Bitcoin Review Podcast BR064 - xz Utils Backdoor, LoLRa, Mutiny, HWI, COLDCARD Q, Krux, Labelbase, BitVM Bridge Risks, BIP editors discussion, Coinbase X Lightspark + MORE ft. Alex B, Harry, Paul & Craig
I'm joined by guests Alex B, Harry Sudock, Future Paul and Craig Raw to go through the list.
Vulnerability Disclosures
- 00:01:02 xz Utils backdoor [Ars Technica]
- A Microsoft developer discovered a backdoor in xz Utils, a widely used data compression utility on Linux and Unix-like systems, which was close to being merged into major Linux distributions Debian and Red Hat.
- The backdoor was intended to manipulate sshd, enabling remote execution of malicious commands with a specific encryption key.
- The complex operation to plant the backdoor spanned years, involving suspicious commits and social engineering to pressure project maintenance changes.
- 00:17:35 LoLRa project: Transmitting LoRa packets without radio [CNXSoft]
- Enables data transmission without a Semtech radio, using microcontrollers with I2S or SPI interfaces.
- Operates with two major modes: transmission using a tunable PLL and direct synthesis on a bitstream.
- Uses harmonics and aliasing, advising caution due to potential RF spectrum bans and FCC compliance issues.
- 00:42:13 Nunchuk uncovered a security weakness in Casa's new inheritance planning implementation [Twitter post]
- Nunchuk criticizes Casa's security, particularly around the encryption and handling of decryption keys, suggesting potential vulnerabilities.
- Key differences between both services include the requirement for beneficiaries to have an account with Casa, Casa's 6-month claim period, and Nunchuk's flexible beneficiary designation and timelock feature.
- Nunchuk recommends that Casa users delay using Casa's new service until the weakness has been addressed.
- 00:25:53 BitVM Bridges Considered Unsafe [Blog post]
- An article written by Tyler Whittle & Rijndael demonstrating the economic instability and risks of BitVM bridges
- The article has opened a discussion on Stacker.News involving SuperTestNet and Tyler Whittle
- 00:43:06 Breez under DDoS attack [Twitter post]
- "We're under a DDoS attack. We appreciate your patience while we're trying to mitigate the situation."
Bitcoin
Software Releases & Project Updates
- 00:45:53 Bitcoin Core v26.1
- Wallet
- skip BnB when SFFO is enabled
- birth time update during tx scanning
- Fix use-after-free in WalletBatch::EraseRecords
- getrawchangeaddress and getnewaddress failures should not affect keypools for descriptor wallets
- RPC
- fix getrawtransaction segfault
- keep .cookie file if it was not generated
- Logs
- log mempool loading progress
- P2P and network changes
- create I2P sessions using both ECIES-X25519 and ElGamal encryption
- Don't process mutated blocks
- Don't consider blocks mutated if they don't connect to known prev block
- Build
- Use hardened runtime on macOS release builds
- CI
- Use Ubuntu 24.04 Noble for asan,tsan,tidy,fuzz
- Set HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK to avoid unrelated failures
- 00:46:27 Coldcard Q v1.1.0
- Scan any QR and report if it is part of a wallet this Coldcard knows the key for. Includes Multisig and single sig wallets.
- Searches up to the first 1528 addresses (external and change addresses)
- Stores data as it goes to accelerate future uses
- Can take up to 2 minutes to rule out an address, but after that it is fast!
- Calculator login mode. When enabled, the usual PIN entry screen is replaced with a functional calculator. Enter your PIN as 12-12 or 12 12 to get it. To verify anti phishing words, use 12-.
- 00:55:59 BDK v1.0.0-alpha.8
- Explicitly state that we truncate file for create_new
- Migrate to bitcoin::FeeRate
- Remove extra taproot fields when finalizing PSBT
- 00:52:39 HWI v3.0.0
- Add: --emulators option to enumerate and detect emulators. Otherwise default behavior is changed to ignore all emulators.
