
https://coinforcoffee.com/#how-it-works

This design looks strangely familiar... :)

-----


Ha, we tweaked it a bit since last time you guys saw it, but not much.

-----


A few thoughts. I agree with you, which is why we are currently going through a third party security audit in addition to the impromptu peer review by Andreas the day MtGox went down and our normal reviews by accountants. We also hired a director of security from FB. Also, there were rate limits, just not well tuned enough. So it's definitely in focus for us.

Hope this helps clarify.

(edited for formatting)

-----


Thanks for coming here and addressing the community. It's a thankless job. But thank you for doing it.

-----


What precautions have you taken against meatspace robbery? What's to stop 3 thugs with guns walking into your office(s) and cleaning out all the coins? Can you get insurance against this?

Do you also have measures to prevent evil janitor attacks like hardware keyloggers being planted at 4:00am? Do you have screens facing an open window to watch from across the street? Can I rent beside your offices, drill holes through the walls and set up spycams or gain entry? Not to sound alarmist but seems no exchange has given a thought to physical security meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations, even though their money is fully insured and extremely difficult to steal. Bitcoins are easy to steal.

-----


> meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations

Perhaps there are some bank executives for which this is true, but it is absolutely NOT the case for all banking executives. I work with some bank executives and they drive themselves to work in their own cars. The buildings DO have alarm systems and it is quite possible for the FBI to respond to physical threat incidents (because it is treated as a bank robbery) but otherwise there is little that is special in the way of physical security.

And for Coinbase, I believe the lack of special physical guards is appropriate. A high percentage ("up to 97%" according to https://coinbase.com/security) of their coins are in cold storage and while I am not privy to the details of Coinbase's arrangements, keysharing and multiple physical storage locations that are off-premises are a reasonable precaution. They are vulnerable to hostage-taking or "3 thugs with guns" to the exact same extent (no greater) as any other company with a similar amount of protection.

I can't comment on protection against hardware keyloggers: it's a threat that they need to be prepared for. Cold storage is one major way of protecting against this threat, business insurance is another.

-----


They should at least have a level of physical protection equal to a large bank branch.

An armed guard, 24/7 security cameras (obvious and hidden) actively being watched by a human being, established passphrases for when the security service calls to check in, etc.

They are at least at as much risk as a physical bank branch; it's a bit of denial on their part if they aren't treating it that way.

-----


Any other company doesn't need to worry since robbing their head office and demanding online bank transfers is a waste of time. A cryptocoin fixed rate exchange with millions in storage you can instantly transfer is a different story. It's like Ft. Knox being located in a regular office building with gold piled on the desks. Bank vaults have physical security, so why don't Bitcoin-based businesses?

I did read through their security about the backups being spread around different locations, but those are backups. They would need access to the cold wallet on a regular basis if 97% of funds are truly in there. Unlikely to happen but then again police here didn't expect criminals would remove huge concrete barriers with a stolen tractor, ram a shopping mall entrance, drive through the mall and ram a gated jewelry store but they did.

-----


> They would need access to the cold wallet on a regular basis if 97% of funds are truly in there.

Not true. First of all, that would only be true if their net daily turnover were more than 3% of their total amount stored -- which it may not be. Even then, I would expect graduated levels of cold wallets: imagine one with another 2% that is down the street in a bank safe deposit box, 5 wallets with 50% of the deposits stored in a way that can only be accessed with cooperation of 4 people in different parts of the country ... that sort of thing.

I am, of course, just speculating: I don't know how Coinbase runs their system, I just know that they seem competent and that this is how I would run such a thing.

-----


Further, the security audit began this week before this issue. It was proactive, not responsive.

-----


Not to make anything awkward, but this is a far better reply than Brian's replies in this thread and on the blog.

-----


Why wasn't any of that information in the earlier statements? When given a list that contains demonstrable flaws "we see your list and don't think it's a problem (thus by implication are not doing anything about it)" does not induce confidence, it sounds like hubris.

Simply writing that the rate limiting wasn't working correctly and you were fixing would have made all the difference in the world to me.

-----


Because then it will be bad PR.

Now they can play it off so people who don't know any better won't move to another service.

-----


We are pushing some changes to rate limiting - this wasn't clear in the original post and I just edited. Thanks for the heads up.

-----


So why are you blowing this off and now all of a sudden writing rate limiting?

The only reason he got 1000+ emails is because you guys messed up.

Not even going into the whole idea of you releasing that end point with name leakage without somebody going 'oh hey.. do we have rate limiting?'.

Mistakes like this are signs of amateur hour.

-----


Suppose they limit it to 100 emails before blocking your account. The guy can just sign up with 10 accounts. Or 5. This "attacker" would still post it and make a big fuss.

Most likely they're implementing rate-limiting to appease people and prevent an ongoing spam issue. Or perhaps it was on their list for a while and just hasn't been an issue until now.

-----


In regards to rate limiting, it would be a much smaller number prior to block.

If it's IP based at let's say 10 over X, the attacker would have to lease 100 IPs.

In any case, rate limiting is the quickest mitigation prior to actual fix of the data leak in question.

-----
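The comments above argue about what a rate limit on an "invite by email" endpoint actually buys: a per-account cap is defeated by registering more accounts, a per-IP cap raises the cost to leasing addresses, and neither stops one inbox from being flooded. The following is an added example, not Coinbase's code, that models all three dimensions as sliding-window limiters and replays the thread's scenario numerically; the limits, the IP address and the recipient are constructed values.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Sliding-window limiter: keeps the timestamps of recent accepted
    requests per key and refuses a request once the window already
    holds `limit` of them."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def new_limiters(per_account, per_ip, per_recipient, window_seconds=3600):
    """Constructed policy (not Coinbase's): three independent limiters.
    Per-account alone is defeated by registering more accounts; per-IP
    raises the cost to leasing addresses; per-recipient caps how many
    mails any one inbox can receive however many accounts or IPs are used."""
    return {
        "account": SlidingWindowLimiter(per_account, window_seconds),
        "ip": SlidingWindowLimiter(per_ip, window_seconds),
        "recipient": SlidingWindowLimiter(per_recipient, window_seconds),
    }


def check_invite(limiters, account_id, source_ip, recipient, now):
    """Returns (allowed, denied_by). Every dimension is consulted in turn;
    the first one whose window is full rejects the request."""
    checks = (
        ("account", account_id),
        ("ip", source_ip),
        ("recipient", recipient.strip().lower()),
    )
    for name, key in checks:
        if not limiters[name].allow(key, now):
            return False, name
    return True, None


def simulate_mailbomb(per_account, per_ip, per_recipient,
                      attacker_accounts=10, attempts_per_account=100):
    """Constructed scenario from the thread: several accounts behind one
    IP all point at the same inbox. Returns how many invitation mails
    would reach that inbox within a single window."""
    lim = new_limiters(per_account, per_ip, per_recipient)
    delivered = 0
    t = 0.0
    for i in range(attacker_accounts):
        for _ in range(attempts_per_account):
            ok, _ = check_invite(lim, f"attacker-{i}", "203.0.113.7",
                                 "victim@example.com", t)
            delivered += int(ok)
            t += 1.0            # one request per second, well inside the window
    return delivered


if __name__ == "__main__":
    big = 10 ** 9   # effectively no limit on that dimension
    print("per-account only  :", simulate_mailbomb(10, big, big))   # 100
    print("plus per-IP       :", simulate_mailbomb(10, 10, big))    # 10
    print("plus per-recipient:", simulate_mailbomb(10, 10, 3))      # 3
```

The three printed figures are the thread's argument in numbers: the "just sign up with 10 accounts" objection holds against a per-account limit alone, the per-IP limit cuts it to one account's worth, and only the per-recipient cap bounds what a single inbox can receive. A production limiter would back the deques with a shared store such as Redis so that every application server sees the same counts.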


Update - blog post here: http://blog.coinbase.com/post/81407694500/update-on-coinbase...

-----


"You’ll find that user enumeration is possible on Facebook, Google, Dropbox, and nearly every other major internet site."

I love this. Look these silly free social sites do it, so it must be ok. Anyone know if BofA or WellsFargo allow user enumeration?

-----


> Anyone know if BofA or WellsFargo allow user enumeration

You're correct. They don't. Not even to authorities without a warrant. Which is the point I was trying to make in my earlier comment.[0]

[0] https://news.ycombinator.com/item?id=7510524

-----


BofA and Wells Fargo suffer from account number enumeration.

Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).

There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.

I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.

-----


I haven't personally seen the system, or tested it, but I'm pretty sure if I tried to enumerate all Bank Of America account numbers I'd get shut down pretty quick.

-----


Two months ago I was able to enumerate all accounts from a local bank (Paraguay), they used document number and numeric passwords for login. They were showing different error messages when you tried to login with a nonexistent ID.

So I started generating random numbers between common document number ranges (1000000-4000000).

Our public health system has a web app that lets you check your enrollment status by entering a document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info). The most interesting thing was that I tried to login into all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.

-----
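The bank described above leaked account existence through different error messages and accepted a bare birth date as a password. As an added example (not the bank's or Coinbase's code), the block below shows the defensive side of both findings: a login routine that returns one generic message and does the same password-hashing work whether or not the ID exists, a policy check that rejects digit-only dates, and a log-based detector that flags a client failing against many different document numbers. The user record, salts, IP addresses and log lines are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

GENERIC_ERROR = "Invalid document number or password."
_ITERATIONS = 50_000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: document number -> (salt, derived key).
_SALT = b"constructed-salt-0001"
USERS = {"1234567": (_SALT, _derive("482913", _SALT))}

# Dummy credential used when the ID is unknown, so an unknown ID costs the
# same hashing work as a known one and gives no timing hint.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_KEY = _derive("not-a-real-password", _DUMMY_SALT)


def login(doc_number, password):
    """Returns (ok, message). Whether the ID is unknown or the password is
    wrong, the caller sees the same message and roughly the same delay."""
    exists = doc_number in USERS
    salt, stored = USERS[doc_number] if exists else (_DUMMY_SALT, _DUMMY_KEY)
    matches = hmac.compare_digest(_derive(password, salt), stored)
    if exists and matches:
        return True, "Welcome"
    return False, GENERIC_ERROR


_DATE_FORMATS = ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d")


def looks_like_birthdate(password):
    """True if the password, with common separators removed, is a digit
    string that parses as a plausible date of birth. A heuristic only."""
    digits = password
    for sep in "-/. ":
        digits = digits.replace(sep, "")
    if not digits.isdigit():
        return False
    for fmt in _DATE_FORMATS:
        try:
            parsed = datetime.strptime(digits, fmt)
        except ValueError:
            continue
        if 1900 <= parsed.year <= 2014:
            return True
    return False


def password_policy_ok(password):
    """Constructed policy: at least 8 characters and not a date. The bank
    in the thread accepted any 6+ digit string, which is why a birth date
    pulled from a public registry opened so many accounts."""
    return len(password) >= 8 and not looks_like_birthdate(password)


def enumeration_suspects(log_lines, distinct_ids_threshold=20):
    """Detection side: a client failing logins against many *different*
    document numbers is enumerating; a user who mistypes their own password
    fails repeatedly against one ID. Constructed log format:
    '<timestamp> <client_ip> <doc_number> <ok|fail>'."""
    ids_per_ip = defaultdict(set)
    for line in log_lines:
        _ts, ip, doc, result = line.split()
        if result == "fail":
            ids_per_ip[ip].add(doc)
    return sorted(ip for ip, ids in ids_per_ip.items()
                  if len(ids) >= distinct_ids_threshold)


# Constructed sample log: one client walking a document-number range and
# one ordinary user who mistypes their password three times, then succeeds.
SAMPLE_LOG = [f"2014-04-01T10:00:{i:02d} 198.51.100.9 {1000000 + i} fail"
              for i in range(40)]
SAMPLE_LOG += ["2014-04-01T10:05:00 192.0.2.44 1234567 fail"] * 3
SAMPLE_LOG += ["2014-04-01T10:06:00 192.0.2.44 1234567 ok"]

if __name__ == "__main__":
    print(login("1234567", "482913"))          # (True, 'Welcome')
    print(login("7654321", "482913"))          # same generic error as a wrong password
    print(password_policy_ok("01011990"))      # False: a date
    print(enumeration_suspects(SAMPLE_LOG))    # ['198.51.100.9']
```

The two halves of the fix belong together: the uniform error message removes the oracle the comment relied on, and the detector catches the distinct-ID pattern that remains visible in the logs even when the response is uniform. The policy check is the piece that addresses the "40% used their birth date" result; a CAPTCHA on the public registry, which the commenter suggests, would only slow down the lookup step.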


Isn't this roughly the sort of thing that got weev thrown in jail?

-----


Yes, probably. I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock the door of the security department and tell them about my attack.

-----


Your customers are upset and losing faith. Stop trying to defend yourself and take action.

-----


I remember a story here a few months ago about a person who had deposited tens of thousands of dollars with Coinbase, and they refused to give the customer his coins. That was a clear sign that the systems and processes at Coinbase were broken.

The fact that they didn't help the customer until they took their grievances public indicated to me that either Coinbase don't care about their customers, or they were too busy trying to balance their books because of some proprietary trading gone wrong.

Thus I think it was foolish of Coinbase to release the letter condemning MtGox. Now anything that happens to Coinbase makes them look like total hypocrites. People, glass houses, stones etc.

It's one thing for a magic card trading company to morph into a Bitcoin exchange and have problems... but for a hot-shot start-up in San Francisco with self-proclaimed tech superstars at the helm and millions in the bank to screw up royally, well, it's just embarrassing.

-----


UPDATE: For anybody following Bitcoin news, this is obviously satire, replacing MtGox with CoinBase. Surprised people downvoted this.

There are rumors that a joint statement will be released at 5PM Pacific Time...

Joint Statement Regarding CoinBase

Apr 1st, 2014

The purpose of this document is to summarize a joint statement to the Bitcoin community regarding CoinBase.

This tragic violation of the trust of users of CoinBase was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. CoinBase has confirmed its issues in private discussions with other members of the bitcoin community.

We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.

In order to re-establish the trust squandered by the failings of CoinBase, responsible bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds. As part of the effort to re-assure customers, the following services will be coordinating efforts over the coming days to publicly reassure customers and the general public that all funds continue to be held in a safe and secure manner: Kraken, BitStamp, Circle, and BTC China.

We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.

Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.

The following industry leaders stand by this statement:

Jesse Powell — CEO of Kraken

Nejc Kodrič — CEO of Bitstamp.net

Bobby Lee — CEO of BTC China

Nicolas Cary — CEO of Blockchain.info

Jeremy Allaire — CEO of Circle

p.s. Yes, this is the MtGox letter... who will be the last man standing? :-)

-----


The possibility of this being misinterpreted as valid is rather high. I think your point could have been made well with a single explaining sentence up front and without the name substitution in the actual content.

-----


These guys stuck the knife into MtGox... when they themselves are no better.

Check the forums over at BitcoinTalk, for months now, people using Kraken have been unable to withdraw their money, and deposits have been going 'missing'. The fact that support is conducted over a public forum, out of sheer desperation on the customers part, tells you something.

If CoinBase did go down, would you bet against the other providers crafting a public relations message to drum up business for themselves? It's dog eat dog out there - the idea that there is a community of Bitcoin businesses looking out for each other is a joke.

-----


What does that have to do with what I said? I think the manner in which you made your point has too high a chance of being misinterpreted to be acceptable here, which is probably why it was being downvoted.

-----


I get your point, yet somebody misinterpreting a joke should have no impact on the company...

Unless the company actually had inadequate reserves to meet customer withdrawals, thus leaving the solvency of the company at risk of a good old-fashioned fractional reserve style bank-run...

-----


Oh, I could care less about the company, but I do care about the integrity of HN as a whole. That doesn't mean I don't like the occasional joke on here either, but since that story seemed a bit light on details and people were looking for information, posting satire that looks very much like valid information can be unintentionally misleading.

-----


Fred from Coinbase here.

There is no full list, and there is no leak. We're drafting a more formal response now.

-----


Would you include in your response the reason why you're ignoring Homakov's security flaw reports, which were emailed to you at your whitehat@coinbase.com email address?

https://news.ycombinator.com/item?id=7505757

A lot of people are getting nervous that you're not taking security seriously at Coinbase. Ignoring whitehat reports would seem to be a serious issue.

-----


Hi, Ryan here - We've moved over to hackerone.com/coinbase, and emailed everyone at the whitehat@ address about the transition. We'll be getting in touch for the details and will get an autoresponder up on whitehat@. We don't view missed reports as a good thing, we'll do better and have already made improvements.

-----


They mentioned something about it on the thread that they were transitioning to a new system - plus the fact that nobody saw it as a vulnerability. I guess that's the reason.

-----


Apropos nothing else and without judging the actual report you're referring to: if you set up a "whitehat@yourdomain" or "security@yourdomain" alias, you need to be responsive. You can't ignore good-faith messages because you don't think they're valid. You have to act like all good-faith messages are urgent.

Those aliases are cheap insurance, but they aren't free: they'll cost you some tech support cycles.

-----


They're actually downright expensive addresses to maintain, and they don't cost tech support cycles, they cost security engineer time.

A basic tech support person might be able to fend off the dozens of word salad "security notifications" sent by ESL students, but as they get more complicated and no less often irrelevant, you need people who actually know how your infrastructure works.

On top of the technical hassle comes the customer experience hassle of keeping a bunch of wannabe hackers happy as they demand rewards and their name on your site for their idea of a CSRF vulnerability that happens to have no basis in reality.

-----


The backlash against these aliases is perceptible, but remember that the worst-case scenarios we're talking about today, when those addresses aren't properly staffed, were the default case before they became a common feature of startups.

-----


Cheap, sure, but they'll cost you plenty in "lost face" when we journos write that you ignored inbound alerts from the person who later published something out of frustration.

Not just emails, either. See also event logging: https://www.schneier.com/blog/archives/2014/03/details_of_th...

-----


Seriously, this. They are being nonchalant about this whole thing, but it may be damaging their most valuable asset - the community's trust in them. Just don't ignore repeated attempts to contact your whitehat address.

-----


Not saying it was a good reason. Just that they did address the question.

-----


http://blog.shubh.am/full-disclosure-coinbase-security/

According to the original researcher, he mailed them and got no response, and got no response at all from several other attempts at contact.

I wouldn't be surprised one bit to find that the inbox for that address is full of spam and crackpots, but, like 'tptacek said, if you're going to have the list you had better dedicate resources to reading it.

-----


Their official response did not give any reason for ignoring the reports, nor did it even acknowledge that this happened. Disappointing.

-----


Then how am I on the list with an email I only use at coinbase? With my full email and name, and I'm getting spammed non-stop by this "non-important" security flaw in your system.. multiple times today and counting.

-----


Fred, some advice: make your public notice more sympathetic than that post.

-----


Didn't you run Iraqi ministry of information back in the day?

-----


You are a fucking dick for ignoring that guy..just saying

-----


(Fred from Coinbase)

Agree, strikes me as a good idea.

-----


Fred from Coinbase here - this isn't true. Would be interested to hear why you'd think this though!

-----


Fred from Coinbase here.

There are still a few lingering issues, which we've been working hard to fix and will be looking at again today. To those affected, I'm very sorry for the wait. Funds are safe, it's just a question of opening the pipes properly to let them flow normally.

-----


I think you guys will pull through in the end, but your communication is honestly bewildering.

You guys are still:

* Waiting until the last minute (after they've been waiting a week!) to tell people their accounts have been flagged as 'high risk'

* Not updating your blog with problems as they arise

* Being completely untransparent about the obviously-a-lie "24 hour rolling limit".

* Letting emails about people's already confirmed bitcoins being locked into your "wallet" go unanswered.

* Generally being completely opaque about both what is going on, and why people are getting flagged at the last minute.

My recommendation: charge more for your services and fucking hire some people to do some damage control--AND BE TRANSPARENT. It's great that you are in the reddit threads, and now on here.. but for the love of god, you are pissing EVERYONE off. There are people falling over each other to be your "customer support specialist" or whatever you were hiring for the other day; have them do some friggin' support.

-----


Some good reminders for all of us. Case study material, in fact (hopefully it won't turn into a full-blown, "oops, where did all the money go" case study).

-----


Just to chime in with what Fred said, very sorry for the delays. We added a blog post here: http://blog.coinbase.com/post/45976220890/pending-transactio...

Several pieces of the site scaled up about 10x in the past month or two, and this exposed some lingering performance problems. Somebody told us an analogy one time of rebuilding a car while trying to drive it down the freeway at 60MPH. That is a good approximation of what we're doing right now - in short, we are doing so carefully and with the help of great test coverage to make sure nothing breaks along the way.

Thank you for bearing with us. I wish I could say this is the last time we'll experience scaling problems in the next year, but it seems unlikely with the growth of bitcoin right now. If this seems like something interesting to work on, we are also hiring: https://coinbase.com/jobs

We'll post updates to Twitter as we come closer to a resolution. Thank you!

-----


Can you please describe the implementation of this system, and the problems encountered recently, in more detail?

Which database systems are involved in the "database migration" described in the support center article? Please list at least the product names and versions.

What was the nature of the "refactor"? What programming languages and implementations were involved, for instance?

What exactly happened during the "database migration"? Was there any data loss?

What sort of backup infrastructure is in place?

-----


I'm a Coinbase customer. I'm waiting for my pending transaction to go through, and for USD to hit my bank account. And I'd rather have Fred and the rest of Coinbase working on solving that problem than explaining what, exactly, the glitch is, and while they're at it, what their entire infrastructure looks like. There will be time for explanations later.

-----


False dichotomy. I'm sure someone in the entire company has five minutes while fixing the problem to explain to us what's going on.

-----


You may be overestimating how many people 'the entire company' is ;)

-----


Judging by the design, two? :P

-----


Maybe if enough people get sick of losing real money, we will finally be able to put some regulation around e-commerce sites' security, privacy and data protection.

-----


I second eof's reply, especially the high risk issue. I "bought" 14 coins at 34.50, emailed support as soon as it flagged and you basically responded with "whoops, I'm sorry".... Meanwhile I had left the funds in escrow for a week waiting for the order to clear when I could have bought them through another source at a slightly higher rate and still profited in a large way. Then I emailed support again when I found that another customer had posted they had actually had the order forced through by support due to the issue being on Coinbase's end. That was two weeks ago and I still have not received a response as to why the order was covered for another customer but not for me.

-----


Unfortunately you guys hit a Satoshi Perfect Storm time to commence Beta - still, trial by fire, hang in there, lotsa Diet Dr Pepper/red bull!

-----

