On The Brink with Castle Island - Jeff Lunglhofer on Cybersecurity at Coinbase (EP.511)
Episode Date: March 18, 2024Jeff Lunglhofer, the Chief Information Security Officer at Coinbase joins the show. In this episode we discuss: Jeff's background and what attracted him to joining Coinbase. How Coinbase approaches c...ybersecurity risk. The impact of the Bitcoin ETF and the custodial business at Coinbase. How users should protect themselves via multi-factor authentication. Phishing and how to protect oneself from this attack vector. Passkeys and how this is improving the log-in flow at Coinbase. How Coinbase uses bug bounty programs. To learn more about cybersecurity at Coinbase visit coinbase.com/security
Transcript
Discussion (0)
Today on the podcast, I sat down with Jeff Lungalhofer, the chief information security officer of Coinbase.
This was an informative chat that talked about the threat vectors facing cryptocurrency users
in the steps that Coinbase is taking to make their platform safe and resilient.
So without further ado, here's my conversation with Jeff Lunglehofer of Coinbase.
Matt Walsh and Nick Carter are partners at Castle Island Ventures.
All of these expressed by them or the guests on this podcast are solely their opinions
and do not reflect the opinions of Castle Island Ventures.
Guests and host may maintain positions in the assets discussed in this podcast.
not treat any opinion expressed by anyone on this podcast as a specific inducement to make a particular
investment or follow a particular strategy, but only as an expression of their personal opinion.
This podcast is for informational purposes only.
Brought down by bad mortgage investments, Lehman, which has 25,000 employees, will be liquidated.
The federal government loans American International Group, AIG, $85 billion.
This is a different kind of market, and the Fed is asleep.
The federal government is stepping it to stabilize Fannie Mae and Freddie Mac, the two mortgage giants
that have been threatened by the housing crisis.
The Bank of England has pumped 75 billion pounds more
to Britain's ailing economy
with a new round of quantitative easing.
You print a couple trillion dollars
and all of a sudden, people start to worry.
So out of this worry, we have something called the Bitcoin.
Bitcoin.
All right, Jeff, so welcome to On the Brink.
I'm really excited to chat about Coinbase
and information security today with you.
Awesome.
Looking forward to it.
So, Jeff, why don't we dive in
first with just the path that led you to Coinbase?
You come from a world that is very outside of crypto originally,
but would love to hear your background and what led you to this position?
Yeah, sure thing. I started my career for all intents and purposes working at a large
multinational, international consulting firm. We're with clients ranging from the U.S.
government to foreign governments to the military to commercial companies. So really gave me a lot
of insight and broad technical understanding of cybersecurity early on and throughout most of my career.
From there, I pivoted and went into financial services. And I joined one of the largest
custodian and institutional banks in the world. You can research it and figure out which one.
I just don't want to mention them here. But I was there for about seven years, which gave me a ton of
insights into the regulatory pressures, the cyber pressures that are faced by large financial
institutions today. From a personal growth perspective, though, I've always been big on learning new
things, breaking ground, understanding, and learning new technologies. And I found that the almost 27
years that I spent between the large bank I was at and the consulting firm, that my rate of
personal growth had slowed a bit in terms of technical understanding, new areas for cybersecurity
to explore. And that led me to start looking at blockchain and crypto, which is truly, I think,
obviously I wouldn't be here at Coinbase if I didn't believe this. I really do think it's the
future of finance. I think it's how we bank the unbanked across the world. It's how we break the
traditional systems that are so skewed towards large institutional wealth holders. And we get more
wealth and more control in the hands of individual consumers. So that's a mission that I know
Brian is really supportive of, and I'm certainly on board with that as well. I'm very excited about
it. Plus, the opportunity to learn a whole bunch of new technologies around Web3 blockchain that I
just wasn't going to get in my previous role. So here we are. I started shopping around.
It took me a while to find and settle with Coinbase, but I'm so glad that it happened and it's
been a great experience for me so far. That's awesome. Well, it's great to align with the mission of the
company. And obviously, a lot of that has happened with Coinbase being really a key backbone on
stable coins and Bitcoin and ETH. So it sounds like a fascinating role. Folks in the audience might
not have a great understanding of what a chief information security officer actually does.
So I'd love to understand what that role is at Coinbase and how you think about it.
