Narrator
A cryptocurrency exchange is a digital platform that allows users to buy, sell and trade cryptocurrencies. These exchanges face unique security challenges that require specialized threat assessments and planning. Coinbase is a US-based cryptocurrency exchange that was founded in 2012 and has evolved alongside cryptocurrency as a technology. Philip Martin is the Chief Security Officer at Coinbase. Prior to Coinbase, Philip built and led the incident response and security engineering teams at Palantir and was a U.S. Army counterintelligence agent and Arabic linguist. In this episode, Philip joins the podcast with Gregor Vand to talk about his career and security at Coinbase. Gregor Vand is a security-focused technologist and is the founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile@vandhk.
Gregor Vand
Hi Philip, welcome to Software Engineering Daily.
Philip Martin
Hey Gregor, it's great to be here.
Gregor Vand
Yeah, Philip, thank you so much for joining us today. You are the Chief Security Officer at Coinbase. So we're going to be hearing all about financial security, obviously around cryptocurrencies. First of all, we're going to be hearing a bit more about what you did before Coinbase. So what is kind of your path to Coinbase, and how did you get into this industry at all?
Philip Martin
Sure, that goes way back really. I knew I wanted to be a security practitioner when I was still in high school, so I taught myself to code in my parents' proverbial basement. My parents don't have a basement, didn't have a basement, but taught myself to code in high school. This is back in the 90s and started doing web design for local companies, had a good time, taught myself C, Perl, JavaScript, et cetera, and then ended up going to San Jose State for a bit for computer science. Dropped out because it was incredibly boring and joined a startup at the time, it's called Cobalt Networks, that was building Linux-based appliances for small to medium-sized businesses, large workgroups within larger businesses, things like that. Really pretty ahead of its time, but got through some pretty cool stuff there working on IPsec and other features of that device. And from there we got acquired by Sun Microsystems at the time, which was a behemoth, right? It was, I don't even know, call it 50,000 people globally at the time, and got to do some really interesting work around the Linux kernel, getting some of Sun's hardware working with Linux, which at the time was unheard of, and got really bored of that, quite frankly. These huge behemoth organizations, it's stereotypical, going to meetings about meetings to then hold the meeting about the issue, as opposed to just moving ahead and fixing something. And so I left Sun and made the obvious next step of going into the military, where I focused on, really, this was more about being a little bit burned out on computers and software engineering than anything else. But when I went in it was like, okay, what do you want to do? Well, what has as little to do with computers as possible that also isn't the infantry? And they're like, this counterintelligence thing. You should do that. It's all about people. And that's totally true. It is all about people.
And it taught me a lot about how to really interact with people, how to work with other human beings who are either like or not like myself. Great experience. Got to see a bunch of cool missions, do a bunch of cool things. And the process really rekindled my love for security in particular. So I left the military and then went to work for Amazon, which, like, fascinating technology challenges at Amazon. For me, the mission didn't really resonate. I wasn't super excited about what we were doing in the world. So I left Amazon, went to Palantir, where a friend of mine who I'd served with was working at the time, and absolutely loved it. The mission was there, the technology challenges were there. It was a small 300-person or so company at the time, so lots of agility and ability to sort of move outside of my defined box. And then my boss left and I wasn't really excited about. I didn't have like a, oh, here's my next step within Palantir, that was like, really exciting to me. And so I had met some of the folks at Coinbase previously. They were working on some really fascinating, I'm sure some of the challenges we'll end up talking about in this session. At the time, I didn't know much about cryptocurrency. Some of the other folks on my team at Palantir had gotten into mining really early. At the time, I told them something to the effect of that pretend Internet money is not really going to go anywhere. And I regret that decision quite a bit. Obviously, I was aware of it broadly. I hadn't really ever considered the security challenges inherent in a cryptocurrency or in running an exchange or custodian, or what a fundamental shift it was in assets and how one protects assets. But as I started to learn more and talk to the folks, I started to get really, really intrigued about both how critical security was and is to Coinbase.
It truly is the one existential threat I think the company has faced since the very first day it started, as well as how much work there was to build new things in furtherance of that goal. Because we protect, I don't remember what the last quarterly report number was, but hundreds of billions of dollars in cryptocurrency, but underneath that there are hundreds and hundreds of millions of private keys to be managed. And there are insane insider threat risks. When you can move money digitally in this way irrevocably, the human element of security becomes incredibly interesting and very, very difficult to control. The amount of money adversaries are willing to spend attacking us really is just proportional to the assets we have on platform. And so there's a very direct monetizable piece of the company at risk there. So we see attackers who are willing to spend a lot of effort and time and money and focus attacking not just Coinbase, but really everybody in the cryptocurrency ecosystem across the entire chain, all the way from the end user to the exchange to the custodian to the software infrastructure that's supporting those things. Software supply chain attacks are fascinating in crypto. They actually happen, right, outside of nation-state-sponsored hacking activities. So that, for me, was just catnip. And I've been at Coinbase, it'll be nine years in April, and really, honestly, people ask, how have you stayed at one company that long? Coinbase has not been the same company the entire time. Right. It's gone through a number of evolutions, as any organization like this would. But at the end of the day, for me, it's been that consistent presence of significant security engineering challenges in an environment where failure really matters that has been a recipe for something that I just cannot get enough of.
