I’m joined by guests Rob Hamilton & Future Paul to go through the list.

Quote of the Day

“Peter Todd is not Satoshi.”

Housekeeping

Urgent Vulnerability Disclosures

  • BIP85 Drama
  • Non-disclosure of a consensus bug in btcd [Delving Bitcoin]
    • A consensus bug in btcd, reported in March 2024, allows attackers to hard fork nodes using a simple transaction. Although it has minimal impact on the broader Bitcoin network, it poses a critical risk for btcd users.
    • The bug was fixed in version v0.24.2, but about 16 nodes, representing 0.022% of Bitcoin full nodes, remain vulnerable. Users are urged to upgrade immediately to prevent potential attacks.
    • Despite initial requests to delay public disclosure, the team plans to reveal full details on October 10th, prioritizing transparency and user awareness.
  • Bitcoin Core: RPC breakage with v28.0 [Open issue #31039]
    • Stricter RPC implementation breaks current version of LND, electrs and Dojo.

Bitcoin

Software Releases & Project Updates

  • Bitcoin Core v28.0 - Official release
    • Testnet4/BIP94 support: Support for Testnet4 as specified in BIP94 has been added
    • P2P and network changes:
      • Bitcoin Core will now fail to start up if any of its P2P binds fail
      • UNIX domain sockets can now be used for proxy connections
      • Additional flags “in” and “out” have been added to -whitelist to control whether permissions apply to incoming connections and/or manual
      • Transactions that are too low feerate will be opportunistically paired with their child transactions and submitted as a package
    • Mempool Policy Changes:
      • Transactions with version number set to 3 are now treated as standard on all networks
      • Pay To Anchor (P2A) is a new standard witness output type for spending, a newly recognised output template
      • Limited package RBF is now enabled
    • Updated RPCs:
      • For the sendrawtransaction RPC, the help text has been updated from “Transaction already in block chain” to “Transaction outputs already in utxo set”
      • The default mode for the estimatesmartfee RPC has been updated from conservative to economical
      • An item of unspents, of scantxoutset, has two new fields: blockhash and confirmations
    • Updated REST APIs: Parameter validation for /rest/getutxos has been improved by rejecting truncated or overly large txids and malformed outpoint indices by raising an HTTP_BAD_REQUEST “Parse error”
    • Updated settings:
      • When running with -alertnotify, an alert can now be raised multiple times instead of just once
      • mempoolfullrbf=1 is now set by default
    • Wallet: The wallet now detects when wallet transactions conflict with the mempool
  • secp256k1
    • The MuSig2 module has been merged into libsecp256k1.
    • “This marks significant progress in the real-world deployment of MuSig2 as it’ll be available to all existing projects using libsecp256k1 with the next release.”
    • “The module has been designed to be as safe to use as possible. We give two rules that, when followed by the implementer, prevent nonce reuse.” ~ @n1ckler
    • Example usage
    • Docs
  • BDK v1.0.0-beta.5
    • This release changes bdk_wallet transaction creation to enable RBF by default; it also updates the bdk_esplora client to retry server requests that fail due to rate limiting. The bdk_electrum crate now also offers a use-openssl feature.
  • Electrs v0.10.6
    • Update dependencies (bitcoin, configure_me_codegen, crossbeam-channel, log)
    • Deprecate unused config option timestamp
    • Don’t fail if bitcoind fee estimation is disabled
    • Save on allocations by using fixed size types for database rows
  • Nunchuk
    • Android v1.9.52
      • Decoy wallets
      • Revamp Security PIN
      • Option to show total balance on Home screen when there’re multiple wallets
      • Export transaction history as PDF
      • Mark address as used
    • Desktop v1.9.38
      • Refactor sign-in flow
      • HWI 3.1.0
  • Mempool v3.0.1
    • Enable RUST_GBT by default
  • Blockstream Green
    • Android v4.0.35
      • Verify address with hardware wallet during 2FA reactivation
    • QT
      • v2.0.12
        • Improve address verification with Jade on redeposit
      • v2.0.11
        • Option to verify address on Jade in the redeposit 2FA expired coins flow
        • Camera selector when scanning QR codes
        • SPV status in the transaction details view
    • iOS v4.0.35
      • Add HW Address verification on expired 2FA reactivation
      • Improve QR code scanner
      • 2FA dialog: improved usability with native keyboard
  • Krux
    • v24.09.0
      • New Device Support: WonderMV
      • Add Support for Korean and Simplified Chinese
      • Faster PSBT Scanning
      • Improved QR Code Scanning
      • UI Standardization
      • Enhanced Scanning Progress Bars
      • Mnemonics Editor:
        • Loading Mnemonics: you can now correct typos and mistakes during the review stage by simply tapping or navigating to the incorrect words
        • New Mnemonic: When generating new mnemonics through dice rolls or camera images, you can now modify the entropy by changing some of the mnemonic words
    • Support for Scanning Various Binary Grid Formats
    • Message Signing Using SD cards
    • Generate Double Mnemonics from Camera
    • Add Account Descriptor Type Support
    • Enhanced File Exploring
    • Krux experiments with a purely cryptographic ‘wax seal’ designed to reveal tampering by displaying contents only when the correct PIN is entered
    • “To leave no room for tricks with empty spaces on the flash, we can now fill them with random entropy from the camera feed when a PIN is set.”
  • Coinbase
    • Coinbase.com users can now send Bitcoin to Taproot addresses, creating access to more onchain destinations. [Announcement]
  • BoltzExchange
    • web-app v1.4.2
      • Improve swap list
      • Implement RIF relay for claim transactions
      • Multiple wallet selection options
      • Remember wallet of swap
      • Scan contract logs for possible refunds
      • Renegotiate chain swap amounts
      • Show swap ID after uploading file
    • Client v2.1.7
      • Allow macaroon to be encoded in hex
      • Allow insecure lnd connection
      • Add custom reverse swap invoice expiry
  • Jam v0.3.0 - Freezing Fig
    • Quickly freeze/unfreeze UTXOs on send page
    • Review eligible or selected UTXOs
    • Ability to trigger a rescan of the timechain
  • libwally core v1.3.1
    • Elements: Add wally_tx_get_elements_weight_discount for computing ELIP-0200 weight discounts
  • Simple Bitcoin Wallet v2.6
    • Add hardware wallet support
    • Add built-in Tor support
    • Add LNURL support
  • Braiins Toolbox v24.09
    • Batch Hashrate Target Tuner mode now fully supported, allowing for batch hashrate target setting on Braiins OS devices during Braiins OS installation and Dynamic Performance Scaling (DPS)
    • Enhanced Device List features such as sticker hashrate, default power target, and more
  • LiveWallet v0.9.0
    • Builds for Linux Red Hat distributions
    • Builds for Windows
  • The RoboSats Federation now sends notes to clearnet relays, users can now find orders on the following relays: [Note]
    • wss://freelay.sovbit.host
    • wss://nostrvista.aaroniumii.com
    • wss://nostr.satstralia.com