Yeah, absolutely. So Chief Information Security Officer or CSO, for short, you've probably heard
that acronym before. There are different types of CSOs that you'll encounter across different
industries and different companies. Here at Coinbase, the CSO position that I sit in is a full
scope operational and governance type role. So what does that mean? That means I own and drive
our security operations, the folks that are watching our networks, that are watching our blockchains
that we participate in like Base, our L2 on the Optimism Network that we launched. We're watching
that blockchain. We're looking for any potential malicious actors, things that might be going
wrong that would negatively affect our business on chain. We're monitoring our AWS instances,
our GCP instances. We are the eyes on glass. We are the threat intelligence team looking to
understand what our adversaries are doing. We also look out for our customers. So I own trust and
safety. So that's a specialized team of folks who helps customers when they're having potentially
a bad day. They have an account takeover. They have malware on their local machines. Their
Gmail accounts have been compromised. We help them when they're having what some might say is some
the worst days of their lives when they potentially are losing money because of a threat actor.
So I own all of that, all of those operational pieces, and that's not to mention application
security, managing our CICD pipeline in a secure way, all of that sits in my remit.
Similarly, I also help write policies and standards that set the tone from a security perspective
across the company. I sit on a number of councils that help implement and guide those policies.
I sit on panels where we accept risks formally for the company.
So it's a mixed role of sort of that policy and governance side that I mentioned there
towards the end and that operational security side that I talked about in the beginning.
Now, I do want to be clear, a CSO at one company can be very different than a CSO at another
company.
At Coinbase, it's what I consider to be a full scope CSO role.
It was the same way at the bank that I was at previously.
But there are CSOs out there that are predominantly on the governance side.
They really focus on the policies, the standards, the risk accepts, things like that.
And there are CSOs that are more on the operations side.
They don't get involved in that.
They focus on operations.
Personally, for me, it's most rewarding if I get to see both sides of that coin.
That makes a ton of sense.
I'd imagine it's a really challenging role in a lot of respects when you interface with
the product side of the organization.
So Coinbase has a million great product ideas.
Obviously, there are other companies in the industry that have really pushed the risk limits
on some of the products that they've rolled out.
So maybe talk a little bit about what that looks like
when a new product idea comes up
and how you interface with whether or not
that's actually a good idea to roll out to full-scale customers.
Yeah, sure thing.
First off, I firmly believe that it is the CSO's role
and the cybersecurity team's role to enable our business.
That is our number one function.
We have to enable the business to continue to roll products
that our customers want.
Otherwise, we have no customers to protect
because they've all left the platform, right?
So you really can't put one before the other.
I think it's a really important thing.
And I do think that's where some security professionals may fall down a bit.
At the same time, we have a large customer base here at Coinbase.
We have, I don't know the exact numbers right now, but by assets under custody,
we are the largest exchange by a pretty significant margin.
So that's a lot to protect.
So what I'm pleased to say is we've come to a pretty happy medium here at Coinbase.
Our product teams are always pushing the envelope on releasing new services for our customers,
new products for our customers launching base, the L2 network that I mentioned a little bit ago,
which is based on the optimism stack. What a great playground that is for developers and builders
and anybody in the crypto community to stretch their wings in a really diverse and highly
functional ecosystem. When we launch new initiatives, I mean products like that, though,
our product teams know that they need to first capture their technical requirements, capture their
designs, and my team is involved in the review process for those. So when I do,
is first instantiated. We're involved. We're looking at it. Hey, are you thinking about the right
controls? Are you thinking about authentication? Our ability to monitor. Our ability to stop if something
really bad happens in that ecosystem, our ability to respond, I should say. So those are all
things that we're considering. And then as they go through the build and development process,
we're there with them doing code checks, Penn tests, red teams, making sure they're using the right
code frameworks. So it's a very back and forth kind of relationship. And that
I think it's very productive and it's a very healthy relationship here at Coinbase.
That makes a lot of sense.
Now, one of the products that has just been massively successful here over the past quarter
is the rollout of these Bitcoin ETFs where Coinbase obviously has a large role as custodian
and facilitating some of the liquidity around this.
How has that changed what your role looks like just based on all of this new AUM and these
new customers that have come on board?
Yeah.
