I'm curious why, given the prior reports of security issues at Coinbase and the ongoing drama with Mt Gox, you guys didn't immediately hire, say, tptacek's company to do extensive penetration testing and a full security audit. It appears that not all API calls were rate-limited, as they probably should have been, and there certainly doesn't seem to be any sort of monitoring of brute-force attempts like this in place. With all the negative publicity around Bitcoin exchanges, you should have doubled down on security weeks ago, or at least explained the privacy tradeoffs in your design decisions clearly.
A few thoughts. I agree with you, which is why we are currently going through a third party security audit in addition to the impromptu peer review by Andreas the day MtGox went down and our normal reviews by accountants. We also hired a director of security from FB. Also, there were rate limits, just not well tuned enough. So it's definitely in focus for us.
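Both the question above (API calls not rate-limited, no monitoring of brute-force attempts) and the reply (rate limits existed but were not well tuned) point at the same two controls. The following is an added illustration, not Coinbase's code and not based on any knowledge of their system: a per-IP sliding-window limiter, plus a per-account failed-login counter that still fires when attempts are spread across many source addresses (which a per-IP limit alone never sees). The log lines, thresholds and window sizes are constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject (and do not record) this request
        q.append(now)
        return True


class FailedAuthMonitor:
    """Count failed logins per account in a trailing window.

    record() returns True exactly when the count reaches the threshold, so
    one burst produces one alert rather than one per extra attempt.
    """

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self._fails = defaultdict(deque)

    def record(self, account, now):
        q = self._fails[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) == self.threshold


# Constructed auth log: "<unix-ish seconds> <source ip> <account> <OK|FAIL>".
# First burst: one IP hammers one account; second burst: three IPs share one account.
LOG_LINES = """\
0 203.0.113.5 alice FAIL
1 203.0.113.5 alice FAIL
2 203.0.113.5 alice FAIL
3 203.0.113.5 alice FAIL
4 203.0.113.5 alice FAIL
5 203.0.113.5 alice FAIL
6 203.0.113.5 alice FAIL
30 198.51.100.7 bob OK
100 198.51.100.8 alice FAIL
101 198.51.100.9 alice FAIL
102 198.51.100.10 alice FAIL
"""


def process_log(lines, ip_limit=5, ip_window=10, fail_threshold=3, fail_window=60):
    """Replay log lines through both controls; return what each one caught."""
    limiter = SlidingWindowLimiter(ip_limit, ip_window)
    monitor = FailedAuthMonitor(fail_threshold, fail_window)
    blocked = 0
    alerts = []  # (timestamp, account) pairs worth paging someone about
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        ts = int(ts)
        if not limiter.allow(ip, ts):
            blocked += 1  # rate limit refused the request; it never reached auth
            continue
        if result == "FAIL" and monitor.record(account, ts):
            alerts.append((ts, account))
    return {"blocked": blocked, "alerts": alerts}


if __name__ == "__main__":
    print(process_log(LOG_LINES))
```

With these settings the per-IP limiter stops the seventh and sixth requests of the single-source burst, while the account-level counter raises two alerts: one during the single-source burst and one for the distributed attempts at t=100..102, which each come from a fresh address and so never trip the per-IP limit. Tuning means choosing the limit, window and threshold for real traffic, which is the part the reply above says was missing.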
What precautions have you taken against meatspace robbery? What's to stop 3 thugs with guns walking into your office(s) and cleaning out all the coins? Can you get insurance against this?
Do you also have measures to prevent evil janitor attacks like hardware keyloggers being planted at 4:00am? Do you have screens facing an open window to watch from across the street? Can I rent beside your offices, drill holes through the walls and set up spycams or gain entry? Not to sound alarmist, but it seems no exchange has given a thought to physical security, meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations, even though their money is fully insured and extremely difficult to steal. Bitcoins are easy to steal.
> meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations
Perhaps there are some bank executives for which this is true, but it is absolutely NOT the case for all banking executives. I work with some bank executives and they drive themselves to work in their own cars. The buildings DO have alarm systems and it is quite possible for the FBI to respond to physical threat incidents (because it is treated as a bank robbery) but otherwise there is little that is special in the way of physical security.
And for Coinbase, I believe the lack of special physical guards is appropriate. A high percentage ("up to 97%" according to https://coinbase.com/security) of their coins are in cold storage and while I am not privy to the details of Coinbase's arrangements, keysharing and multiple physical storage locations that are off-premises are a reasonable precaution. They are vulnerable to hostage-taking or "3 thugs with guns" to the exact same extent (no greater) as any other company with a similar amount of protection.
I can't comment on protection against hardware keyloggers: it's a threat that they need to be prepared for. Cold storage is one major way of protecting against this threat, business insurance is another.
They should at least have a level of physical protection equal to a large bank branch.
An armed guard, 24/7 security cameras (obvious and hidden) actively being watched by a human being, established passphrases for when the security service calls to check in, etc.
They are at least at as much risk as a physical bank branch; it's a bit of denial on their part if they aren't treating it that way.
Any other company doesn't need to worry, since robbing their head office and demanding online bank transfers is a waste of time. A cryptocoin fixed-rate exchange with millions in storage you can instantly transfer is a different story. It's like Ft. Knox being located in a regular office building with gold piled on the desks. Bank vaults have physical security, so why don't Bitcoin-based businesses?
I did read through their security about the backups being spread around different locations, but those are backups. They would need access to the cold wallet on a regular basis if 97% of funds are truly in there. Unlikely to happen but then again police here didn't expect criminals would remove huge concrete barriers with a stolen tractor, ram a shopping mall entrance, drive through the mall and ram a gated jewelry store but they did.
> They would need access to the cold wallet on a regular basis if 97% of funds are truly in there.
Not true. First of all, that would only be true if their net daily turnover were more than 3% of their total amount stored -- which it may not be. Even then, I would expect graduated levels of cold wallets: imagine one with another 2% that is down the street in a bank safe deposit box, 5 wallets with 50% of the deposits stored in a way that can only be accessed with cooperation of 4 people in different parts of the country ... that sort of thing.
I am, of course, just speculating: I don't know how Coinbase runs their system, I just know that they seem competent and that this is how I would run such a thing.
Why wasn't any of that information in the earlier statements? When given a list that contains demonstrable flaws, "we see your list and don't think it's a problem" (thus by implication are not doing anything about it) does not induce confidence; it sounds like hubris.
Simply writing that the rate limiting wasn't working correctly and you were fixing it would have made all the difference in the world to me.
This is something that has always bothered me. I've worked in software for a while now, but never in the financial sector, yet the vast majority of my clients and employers have had third-party security audits run on their code and systems. I don't know why every exchange doesn't do this and talk about it publicly.
Everyone in the biz or following the biz knows it's window dressing and pay to play. See Arthur Andersen and Enron and about a zillion other scandals over the years.