- Add: Rebuilt to attempt to avoid antivirus false positive
- 00:56:17 Nunchuk-desktop
- 00:56:35 Nunchuk-android [v1.9.44]
- Add support for BBQR
- Add a display setting to use large fonts for balances on Home
- Use large fonts for balances in Wallet Details
- 00:56:49 Liana v5.0: Vineroot
- Daemon/library
- Add experimental support for Taproot
- Configuration with bitcoind can now use a user and password instead of a cookie file
- The getinfo result now contains the "descriptor's timestamp": that is the oldest date at which we scanned the blockchain for coins
- Createspend command doesn't error anymore on insufficient funds, it instead returns the missing amount in its result
- Listspendtxs command now accepts a new optional parameter to filter the result by txids
- GUI
- Add support for Coldcard; at time of writing, Miniscript support is only available on the Edge firmware
- Possibility to create a Taproot descriptor in the installer
- Add sweep functionality
- Unconfirmed coins are now considered in spend transaction when using the default automated coin selection
- When creating a Spend transaction, you can now change screen and come back to your draft
- Display warning to the user when creating a spend transaction, i.e. when the change output value is too small
- RBF transactions now get automatically labeled
- Hardware device transaction signing no longer hides details
- Payments from broadcasted transactions immediately shown on the home page
- Address QR codes now also contain the derivation index in the URI
- Display warning if a user tries to RBF a transaction whose change output is being spent by a later transaction
- The installer is now directly opened when starting Liana on a new datadir
- 00:57:21 Krux Beta24 (highly experimental)
- BIP85
- Change accounts derivation
- New wallet login and customizations
- Hide mnemonics security setting
- Cube screen optimizations
- 00:59:29 Blockstream Green
- Android v4.0.27
- Add push notification support for Lightning payments
- Bump Breez to version 0.3.8
- Make Lightning Shortcut opt-out
- Update transaction details view
- Improve QR code scanability
- QT
- v2.0.3
- Notice when Jade is configured with a custom oracle server
- Show mismatch warning on the setup PIN view
- v2.0.2
- Add button to clear address field
- Improved onboarding flow
- Improvements in the Watch-Only login view
- Reinstate 2FA reset notification and request/cancel options
- Add general section in app settings
- Update GDK to 0.70.3
- 00:59:44 Blue Wallet
- 00:59:56 Brainbow
- v0.1.151
- Changed wallet onboarding order
- Fixed wrong label display in "Transaction Overview". TBTC was shown while running Brainbow in mainnet mode
- Updated Electrum Server presets
- 1:00:07 Bitcoin Keeper v1.2.1
- Now hide or delete keys and wallets
- Support for Taproot wallets
- Fee Insights
- 1:00:18 Bisq v2.0.2
- Improve reputation import account age instructions
- Add Cash App
- Improve peer management
- Update JavaFx to v17.0.10
- Increase limit for btc addresses
- Increase price tolerance
- Add new seed and market provider
- 1:00:21 Citadel v0.3.5
- Allows switching between Bitcoin Core and Bitcoin Knots
- 1:00:25 Labelbase
Side Discussion
- 1:02:27 SimpleX versus nostr
- 1:06:20 Mutiny integration with nostr
- Convenience versus security
- 1:17:04 Fair versus unfair distribution
- 1:14:15 Social contracts and Duty of care
- 1:16:35 Importance of money and economic responsibility
Software Releases & Project Updates (Cont.)
- 1:20:43 Boltz-web-app v1.3.2
- Prevent refunding to lockup address
- Fix:
- NPM package version
- Only retry claims of Taproot swaps
- Node stats when LND is offline
- Multiple claim transactions being broadcasted
- 1:20:53 AgoraDesk v1.1.31
- Add local currencies to the wallet balance.
Project spotlight
- 1:21:02 Wizard Sardines' Antoine Poinsot announced a proof of concept to set up a Ledger device without Ledger Live [Github]
- "Setup your Ledger without Ledger Live. No scams, no shitcoins, no by-default-ledger-recover subscription."
- Antoine's work has been inspired by a previous investigation by Bitcoin Core contributor Ava Chow.
- There are plans to integrate elements of the PoC into Liana and bring the tool to a wider audience beyond Liana users and command line-savvy individuals.
- 1:22:34 Cypher.Space: a platform for building Bitcoin-focused web projects
- The project aims to provide a free, Bitcoin-only, flat file CMS as an alternative to WordPress and Shopify, allowing deployment on various cloud providers or self-hosting without monthly costs. [Github]
- 1:22:42 Spend-sats: Discover where you can pay with Bitcoin
- Website listing 100+ online stores and services that accept sats
Privacy Software
Software Releases & Project Updates
- 1:22:46 Unleashed.chat v0.1.20
- Nostr mode improvements:
- Ask "What's happening on my feed today?" The AI can now access recent posts by people you follow. You need to have Nostr login enabled for this to work. If you have an existing account, go to the Account page (left side menu) and connect your npub there.
- You'll see some prompt suggestions when you start a new chat in Nostr mode.
