by londons_explore 2512 days ago
Coinbase should be hiring pentesters and giving them employee level access - even access to commit and deploy code.

Any insider shouldn't be able to steal more than the hot wallet, and even that should be hard.

I actually wouldn't put much effort into border security. At Coinbase's level of risk, evildoers will have no qualms bribing an employee to install a backdoor in their machine.


Given how quickly Coinbase managed to respond to an advanced attacker, I think they know what they're doing.

Insider threat is also really difficult. Working from a point of "I don't trust my employees" is very painful for many reasons.

> Working from a point of "I don't trust my employees" is very painful for many reasons.

It’s probably the hardest problem to solve in general, but it’s exactly what a well designed separation of duties is supposed to address.
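As an added illustration of the separation-of-duties point above (example code written for this page, not from any commenter or from Coinbase): a withdrawal from a hot wallet is only executed when the requester has not approved their own request, when independent people holding each required duty have signed off, and when the amount stays under a hard cap. The names, duties and cap are constructed for the example.

```python
# Added example: a minimal separation-of-duties policy for hot-wallet
# withdrawals. All names, duties and limits here are constructed.
from dataclasses import dataclass, field
from itertools import permutations

# Constructed role directory: who holds which duty.
ROLES = {
    "alice": {"treasury"},
    "bob": {"treasury"},
    "carol": {"risk"},
    "dave": {"engineering"},
}

# Policy: one approver per required duty, approvers must be distinct people,
# nobody approves their own request, and no single withdrawal exceeds the cap.
REQUIRED_DUTIES = ("treasury", "risk")
HOT_WALLET_CAP = 50_000


@dataclass
class Withdrawal:
    amount: int
    requested_by: str
    approvals: set = field(default_factory=set)


def approve(w: Withdrawal, approver: str) -> bool:
    """Record an approval; self-approval and unknown users are refused."""
    if approver == w.requested_by or approver not in ROLES:
        return False
    w.approvals.add(approver)
    return True


def evaluate(w: Withdrawal):
    """Return (allowed, reasons); reasons lists every unmet control."""
    reasons = []
    if w.amount > HOT_WALLET_CAP:
        reasons.append("amount exceeds hot wallet cap")
    if w.requested_by in w.approvals:
        reasons.append("requester approved own request")

    # Only approvals from people other than the requester count.
    others = w.approvals - {w.requested_by}

    # Every required duty must be covered by a different approver; try all
    # assignments of approvers to duties (the sets are tiny).
    covered = any(
        all(duty in ROLES.get(p, set()) for duty, p in zip(REQUIRED_DUTIES, combo))
        for combo in permutations(others, len(REQUIRED_DUTIES))
    )
    if not covered:
        missing = [d for d in REQUIRED_DUTIES
                   if not any(d in ROLES.get(p, set()) for p in others)]
        if missing:
            reasons.extend(f"no independent approver with duty '{d}'" for d in missing)
        else:
            reasons.append("required duties must come from distinct approvers")
    return (not reasons, reasons)


if __name__ == "__main__":
    w = Withdrawal(10_000, "alice")
    approve(w, "alice")          # refused: self-approval
    approve(w, "bob")            # treasury
    print(evaluate(w))           # still blocked: no risk approver
    approve(w, "carol")          # risk
    print(evaluate(w))           # allowed
```

The point of the two-stage check is that a single insider, even one who can both request and approve, cannot satisfy the policy alone, and the cap bounds what a fully colluding group can move in one step.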

I have never even heard of an internal site-wide pentest that failed.
I'm guessing Coinbase hiring a pentester and giving them 'employee level access' would be a needless formality?
People do internal pentests even though everyone knows the pentesters will win; you still learn something from the experience.
You’ll never be able to prevent privileged insiders, or their accounts, from being able to cause damage. But I have worked with organisations where internal tests were not able to compromise the most critical assets, and where the outcome of the tests was that those assets became even better protected. Which is really the best outcome you could be hoping for with these kinds of engagements, imo.
Of course, I was just being cute.
To me it shouldn't be a question of whether you trust your employees - obviously it makes for a better working relationship if you do, but I think there's a more fundamental issue here, which is "I don't trust my system".

If you fully trust the system you're building (and that trust is well-placed, meaning you can _prove_ the lack of significant exploits/vulnerabilities), then you should have no issue allowing others to try and poke holes in it.

The usual caveat is that untrusted employees with sufficient access could potentially wreak havoc, but I would argue that if you really trust your system, and define the boundaries of your system well enough (i.e. to also encapsulate the issuance and management of all permissions relating to the system), then you can effectively limit the ability of malicious actors to break things or otherwise amass control.

Why do you believe that is not the case?
The trouble is finding someone to bribe who won’t suddenly start buying new things.
The bribe is so that you are now a party to the crime and less likely to try and turn them in after the fact. The threats to your life and the lives of your family are actually what get the job done.
To follow through on that though, what makes you think that would be anything noticeable? Suddenly a Coinbase employee buys a cool car or other new toy... So what? Nobody would think that was exceptional.
I think this is why investigations require low levels of evidence to start, but high levels of evidence to end.

Just because it isn’t exceptional doesn’t mean that it isn’t worth looking into. People who are greedy are impulsive and are unlikely to hide an inflow of cash.

Theft isn't restricted to impulsive people though. It's mostly restricted to people who think they'll get away with it. Clever and cautious people may actually be able to.
Uh.

Yes.

But things don’t disappear, do they?

I read this as putting people's behaviors under scrutiny "just in case". You could use your reasoning to expand the surveillance state, etc. I cannot say I like the idea.
The problem is finding security pundits who know that crime can force people to do things in other ways than money...