So the Ledger drama seems to be holding steady.
The Bitcoin & friends communities are still pretty heated over it. The other day I watched this entire hour-long take on the situation with Jameson Lopp and Andreas Antonopoulos (that's @lopp and @aantonop on Twitter, FYI). These are two guys I have a lot of respect for. They're both hardcore Bitcoiners but at the same time they're also not insufferable maximalists. Therefore it just goes without saying that insufferable maximalists often try to tell these guys they are doing it wrong, which is how we know the opposite is likely true.
A lot of the points they brought up were my own points as well.
Nice to see that some of the top minds in the space are coming to a lot of the exact same conclusions I am. For starters, simply the fact that code exists to exfiltrate the keys is a big problem. Anyone who upgrades their firmware is going to have that code injected into their device whether they choose to use the backup service or not.
Hardware wallets are also the epitome of securing one's own keys and being our own bank. This entire service is the antithesis of the thing we've been striving for in crypto, and it's being forced on participants that pretty much agreed to the opposite contract when they made their purchases.
Closed source
Ledger being closed source also results in a situation where we simply have to trust what the company says and hope we don't get burned. Again, this is the complete antithesis of crypto and for the most part should be avoided. "Verify; don't trust" is a statement we've heard countless times. Not great.
Extending the conversation
Of course these two big players have much more knowledge than me when it comes to Bitcoin, security, and cryptography. There are many points they bring up in addition to all this that really open up the rabbit hole and allow us to dive even further into the situation.
KYC
In addition to 3 key-shards leaving the device (2/3 Shamir’s Secret Sharing) it's pointed out that other information must leave the device as well. This is absolutely unavoidable, otherwise there would be no way to link keyshards to the rightful owner. Thus, on top of keys leaving the device it's quite guaranteed that an identifier leaves the device as well.
This opens up a host of even more problems and privacy concerns. Is Ledger going to be able to stealth KYC every single person that buys a device from them? More importantly, how difficult would it be to steal someone's identity and trick the 2/3 custodians into forking over the keyshard for the account? Again, a lot of the specific implementations are quite shrouded in mystery but it's pretty clear there will be some pretty significant attack vectors.
USA & UK
While not much is known about the 3 companies that would guard the keyshards (except that Ledger is one of them), it is known that one of the companies would be in the USA and one would be in the UK. Both the USA and the UK have shown their willingness to simply undermine everything we're trying to accomplish here, so both companies might as well exist within the same country and we can assume they're vulnerable to pretty much the same laws and government demands. Again, not good. The ability to undermine global self-sovereignty should not be the decision of a single entity.
Business Model
Make no mistake, the above video is not just 60 minutes of shit-talking and coming up with a million reasons for why this recovery system is a bad idea. The conversation is actually surprisingly objective, and a conscientious effort is made to look at the issue from Ledger's and the CEO's perspective. The first question they ask to this effect is: Who is the target audience here?
It's determined that the target audience would be users that have around $50k or less in crypto in their wallet (as higher values than that would not get insured properly). It's also admitted that indeed the vast majority of these users would NOT have to worry about getting their funds stolen by the government (or so we would hope).
Risk vs Reward
Seed phrase security is very much an all-or-nothing scenario. Either one is able to recover their keys or they lose everything. However, there are many ways to lose one's keys and many ways to lose everything. Lopp and Antonopoulos correctly point out that often way too much focus is put on security in terms of someone trying to steal the keys, while much less thought is actually put into user error. The keys must not only be inaccessible to threat vectors, but more importantly must still be accessible to ourselves. This is the thing that many overzealous crypto users tend to forget when inventing convoluted security systems.
"Strength in Numbers"
It's rightfully concluded that there is a much, much higher chance of losing our keys to user error when trying to come up with a solution ourselves than when using a Ledger, even after this debacle is rolled out. Forging our own path through the jungle is dangerous, and even if we personally make it, there is no way in hell our family members would make it through in the event of our death or imprisonment or whatever else.
Conclusion
Overall the discussion between these two players was quite good but it ran a bit long so I decided to post a summary of it here. The ultimate conclusion of all of this is that Ledger's recovery service is not that big of a deal... at least not in the moment. Rightfully, many will be uncomfortable with such a service long-term, and anyone that has a lot to lose should likely slowly and safely unwind their position while branching out to other devices.
The truly crazy thing for me is that knowledgeable Bitcoiners like this don't know anything about Hive. We have four different security levels and can even recover our accounts after they get stolen. While most Bitcoiners would focus on the idea that Hive isn't secure because of "20 witnesses", here they are bickering over a 2/3 corporate custodianship that directly affects the Bitcoin community.
And here Hive is with good enough security to not even necessarily require a hardware wallet. I'm not exaggerating when I say after everything that's happened it feels like my Hive tokens are safer than the tokens in my hardware wallet, and I don't even use a Ledger. At the end of the day every Bitcoin endpoint out there is less secure than "20 witnesses", so perhaps Bitcoiners need to start taking their own advice and stop trying to machete their way through the jungle while the rest of us are walking on a comfortable path.