So I don't think it's actually changed at all what my role looks like.
but it has certainly changed the pressures that come along with the levels of AUC that we're dealing with now
at Coinbase. Our AUC has always been high, but it's certainly gone up measurably since we've
become, what I would say is the custodian of choice for these ETFs. First of all, I want to say,
it's amazing that we're the custodian of choice. And I think that really demonstrates our
commitment to being the most trusted name in crypto. That's something that I'm very passionate about.
Brian is passionate about it. Everyone up and down the executive committee is super passionate about it.
I really do think that that dedication to security is what makes us the obvious choice when a
company is looking for a custodian partner as it relates to their Bitcoin ETF that they may be
launching.
So I would say a couple of things that have affected our security program.
One, obviously, nation state actors and other threat actors have always been very interested
in Coinbase and they're even more interested in us now.
What does that mean?
we are being extra diligent about who we hire, being obviously concerned about insider threat,
people being planted within our environment, they can potentially do the company harm.
Every company, particularly those in the defense industrial base or the dib, as we call it,
in the inner circles, they've always been concerned about that.
Financial services has become concerned about that in the last, I would say, 10 or 15 years,
and that's certainly on our radar here at Coinbase.
It doesn't make us unique, but it certainly is something that we're extra focused on now,
given the levels of exposure around the ETS. So that's one area. The second area is really understanding our
adversaries and how they're attacking us and understanding how we can implement sort of leapfrog controls
within our environment. As an example, we've experienced a lot of social engineering type situations
over the last several years where our help desk, our customers, you know, social engineering is a
great way to gain access to a company. We've seen it with, not to get too geeky with you in the cyberspace,
but like scattered spider, octopus, you know, these cool names that these security companies come up with
for groups that target companies like Octa, like telco providers, Coinbase, all kinds of companies
in an attempt to gain a foothold. We saw a situation where we knew we were being targeted.
We saw that targeting ratcheting up and we made the decision to eliminate duo push as a two-factor
authentication mechanism. So no longer does it just beep on my phone when somebody's trying to try and log in and I say,
okay. I actually have to have a physical token now to log into Coinbase. Slightly less convenient,
but it's impossible to fish, almost impossible to fish that. So we're continuously evaluating
the control ecosystem against the threats and trying to leapfrog what we expect to see from
an attack vector perspective to keep our customers safe and of course to protect all the AUC that's
on deposit here at Coinbase. Every time I speak with a cybersecurity person and they mention a
vulnerability like the one you just mentioned with the duo push, I always get
worried about the places where I use those products. So that's good to know.
I can help you with that. If you want a five-minute tutorial, I can tell you how to prevent that
from being a problem for you. Well, you'd be surprised how many large entities still use that,
which is kind of scary. You know, Matt, one of the things I tell people is on the social
engineering front, everyone can be social engineered. If you think you can't be,
you don't know what you're talking about. You are the problem because everyone can be
social engineered in the right set of circumstances. And so as a C-So, as a security professional,
I need to account for that. None of this. Oh, no, that could never happen to me. You're stupid if that
happens to you. No, you're stupid if you think that couldn't happen to you because in the right
set of circumstances, I guarantee it could. So it's a scary world. Well, that's a great dovetail
into where I want to go next, which is you guys are taking all of these precautions, but the user is
ultimately a big attack factor here. And so just the things that people that use your platform are doing. And so
how do you think about the biggest risks to just the everyday retail Coinbase user and the things
that they should be thinking about in terms of protecting themselves? Absolutely. Every time I get
a chance to speak directly to our customers, and I will bet you that there will be Coinbase customers
listening to this podcast. So I'll speak to them directly for a second. Coinbase offers a wide
variety of authentication technologies. The vast majority of our users continue to use SMS-based
multi-factor authentication. That's where it texts you a code. You put that text code into the website
and you are granted access to your Coinbase account. That is certainly better than a username and a
password, but it is also the weakest form of multi-factor authentication that's out there.
I strongly encourage everyone if you have any level of assets on our platform to at least use
time-based one-time password tools such as Google Authenticator, get the mobile carriers out of the
equation of getting those codes. I want that code coming up directly on your phone where only you
can see it. Another step up from that would be to use a pass key. Let's get rid of passwords altogether.
And I think we're just starting to launch this on Coinbase.com. If not, it's coming soon.
But let's get rid of the passwords altogether. Let's use a pass key to grant access to your account.
