True, but a system like I'm describing ought not to be terribly complicated to set up. Perhaps it's simply a remote syslog daemon under the control of a trusted exec. Preferably offsite or in a separate cage. Or if SAAS, under a distinct account.
Maybe we don't block transactions on writing to the log, but whenever discrepancies are detected of more than a short time (transactions more than 60 seconds old not appearing), we page all founders and senior leaders. The trading engine stays up, but we draw much attention to the logging outage.
(I'd also want controls like offline wallets and accounts that would prevent an attacker from obliterating our assets in a single withdrawal)
Maybe we don't block transactions on writing to the log, but whenever discrepancies are detected of more than a short time (transactions more than 60 seconds old not appearing), we page all founders and senior leaders. The trading engine stays up, but we draw much attention to the logging outage.
(I'd also want controls like offline wallets and accounts that would prevent an attacker from obliterating our assets in a single withdrawal)