Project spotlight

  • DATUM by Ocean Mining: Decentralized Alternative Templates for Universal Mining [Press release]
    • DATUM is a decentralized mining protocol designed to shift power back to individual miners, allowing them to construct block templates instead of relying on centralized pools.
  • BDK Swift Example Wallet
  • Decoding Bitcoin: An interactive, exercise-heavy approach to learning Bitcoin [Github]
    • Scripts is the first and only module available, with Keys and addresses, Wallets and Transaction coming soon.
  • Twelve Cash: API for creating BIP-353 usernames [Github]
    • Twelve Cash is an attempt to encode bitcoin payment instructions, specifically BOLT 12 offers, into DNS records
    • The v1.0.1-beta release features:
      • User Accounts and Paid User Names
      • Add random paycode trpc endpoint
      • Get user paycodes endpoint
      • Add lnd rest create invoice lookup invoice
  • Kyoto Bitcoin Light Client: An Implementation of BIP-157/BIP-158 [Github]
    • Kyoto is a simple, memory-conservative, and private Bitcoin client for developers to build wallet applications
    • The v0.2.0 release adds support for a new silent payments feature-flag:
      • Receive block filters directly
      • Request blocks directly
      • Pause the node state before downloading filters
  • Bitcoin script editor & visualizer: A playground for learning how to construct different spending mechanisms [Website]
    • Experiment with basic, multi-sig and timelocked transactions
  • Wesatoshis: new hardware warm wallet for Bitcoin, capable of offline custodial Lightning payments and on-chain Bitcoin transactions. [Announcement]
    • Built with an Arduino board, screen, camera, and buttons, the wallet runs a full SPV node. It operates by connecting to other nearby Wesatoshis wallets within a 500-meter range.
  • UtxoPocket: UtxoPocket is a Bitcoin watch only wallet that connects to Electrum
    • The project is in beta and will be open-source in the near future, says its developer. [Announcement]
  • Bitcoin PIPEs (Polynomial Inner Product Encryption): introducing covenants without soft forks [Misha Komarov’s post on Delving Bitcoin]
    • PIPEs rely on cryptographic proofs to enforce transaction rules, maintaining Bitcoin’s trustless principles. After a one-time trusted setup, PIPEs minimize trust assumptions, allowing secure and efficient transaction logic without relying on custodians or off-chain solutions.
  • Simple Proof: tool designed for institutions to improve transparency and ensure the authenticity of documents by incorporating robust timestamping [Explorer]

