Comment by chaps

3 months ago

Once did some programming/networking work for a company that did the networking of an office sharing building that Coinbase was running out of. Early in my work there I noticed that the company had its admin passwords written on a whiteboard -- visible from the hallway because they had glass for walls. So I sent them an email to ask that they remove it (I billed them for it).

Their fix was to put a piece of paper over the passwords.

What a time.

This doesn’t surprise me at all.

Bitcoin, and really fintech as a whole, is beyond reckless.

I very much doubt the veracity of this claim. I worked at Coinbase for many years and this runs completely afoul of the culture there.

Even leaving your laptop unlocked for seconds in the office would have someone /pwn it in slack and get flagged by security.

If there’s one thing they took extremely seriously it was data security.

  • You're misreading my post with Coinbase-tinted glasses. My post is about the building that Coinbase operated out of. Not Coinbase itself.

That is a great anecdote.

Not saying it is untrue, but it is definitely true that Coinbase has never lost customer funds while operating in an environment with 0 safety nets and being one of the most lucrative targets.

This leak over customer data suggests that they should treat that with as much obsession as they do with their private keys.

  • That's not actually true, back in the day Coinbase used Bitfinex. They were using them when Bitfinex got all that BTC stolen. Technically everyone, including Coinbase, lost assets in that hack. They were large and scary enough at the time to force Bitfinex to keep them whole instead of applying the 36% haircut, but I'd argue that amounts to recovery rather than failure to lose in the first place. [1, 2]

    [1] https://www.kalzumeus.com/2019/10/28/tether-and-bitfinex

    [2] https://x.com/nathanielpopper/status/933130228175552513

    • That's a pretty big stretch of definitions. Whatever operations Coinbase had with Bitfinex were either to support market making activity or as a service for Coinbase's institutional customers to directly access Bitfinex via their platform.

      As I said, they have never lost customer funds in their custody.

      2 replies →

  • Your post reads like something a lawyer would write to convey something that while (maybe) technically true, misses the point by a hundred miles.

    • Yeah you're right, Coinbase is definitely insecure as evidenced by this.

      The fact that lax security has never caused them to lose billions of dollars of customer funds is just luck and paper covering passwords on a whiteboard.

      1 reply →

> So I sent them an email to ask that they remove it (I billed them for it)

Sending unsolicited bills for unrequested services is a great way to make sure nobody takes your email seriously

  • GP is saying that they were already one of Coinbase's vendors (they did the networking/IT setup for Coinbase's office). Whether you'd tolerate that kind of behavior from a vendor is one thing, but for an existing vendor relationship I think adding a few billable hours for "I found this issue in your network and documented and reported it for you" to an existing contract is not particularly unreasonable.

    • More likely, this is a spectacular version of CYA. By billing the hours, there is a paper trail so that when the inevitable breach occurs, you can point to having done the appropriate thing.

    • > but for an existing vendor relationship I think adding a few billable hours for "I found this issue in your network and documented and reported it for you" to an existing contract is not particularly unreasonable.

      Billing for random things outside of the agreed upon scope of work is actually unreasonable. It’s something covered in every contracting agreement I’ve ever been a part of.

      Maybe they could point to some contract that maybe would have covered it, but when your contractors start billing you for sending quick emails about unrelated things you didn’t ask them to look into, it’s not a good sign. When contractors bill for quick emails they don’t bill for the 3.7 minutes it took to write, they round up to some bigger number like an hour.

      Anecdotally, every time I’ve encountered contractors who started billing per individual communication that they initiated (not something requested) or started finding new things to bill us for that we didn’t ask, it was a sign that we were a target being milked for billable hours. Some contractors have a lightbulb moment when they think nobody is scrutinizing their billing and think they discovered an almost infinite money glitch by initiating new things that they can bill for. None of the good contractors I’ve worked with over the years would even think to bill for an individual short email.

      4 replies →

  • They are lucky they just got a bill and not a terminated contract. Consulting companies I have worked for would have dropped them immediately because we don't want clients with that kind of risk. Massive red flag that signals management is non-existent, incompetent, or checked out. That is egregious negligence.