Gregor Vand
Yeah, that's awesome. I mean, I like the kind of theme, I guess, just throughout: when you did actually get bored, you made a switch. And I think a lot of people don't maybe do that enough. I mean, it's not to say jump around, but it is sort of. I like that you completely did a hard left when you went from technology into intelligence and then brought them back together. And obviously, as you call out, you've been at Coinbase now nine years and clearly there's still an intellectual challenge there for you, which is great to see. So I mean, you've kind of touched on it there. But again, just in case any listeners are not aware, just a sort of very, very brief: what is Coinbase?
Philip Martin
That's a fascinating question. So for the vast majority of people out there, you experience Coinbase as one of two things. You experience Coinbase as Coinbase.com, which is a retail brokerage. That's what we would call that. Right? Similar to your pickup brokerage, your Schwab account or Fidelity or E*Trade or whatever, where we provide the access and tools to buy, sell, trade, store, transmit cryptocurrency. Now there's more than that, there's also staking, there's a bunch of other stuff. We'll just keep it simple to start with there. So it's either that or they're a customer of Coinbase Wallet, which is our self-custody mobile app that allows consumers to do all those same things with cryptocurrency, but without using Coinbase as an intermediary. You can go transfer, trade on things like DEXes and similar things. You can do all of that, but not having to depend on a third party to store and facilitate those transactions.
Gregor Vand
Got it. I don't have a huge relationship to crypto, and it probably is because I got there very early and used a different exchange that fell over very fast, and that was the end of that. So I think what's going to be a theme throughout today is the fact that Coinbase is such an established exchange, and I think that runs throughout a lot of it. If you go to coinbase.com, et cetera, it's all about "we are the most secure, the most established exchange."
Philip Martin
Now I should note we're way more than that. We do a bunch of stuff on the institutional side or on prime brokerage. We have a qualified custodian, we're into derivatives trading. There's a bunch of other pieces to the puzzle, but for the vast majority of users, that's their relationship with us.
Gregor Vand
So now we understand, at least at a very high level, what Coinbase is. You came from, I mean, ultimately you came from tech and then sort of what we might call traditional intelligence, and now into crypto security. What mental models or frameworks did you have to actually rethink when you came from, I would say, traditional intelligence into Coinbase?
Philip Martin
I'm not sure if it's rethinking so much as putting the proper context. Right. Perhaps that's a distinction without a difference, but I think that I actually took quite a lot from how the government, for example, thinks about designing systems that protect classified information to how we think about building systems that protect cryptocurrency. From a system design perspective, there's a lot similar in the way that I think about those two things, because the problem space is actually almost the same. When you think about what's the problem space for crypto, it's, well, I have all this value that at its core is tied to, not a short string of digits, but not a huge one either. Right. Something that if you could, you know, if you could memorize 20 digits at a time, you could smuggle a key out of a place. If you could see it, memorize it, you do it piece by piece, whatever, right. Not dissimilar from the classified data problem. Right. What you're actually trying to protect is something that can be in someone's brain. When we think about protecting cryptocurrency in that way, we think a lot about. Not to jump around analogies here, but I will anyway. We think a lot about that, just sort of like radioactive material, right. How do you safely manipulate radioactive material? Well, you don't. You build tools to manipulate it. Right. So it can be at arm's reach and you can be protected from it. You're not exposed to it, or exposed as little as humanly possible. It's a very, very similar philosophy that we would take, or we do take, in thinking about how we design systems, those core systems that touch private keys, in a very, very similar way. I also think that, again, from that design perspective, very firmly embedded in our design process is that people shouldn't be trusted individually. Right.
We want to see system design where it really does require a conspiracy for things to go intentionally wrong, because conspiracies among humans can be fragile things. We want to introduce that additional risk into what a bad actor would have to do in order to cause bad things to happen. So lots of stuff like that, where I think there are actually a huge number of parallels in how we think about secure systems design.
Gregor Vand
Yeah, makes a lot of sense. I mean, when you were talking about your time in the military and you were saying it was all about humans, and at the end of the day, security basically is humans. It just so happens that there's this sort of interface that we all use called a computer and Internet, et cetera, but it's ultimately humans, and what can a human figure out versus another one?
Philip Martin
I think that's very, very true. And I think it's an element of security that you can't overemphasize. And I'm not talking, when I say that, some people think, oh, security training or whatever. And sure, fine, right. Educating the human about the risks is a component of good security, but more about understanding how humans are going to interact with the system. More about the understanding that the vast majority of humans that use the system that you're building don't actually care about the security or insecurity of that system. They care about getting their work done for that day. And so that's their incentive. And instead of sitting here and trying to say, well, no, I'm going to make them care about security, I think people should sit there and say, how can I make the fastest path to that human getting what they want to get done done, the one that takes them through the most secure path? How can I make security the feature that they want in this system design? And I think we think about that a lot as we think about building security systems in Coinbase. And of course there's some amount of fiat about you must use this or you must do that. You can never get away from that entirely. But I think at the same time, we spend a lot of time and effort thinking about, like, what roads do we need to pave for our engineers, for our, whoever it is, to get their work done in a way that is safe and secure, in a way that they are safe and secure, because they know that if they are, they're going to be faster and more efficient, more able to get their actual thing done that they care about. So it's. You could even call it sort of some security humility. Right. No one cares as much about system security as the security folks do. Let's just, like, say that and be done with it and ask ourselves, okay, great, what do they care about and how can we position ourselves so that we're delivering that to them in addition to security?