Even the best case, though, if you're a customer and you have large volumes of assets available on
Coinbase. So lots of Bitcoin, lots of ether, it's really meaningful to you as an investor and in
your professional world, please use a Ubikee, a physical token to gain access to your Coinbase account.
That will save you from 99% of phishing attacks and social engineering attacks out there.
We track our users by the type of authentication that they're using, how many account takeovers
or ATOs that we see. Once you get to the users that are using physical tokens, the number of
ATOs that we see is precipitously low. It's almost zero. So I encourage folks,
please use the strongest form of authentication available at Coinbase. Then I would take it a step
further, Matt, your Gmail account, the account that you use as sort of the basis of your
other accounts, look at your multi-factor authentication schema there. Because if I get access to your
Gmail, what does that do for me in terms of being able to unlock your personal ecosystem of
finance? It does a lot.
So enable a Ubikee there, enable a hardware-based authentication solution there as well.
That gives you multiple layers of protection for Coinbase and your other financial providers.
You said so many interesting things in that answer that I'd love to dig into.
The first is around SMS two-factor authentication and the role of the carriers and some of these
frankly bad things that have happened over the course of this industry.
It seems to me like this should be a national scandal.
I can't believe that we are still living in a world where this is happening with sim swapping.
So what is kind of the fundamental issue with the carriers here?
And why is this an unsolved problem still?
So I'm going to give you two really important data points on this.
One, forget the carriers.
The SMS standard as it was developed and instantiated was never intended to be a secure
standard for communication.
That's not how it was designed.
It was designed for me to say, hey, Matt, what's up?
Where are we having lunch today?
It was not designed to say, hey, I'd like access to millions of
of assets. Okay, cool, I'll do that securely for you. It was never designed that way. I do
interface with some of my peers at some of the large teleco providers that are out there. And I think
the vast majority of them would agree, they don't want to be involved in that. Of course, they can't
control how their SMS networks are used, but they don't want SNS to be used in the way that it has
been used, unfortunately, across the cybersecurity industry. So I think that's answer number one.
Answer number two is remember back in the day when if you change your cell phone provider or any of your phone providers, you lost your phone number.
Like you just didn't get to speak with you.
And then the government came along and passed something called, I think, the Portability Act.
I forget the exact name, but it was a law or it may have been an FCC regulatory action.
I don't remember which one that made it such that carriers were required to make phone numbers portable.
And as a result, it's much easier to port phones, phone numbers, even from one carrier.
to another. They've implemented multiple things like pin numbers and things like that that they can use
to protect your phone. But the reality is consumers demand the ability to go into a Verizon store or
T-Mobile store or AT&T store or whichever you're a carrier of choice and say, I'd like a new phone.
Turn it in. They give you a $50 credit. You get your new phone and it's working before you walk out
the door. If you can do that, you can sim swap. So it's a combination of what consumers are demanding,
the regulations require and the fact that the protocol is just inherently so insecure in the first
place. It just makes it very poorly suited for, unfortunately, the way a lot of companies are forced
to use it, which is SMS as a multifactor form of authentication. I guess it wouldn't be an issue
if everyone just had a ubiquit or everyone had a personal signing device, but we don't really live
in the world. Those devices cost money. It's 30 bucks or something like that for a ubiquit. I'm just using
them as one example. There are a number of U2F tokens that you can choose from. But for example,
Google Authenticators free.
Anybody can download that.
There's a number of free TOTP solutions that are out there that are available that use the FIDO
standards that are widely published and used across different security-minded organizations
that you can use for free.
Consumer adoption is hard, Matt.
It's hard to get people to change the way they do things.
That's one of the most challenging things in security.
We often say users are the weakest link in the security chain.
And that is unfortunately a lot of times true because people get comfortable with a way of
interacting with technology and they don't want to change. I understand that, but at the same time,
I am always encouraging our customers use the strongest form of authentication available in every
case. It's just ultimately better. And I think ultimately, as the technologies improve, it's going to
be more and more convenient to do that as well. Well, one area where the technology obviously has
improved is on pass keys. And so you guys have rolled that out. And the user experience, let's say,
is pretty delightful. It's a lot better from what I remember. Like a couple of years ago, the user
lows that looked a lot different. So could you maybe talk a little bit about just how past keys
work and how you see this factoring into the way that you guys approach security?
