Philip Martin
@SecurityGuyPhil
Followers: 6K · Following: 210 · Media: 2 · Statuses: 208
CSO @ Coinbase. Army Veteran. Maker of delicious smoked meats and baked goods.
San Francisco, CA
Joined October 2014
My team is hiring! I’ve just opened 8 new roles, including for application security testers and red teaming & adversary emulation. If you have a passion for securing the world’s most important organizations and want to be a part of a team with amazing culture, great benefits, and
11
43
98
Scams are a scourge, and education is one of the most important tools we have. Maybe *you* already know everything there is to know about scams, but do your friends and family? My ask: share this video with at least one person in your life that might be vulnerable.
We’re proud to announce the Tech Against Scams coalition. Scams are a tech-wide issue and require an industry-wide response. Together with industry leaders, we're committed to protecting and educating users. Learn More→ https://t.co/3w8gfEUFZr
11
4
27
Only scammers demand you pay only with gift cards. Only scammers demand you pay only with Zelle. How about instead: “Only scammers pressure you to do things before you understand them”? If in doubt, take a beat, talk to a friend, be skeptical.
Only scammers demand you pay only with crypto. Learn more at https://t.co/vm4JhXHqJe
5
2
20
Excited to chat with @teddyfuse and @hongkim__ about how Coinbase does institutional grade custody!
Tune in Friday at 2:30pm ET for a discussion of custody of bitcoin in ETFs with Bitwise President (@teddyfuse), CTO (@hongkim__), and Coinbase’s Chief Security Officer (@SecurityGuyPhil)
3
3
16
hey @GaryGensler and @SECGov, serious offer: as a crypto exchange we've had a lot of experience with security protocols around social media, and as a veteran and patriot I love to help my country. If you'd like any suggestions feel free to reach out.
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
29
76
924
Check out a new in-depth look at the Euler exploit coming out of our Unit 0x team. Part one (looking at the exploit) is below, part two coming early next week! https://t.co/3TigRyngFm
0
5
16
10/ They may also cherry pick cold storage addresses and ask us to restore those if they didn’t see enough cold storage activity in a given period…but you all tend to keep us busy enough that we haven’t needed to go there.
0
0
12
9/ Come audit time, the auditors verify the controls are functioning as intended, verify the signed messages and review cold restores over the audit period to make sure we moved enough funds over time to provide appropriate assurance.
1
0
5
8/ In short: at key generation time, we sign a message with the private key, allowing us to prove we generated it. We then exhaustively define our cold storage system controls so auditors can test those controls (e.g. all cold storage keys are backed up before being put into use).
1
0
6
7/ You may be wondering why Coinbase doesn’t move all funds on-chain every year. Well, we’ve built systems and processes that allow our auditors to assess control over keys without that and then they can randomly sample just a small subset of addresses each year.
2
1
9
6/ Even arbitrary text-only payloads would be an interesting loophole to try to exploit.
1
0
3
5/ Second, I would consider it bad practice to build a high security asset storage system with a mode that allows for arbitrary serialized payloads to be signed. That would be a function begging for abuse by an attacker.
1
0
7
4/ This is important because there is nothing auditors hate more than custom processes. It leads to the potential for gaps, which can call into question the entire audit. So auditors will always look for the lowest common denominator for their audit procedures.
1
0
7
3/ First, assets have different serialization methods and not all assets have a built-in message signing capability. So in order to sign messages you’d need to implement custom code for assets that don’t have that function.
1
0
7
2/ At scale, differences in listed assets really start to drag on you in a bunch of ways. One of the ways is audit procedures. While in theory you can sign a message with any private key, there are some practical blockers to that.
1
0
5
1/ First off, I have a lot of sympathy for everyone involved in the current situation with FTX - it's stressful any time there is potential for customer loss.
571
2K
11K
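The control described in the thread above (sign a fixed message at key-generation time, let auditors verify the signatures, refuse to sign arbitrary payloads, and sample a subset of addresses for restore tests) as an added example in Go; this is not Coinbase's or the author's own code. It assumes Ed25519 purely because it is in Go's standard library (real chains use other curves and serialization formats, which is exactly the friction tweet 3/ describes), and the attestation message format, function names and timestamp are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ProofOfControl is the artefact handed to auditors at key-generation time:
// the public key, the fixed-format attestation message and its signature.
// The private key itself never leaves the key-generation environment.
type ProofOfControl struct {
	PublicKey ed25519.PublicKey
	Message   []byte
	Signature []byte
}

// attestationMessage builds the one text-only message a cold-storage key is
// allowed to sign outside of a transaction. The format is an assumption for
// this example; it binds the statement to the public key and a generation time
// so a proof for one key cannot be replayed for another.
func attestationMessage(pub ed25519.PublicKey, generatedAt time.Time) []byte {
	return []byte(fmt.Sprintf("cold-storage-key-attestation|pubkey=%s|generated=%s",
		hex.EncodeToString(pub), generatedAt.UTC().Format(time.RFC3339)))
}

// GenerateWithProof generates a key pair and signs the attestation message
// before the key is put into use. The private key stays with the custodian;
// only the proof is shared with auditors.
func GenerateWithProof(generatedAt time.Time) (ed25519.PrivateKey, ProofOfControl, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, ProofOfControl{}, fmt.Errorf("key generation: %w", err)
	}
	msg := attestationMessage(pub, generatedAt)
	return priv, ProofOfControl{PublicKey: pub, Message: msg, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyProof is the auditor-side check. It rebuilds the expected attestation
// from the public key and the recorded generation time and requires an exact
// match, so a proof carrying any other payload is rejected before the
// signature is even looked at; then it verifies the signature itself.
func VerifyProof(p ProofOfControl, generatedAt time.Time) bool {
	if len(p.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	if !bytes.Equal(p.Message, attestationMessage(p.PublicKey, generatedAt)) {
		return false
	}
	return ed25519.Verify(p.PublicKey, p.Message, p.Signature)
}

// SampleForRestore picks n distinct addresses uniformly at random for the
// auditor's cold-restore test (the sampling step in tweet 7/), using the
// OS CSPRNG so the custodian cannot predict which addresses are chosen.
func SampleForRestore(addresses []string, n int) ([]string, error) {
	pool := append([]string(nil), addresses...)
	if n > len(pool) {
		n = len(pool)
	}
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(pool))))
		if err != nil {
			return nil, err
		}
		j := int(idx.Int64())
		out = append(out, pool[j])
		pool = append(pool[:j], pool[j+1:]...)
	}
	return out, nil
}

func main() {
	generatedAt := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed timestamp
	priv, proof, err := GenerateWithProof(generatedAt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("message:   %s\n", proof.Message)
	fmt.Printf("signature: %s\n", hex.EncodeToString(proof.Signature))
	fmt.Println("auditor verifies proof:", VerifyProof(proof, generatedAt))

	// A correctly signed but arbitrary payload is still rejected by the auditor
	// check: the signing mode is restricted to the one attestation format.
	arbitrary := proof
	arbitrary.Message = []byte("some other serialized payload")
	arbitrary.Signature = ed25519.Sign(priv, arbitrary.Message)
	fmt.Println("arbitrary payload accepted:", VerifyProof(arbitrary, generatedAt))

	sample, _ := SampleForRestore([]string{"addr-1", "addr-2", "addr-3", "addr-4", "addr-5"}, 2)
	fmt.Println("addresses sampled for restore:", sample)
}
```

The exact-match check in VerifyProof is the defensive point from tweets 5/ and 6/: the only thing the key ever signs outside a transaction is one rigid text attestation, so there is no "sign whatever bytes you give me" mode for anyone to lean on. Everything else the thread relies on, such as backing keys up before use and periodically restoring sampled cold addresses, lives in process controls that this code cannot show.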
Really excited for this! Introducing Coinbase Security Prompt — a safer and easier way of signing into Coinbase by @coinbase
0
5
44
I’m not much of a TV guy, but just saw this spot from our marketing team and it was too good not to share. In crypto winters it’s important to find your reasons to be calm… https://t.co/5pB6RNEPpA
0
2
21
7/ You can find more details in our updated blog post here:
coinbase.com
TLDR: We review assets as thoroughly and quickly as possible, and list everything that we can safely and legally. But there is always more we can do to improve our asset listing process.
3
7
41