Gregor Vand
Yeah, I completely agree. I work in effectively email security, but I have to keep pointing out that email security is. It doesn't technically matter that a bad email lands in your inbox. It matters that the human interacts with the bad email. So to your point, it's around how can we always ensure that people are getting what they need to get done, but gracefully avoiding the bad stuff effectively?
Philip Martin
Absolutely.
Gregor Vand
That kind of brings us on to, because that's effectively phishing. So just talking about the kinds of attacks we might see at Coinbase, what would you say to the classic question: what's the most common kind of attack? And also, just how have attack types changed over the last four to five years?
Philip Martin
Yeah, I mean, Coinbase gets attacked the way every other company on the Internet gets attacked. We see the phishing, we see the web app attacks, we see all the same things that everyone else does. And I say a lot, people sometimes ask me, wow, Coinbase, the security must be so different. I'm like, it's absolutely not. It's fundamentally, ignore a couple of things on the back end that I'll talk about in a second, but it's fundamentally web app security at a large corporate enterprise. So you get all the same social engineering, phishing, perimeter stuff, web app stuff, we have vendors, so vendor third-party security, we have all the same attack types everyone else does. Now where it gets interesting is where we get into the cryptocurrency-specific stuff, because that creates a bunch of really interesting and unique security sort of threat surface for us. Everything from, hey, we're interacting with smart contracts, or actually in some cases, we're writing smart contracts. How do we write smart contracts in a way that is safe and secure? Which is a really interesting set of problems. I occasionally put it like this: what if you were able to travel back in time and pick up a C programmer from 1970, fast forward to 2025 now, and asked them to write a secure application? They couldn't possibly, right? Because whole classes of attacks have been invented that they would just have been unaware of, even as a state-of-the-art practitioner back then. Very, very similar problem in smart contract security is that whole classes of attacks are getting invented on a regular basis as people really explore the boundaries of the security of the language, of how the compilers operate, of how the underlying network processes the bytecode and the message types that are sent and all of this stuff together. It's changing, it's updating at a pace that is shocking. It shouldn't be shocking, not after nine years, but it still is sometimes shocking how quickly the space moves.
And so we have a whole team, a blockchain security team, that does nothing but work on the various pieces and parts of that. From smart contract security to protocol security, secure protocol design, to how we store and process private keys, the whole sort of ball of wax there. That is really the unique bit of how Coinbase sees attacks. The other unique bit, as I talked about before, is just how much is at stake for Coinbase. And so while we certainly see our share of, you know, spray-and-pray phishing that went to us and a billion of our closest friends, we also see some very, very targeted attacks that attackers clearly spent time and effort and money executing, which is really awesome from the perspective of a security professional.
Narrator
We've all been there. It's 3am and your phone blares, jolting you awake. Another alert. You scramble to troubleshoot, but the complexity of your microservices environment makes it nearly impossible to pinpoint the problem quickly. That's why Chronosphere is on a mission to help you take back control with Differential Diagnosis, a new distributed tracing feature that takes the guesswork out of troubleshooting. With just one click, DDX automatically analyzes all spans and dimensions related to a service, pinpointing the most likely cause of the issue. Don't let troubleshooting drag you into the early hours of the morning, just DDX it and resolve issues faster. Chronosphere was named a leader in the 2024 Gartner Magic Quadrant for Observability Platforms. At chronosphere.io/sed.
Gregor Vand
There were a couple of things: one I've heard of before, but one I hadn't. If I go to coinbase.com, there's obviously a lot on there about security, because educating users is of huge importance. There is a term, a "trust trading scam." What is that?
Philip Martin
So I say a lot, right? There are no new scams in the world. They're just sort of scams that have a different coat of paint on them. And so something like a trading scam is really sort of a confidence scam where a bad actor is, one way or another, and there are many sort of variations of this, convincing a victim that they are going to teach them how to trade crypto or clue them in on some great investment opportunity or whatever. The pitch varies quite a bit. And getting that victim to, in some way, shape or form, transfer money to either the attacker or an attacker-controlled address or wallet or something of that nature. And there are, like, look, there are as many scams as there are scammers, probably more out there. And so I think the really important thing that we focus on when we talk about scams, sort of two prongs to that. The first prong is, to your point, educating customers and potential victims out there, getting the information in front of them. Because what we see on our end is that educated folks, meaning folks who have heard about these scams before, who have some inkling of the shape of them and what they might sound like, are much less likely to be victims of those scams than people who are encountering them for the first time. That seems intuitive, but the data backs it up that that is actually true. And so we want to get in front of as many eyeballs as we can. Now, the hard thing about that is that scam details change. And they change not just over time, but they change in reaction to our education efforts and the different controls we put in place. And so when we talk about this stuff, what I talk about tends to be in fairly generic terms, right? I equate it a lot to sort of what I might call real-life security, or security advice people have heard growing up for ages. If it's too good to be true, it probably is.