Sure, absolutely. So a pass key, think of it as a, and I'm going to use cryptographers and
real hardcore security folks will cringe at this analogy, but think of it as a cryptographic
key that's stored on your local device. And in most cases, for example, on a modern laptop or a
phone, it's stored in the hardware security chip on the device itself. So it may be stored in
your Google account, your Apple account, but it's also loaded for day-to-day use into that hardware
module on your phone. And when you try and interface with a website that uses a pass key,
it's going to present to you a challenge that it expects you to sign with that cryptographic
key that's on your local device. And then it's passed over to the server. The server can determine
immediately whether the actual secret key was used to sign that or not. If it was,
then it goes ahead and allows the connection because it can confirm that not only that you,
you're Matt Walsh, but that you're Matt Walsh using your iPhone or your Android device or your PC
or whatever it may be, and you have access to that past key material, and you've unlocked
your device to enable that to work. So it can confirm all of that from one single exchange.
Note that exchange does not require you to enter in a password. And so that is super important
because that password piece is where this exposure to fishing comes into play. So for example,
let's use the most common scenario for a bad actor harvesting credentials from someone.
Matt, I'm going to blow up your phone with text messages saying, hey, I'm bank of X.
I'm just going to make up a bank.
And we see unauthorized transfers.
We know you're a customer.
Please log in and confirm these transactions.
There's a login link.
And it's like Bank of X dash account dash security.com or something like that, right?
And you click on that.
And it comes up.
It looks exactly like your bank.
And what do you do?
you put in your credentials and bam, you just got fished because that was a malicious domain.
Now let's imagine that you're using a pass key and you go to Bank of X.
You click on that link and it takes you to this website.
Your browser is going to go, yeah, no.
This pass key is not going to be used here.
It's never going to even try and use that pass key to authenticate.
In fact, you're going to see a username and a login prompt probably and you're going to go,
what the heck is that?
I haven't used that in a couple years.
And you couldn't enter anything in there, even if you're going to see.
you wanted to. So it takes away from the adversaries the most common attack pattern that they have.
Now, it's not perfect. If I have an insecure device, an old Android device, a laptop or a
PC that doesn't have a trusted processing model, I believe it's TPM on it, that hardware security
module on it, and I completely take over your device and I steal that pass key. Well, that's not good.
But think about it. That increases the cost to an adversary. They now have to,
have to catch you on an insecure device, completely compromise your device, claw out your
pass key in order to attempt to then use unauthorized activity on your accounts. That is so much
harder than just sending you a couple text messages and sending up a simple little website.
So what we're doing with these types of technologies is we're making it easier on the customer
and making it harder on the adversaries. And that's our objective whenever we were all at any
security control. So I've heard the objections, oh, it's not perfect. You can still steal the
key in certain circumstances. I'm like, well, sure you can. It's not perfect, but it's so much better
than what we're doing right now that by God, everybody ought to be doing it, in my opinion.
And I'm sure in 10 years and five years, there'll be even better solutions, but this is definitely
a step in the right direction, and I'm really excited about it. And I would just say that it's actually
a better user experience, too. So it feels like a more seamless way to access Coinbase.
It's a way better user experience. A hundred percent agree with you on that. Yeah.
So you guys probably get a lot of inbound from customers that are saying things like, I think,
I just clicked on a malicious link, what do I do? I want to make sure that nothing happens.
How do you generally think about diagnosing the situation when someone actually has gone through
that process and clicked on a link and maybe put in their bank account details to some
nefarious website? Yeah, so I'll answer in general first, and then I'll answer for Coinbase
specifically because I can't speak to the controls of imaginary bank. I was just using it as an example.
I can speak to Coinbase controls and what you would want to do here. So in general, if you had
believe that you've put your username and probably your email address is your username and your
password into a fraudulent website. There's two things you need to do right away. First is they were
probably impersonating Bank of X or some financial institution. You need to immediately log in to
that account and change that password, scrub your transactions, make sure everything is okay.
