You can't handle the truth
Some of those piling on to attack Ledger have simply misunderstood that the new Ledger Recover service, and the identity documentation involved, are entirely opt-in. Ledger Recover is aimed at less rigorous crypto users who may want an insurance policy against losing their private keys. Strategically for Ledger, and frankly for crypto as a whole, offering this sort of middle-ground security option makes sense.
But the backlash only spun further out of control after someone at Ledger, purportedly a customer support agent, tweeted that "technically speaking it is and always has been possible to write firmware that facilitates key extraction."
Now here's the thing: while Ledger has wisely deleted and rephrased its message, this tweet seems to be basically accurate. As cryptography pioneer Christopher Allen laid out in this Twitter thread, "all it requires is a signed firmware update and seeds can go wherever they want." And that applies to many kinds of hardware wallets, not just Ledger.
But boy oh boy, is "you have always trusted Ledger not to steal all your money" not the right way to put it. Despite being seemingly accurate, the message added immensely to the confusion, fueling even more panicky rhetoric on Twitter – including claims that Ledger devices have been revealed to have some deep flaw or "back door."
The offending comment seems to simultaneously affirm all of the worst fears being floated – and also belittle the worriers for not catching on sooner. Regardless of intent, both "technically speaking" and "whether you knew it or not" will be heard as condescending, even dismissive. "Yes we can do the thing you're most worried about, but you shouldn't be worried about it because we could always do it, and you're kind of dumb for not already realizing that" is not a way to calm anybody down.
(A note on responsibility here: If they were indeed a rank-and-file customer service rep, whoever wrote this tweet should not have felt empowered or responsible to make such a broad statement at all. True culpability for the misstep lies further up the chain of command.)
Even worse, the message commits a sin that we in journalism call "burying the lede." A second tweet, threaded onto the "technically speaking" post, emphasized that every update has to be manually approved by the user. This is the core of Ledger's rebuttal of the ongoing attacks against it.
You can still use a Ledger
While the technical nuances are beyond my scope here, some extremely trustworthy experts have rebutted the most extreme worries circulating about Ledger.
Most significantly, Taylor Monahan, founder of the MyCrypto wallet and now part of the Metamask team, has vigorously condemned the worries about Ledger as "sensationalist bullshit." Haseeb Qureshi of Dragonfly Capital also notably walked back his initial concerns, writing "now I'm in the 'nvm it's fine'" camp.
It's too soon to completely sign off on the idea that everything is fine, but the main misunderstanding here is clear. A hardware wallet needs an updatable operating system (OS), including to be able to add support for new tokens and chains. So users have to allow updates at some point, and most Ledger users have likely gotten an update or two before the current controversy popped off.
That is, they've trusted Ledger, whether they knew it or not. The fact that an update would be used to implement a recovery scheme was what finally drew attention to the process. The alternative isn't to buy a different hardware wallet, but to store your seed phrase on a piece of paper in a safe.
The one ding on Ledger that does seem valid is that these updates, and the Ledger code, are not open source, while many other hardware wallets' code is. This genuinely makes the trust placed in Ledger even higher than with other wallets. But this real question has become muddled with a lot of off-base and ill-informed speculation, and Ledger has so far failed to quell either the real concerns or the mistaken ones.
One way of thinking about this unfortunate drama is that language is not like computer code. If you're writing a smart contract or a physics engine, you can construct the same function a half dozen different ways with little functional difference. When you're writing a tweet, by contrast, tiny variations matter immensely to how it will be received. It's art, not science – and the gap between the two is only going to grow wider as more and more average folks adopt crypto.
– David Z. Morris
@davidzmorris
david.morris@coindesk.com