That applies just as much online as it does in real life. There's the, hey, if you're being pressured into making a decision, if someone is pushing you to move faster than you're comfortable with, that's the moment when you take a beat, step back, ask yourself, talk to somebody. And the third thing is, like, financial decisions should not be secrets, right? If someone's telling you, hey, I need you to do this thing, but don't tell anyone about it. Don't talk to your trusted loved one, your brother, your mother, your father, whoever, right? Don't tell them about it. They're not going to understand. That should be a red flag for folks. And these are very common. In fact, in most scams, we'll see some combination of one or more of these tactics, whether it be pressure, isolation or what have you. And I encourage folks to not just educate themselves, but talk to their loved ones about this stuff and communicate these core concepts. One of the most fundamental things I talk about a lot is that it's almost independent. So almost anywhere I go to talk to people, people don't need to hear what I'm talking about. From a consumer protection standpoint, the audience is probably, like, I would bet your audience is in at least the top quartile, right, of educated, educated meaning aware of online scams, folks out there, which, great, I'm very happy for that. But the folks that need to hear what I'm saying are not listening to Software Engineering Daily. They're not reading the Coinbase blog, they're not attending Ripple's Swell conference in Miami. They are watching Good Morning America, they're reading the AARP magazine, they're in other venues and consuming media differently. And so two things. One, we do a lot of work to try to get out in those media channels too.
But, and this is, you know, if I could encourage your audience to do one thing walking out of this, one thing that will improve security for everybody, it is have a conversation with one person you know who you think might be at risk for being scammed online. You know somebody, I promise you, right? A cousin, an aunt, an uncle, a neighbor, a friend from a social group, whatever it is. There's one person that comes to mind for almost everybody: I'd worry about that person if a scammer, like, called them. Go talk to them. We have a bunch of resources on Coinbase's blog. We've done some animated stuff on Coinbase's YouTube channel for sort of scam awareness. There are other resources; it doesn't have to be Coinbase. It's more important to me that the information gets out there than that it's a Coinbase source for it. But that is really a rallying cry I push everywhere I can: talk to the people in your life who might be at risk. You want it to be you that has that conversation with them first. Not a bad guy.
Gregor Vand
Yeah, I think that's a great call out. I have sort of aging parents and I think they've managed to avoid most things, but they certainly have been targeted in the past. But luckily they do know to message me.
Philip Martin
Perfect.
Gregor Vand
Anything that looks a bit suspicious, they just say, what about this? And I'm like, yeah, that's a scam as well. Even my wife got a very sophisticated phishing scam recently. And I was almost saying, no, I think it's probably correct. And then we did some extra checking on it. It's like, no, that's also a scam. So, yeah, I think it's a great call out. Just as you call out, our audience here is probably more aware of things than the average person, but we all know someone who's not. So that's a great call out. I want to kind of just talk about mechanisms for a second. I mean, one thing that jumped out at me here in Singapore is we have this thing called SingPass. So that's government digital identity, and it's used to log into, if I log into my tax or just any other government kind of portal. And then it can also be used to log into Coinbase. And I'm kind of curious around what that adds to something like Coinbase. And I've just got a little anecdote here, which I'm curious if you've got something that resonates alongside this, which is on my apartment door. I've got this, I didn't put it on there, it's a very fancy lock. It's got fingerprint, it's got digits, it's got all these things. And one day the batteries ran out and we didn't actually know how to jump-start it. There is a way, but we didn't know at the time. So we call the locksmith and we expect he's going to come with some sort of special rewiring device or something. And he comes with a giant metal bar. And I was like, no, no, no, this is a digital fingerprint. And he's like, yeah, yeah, yeah. And he pops out the eye hole and he puts his metal bar in and he opens the door from the inside. Which, just for me, this was just like an eye-opening moment. I thought, geez, this is security in a nutshell, right? We can build all these amazing mechanisms on the front.
So just kind of going back to that, things like SingPass and obviously multifactor, et cetera, et cetera, what kind of stands out as mechanisms that do work? And again, what does something like SingPass, for example, bring to Coinbase?
Philip Martin
So as you mentioned up front, half of Coinbase's mission is be the most secure, be the most trusted, as we say. The other half is be the easiest to use. And you could think about that as being two pieces of a mission that are in tension with each other. I don't think they are in tension, or perhaps they are occasionally, but they don't have to be really. It is a challenge to us to say it is unquestionable that we have to be the most trusted exchange, because if we are not, then the business dies. However, if we are so secure that no one can remember their password, no one can log into their account, then we have failed in our mission to actually be easy to use, and thus we have failed in our larger mission of encouraging economic freedom in the world. So we have to balance it. So things like SingPass, or the equivalent in the US would probably be closer to logging in with Google or whatever, we see that as making things a little bit easier for our customers. While at the same time, in our overall security architecture design, we don't outsource 2FA. So even when you log in with your SingPass, you still have to present whatever 2FA you have configured, hopefully it's a YubiKey. If it's not, I encourage you to use a YubiKey. We see that that is by far the safest method of two-factor that is out there.
Gregor Vand
Listeners know I like passkeys. I'm curious, do you have any sort of leaning on passkeys versus YubiKey?
Philip Martin
The interesting thing for me about passkeys is that a passkey is not a passkey is not a passkey. From a security design perspective, what's backing that passkey, where is it stored? Right. There are implementations where that passkey, the backing private key, might be on a Google Drive, right. Or might be on a password manager with a bad password. We can't know. From Coinbase's perspective, there's no way for us to. And in fact, I think that's actually a gap in the protocol that I know our team has been working with or working to address. What we would love to know is, is this passkey hardware-backed or not?
Gregor Vand
Yeah, I think that's a great call out.
Philip Martin
If we could know that, then we could have a lot more faith in that. And even if, maybe there's a world here, where we're big advocates of using risk models in situations like this, so this is not how it works today, but you could imagine a future world that says, well, hey, you're logging in using username and password, using a software-backed passkey or non-hardware-backed passkey, and your IP address is new, and maybe there's three or four more other factors. We're not going to let you log in like that. Whereas maybe if it was a hardware-backed passkey or a YubiKey or something, we'd say, like, okay, you physically possess a thing that is letting you make this assertion. So we have a lot more confidence that you are you and not a bad actor who got access to some sort of digital repository where that passkey private key was stored.
Gregor Vand
I think that's a really good call out. I mean, I've always appreciated passkeys from a sort of conceptual standpoint, and I was working with them at least two years ago. And the thing is, as things have kind of advanced, yes, okay, things have got easier for users in theory, but as you call out, it's almost become too easy in some respects, that I can log into my password manager with literally just a password and then suddenly that's my passkey. And I don't think that was really ever supposed to be how things were. And I'm noticing that my password manager is now saying they're going to start backstopping that with my email address. And of course this is a lot of what I work on, which is backstopping accounts.
Philip Martin
And then you get back down to the locksmith who pokes out the eye hole and uses the stick to unlock the door, where everyone is depending on a different layer to be the ultimate backing authority. And then someone comes along and says, well, that layer is vulnerable, and then the whole thing sort of collapses. Right. I think this is really the hard part about modern secure system design: systems have gotten to the point where they're so complicated today. This is probably true in the past as well, but from my perspective, they're even more complicated today, that it's hard to even know that that eye hole exists in the door. If you're designing door locks, you can make some assumptions about doors. You can think about eye holes and hinges and deadbolts and deadbolt depths, and you can make some assumptions about that and you design your deadbolt with those in mind. Trying to do that with an Internet application today is, gosh, the breadth of knowledge you'd have to have, right?
Gregor Vand
Yeah, exactly. API security is just virtually impossible. I mean, there are obviously platforms and frameworks for dealing with that, but every endpoint could have some strange anomaly in it that someone figures out.
Philip Martin
You inherit a constellation of assumptions that you don't necessarily even know have been made as that person operating at the very top layer that imply constraints that you're not aware of that you may or may not break because you don't know that you shouldn't. That's a very difficult problem to solve without a large and active team of people that do nothing but pay attention to this stuff.
Gregor Vand
Absolutely. So just going to move us along. I'd love to get your thoughts on a couple of topics. Obviously one has to be AI. Let's start there. In terms of security, I think when ChatGPT kind of became a thing, I think a lot of people all expected this to massively change, especially things like phishing. Now what was interesting was, I believe in the last Verizon DBIR, which is a big report that's compiled every year, really well done and is about the most accurate from a stats point of view of what's going on in the world, security-wise, they actually were saying that they hadn't seen any kind of material jump in phishing or phishing sophistication yet. Now we're due for the next report in a few months. Would you say you've noticed anything materially different since AI became such an available technology? And I guess the second question is, any aspects that you're using internally, purely in the security part?
Philip Martin
My guess is we'll see an uptick. I don't think it's going to be the world changing impact that people were predicting. I think that's for a good reason. There's a story, it may be apocryphal. Right. But at some point somebody had a conversation with the people that write the Nigerian prince emails, like scam emails, right, and asked them, hey guys, a Grammarly subscription is not that much money. Like why don't you write these emails better, more sophisticated, with better punctuation, grammar or whatever. And the answer was because if someone responds to the email as poorly as it's put together, they're already in our target zone. Right. They're more likely to believe us when we engage in the scam than if we had written a perfect email that was very difficult to tell apart. Now we're getting people who are going to be skeptical. And so they're sort of. People talk about a sales funnel a lot. Their sort of scam funnel then becomes much more difficult for them to parse through. They're spending more human time. My guess is something like that is at play in the phishing world. That, number one, phishing has always worked really well. So why try harder than you have to in order to get the outcome that you want from a bulk phishing perspective? Number two, maybe it serves as that same kind of first step filter for these bad actors in a way that they don't have to do as much effort farther down in the pipeline. I'm speculating there, of course, but that's one of my guesses. I think that there's probably been more impact on the higher end. There's certainly been more impact on things like the use of chatbots in scams targeting consumers. That's a real thing. That's absolutely happening today in a way that it just couldn't have historically.
Gregor Vand
Yeah. When you say using chatbots in scams, how does that sort of look?