Vulnerability Disclosures

  • Supply chain attack: New details on Mossad’s pager operation [The Washington Post]
    • Mossad engineered the pagers to appear trustworthy by manufacturing them in Israel under Taiwanese branding, concealing both their origin and the explosive components, making the devices virtually impossible to detect.
      • Mossad’s 2022 operation involved covertly supplying Hezbollah with 5,000 seemingly secure Apollo-branded pagers, rigged with hidden explosives. The AR924 pagers were designed to be durable and undetectable, appealing to Hezbollah’s need for secure battlefield communications.
  • Backdoored backdoors: Chinese-linked ‘Salt Typhoon’ hack targets U.S. wiretap networks and broadband providers [WSJ]
    • Chinese hackers massively wiretapped U.S. broadband networks by targeting systems used for court-authorized wiretaps, accessing sensitive information from lawful surveillance systems.
  • Decade-old Linux vulnerability enables DDoS and remote code execution via the Common Unix Printing System (CUPS) [Hack Read]
    • A Linux vulnerability discovered by Simone Margaritelli allows for remote code execution (RCE) and can be exploited to launch DDoS attacks targeting the Common UNIX Printing System (CUPS).
  • Perfctl: newly discovered persistent Linux malware has infiltrated thousands of servers since 2021 [Ars Technica]
    • Perfctl is known for its stealth capabilities and its role in cryptomining, notably pausing its mining activities when a user logs into the affected machine.
    • It can also function as a traffic relay and facilitate the installation of additional malware on compromised systems.
  • Google’s latest phone raises privacy concerns over frequent transmission of personal data, including location, email addresses, and network information, to Google servers every 15 minutes. [Forbes]
    • Researchers found that even when GPS was disabled, the Pixel 9 Pro still shared location data via Wi-Fi networks.
    • Additional concerns include the phone’s ability to remotely install software, as it regularly communicates with Google’s staging environment for potential updates.
  • Over 100 million Americans have had personal information leaked due to a security lapse at background check company MC2 Data [Cybernews]
    • The company left a 2.2TB database unprotected (passwordless), exposing sensitive data like names, email addresses, birthdates, phone numbers, and employment histories to anyone on the internet.

Software Releases & Project Updates

  • SimpleX v6.1.0-beta.2
    • New audio/video calls - switch between audio and video in one call
    • New UI for switching chat profiles
    • New conversation layout - grouping messages, date separators
  • Sideband
    • v1.1.0
      • Add support for connecting to RNodes over BLE
      • Add RNode battery info to connectivity status dialog
    • v1.0.0
      • Add option to use high-quality voice for PTT
      • Improve notification handling
      • Tapping notifications on Android now goes directly to the relevant conversation
      • Automatically ask user for background service permission on Android
  • reticulum-meshchat v1.13.0
    • Add support for network visualiser when connected to shared instance
    • Add support for showing custom display names in network visualiser
    • Add support for sending simple page data in nomadnet page links
    • Add LXMF stamp cost and ticket expiry to conversation toolbar
    • Add more support for micron format
  • NomadNet v0.5.4
    • Add opportunistic message delivery if destination ratchets are available

Project spotlight

  • Privacy Index: An index of all things digital privacy to help you stay private online. [Github]
    • “PrivacyIndex is a non-exhaustive, work in progress archive of threats, tools and topics to help you stay private online”
  • DarkIRC: An anonymous P2P chat “without identities and message links” by DarkFi project [Release notes]
    • The project is available on Linux, MacOS, Windows and Android, and is the first step announced in building the DarkWallet platform.

