I'm referring purely to the dongle attack. When you use an HMAC in that way, your secret is your "private" key. It also just happens to be the "public" key as well. That's why it's a terrible design.