Building security into your company culture is necessary but challenging. The first line of defense against most attacks is aware and vigilant people with an attitude of “see something, say something”.
Training employees on what abnormal behavior looks like and who to talk to when there is a potential problem can save your company from a lot of pain. For example, an employee might alert security when a co-worker makes an unusual request because one of their accounts has been compromised by a hacker.
Lock your Laptops
One way Coinbase has improved security awareness in our organization is by gamifying laptop locking with PwnBot. Unlocked and unattended laptops are open targets to be compromised. Anyone can gain access, install malicious software, copy credentials and other sensitive information, or just change a background image. If the attacker is prepared, they could do all of the above in seconds using a small programmable USB stick, like a MalDuino, to automate their actions.
awarding a point to the “pwner” and recording the “pwnie”.
/pwn @<your_name>
Shane pwning Jenson
Everyone at the company can check the score board with /pwn to see who the most vigilant and careless employees are.
Shane checking the score board
This game is unreasonably fun and good at encouraging people to lock their computers. After releasing PwnBot at Coinbase, the game was taken way too seriously and finding an unlocked computer immediately became difficult. I have seen people run across the entire office to lock their computer before someone notices.
New employees are introduced to PwnBot along with the other security tools and processes at Coinbase, and if they were not paying attention to the security training then they will get pwned very quickly. Security culture is a part of our company from day one because new employees are on the same front line with everyone else.
Links
You can install PwnBot to your Slack team with: Add to Slack
Or you can use the open-source PwnBot code to deploy your own bot.
Listen to Philip Martin (Coinbase head of security) discussing security @ Coinbase on Software Engineering Daily podcast
Graham Jenson’s talk about Coinbase and Security without Friction @ KiwiRuby
Thanks to cbisl
Product,
Mar 12, 2025