Philip Martin
I guess so an example here could be you've probably gotten. Or maybe not. I don't know if it works the same for scams in Singapore, but you've probably gotten a text message, something that it was just like a hi or hey, Kathy, looking forward to golf tomorrow or whatever it is. Right. And what's supposed to happen there? And sort of the scammer's happy path is you reply back and say like, I'm not Kathy. They then kick off a conversation. Well, historically that was a human on the back of that. Now frequently, very tragically, that was frequently a human trafficked human sitting somewhere in Southeast Asia in what amounts to a scammer sweat camp. There have been a number of really heartbreaking stories. 60 Minutes Australia did one. I think it was maybe three or six months back on this. But historically it had been an actual human doing that stuff or moving into a world where it can be a chatbot. And so what that means is the volume goes way up and the quality becomes more consistent. I think that's the kind of place where I think AI technologies are more likely to show up in the average potential victim's day to day life than in phishing emails.
Gregor Vand
Yeah, makes a lot of sense. So moving on from AI, we're doing a few episodes sort of covering different aspects of this. But post-quantum cryptography, how are you guys thinking about that? And just our listeners might not have heard any of the other episodes. So we're talking about things like store now, decrypt later. That is when people get access to data that's encrypted today with a certain protocol, knowing full well that maybe in four or five years there's going to be increased computing power to be able to decrypt that, and then use it at that stage. And I mean, I can imagine this is very much something that you guys are thinking about a lot.
Philip Martin
Yes and no. It's definitely something that's on our mind. I think the store now, decrypt later, that sort of world of things. It's fascinating, but it's also not really our problem to solve. That'll get solved by the browser makers who are already doing a good job, and really the protocol designers who are already doing a good job figuring out how to layer quantum resistant, or what we believe to be quantum resistant, algorithms. I think it's important to acknowledge that we actually have no idea, really. We have strong beliefs but no hard data because we can't test our assumptions against an actual quantum computer that doesn't exist. Doing the best job to sort of layer protections in such that when that does happen, it reduces the sort of the vulnerability window. Right. Because we've layered in some, you know, whatever, some lattice-based encryption mechanism that turns out to be hard for computers to break. I think that will get solved. It's already in the process of being solved. It'll absolutely get solved. I think the more interesting problem for us is that basically all of cryptocurrency depends on private keys, asymmetric private keys. And now I think there are, there's a bunch of smart people thinking about this, as to how we could update protocols to become more resistant. The obvious answer is, oh, why don't you just change the signing algorithm to use a quantum resistant protocol? Well, okay, so every single person that has the private key is going to have to regenerate the private key. What about people who have lost a private key or forgotten one? Is that money just up for grabs now? What about people who don't know how to regenerate a private key? There's a bunch of interesting corner cases around that kind of migration that makes it more difficult than someone just casually thinking about it realizes. That said, my belief, and I could turn out to be spectacularly wrong here. So let me just be clear here. 
I don't believe I have any particular expertise over anybody else in this space. But my belief here is quantum is something we will see coming from a long way off, and we're already seeing it coming, right, the improvements in not just qubit count, but much more importantly error correction in these quantum computers and in sort of quantum networking. And like this is all. It's happening right in front of us every single day. And every single day it's improving the, I'll just call it computational power for lack of a better quantum term, the computational power of these quantum computers. But it's happening in a way that we can see it. We can say, okay, they're getting closer, one step at a time. We're still well away from an algorithm that could effectively break a reasonable length modern asymmetric key pair. But I think what is going to happen here is we will see it coming from far enough off that at some point here we will see a 512-bit key get broken. And that I think will wake up a lot of people. And at that point we're still, right, we're still depending on, or really for Bitcoin, 256. We'll see a 128-bit key get broken at some point here. Right. And that will really encourage folks to think hard about how we are migrating this stuff. But we're not going to jump from one to the other in the space of a week or a year. I think it'll be a long slog.
Gregor Vand
Yeah, we did an episode recently with Meta on the work that they've been doing on this, and actually internally they've been using what they call a hybrid approach, basically where some of it's done on a sort of regular protocol and then some is on a post-quantum protocol. And yeah, there's various sort of reasons around that, and I encourage anyone to go listen to that episode to get into the nuts and bolts of that. But I think what you call out is absolutely right, that this isn't a tomorrow problem, but it is a five, maybe ten year problem. And yeah, we'll start to see some signals at some stage, not quite yet, but it's good that people are sort of thinking about it. So just moving on, obviously conscious of time. I'd just like to hear a little bit around the team, maybe, that you've built up at Coinbase. And what do you think about when you're hiring people into your team? I think it's often a bit of a. At any company, the security side is always almost a bit of a. Sometimes to outsiders, it feels a bit of a club or secretive. So what do you look for when you're hiring for your team? And I'm also curious about some of the initiatives that you maybe do. Things like bug bounty programs, this kind of thing. How does that all look?