- Other:
- AI generated code blocks now have a button for copying their contents to the clipboard.
Project spotlight
- 1:23:05 Hushline: Pre-launch of a lightweight, secure, and anonymous tip line [Github]
- "Hush line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals."
Lightning + L2+
Software Releases & Project Updates
- 1:23:34 CLN v24.02.2
- Addresses incompatibility in the gossip protocol [PR #7174]
- lightningd: revert f450dfe to allow non-gossip_query nodes
- gossipd: be stricter with non-gossip_query nodes
- 1:23:47 Phoenixd v0.1.3
- Add phoenix-cli script to the JVM distribution
- Factor initialization of datadir directory
- Use lightning-kmp 1.6.2-FEECREDIT-5
- Update gradle to 8.5
- 1:23:52 Breez SDK v0.3.9
- Add API to generate diagnostic data
- Use multiple chain service urls with redundancy (generate_diagnostic_data)
- Fix swap confirmed block to be the earliest
- Add debugging to signer loop start
- 1:23:54 Mutiny Node
- Lightning Addresses announced
- v0.6.2
- Dedup fedimint events from relays
- Update fedimint to v0.3.0
- Claim hermes tokens
- Refetch blind tokens after subscribe
- Check LNURL name
- Add privacy_level to ActivityItem
- Improvements to mint discoverability
- Allow changing nostr keys on the fly
- Tag npub if no contact
- Update ldk fork for CLN issues
- Optimize label activity
- v0.6.1
- Add delete profile
- 1:35:49 Fedimint v0.3.0
- Dynamic meta fields through the Meta module
- Improve load-test-metrics for better performance insights
- Capability to pass --auth flag to fedimint-cli dev api
- Add recovery tool tests for enhanced reliability
- Enhance LN payments privacy for LND
- CLI improvements and more configurable options
- Add support to pay lnurls
- Implement a special case descriptor for single-guardian instances for smaller on-chain transactions
- Introduce versioned Gateway API for backward compatibility
- Introduce a latency test for restore functions
- 1:36:38 Zeus v0.8.3-rc1 (pre-release)
- LND: on-chain tx coin control
- Custom pictures for saved nodes and wallets
- Enhanced Neutrino peer controls + ping test
- Signet support
- Improved LNC connection support
Project spotlight
- 1:37:06 LNCast: Lightning address broadcasting app [Github]
- LNCast is an application and tool designed for sending messages in bulk to LNAddresses on the Lightning Network.
- Features:
- Easy management via the UI
- Sending messages to multiple addresses simultaneously
- Real-time tracking of message delivery
- Adding addresses from CSV files
- Recording and listing of past messages
- Preset feature for saving multiple address books and sending different messages to different addresses through these address books
Nostr
Software Releases & Project Updates
- 1:38:51 NDK
- v2.7.0
- A queueing system is now in place to fetch NIP-05 and ZAP endpoint information. Most applications should feel much faster.
- Caching of NIP-05/Zap endpoints is now in place
- Threading utility functions to make displaying threads properly
- Now live: ndk-cache-dexie 2.3 and ndk-svelte-components 2.2.11
- 1:39:21 Primal
- 1:39:39 Amethyst v0.86.0
- Features:
- Draft notes for feeds, replies, live streams, public chats, NIP-04 DMs, GiftWrap DMs, polls and classifieds
- Adds autosave for Drafts
- Adds a Draft feed screen for all posts
- Adds new algorithm to parse OpenGraph tags
- Filters out too many reposts of the same note when on the main feed
- Updates the bootstrap relay list
- Adds missing classes to support WebServer connections in the Video Playback
- Migrates shareable links from habla.news to njump.me
- Adds k-tag to the Deletion events
- Code Quality Improvements:
- Breaks massive NoteCompose down into each event type
- Removes dependency of the Robohash from CryptoUtils
- Updates secp256k1KmpJniAndroid, compose, zoomable, media3, jackson and firebase libs
- Refactoring caching systems for the Compose layer
- 1:41:20 Mostro v0.11.0
- AddInvoice with LN address instead of bolt11
- updated nostr-sdk lib
- Added a check in dispute.rs
- Use the right decrypt (nip04) function
- Removed unwraps from scheduler
- Add Cargo.lock file
Project spotlight
- 1:41:29 NostrSync
- NostrSync.live provides a broadcast and export service, enabling users to download a copy of their data.
- The service ensures user data is broadcasted to major relays within the network.