That's the first thing that you need to do. Immediately take that action. The second thing that you
need to do is you need to think hard about that password. Have you used it and, you've used it,
anywhere else. Because unfortunately, people do use the same password or some very small iteration
of the same password over and over and over again. That is very dangerous because once your
credentials are exposed, they are put into these what we call combo lists on the dark web,
which is here's a person's name, here's their physical address, here's their email address,
here's their phone number, here's the passwords they use. They literally will add that into that
repository, and they'll use that to grind against every financial institution, every online
service that's out there, they're just going to start guessing that credential pair. And if they find a
hit, they're going to exploit that to the maximum extent possible. So that's the second thing you need
to do as a user. Think through where have you used that credential before, and anywhere that you've
used that credential, you need to change it immediately. So for Coinbase specifically,
obviously you're going to do all those things as well. But for Coinbase specifically,
we have a number of services that you can find through our online help forums that will allow you
to rapidly secure and lock your account. Once your account is secured, it means it's completely
shut down. We will lock any outbound transfers, will prevent anybody from logging in. The only thing
I would say is sometimes those features are actually part of the fishing campaign. In other words,
I will say, oh my gosh, Matt, you've been compromised. Someone's in your Coinbase account. Here's the links
to secure your account.
Don't click on those links, Matt.
Don't click on those links, right?
Go to coinbase.com,
independently in your browser
or pull up Coinbase's app
and do all of your activities that way.
There you can lock your account
and things like that.
You can do all those take hold of those actions from there.
But I would say that is a concern.
Any control or option that we put out there like that
can often become part of the fishing campaign.
So we have those tools.
Just make sure you're using the real tools,
not something that someone else has set up
to look like the real tools.
That makes a ton of sense.
One of the things that you talked about was just the insider threat.
And obviously, this has been in the news quite a bit over the past few weeks with the high
profile incident at Google.
So I'm curious just how you think about this from a modeling the architecture of the organization.
Do you almost have to assume that there's an infiltration and then just build your scaffolding
accordingly to make sure that it's not exposed to just one actor?
Yeah.
Unfortunately, I do think that any company that's truly security-minded,
you just have to assume that there may be either a malicious intentional insider or, frankly,
someone may become an accidental insider.
They may be operating under duress.
They may be do something that they shouldn't do and without really thinking about it because
they're being social engineered or who knows what.
So I think that we have to work under the assumption that every company could have an insider
at any point.
So how do we deal with that here at Coinbase?
we take the safety and control of assets extremely seriously here at Coinbase.
In order to gain access to funds, to be able to gain access to functions that would allow for
the exfiltration of Coinbase or customer funds, there is an incredibly rigorous amount of
control that's required in order to gain that level of access.
Almost no individual has access to that.
You need to get your manager to approve, sometimes multiple layers of
management to approve to get access to those functions within the company.
So those are some of the most protected services that we have internal to the company.
And we establish an environment where no one has sort of standing access to those types of
functions. Now, those functions would only allow you to operate on customer accounts and
various things. Sometimes you do have to go in and make changes to customer accounts, right?
But the impact of that is somewhat limited to a subset of customers. So we could see losses
if we had a bad actor there, but they would be limited. We would be limited to a handful
of customer accounts before we would catch that and shut it off. The real trick with cryptocurrency
is maintaining control of the keys, the keys to our omnibus wallets, which is where those ETFs,
or the bitcoins that we hold for those ETFs are stored. And there we have an incredibly rigorous
control environment. Our cold wallets, for example, we have a whole ceremony that we run to generate
those cold wallet secrets, to generate those cold wallets, I should say, those wallets, those wallets
and those secrets are then sharded amongst various different shards.
They're broken up.
And at no point do all of those come together,
except under the control of very rigorous ceremony.
We call it a key ceremony that we run.
Well, we will bring, I'm not even against the details,
certain people together that are known by a very limited number of people
who can come together with some of that key material, rehydrate it,
then we're able to reconstitute a cold wallet,
make moves in and out of those cold wallets,
in a way that's very, very safe and secure. But the amount of rigor that then controls that we have
around our wallets is such that there is no one, two, or three, or four people who could do it.
It would require a vast conspiracy of individuals, and that's the way we like it,
because the probability of that happening at a place like Coinbase is very, very low.
One of the cool things to dovetail onto that ETF point that you made is you have at least one
issue where Bitwise, who's a portfolio company of ours, that's actually pretty pretty
the wallets in partnership with you to prove that the Bitcoin are actually in the account.
So I guess that's an added level of security for an investor to just view,
okay, I'm investing in this product. And here's the actual wallet address at Coinbase.
And yes, the funds are still there. So that was a pretty cool initiative.