Philip Martin
Sure. So we obviously look for different things across different teams from a specific skill set point of view. But if I back that up into, generically, what are the characteristics I hope to see in any person in the security org at Coinbase? Number one is curiosity. I think in the world of security, and especially in the world of cryptocurrency security at Coinbase, dogmatic answers just don't work. It's not this way because it's this way. It's this way for a reason. Let's figure out what that reason is and let's figure out if that reason applies to our use case. Right. I think the second thing I hope to see in anyone that works in my org is humility. No one is always right and we're not here to be always right. We're here to solve a problem together with the business. And I think it's so easy to get pulled into an us versus them mindset in security. They won't listen, they don't care about security, they don't want to do the right thing, they're lazy. Whatever. Whatever the excuse is. Right? When someone has the humility to step back and say, I'm not landing my message correctly with this audience, what am I missing here and how can I help them better grasp the concepts that I'm trying to communicate, and how can I really listen to them and what they're trying to tell me, right? So that we can get to common ground and solve a problem. I think there's no more important place for that than in security. Because without that humility and that ability to take a step back and say, like, we're on the same team trying to solve the same problem, it's like, let's not fight, let's work together. Without that quality, you end up being a security team that is consulted less and less and less or bypassed more and more and more, because your customers are going to think, well, if I go there, I know what answer I'm going to hear, so let's avoid going there. Let's say, oh no, this isn't a major change, it's a minor change. No security view needed. 
This system isn't security critical. For whatever reason, they'll seek reasons to avoid you. So that humility is so, so, so important. I think I want people who are good communicators. I think that quality is inconsistently valued in technology circles, in my opinion. But I think it doesn't matter how smart you are if no one understands what you're trying to communicate to them. That's a generalization, right? A single smart person can get a lot of things done. But even more than that, a single smart person who can communicate their ideas and help other people come along with them will get exponentially more done, right? Over the long term. I want people who can speak simply, directly, clearly. I want people who can cut through all the security whiz-bang words we throw around out there, all the Gartner abbreviations, all that stuff, and using sentences that an eighth grader can understand, can explain a problem. You might not explain all of it when you explain it like that. You might not explain every single nuance, but you can definitely communicate the shape of it. And then you can invite people to come along with you for the rest of that journey into the details of it. And that again, that's an inconsistently valued skill. But I think it is absolutely critical to executing effectively the mission of a security org at a technology company. There's a bunch more, I could probably go on for hours on this question, but maybe boil it down to a reasonable human being who cares about the mission, who cares about other people, and who cares about doing the right thing.
Gregor Vand
I think that's obviously a great call out and it almost is full circle here, where security is humans at the end of the day. And if humans, especially within security, can't communicate with each other, then that's usually where things start to break down. I think a lot of unintentional failures of security have sort of arisen from that. I can certainly remember a couple of episodes where basically a breakdown in communication has probably led to something not going so well. And I can certainly reflect on that. So I think that's a really great call out. And just looking at the kind of, I guess, sort of external side, if you want to call it that, or community effectively. Do you run bug bounty programs, or how do you interface with open source or anything like that?
Philip Martin
Yeah, so we do both. We run a large and active bug bounty program. We have for really as long as Coinbase has been around, so call it whatever that is now, 13, 14 years, and have a very active community of researchers out there who are helping us find things that slip through the cracks. We also do a bunch of open source engagement. We open source a number of our technologies and have for a long time, and we do it for a bunch of reasons, but from my perspective, because a lot of the problems we solve are unique in some way. But I think what we tend, it's less. I think our problem set is less unique in that no one else will ever have it, and more unique in that we have it today and it'll be a lot of other places in 10 years. And so if we think in that direction, the stuff that we're building today will really be the vanguard of future stuff. Right. So not saying we have the right answers here, because again, I think being humble about this stuff is incredibly important. I think we have good answers, but I think open sourcing some of this stuff enables other people to build even better answers.
Gregor Vand
Yeah, absolutely. I mean, we see this more and more with security products or frameworks, but being open source makes a ton of sense. If everyone can see and analyze that code, then you're always going to get someone who can point out the problems, which is helpful for everybody. So just as we kind of come to wrap up, I tend to ask this question to most guests now, which is a pretty simple question, but gets some different answers. Knowing what you know now, what would you tell yourself sort of at the start of your career? Just something that you now know, but you could have in theory then told yourself at the beginning of things.
Philip Martin
I think I would have told myself that. Really what I just said to you, that it doesn't matter if you're the smartest person in the room if you cannot make your case to the other people in the room. So spend more time on rhetoric and philosophy and public speaking. Really hone that craft in addition to your technical craft.
Gregor Vand
That's awesome. I really like that. We've not had that answer before, so that's a great place to leave it. Philip, thank you so much for coming on. You've imparted, I think, a lot of wisdom today. You're obviously a great communicator yourself.
Philip Martin
Well, it's been a pleasure, Gregor.
Gregor Vand
Thank you so much and hope we get to catch up in the future.
Philip Martin
Me too.
Podcast: Software Engineering Daily
Host: Gregor Vand
Guest: Philip Martin, Chief Security Officer at Coinbase
Release Date: May 15, 2025
In this insightful episode, Gregor Vand welcomes Philip Martin, Coinbase's Chief Security Officer, to discuss the intricate world of security within the cryptocurrency exchange landscape. Philip brings a wealth of experience, having previously led security teams at Palantir and served as a U.S. Army counterintelligence agent.
Philip shares his unconventional journey into cybersecurity:
Early Passion:
"I knew I wanted to be a security practitioner when I was still in high school..." [01:39]
Education and Early Career:
Taught himself coding in high school, worked on web design, and delved into languages like C and Perl. Dropped out of San Jose State University to join a startup, Cobalt Networks, which was later acquired by Sun Microsystems.
