Ledger's controversial product, Ledger Recover, has ignited heated debates on CT.
On May 16, a space hosted by @Ledger featured the CXO, CTO and co-founder in an attempt to clarify doubts about this upgrade. If you missed it, here's a TLDR - along with my take🔥💸! (1/n)
(2/n) @iancr (CXO) drops the facts on Ledger Recover:
• Optional subscription service that won't leave you vulnerable
• Simplifies seed phrases for new users
• Opt in/out as needed
• $50k coverage if things go awry.
(3/n) @P3b7_ (CTO):
Our service uses Shamir's secret-sharing technique to divide the seed phrase into three encrypted fragments using a symmetric key within secure element. Partners communicate through a secure channel, so no third-party interference is possible.
(4/n) The Shamir technique of secret sharing has it's own fair share of scrutiny. Check the thread by Christopher Allen, the creator of TLS:
Christopher Allen
@ChristopherA
One of my concerns with the new @Ledger Recover service is that they appears to be sharding via Shamir’s Secret Sharing, but doing so in a proprietary way and possibly in a naive fashion. We don’t know, as it is not open source. [1/11]
(5/n) @BTChip (Co-founder):
While the subscription service has KYC, it supports traditional recovery like notary services. For situations where someone else might need to access your crypto such as an accident. Design intention is to maintain user control at all times. (??)
Ledger
@Ledger
"When you need to recover your seed, you will go through a ID Verification process (which is very comprehensive) to confirm your identity. After you are verified, the providers will send the encrypted shards to your Ledger Nano device directly. The device decrypts the shards in…
(6/n) Don't like it? Stop using it. That's what CEO @_pgauthier said in a Twitter Space, as shared by @OlimpioCrypto.
olimpio
@OlimpioCrypto
An angry and egocentric Ledger CEO @_pgauthier invited all Ledger users to stop using Ledger if we "do not like the service" in the Twitter Spaces
"We can agree to disagree"
Pascal, it's only legitimate that your users question and ask about a business decision like this one…
(7/n) Catch this: @Ledger goes back on their word.
On Nov 15 '22 they claimed firmware couldn't extract keys...
And now, in May 2023, it's "ALWAYS" been possible. 🤔
CHRIS2PHΞR CHASΞ
@Chris2pherChase
Wow. Ledger is done
(8/n) My thoughts:
The potential backdoor in Ledger Recover raises valid concerns. It creates a vulnerability for dangerous parties, and Ledger's closed-source nature leaves users unable to assess their security. #SecurityConcerns
(9/n)
Ledger's closed-source firmware have sparked debates. The new Ledger Recover raises concerns as users can't examine the code, limiting their ability to verify its integrity. Transparency is crucial for security,
(10/n) Let me ask you something:
Do you honestly believe that third parties have never attempted to breach a Ledger device? 🔍 So there's no indication that malicious actors will ever stop trying. 🤨
(11/n) 🔒 If you owned a Ledger device before this fiasco knowing and trusting a closed source device to be invulnerable to attacks, you can continue to trust it. This service changes nothing, it's always been about trusting an organization to do what they claim. 🛡️
(12/n) However, this still creates uncertainty about @Ledger's priorities. Raising a possibility of cooperating with Law Institutions and hostile confiscations of people's wallets, adding a huge question mark -- "Be your own bank?????"
(13/n)
That being said, I truly believe that launching this service on a new Web3 n00b friendly wallet is the best move for Ledger right now. Being able to expand their reach all the while retaining their privacy seeking customers happy.
(14/n)
I will continue using my Ledger for the meantime without upgrading my firmware. I am not a security expert so DYOR.
I don't believe anything is truly air-gapped when it can be connected to a network/device.
(15/n)
Those looking at other options:
@Trezor (Open Source)
@gridplus (OS in Q3)
@ngrave_official ("Air-Gapped" uses QR codes for transactions)
bitaddress.org (to create a paper wallet offline) ⭐ here's a guide https://99bitcoins.com/bitcoin-wallet/paper/
Comment if you know better ones
(16/n)
Here's a link to a recording of the Twitter Space for those who want the full version:
Ledger
@Ledger
Join us today at 6:30pm CEST/12:30pm EST for an AMA about our new opt-in service, Ledger Recover.
Our CXO @iancr, CTO @P3b7_, and co-founder @btchip will be there to answer all your questions.