity, improving the health of the torrent ecosystem.

"By adding tokens we'll make it so that you can effectively earn per seeding and create incentives for users not only to seed longer but to dedicate more of their bandwidth and storage overall," Project Atlas lead Justin Knoll says. The idea to merge the blockchain with file-sharing technology isn't new. Joystream previously implemented a similar idea, and Upfiring is also working on incentivized sharing. BitTorrent itself also considered it before Tron came into the picture. "Even before the Tron acquisition, our R&D team was looking at ways to add blockchain based incentives to the protocol. Now with the addition of Tron's expertise, we can accelerate that effort," Knoll says.

BitTorrent says it will start implementing the technology in its desktop clients, such as uTorrent. After that, it intends to bring it to mobile. The company is additionally encouraging developers of other BitTorrent clients to follow suit. "We'll release the details of our implementation and encourage third-party clients and the whole ecosystem to implement this," Knoll was quoted as saying.

Python

Python is a Hit With Hackers, Report Finds (zdnet.com)

After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. From a report: The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, by far the attackers' favorite language. "Hackers, like developers, enjoy Python's advantages, which make it a popular hacking tool," the Imperva team says.

Facebook

Facebook Says it Has Discovered 'Security Issue' Affecting Nearly 50 Million Accounts, Investigation in Early Stages (fb.com)

Facebook shared the following security announcement Friday: On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security. Our investigation is still in its early stages. But it's clear that attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app. Here is the action we have already taken.

First, we've fixed the vulnerability and informed law enforcement. Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened. Third, we're temporarily turning off the "View As" feature while we conduct a thorough security review.

The company added it has yet to determine whether these impacted accounts were misused or any information was accessed. Senator Mark Warner has issued a stern reprimand to Facebook over the security incident revelation today. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I've said before -- the era of the Wild West in social media is over," he wrote.

Facebook

Hacker Proclaims He'll Live-Stream an Attempt To Delete Mark Zuckerberg's Facebook Page This Sunday (bloomberg.com)

An indie Taiwanese hacker has proclaimed he'll broadcast an attempt to wipe out Mark Zuckerberg's Facebook page this Sunday -- live. From a report: Self-professed bug bounty-hunter Chang Chi-yuan, who ferrets out software flaws in return for cash, says he'll live-stream an endeavor to delete the billionaire's account at 6 p.m. local time from his own Facebook page. He didn't get into details or respond to an online query. "Broadcasting the deletion of FB founder Zuck's account," the lanky youngster, who turns 24 this year based on past interviews, told his 26,000-plus followers on Facebook this week. "Scheduled to go live." Cyber-enthusiasts from India to the U.S. routinely expose loopholes in corporate websites and software, earning small financial rewards. It's unusual however for so-called white-hat hackers to do so in real time. Chang, a minor celebrity at home who's gone on talk shows to discuss his exploits, was reportedly sued by a local bus operator after infiltrating their systems and buying a ticket for just NT$1 (3 cents). He's published a gamut of claims -- none of which could be independently verified -- including attacks on Apple and Tesla. And his Facebook account was listed among eight "special contributors" in Line's 2016 bug-hunters' hall of fame. Update: He has backpedalled on the claim.

Privacy

Delta's Fully Biometric Terminal Is the First In the US (engadget.com)

In what Delta is calling the first "biometric terminal" in the country, the airline will reportedly use facial recognition at check-in, security and boarding inside the international terminal at Atlanta's Hartsfield-Jackson airport. Engadget reports: Passengers that want to use facial recognition can approach a kiosk in the lobby and click "Look," or approach a camera at the ticket counter, TSA checkpoint or when boarding. Once a green check mark flashes on the screen, they can proceed. Delta -- which plans to bring fingerprint scanning into the fold, too -- says passengers can use this system instead of their passports to get through these checkpoints, but you'll still need your passport for use in other non-biometric-equipped airports (although maybe one day we'll do away with passports altogether). Privacy advocates are concerned about the security risks present in facial scans, especially as it's an opt-out process. Others, however, say it makes air travel a more streamlined process.