- 1:41:37 Nostr Signer: a simple nostr signing app [Blog post]
- "Store your Nsec in a single app and use it to sign NIP-46 requests from other Nostr clients." [Github]
- 1:41:41 X to Nostr by nostr.band
- A simple UI that lets you cross-post your Tweets to Nostr. [Github]
Side Discussion
- 1:42:24 Infighting and toxicity
- 1:52:09 Bitcoin politics
- 1:54:23 Incentives and game theory
Boosts
- 1:58:10 Thanks to everyone who streamed sats, and shoutout to our top boosters:
- [TOP BOOSTER] @qxotk (2,112 sats) "hey do not read the boosts."
- @dubravko (1,620 sats) "Pro tip: If you slow the podcast down to 1.0x (or slower), you can put your toddler to sleep. Also, I really gotta set up the 2FA equipment…"
- @conorchepenik (699 sats) "good ep"
- @benthefed (521 sats)
- @TheWildHustle (500 sats) "Let's go!"
- @plebhodl (200 sats) "Is there a nostr signing app/plugin for grapheneos (your fav mobile OS :P)" "oh oh.. Also. best app/website for music creators that allows them to post songs and get zapped.."
- @zdoxed (200 sats) "great mumble tech!"
- @undefined "great chat. mic quality could improve. most importantly thanks to all developers on the space!!!!"
- @monk_cactus (100 sats) "Smoked some crack after this episode"
Bitcoin Optech Newsletter
- Revisiting consensus cleanup:
- Antoine Poinsot (@darosior) revisits Matt Corallo's 2019 consensus cleanup proposal, focusing on addressing severe blockchain issues including potential slow block verification times and security vulnerabilities.
- Proposes technically simple soft fork solutions for problems like miner attacks and transaction deception.
- Suggests updated consensus rules to apply only to transactions created after a specific block height, ensuring backward compatibility for older transactions.
- Choosing new BIP editors: Discussion on choosing new BIP editors with community input is ongoing, aiming for a decision by April 5th. [Google Group discussion]
News & Noteworthy
Bitcoin
- 2:05:54 Bitcoin script and BitVM development
- "After months in the mempool, our Blake3 transaction has finally been mined, executing the most sophisticated Script in the chain to date." Robin Linus announced in a Twitter post.
- 2:05:55 HRF launches Bitcoin integration webinar for nonprofits [Announcement]
- The first course covers Bitcoin basics, including wallet setup, transactions, and security practices, focusing on its use in closed societies.
- Aimed at individuals and organizations with no prior Bitcoin knowledge, it includes case studies of activists using Bitcoin for advocacy.
- 2:06:00 Umbrel has approved and integrated Bitcoin Knots into its app store [Twitter post]
- The app will be compatible with the rest of the app store in a future update.
- 2:06:07 Google starts indexing Bitcoin data into its search engine [Twitter post]
- Allows three address formats: P2PKH, P2SH and Bech32.
- Lets users see the balance, last update and last transactions of public addresses.
Lightning
- 2:06:25 Coinbase Selects Lightspark for Lightning [Announcement]
- The partnership allows Coinbase to use Lightspark's infrastructure for scalable, reliable, and optimized node management.
- 2:06:29 Amboss launches Reflex Beta
- A payment operations platform designed to enhance liquidity optimization and risk management on the Lightning Network.
- Features advanced risk management tools, including AML policies, OFAC compliance, ransomware, and sanctions screening.
- Offers continuous monitoring and reporting for compliance, with real-time risk assessments of channel peers and transactions.
Business & Finance
- Casa acquires Chamber, a team specializing in applied cryptography and passkeys [Announcement]
- Marathon launches Slipstream: a Bitcoin transaction submission portal
- Designed for the direct submission of large or non-standard Bitcoin transactions to Marathon.
- Addresses the issue of such transactions being automatically rejected by most nodes due to standard transaction relay policy guidelines.
- The premium on transaction fees appears to be ~50% higher than average.
- Unchained launches its mobile app [Announcement]
- Focuses on providing a mobile-first experience for bitcoin transactions, specifically buying and depositing into multisig cold storage.
- The initial release is iOS-only, with plans to expand features, including Android support, business operation approvals, mobile onboarding, and enhanced security measures.
- New Fedi-Clovyr alliance [Announcement]
- Clovyr's interface enables users, including those without technical skills, to create test federations on Mutinynet.
- Fedi launches Fedi Bravo and introduces Fedi Fund [Announcement]
- Enables use of real money within the app.
