#215 - Why are degens worried about a Ledger update?

Plus, Senate and Sam Altman discuss AI 🤖

GM and welcome to Decentra Daily.

We're the web3 newsletter made for that 5-min scroll between waking up and starting your day.

Today,

  1. Does Ledger’s new feature create a security risk?

  2. Sam Altman tells Washington to create an AI agency

  3. The 6-figure Discord mod & HVY-MTL Evo 1 reveal

Plus, all the web3 headlines, memes, and Tweets of the day.

D-Daily takeaway 🥡
No significant changes among the top collections.

What's this? 🤔
Our floor price index tracks the biggest, most influential pfp projects, art collections, and gaming assets.

Did Ledger create a potential backdoor to its wallets?

This week, Ledger announced a new feature. It’s called Recover.

What does it recover?

The recovery phrase to your hardware wallet, aka, its seed phrase.

People locked out of their self-custodial crypto wallets can recover access by entering these cryptographic combinations of random words – which should be a secret to everyone but the wallet owner.

How does it work?

Recover “backs up your Secret Recovery Phrase and links it to your identity.”

Users opting in can submit ID confirmation to Ledger, who will “encrypt” their recovery phrase, break it into sections, send them to independent custodians, and link it all to the ID.

In the event that a user loses their phrase, they can connect their wallet to Recover, verify ID, and regain access.

So, I don’t need to worry so much about losing my seed phrase, and my crypto?

That’s the idea.

Great! 😊

Maybe not.

Oh. 😔

Soon after Ledger announced Recover, Crypto Twitter got worried.

Lots of people think that online duplication of a seed phrase goes against the entire point of having a physical hardware wallet.

No matter how encrypted, many believe that saving a seed phrase opens a potential “backdoor” for hackers.

Even worse, some degens have suggested that Recover means a backdoor now exists for all Ledger products, even if you don’t opt-in:

“The new firmware update SHOULD be PHYSICALLY IMPOSSIBLE for the device to do. The secure enclave should not be able to do this. The worry is that there is now a backdoor regardless of update.”

Part of Crypto Twitter’s uneasy reaction is due to the recent news of a series of crypto hacks, which gained entry to self-custody wallets that were supposedly offline or “cold.”

If the hacked wallets were genuinely cold, it suggests that either (1) a hacker has obtained leaked user data, or (2) there is some currently unknown way to obtain a wallet’s private key…

That’s bad, right?

Bad if true. No person or company should ever be able to access a wallet’s seed phrase – even wallet providers.

And even those who don’t see a “back door” risk with Recover are finding it hard to understand the case for handing over their keys:

(Ledger previously suffered a customer info data leak in December 2020.)

So what does Ledger say?

First up, Ledger says that Recover is not an auto-update but “an optional subscription…You don’t have to use it and can continue managing your recovery phrase yourself.”

They also confirmed that the mechanism used to store recovery phrases does not give Ledger access to your keys.

And, in response to the idea that Recover exposes a potential malware opportunity for hackers, Ledger simply says that “there is no backdoor to a [seed phrase] backup.”

Ledger’s co-founder also repeated via Reddit that seeds are broken into shards and sent to different companies for storage:

(Neither of these responses seems like a direct answer. 🤷‍♀️)

After more unrest, Ledger held an AMA Twitter Spaces last night. There, they pitched Recover as a feature for crypto newcomers and casual users:

“If you know how to back up your 24 words securely, Ledger Recover isn't for you.”

A security risk, or Twitter overreaction?

Any feature that connects a hardware wallet or its seed phrase to online services does introduce risk.

It’s up to wallet holders to decide exactly how much risk we’re talking about here.

For many, the idea that a seed phrase can theoretically leave a device is enough of a red flag to stop using that product.

The big question is whether, and how, the Recover firmware update affects the wallets of users who don’t enable the feature.

The wider point 👀

It seems like Ledger could be moving towards a model where “your identity becomes the key to your wallet.”

This security model is also favored by Sam Altman (OpenAI CEO, see today’s second story), whose own crypto wallet company Worldcoin is based on the idea of a single, universal online ID.

While seed phrases are secure, they’re also annoying, and surprisingly hard to keep safe.

Finding ways to link online security to personal identity could make navigating the metaverse a more seamless experience.

On the web3 wire

Axie Infinity is coming to the Apple App Store 🎮
The rollout of the crypto game will begin in South America and select parts of Asia for a data gathering phase, before the global launch.

Montenegro court accepts Do Kwon’s $$$ bail 🚔
As a flight risk, Do Kwon was required to pay the serious sum of $400,000 Euros to leave jail, pending his trial.

Floor price tumbles as HVY-MTL “Evo 1” metadata is revealed ⚙️
The first iteration of Yuga Labs’ new NFT collection has been revealed as cute battle robot companions. Traders were ready to sell the news.

The Senate + Sam Altman discuss AI regulation

Even AI’s bosses think it’s too powerful to be left to its own devices.

Yesterday, a Senate sub-committee in Washington started the conversation about how Congress should respond to AI’s sudden explosion into mainstream society.

They’re thinking about how AI might affect things like personal security, employment, and the democratic process.

As an opening remark, Connecticut Senator Blumenthal did the classic “get GPT to write my speech” bit – using a voice clone app to read out comments on how AI will impact society.

Then Senator for Missouri Josh Hawley brought the drama with his opening statement:

“Is AI going to be like the printing press…that empowered ordinary everyday individuals…or is it going to be more like the atom bomb.”

Hint: It’s OK. ChatGPT is not going to be like the atom bomb.

More interesting than Washington politicians freaking out about whether ChatGPT is going to overthrow society – was a panel of actual AI experts, who gave statements on their views.

Here’s what they said:

Sam Altman

CEO of OpenAI and vocal fry, Sam Altman, took a similar stance to his recent 60 Minutes interview.

He said that GPT and wider AI have the potential to change the world for good and bad – impacting things like climate change, cancer research, and presidential campaigns.

On that last point, he underlined the need for some kind of regulation.

“We’re gonna face an election next year and these models are getting better…this is a significant area of concern”

The big thing that Sam requested?

He wants a new agency specifically responsible for AI regulation.

Ideally, that agency should be able to do things like grant and revoke licenses to operate AI models, plus send out independent auditors to check on AI companies.

Other things Sam would like to see:

  • A way for people to know when they are talking to an AI bot

  • Some kind of universal “content trust” scoring system

Gary Marcus

Also speaking to senators, NYU professor Gary Marcus agreed that the best way to handle AI is to create a brand new government department.

“My view is we probably need a cabinet-level organization within the US to address this…a nimble monitoring agency.”

He emphasized that Washington should make this agency now – before systems improve further.

He also pointed out that Sam’s company was initially founded on a mission to “benefit humanity,” but now, they are basically owned by for-profit Microsoft. Shots fired.

Christina Montgomery

IBM’s Chief Privacy Officer said that it’s the right time to make some rules, but she doesn't think that a new agency will help AI companies – or the public.

She voiced concerns about the time it would take for a new agency to get off the ground.

It’s true: even if a Washington agency was already formed and well-run, how could it keep up with the current pace of AI development?

I mean… Just yesterday, the SEC told Coinbase that they’re still preparing …to begin working on …how they might one day …create some clear regulations for crypto exchanges. 😂

You can watch the full committee hearing here.

Decentra Daily is brought to you by ProfilePicture.AI

What's the first thing people notice when they meet you online? Your profile picture.

And do they judge you based on your pfp? Oh buddy, you bet they do.

So what's the easiest way to improve your digital game? By enhancing your pfp, using the power of artificial intelligence. 🤖

ProfilePicture.AI generates professional-quality profile pictures for your LinkedIn, Tinder, and personal website using the latest AI tech.

They take around 20 real-life selfies and produce over 100 chiseled, air-brushed profile pictures for you to use.

What's the deal?

  • 4K format and 300 dpi

  • Over 279 styles to choose from

  • No subscription required

They've already churned out nearly 1.5 million pfps for their customers – who all just got a lot more attractive.

With realism, artistic, and funny modes, there's an AI profile pic for every occasion – Oh, and they also make profile pictures for pets, too.

Have a gud day! 👋
