Hacker News new | past | comments | ask | show | jobs | submit login

A better question would be: why were Coinbase employees allowed to use any browser with javascript enabled and outside of a VM? Qubes OS has been a thing for quite a while.



> why were Coinbase employees allowed to use any browser with javascript enabled

I don't know, maybe because they need to get work done...? Even traditional banks allow JS.


I've worked at a large traditional bank (market cap and enterprise value are both around 100b), they also allowed firefox as well as js, at least for developers (I don't know what it looked like for non developers).


Of course, there generally are legal processes to leverage if money is stolen from a bank. The cryptosphere isn't as forgiving.


Google and Stackoverflow work just fine without javascript enabled. Trustworthy sites can be whitelisted if absolutely necessary.


It's this sort of attitude that makes sysadmins so incredibly popular among the masses.

Hint: if your environment feels like a concentration camp, users will find ways to work outside of it most of the time - which will be even more disastrous.


That's a fair point when literally hundreds of millions of dollars aren't on the line. It's not hard to properly secure your system from all manner of internet threats. There's no excuse for crypto exchanges not to implement such measures.


If hundreds of millions of dollars are one JS exploit away, the defense model is flawed. That sort of movement should require approvals from multiple people and even dedicated terminals that are not used for everyday browsing.

Security is a tradeoff; nuking browsers for everyone is just a bad tradeoff in 2019.


There are a million hypothetical security issues you could worry about. How would you weigh the risks of Javascript against the loss of basically all online productivity apps?


A standard VM doesn't protect from attacks of this level of sophistication.


I imagine it does unless the attacker has an additional XEN zero-day to pile on.


In the thread about this attack yesterday someone linked a paper about another attack against cryptocurrency researchers which did use a VM escape exploit [1], so if a cryptocurrency researcher is worth such an exploit, I'd say a company handling the kind of money Coinbase does is probably worthy as well.

[1]: https://news.ycombinator.com/item?id=20221279




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: