gotofail bug: articles about its minimal *real-world* effects?
February 26, 2014 6:49 AM   Subscribe

I'm trying to help a relative who's in a full panic about computer security, brought on both by the alarmist mainstream reporting about the gotofail bug and by some coincidental hardware issues with her OS X machine. My reassurance isn't going to cut it this time -- is there somewhere online where she can read, in lay terms, that although the bug was severe in theory / in its implications, there's very little evidence of real-world exploits?

Media coverage seems to consist of calm specialist articles and alarmist mainstream articles. Is there a calm, reassuring mainstream article?

She has two devices that were vulnerable to this bug, an iPhone and a recent (mfd jan 2014) MBAir which she's used exclusively on public wifi networks since she has no home internet.

The Air has been having issues like spontaneous black-screening; from her descriptions I'd guess she might have a bad logic board (and definitely has bad local salesguys telling her there's nothing wrong... she's not near a Genius Bar). But all unexplained computer issues feel potentially connected and equally suspicious to her.

She's also now very upset because she updated the iPhone to 7.0.6 over public wifi, and then found "a news story saying not to be so stupid as to update via public WiFi since the flaw itself could USE the process of the updating itself to completely take over your phone in ways even worse than it already was." Again, while that's true in theory, am I right to assume there's virtually no real-world chance she actually downloaded a malicious fake version of 7.0.6? Any evidence or reports of such a version surfacing anywhere?

She has a very all-or-nothing view of security (she writes, "Once everything is compromised, it doesn't matter if you change passwords or anything because those changes ALSO are known by the invader" -- I'm not clear whether she thinks the gotofail bug *itself* was about other users being able to achieve that degree of systemwide compromise, or whether it's just another sign that we can't trust computers and their manufacturers).

She has no local expert she'd trust to just wipe her devices so she can start fresh, and even if she did, she is really convinced that she'll be globally 'compromised' whatever she does now. (For broader reference, this is someone who documentably has been harassed and stalked and has had previous houses broken into -- but it's possible her history of compromise IRL may be fueling too-global fears about computer security.)

I would love pointers to *either* the kind of article on the gotofail bug I described above *or* excellent broader articles about security for lay users.
posted by anonymous to Computers & Internet (6 answers total) 1 user marked this as a favorite
It's fixed. She should download the security update. If she had it, it would have meant that hackers could access her system, not failing screens (see here)
posted by TheRaven at 7:02 AM on February 26, 2014

Mac Security is easy. Use a login code for the phone or iPad, and turn on FileVault on the iBook. Set up a Firmware password or Master password in addition to the user password. Or better yet use an Apple ID. Don't use Public networks without passwords. Easy Peasy.
posted by Gungho at 7:13 AM on February 26, 2014

She should download the security update.

According to the original question, she already downloaded the security update and is concerned that the update itself could have been compromised because she used public wifi to get it.

This Ars Technica piece might help assuage her fears:
Since news of the goto fail bug broke on Friday, some people have noted the apparent irony of relying on Apple-implemented encryption to download a fix for a critical iOS and Mac crypto bug. Fortunately, those concerns turned out to be misplaced, since goto fail does nothing to break the code signing protections Apple uses to ensure only authentic updates get installed.
That's only one line in the middle of a longer article but I haven't found anything else that is as clear. IMO, Ars Technica generally has very measured and detailed coverage of technical issues related to Apple products (see their 24-page review of Mavericks, for instance) and is trustworthy.
posted by bcwinters at 7:20 AM on February 26, 2014 [1 favorite]

Macworld has an article about how the NSA secures its Macs. Some of these tips may give her piece of mind. Also put a piece of tape over her webcam. Install Firefox or Chrome and some ad-blocking software like and Flashblock.

Anything more than that and you're starting to get into Howard Hughes OCD territory. There's only so much we can do.
posted by RobotVoodooPower at 6:03 PM on February 26, 2014

Well, it sounds like she's worried about the wrong thing, but she's not wrong to be worried. I know people for whom running arpspoof and dsniff down at the local coffeeshop, just to see what happened, would sound like a good idea. Has someone infected her computer? Almost certainly not. Has someone grabbed her banking username and password? Less certainly not. I mean, it's pretty unlikely, and probably people using other browsers would have been saying things like "why am I getting security warnings about google?" in her hearing if she were in a place where an attacker was working. But it's not "you're completely overreacting; you have absolutely nothing to worry about" territory.
posted by hades at 6:27 PM on February 26, 2014

Here is another article on code signing. Explain that Apple software updates are signed with a certificate that came "built in" to her computer, and never touched the internet. If it installs, it's authentic. I didn't understand this myself, until I did my research this week.
posted by ecmendenhall at 9:55 PM on February 26, 2014

« Older Where can I find a list of all college tuition...   |   Where should New Yorkers and Washingtonians meet... Newer »
This thread is closed to new comments.