That's the beauty of blockchain. It's all public. So if you know the wallet address,
you can always check and monitor it in real time. You can see in near real time what's happening
with the assets. So it is a powerful thing about these L1 and L2 networks that are available
out there, very powerful. One of the other really interesting things about this industry is just the
amount of open source developers and just people in the ecosystem that are finding some of these
issues. And I know you guys have a bug bounty program. So maybe talk a little bit about how you
see the role of just pulling others into this infrastructure of identifying threats.
Yeah. So you touched on two topics there, open source and bug bounty. We are big fans of open source.
We support the open source community here at Coinbase. We have sponsored and launched several
open source programs. So clearly something that we're invested in. I think when you can get the best
and brightest developers from across the world to work on a software product, ultimately you get
better and more secure results. I firmly believe that as to see so. And I think that the company's
leadership is also very on board with that perspective. When it comes to bug bounty programs,
another thing I'm a huge fan of. So we partner with a company called Hacker One. And what that lets us do
is have a small army, as I call it, of white hat hackers who sign up are members of this platform
who are continuously assessing our entire ecosystem of services and products.
So every minute of every day, I'll bet you there is some hacker one researcher out there
poking away at our infrastructure, looking at new product launches, looking at account recovery
flows, looking at all the things that could generate risk for a company like Coinbase.
They know it, we know what they are, and they really do hone in and focus on those things.
And I'm happy to say that we have a great relationship with our Hacker One community.
We regularly give shoutouts to our lead reporters, and we regularly make payments as appropriate,
depending on the severity, when one of them does find a security bug.
We want our white hats to find those before any adversary would report them in an ethical way,
and we're happy to reward them for doing so.
So I see it as a real win-win.
It brings the broader community in to the security program that we run here.
It allows them to work on our behalf and it allows us to reward them for that great work that they do.
It's got to be especially relevant this year where you probably have something like 50 to 100 net new L1s and L2's launching.
And I'm sure you guys are looking at all of them and trying to figure out how do we interface with these, whether on the wallet or in the custody setup,
is just having more sets of eyes on some of these open source platforms is probably very helpful.
Yeah, that's right. You can't have too many eyes on a new product launch. You just can't.
So let's think about this for a minute.
A lot of people think about whitehead hackers.
They think about, oh, they're going to try and break into your servers, your websites, things
like that.
What about smart contracts?
Now we've got a whole new layer of code that needs to be reviewed and needs to be looked at.
So we're encouraging our community, our Hacker One community, to get smart on smart contracts,
because I believe firmly that as the Web 3 on-chain world continues to grow,
more and more capabilities, more and more services are going to be.
be offered on chain. More and more people are going to be on chain, and those on chain activities
are going to be governed by smart contracts published on these blockchains. We need eyes on those.
So if we have any hacker one folks listening, bone up on smart contracts, start looking at those
because that's the next frontier for us. And I think about that a lot through the venture capital
lenses. We'll probably just see some very consequential companies emerge really looking at some of
these open source platforms and really deeply understanding them from a security perspective.
It seems like a space where we need more talent, not less.
Agreed.
So, Jeff, this has been great.
I think you've done a great job breaking down some of the things that users should be aware of,
certainly customers should be aware of.
What can we expect to see from Coinbase over the next couple of months here from your perspective?
Well, you should expect to see our platforms continue to be the most trusted platforms that
are out there for new traders, for existing traders, for institutions to come and invest.
One of the things that we're doing over the next couple of months is we're doubling down.
We're investing more in cybersecurity.
We're bringing in more talent to make sure that we can retain that name as the most trusted
name in crypto.
That's so important to our brand.
It's so important to our customers.
And that's what people can expect to see.
Now, from the product side of the house, we have a lot of really exciting things coming up.
I am not authorized to release those here, unfortunately, and I'm a security guy.
So I'll stick to talking about the controls and the investments that we're making from a
cybersecurity perspective.
Totally understood.
Well, Jeff, this has been great.
Thanks for talking about some of these critical issues.
and hopefully everyone takes some of your advice here on how to ensure that they're interacting
with not only Coinbase but with public blockchains in a really safe way. So thanks again for
coming on the podcast. Awesome. Thanks for having me.
Thanks for listening to another episode of On the Brink with Castle Island. To find out more about
Castle Island, visit castle island. Visit castle island.vc. To listen to all of our podcast episodes,
please go to On the brink dashpodcast.com or just click on the tab in our website. Thanks for listening.
Thank you.