Lightning + L2+

Project spotlight

  • Diamond Wallet: new self-custodial Lightning wallet from built using Breez SDK and Blockstream’s Greenlight nodes. [Announcement]
    • Bolt Link is a key feature of the wallet: a bit.ly alternative with Lightning payments, where users can earn sats for watching ads within the in-app browser.
  • LNUnit: C# Lightning Networking Unit Testing Library [Github]
    • “LNUnit is a unit-testing framework for Bitcoin Lightning network systems. It provides an easy-to-use interface for developers to write tests that check the functionality and performance of their Lightning network applications.”
  • PLEBNET-Wiki: A Wikipedia for the Lightning Network [Github]
    • “PLEBNET is a vibrant community of Bitcoin enthusiasts, developers, and node operators dedicated to growing and strengthening the Lightning Network.”
  • Matrix-Lightning-Tip-Bot: A btc lightning network tip bot for the matrix framework, inspired by the LightningTipBot Telegram project. [Github]
  • Predyx: A Lightning Network native prediction market
  • Fedimint Web SDK: A toolkit for building fedimint & lightning wallets in the browser [Github]
    • A robust, privacy-focused, and WebAssembly-powered fedimint client for the browser.
  • Fedimint Observer: Fedimint Federation Explorer aimed to become the ‘mempool.space for Fedimint’ [Github]
  • NWC Tester: new tool by @supertestnet to test NWC strings to identify what they are and what they can do

Software Releases & Project Updates

  • Ark v0.3.0 - VTXO Tree Signing and New Onboarding Process
    • VTXO Tree Signing: introduces the implementation of MuSig2 for VTXO tree signing
    • New Onboarding Process: simplified onboarding process so that users can now join Ark by simply sending funds to a boarding address
    • Extended Functionality
      • Enhanced Client SDK
      • Reversible Policy for Pending VTXOs
      • Chain Offline Payments
      • Bitcoin Wallet Restoration for Covenantless ASP
    • Improved Efficiency
      • Dynamic Fee and Dust Amount Handling: Ark now dynamically fetches dust amounts and minimum relay fees based on chain activity, replacing hardcoded values
    • Improved Testing: expanded the e2e testing suite to include adversarial scenarios
    • Developer Experience:
      • CLI built with Ark SDK
      • API Renaming
  • Lightning Terminal v0.13.995-experimental
    • The Lightning Terminal (LiT) experimental release is the alpha-preview build that brings Taproot Assets to the Lightning Network, with support for Taproot Asset Channels.
      • Clarify Asset Balance Reporting: ListBalances now supports the include_leased flag, which will include leased asset balances in balance queries.
      • Tap Channel Liquidity Fixes: Fixed issues with tap channel liquidity calculations, including sending very small or very big asset amounts.
      • RFQ Price-acceptance Tolerances: Added AcceptPriceDeviationPpm configuration.
      • RFQ Quote Accept Message Parsing: Improved RFQ quote accept message parsing by looking up the associated quote request message.
      • Aux Signer Signal Handling: Improved aux signer signal handling to prevent quit signals from being missed.
      • Coin Select Type: Added a new CoinSelectType enum to FundVirtualPsbt to specify script key type.
      • Dust Checks for Allocations: Added dust checks for allocations in tap channels.
  • LNDg v1.9.0
    • Inbound fees can be set from the /advanced page (negative values only)
    • Inbound fees will be shown next to successful forwards when LNDg detects the inbound fee was used
    • Unify logs between docker and manual installers
    • Add setting LND-DisableMPP to force rebalances to not use MPP (available at: /api/settings/)
    • Add a consolidate UTXOs button
    • Show attempted ppm when HTLC failure was fee insufficient
  • Boltz launches BTCPay plugin to accept Lightning payments without running a node [Blog post]
    • ‘Nodeless’ mode: any merchant using BTCPay Server (even on a shared BTCPay instance) can now accept Lightning - powered by Liquid Swaps 🌊
    • Autoswap to mainchain: when using Liquid Swaps, the BTCPay Plugin allows for triggering swaps back to the mainchain based on a set of preferences
    • Integrated wallet system: create or import Liquid/mainchain wallets
    • Built on Taproot: fully leveraging the power of Taproot Swaps
    • Non-custodial: as with all Boltz products, all mentioned features are powered by Boltz Atomic Swaps, allowing merchants to stay in control of their money
  • Shockwallet v0.0.13-beta - NIP68 Debits
    • NIP68 debits
    • userinfo includes ndebit
    • Add copyable ndebit string and show debits for selected source
    • Rerender linked apps after ndebit string fetch
    • Add new nostr-tools fork hash
    • Create rule
    • Debits placeholders
    • Debit improvements
    • Ndebit discoverable checkbox
  • minibits v0.1.9
    • Significant performance improvements for cryptographic operations
    • Redesigned main wallet screen: The main wallet screen has been redesigned to include fiat exchange rates and an overview of NWC limits.
    • Ecash storage reliability and stability improvements: improve the reliability and performance of local ecash storage, especially for wallets with a large number of ecash notes (thousands).
  • clboss v0.14.0 - Hand at the Grindstone
    • Upgrade EarningsTracker to a time bucket scheme allowing storage and access to earnings and expenditure data over specific time ranges
    • Add new scripts in contrib for displaying earnings history
    • Add Util::BacktraceException which captures backtraces where an exception is thrown and then formats them for debugging when they are displayed with `what()`
  • LNMarket v02102024
    • Account migration: All account types can now transition to a credentials-based authentication method
    • Important: For users of Joule and Slashtags, this migration is mandatory, as these authentication methods will be disabled at the end of the month
    • Account Recovery: All account types can now register an email for account recovery
  • Star9Labs v1.10.1
    • Alby Hub initial release for StartOS

