Thanks, adamC, in that I've seen a lot of reports concerning this issue, and there's lots of hysteria, and just plain misinformation out there. This bug does NOT mean that your traffic is unencrypted, but if someone takes the right steps, they could inject their own private key into the equation, and with the corresponding public key, could then potentially decrypt your network traffic. This write-up from Sophos is the best detailed analysis of the exploit I've seen: http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/
Who invited the Ferengi to the shareholder meeting?
For those that just can't wait, here are instructions on how to apply an unofficial patch: https://gist.github.com/uberbrady/9192980
Here's a good summary of the coding error that caused the bug: https://www.imperialviolet.org/2014/02/22/applebug.html And a site where you can go to see if your browser suffers from this bug: https://gotofail.com/ Note at this point the bug hasn't been fixed under OS X, so be careful.
Well this is part of the fun of linking an article to a Twitter stream, in that it has grown to a point where there are many who now question the technology aspects (and specifically the security) of the invention. But I don't think anyone is looking for them to fail, just that they put a little more thought, or provide some transparency, into their security model. No doubt they are monitoring not only this thread, but the Twitters, to get some valuable input.
I'll have to respectfully disagree with the comment that people were looking for a way that the technology wouldn't work, but rather, that the security aspects of the device, based on their FAQ and other information, don't meet the rather loose standards that US credit/debit cards currently employ to protect against fraud. Whereas current payment cards employ various physical security measures, as well as practices (checking a signature on the card, UV watermark, hologram) to prevent fraud, it looks like the current Coin model doesn't take these into account. Based on many discussions, I certainly hope they put something in…
Thanks again for the heads-up, I've sent out a notification via Twitter and Facebook, and will mention on next show. Fortunately, their IMAP implementation didn't touch the POP3 stuff, so the worst that will happen is someone will get a bunch of unread messages when switching back. As for Yahoo, I recently found an account I hadn't used for a while, am not paying for, and when I entered my account information, OS X Mail.app found an IMAP server. As far as I can tell, it is production since there's no beta in the mail server name.
I switched from their beta IMAP server back to POP3, and since I had switched all of my clients over from POP3 to IMAP, no POP3 retrievals had occurred, and no messages were lost. They are again happily being retrieved by Gmail's POP3 pickup feature.
The page with the IMAP information has been removed, and I called Optimum to confirm that this is not a supported feature at this time. I fully understand what a beta is, and agree with the points that you made, except for my motivation for doing this being selfish, and that I somehow leaked this information. I'd argue that if they are running a beta program, making the information available for any customer to find via their support site, and allowing them to login with their current credentials, isn't the best way to control access. I did nothing more than…
I wish my facial hair had a Twitter account like Jim https://twitter.com/DalrymplesBeard