nordlys on Nostr: Just listened to the #Ledger Recover episode on WhatBitcoinDid and found it mildly ...
Just listened to the #Ledger Recover episode on WhatBitcoinDid and found it mildly frustrating. Both NYK and Ledger’s CEO made inaccurate claims. Here are some general notes on #Bitcoin wallets and security as it relates to the episode.
- Ledger’s CEO claimed that we would know whether a vulnerability exists and has been discovered due to responsible disclosure agreements or widespread loss of customer funds. That’s simply not true. 0-day vulnerabilities must always be presumed to exist in any system and it was scary to me that he brushed off the issue.
- Software wallets are actually not terrible when done well. They’re perfectly fine for smaller amounts imo. Open source wallets that properly store your seed backed by Android’s keystore or the Secure Enclave in iOS are still relatively secure (though nowhere near a hardware wallet).
- My biggest concern is that Ledger feels confident about verifying a large number of customer recovery claims online in a time where deepfakes and AI image video generation has recently taken leaps forward. How long until we see customer funds recovered by malicious actors if Ledger’s recovery service sees any sort of large scale adoption?
However, in the end I’m not very concerned. This will be a niche feature due to its $10 a month cost (which nobody seems to be talking about) and the target audience it’s aimed at. Ledger has one of the most respected security teams in the space but the company sucks at PR.