Nostr

Project spotlight

  • Khatru: A framework for making custom Nostr relays [Github]
    • Create custom event or filter acceptance policies, AUTH handlers, storage and pluggable databases, webpages and other HTTP handlers.
  • Note Mixer Relay: A Nostr relay that mixes and anonymizes events using the Khatru framework [Github]
    • Key features include: Event mixing and anonymization, Configurable allowed event kinds, Optional pubkey whitelisting and Event rebroadcasting to other relays.
  • Comet: an encrypted and shareable note-taking app with Nostr integration [Github]
  • Dart Nostr Development Kit: a Dart library designed to enhance the Nostr development experience (Dart/Flutter NDK package) [Github]
    • “Beside basic stuff …, it features: several GOSSIP strategies for calculating relays for feed, Rust event verifier …, caching support, network bandwidth optimization, convenience methods for common nostr usecases, high test coverage and good documentation.”
  • nostr-fetch: A utility library that allows JS/TS apps to effortlessly fetch past events from Nostr relays [Github]
  • ONOSENDAI: The Cyberspace client for the one true metaverse: nostr [Github]
    • ONOSENDAI is an experimental client that visualizes the Nostr protocol in 3D, extending reality into digital space. [Announcement]
    • It features a coordinate system derived from a 256-bit number and divides cyberspace into manageable sectors for better navigation.
    • Users can create and own constructs, place 3D objects called shards, and control avatars representing humans or AI within this digital environment.
  • Nowser: A nostr signing app for iOS and Android [Github]
    • Nowser offers NIP-07, NIP-46 and NIP-55 for Android users and NIP-07 and NIP-46 for iOS users.
  • Route96: Image hosting service [Code repository]
    • Its main features include: NIP-96 and Blossom Support, Image compression to WebP, Blurhash calculation and AI image labeling.
  • Ghost relay: A Nostr relay where events are truly ephemeral [Github]
    • “It deletes events right after they have been queried by a user. Useful for very specific applications where no traces are desired, like shh.com”
  • Grain (Go Relay Architecture for Implementing Nostr): an open-source Nostr relay implementation written in Go [Github]
    • This project aims to provide an efficient and configurable Nostr relay.
  • Chronicle: A Nostr personal relay that supports the Outbox model, with spam protection by WoT [Github]
    • “Chronicle is a personal relay Nostr, built on the Khatru framework, that stores complete conversations in which the owner has taken part and nothing else: pure signal.”
  • Notestack: A decentralized blogging platform using Nostr relays with lightning tips [Github]
    • Notestack is a long-form content nostr client inspired by the Blogstack project
  • HAVEN (High Availability Vault for Events on Nostr): a sovereign personal relay for the Nostr protocol, for storing and backing up sensitive notes like eCash, private chats and drafts [Github]
    • The relay has features such as web of trust, inbox relay, cloud backups, blastr and the ability to import old notes.
  • Atomstr: an RSS/Atom gateway to Nostr [Source code]
    • Atomstr “fetches all sorts of RSS or Atom feeds, generates Nostr profiles for each and posts new entries to given Nostr relay(s).”
  • Nostr Metadata Updater: Scans all known online nostr relays for stale kind 0 metadata notes, rebroadcasts latest verified note [Github]
  • Minestr: A bitcoin mining sim where nostr users compete against each other for sats while learning about bitcoin and nostr.
    • “50% of all in-game lightning payments go to the epoch winner and the other 50% go to OpenSats” [Announcement]
  • GM Relay: A Nostr relay that only accepts GM notes once a day, by fiatjaf. [Github]
    • Comes with a bot to fetch some stats about your GMs.
  • NostrSMS: A service using XMPP and jmp.chat to post to Nostr from a simple SMS [Code repository]