- Introduces Fedi Mods for personalized app experiences through custom features and developer-friendly deployment.
- Launches "Fedi Fund" to support 21 communities with technical and hosting resources.
Funding
- HRF announces CISA Research Fellowship [Announcement]
- Sponsors a four-month fellowship to analyze the potential of Cross-Input Signature Aggregation (CISA) in Bitcoin.
- The fellowship aims to produce an industry paper addressing specific aspects of CISA, such as its effect on transaction costs, privacy improvements, and potential changes required in Bitcoin Core and SegWit.
- Tether awards $100,000 grant to BTCPay Server Foundation [Announcement]
Mining
- Bitmain announced the launch of the Antminer S21 Pro at the Global Digital Mining Summit (WDMS) 2024 [No Bullshit Bitcoin]
- The device boasts a hash rate of 234 TH/s and an energy efficiency ratio of 15.0 J/TH.
- It can operate in environments up to 45 degrees Celsius (113 degrees Fahrenheit).
- Shipments are scheduled to begin in Q3 2024.
- F2Pool mined a 3.97MB video inscription on block #836964, taking almost an entire block space. [Twitter post]
Privacy
- In-person payments at Canada Post will now require identity verification [Bull Bitcoin's CEO announcement]
- The new requirement, starting April 15, 2024, is mandated as a condition for Bull Bitcoin to continue offering the account funding service at Canada Post.
Protocol
- Bitcoin Core: track mempool conflicts with wallet transactions [merged]
- "Begins tracking the txid of transactions in the mempool that conflict with a transaction belonging to Bitcoin Core's built-in wallet."
- Bitcoin Core: Add RBF diagram checks [merged]
- "Introduces utility functions to compare two Feerate Diagrams and to evaluate the incentive compatibility of replacing clusters with up to two transactions."
- Core Lightning: Removal of EOL deprecations [merged]
- Eliminates several features previously marked for deprecation through Core Lightning's updated deprecation process.
- BDK: Define and document stop_gap [merged]
- "Makes several changes to how BDK interprets the stop_gap parameter, which controls its gap limit behavior."
- Bitcoin Core maintainer Hennadii Stepanov announces progress in migrating Bitcoin Core's build system from Autotools to CMake
- Developers are encouraged to test the staging branch and provide feedback.
Government & Political
- Argentina implements mandatory registry for Bitcoin service providers [No Bullshit Bitcoin]
- Mandates a registry for individuals and companies engaging in Bitcoin service provision, following amendments aimed at complying with Financial Action Task Force recommendations.
- Unregistered entities are prohibited from operating within the country, affecting both local and international providers.
- Bhutan to ramp up Bitcoin mining capacity to 600MW [No Bullshit Bitcoin]
- Bhutan plans to increase capacity by 500 megawatts, targeting a total of 600 megawatts by the first half of 2025.
- Funding for the upgrade comes from a $500 million initiative started last year.
- Paraguay considers temporary ban on Bitcoin mining due to energy concerns [No Bullshit Bitcoin]
- Parliamentarians have suggested a 180-day ban until the nation can develop appropriate regulations and infrastructure to support the mining industry energy demands.
- The bill highlights increased power outages in the Alto Paraná region, attributed to illicit energy use by miners, and aims to prevent grid destabilization.
Events
- Ecash Hackday V2 [Announcement]
- "This is a small and intimate event for hackers, researchers, and anyone else interested in Chaumian Ecash."
- Berlin, June 20-21, 2024
- Die Bitcoin Konferenz 2024 (@thebconf) has been cancelled [Announcement]
- thebconf organisers invite the German-speaking community to reunite at BTCPrague instead.
- Adopting Bitcoin Arnhem
- May 25th 2024 - Arnhem Bitcoin City, the Netherlands
- "Join Us for the 10-Year Celebration at Luxor Live, Willemsplein 10. Explore Nearby Bitcoin-Friendly Spots and Join Pre-Conference Satellite Events, Including Pizzaday on May 22."
- Tickets Can Be Paid In Bitcoin Only
Reads
- Here's a list of our top recently published reads:
- Review of Smart Contract Concepts for Bitcoin by Jeremy Rubin [Twitter post]
- Bitkey by Block: a comprehensive review
- Safety Practices on Using Nostr by @natalia [stacker.news]
Episode submission ideas
- We're looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
- Podcast Twitter
- NVK Twitter
- Telegram
- Nostr & LN ⚡nvk@nvk.org (not an email!)
Did I get anything wrong above? Help me correct it: producer@coinkite.com