Military Experience:
"I made a switch from technology into intelligence and then brought them back together." [07:28]
His time in counterintelligence honed his understanding of human factors in security.
Transition to Amazon and Palantir:
Worked at Amazon but left due to misaligned missions, then joined Palantir, attracted by the company's agility and mission-driven environment.
Joining Coinbase:
Initially skeptical about cryptocurrency, Philip became intrigued by the unique security challenges Coinbase faces, leading to his nine-year tenure at the company.
Philip provides a clear overview of Coinbase:
Retail Brokerage:
"Most people experience Coinbase as Coinbase.com, which is a retail brokerage..." [08:05]
Comparable to platforms like Schwab or E*TRADE, enabling users to buy, sell, and store cryptocurrencies.
Coinbase Wallet:
A self-custody mobile app allowing users to manage cryptocurrencies without intermediaries.
Institutional Services:
Includes qualified custodianship, derivatives trading, and more, catering to a broader range of financial activities.
Philip delves into the foundational aspects of Coinbase's security strategy:
System Design Philosophy:
"We think a lot about how to safely manipulate something as sensitive as cryptocurrency, much like handling radioactive material." [10:07]
Emphasizes minimizing human trust by designing systems that require widespread collaboration to prevent breaches.
Human-Centric Security:
"The vast majority of humans using the system care about getting their work done, not about the underlying security." [12:21]
Focuses on integrating security seamlessly into user workflows to enhance both safety and usability.
Discussing the unique threat landscape for Coinbase:
Common Attack Vectors:
Phishing, web application attacks, and third-party vendor vulnerabilities mirror those faced by other large enterprises.
Cryptocurrency-Specific Threats:
"Smart contract security is changing at a pace that is shocking..." [15:14]
Constantly evolving tactics targeting blockchain protocols, private key management, and more.
Stockholm vs. Bearish on Attack Complexity:
While traditional attacks remain prevalent, the rise of sophisticated, targeted assaults reflects the high-stakes environment of cryptocurrency exchanges.
Philip emphasizes the importance of educating users to combat scams:
Trading Scams Defined:
"There are no new scams, just new iterations with different presentations." [19:08]
Focuses on confidence scams that trick users into transferring funds to malicious actors.
Educational Initiatives:
"Educated folks are much less likely to fall victim to scams." [19:08]
Utilizes blogs, animated videos, and outreach to various media channels to spread awareness.
Call to Action:
"Have a conversation with someone you care about who might be at risk." [24:02]
Encourages listeners to actively engage with their communities to disseminate security knowledge.
Exploring robust authentication strategies:
SingPass Integration:
"We see [SingPass] as making things a little bit easier for our customers." [26:03]
Enhances user experience by integrating government digital identity systems while maintaining stringent security measures.
Two-Factor Authentication (2FA):
Advocates for hardware-based 2FA methods like Yubikeys over software solutions for superior security reliability.
Passkeys vs. Yubikeys:
Highlights the security vulnerabilities in software-backed passkeys and expresses a preference for hardware-based solutions for stronger assurance.
Addressing emerging technologies and their security implications:
AI in Phishing:
"We expect an uptick in phishing sophistication, particularly with the use of chatbots." [32:11]
Discusses how AI can enhance the volume and consistency of phishing attacks, making them more pervasive.
Quantum Computing Threats:
"Quantum is something we will see coming from a long way off." [35:56]
Recognizes the looming threat of quantum computing on current cryptographic protocols and the need for proactive measures to ensure future security.
Insights into building an effective security team:
Key Attributes:
Curiosity, humility, and the ability to communicate clearly and simply, since dogmatic answers don't work in cryptocurrency security and a security team that cannot land its message ends up consulted less and bypassed more.
Hiring Philosophy:
Seeks individuals who are not only technically proficient but also possess strong interpersonal skills to foster collaboration and innovation.
Fostering community involvement in security:
Bug Bounty Program:
"We run a large and active bug bounty program with a community of researchers helping us find vulnerabilities." [45:08]
Encourages external experts to identify and report security flaws, enhancing overall system robustness.
Open Source Engagement:
"Open sourcing our technologies enables others to build even better security solutions." [46:21]
Promotes transparency and collaborative improvement of security tools and protocols.
Philip's reflective advice for aspiring security professionals:
Being the smartest person in the room is not enough if you cannot make your case to the others in it, so spend more time on rhetoric, philosophy, and public speaking in addition to honing your technical craft. [46:54]
Philip Martin's deep dive into Coinbase's security measures underscores the multifaceted challenges of securing a leading cryptocurrency exchange. From integrating advanced authentication mechanisms to educating users about evolving scams, Coinbase's approach is both comprehensive and adaptive. Philip's emphasis on human-centric security, effective communication, and community collaboration provides valuable insights for professionals navigating the dynamic field of cybersecurity.
Notable Quotes:
"We think a lot about how to safely manipulate something as sensitive as cryptocurrency, much like handling radioactive material." — Philip Martin [10:07]
"The vast majority of humans using the system care about getting their work done, not about the underlying security." — Philip Martin [12:21]
"We're here to solve a problem together with the business." — Philip Martin [40:25]
"It doesn't matter if you're the smartest person in the room if you cannot make your case to the other people in the room." — Philip Martin [46:54]