Software Releases & Project Updates

  • Damus newest version
    • Support for viewing Highlights and a way to create highlights in the Safari share sheet
    • Push notifications powered by our new nostr push notification server (notepush)
    • More obvious friend filter for reducing spam in notifications and DMs
    • Improved reconnection speed
    • Support for AlbyHub zaps
  • Amethyst v0.92.0 - Tor and Transient Accounts
    • Add tor node
    • Add multiple settings for the use of Tor
    • Add privacy presets to simplify Tor choices
    • Add support for NFC-hosted transient accounts
    • Add button to take and add pictures from camera
    • Add Uncompressed option when uploading media
    • Add support for Bloom filters
    • Add zapstore yaml setup
    • Add mempool api to verify OTS via Tor
  • Coracle v0.4.11
    • Add NIP 55 support to Android
    • Add negentropy support
    • Simplify sync for messages, groups, and notifications
  • Iris
    • The newest version is based on NDK
      • Zero-configuration zaps for new users: comes with a [npub]@npub.cash lightning address and an integrated Cashu wallet (cashu.me)
      • ReplyGuy-free experience: automatically hides content by users not in your social graph
      • ‘Unseen’ feed: click ‘home’ or switch tabs to refresh
      • ‘Adventure’ feed: shows content from everyone in your social graph
      • Social graph based fast user search
      • Better scroll position retention on back navigation
    • The developers also added a tool for crawling the follow lists of your friends-of-friends and “the option to download a large pre-crawled social graph with 161K users and 5.25M follow relationships”. [Note]
  • Lume
    • v4.2.1
      • Improve preload events
      • Improve performance and stability
    • v4.2.0
      • Add gossip model
      • Add client tag
      • Add web of trust filter, disabled by default
      • Improve post editor
      • Use proof of work by default with difficulty: 21
  • Nos v0.1.27
    • Add the option to preview a note before posting it
    • Add functionality to share notes link through the 3 dots note menu
    • Add routing to profile when tapping on follow notification
    • Add support for NIP-62 Request to Vanish events
    • Delete all user data when logging out
    • Publish empty metadata event and empty contact list on delete account
  • Oxchat v1.3.4-beta
    • Add message jump feature for replies, search, and paginated message loading
    • Add encryption for audio and videos in DMs/private groups before uploading
    • Add support for custom Blossom servers, and removed the default 0xChat file server
    • Add the ability to preload group messages before joining
  • Nostur v1.16.0
    • Nostr Nests integration
    • Live video streams and chats
    • VPN detection toggle: only connect to additional relays if VPN is detected
    • Reduce data usage for new follower notifications
  • Gossip v0.12.0
    • Bookmarks support (including private bookmarks)
    • Global feed and per-Relay feeds (with volatile storage, erased when you quit)
    • Friends-of-friends scores shown in avatar
    • Improve spam filtering script with more inputs to make decisions on
  • Nostrmo v2.9.1
    • Add previous to NIP-29’s messages
    • Search memery notes also search from local relay
    • nostr.build change to using NIP-96 upload
    • Dirty world filter add support for space
    • Add WOT filter support
  • Mostro v0.12.5
    • Hotfix for changing admin-settled message from dispute to order
    • Add info publish interval to settings
    • Additions to have tokens for dispute
    • Implement gift wrap
    • Avoid a buyer taking the same order twice in status waiting-buyer-invoice
  • Yana v0.15.0
    • List transactions
    • Send and receive in wallet
    • NWC subscription notifications
    • Improve hell threads handling

Audience Questions

  • Thanks to everyone who sent in questions. Remember to send yours to questions@bitcoin.review.
    • “Can you explain why the usage of libsecp256k is one of the most important choices in writing Bitcoin code, for those of us who are not cryptographers and do listen to the end? And answer in as non-engineery a way as possible?” -@drianmalcolm

Boosts

  • Thanks to everyone who streamed sats, and shoutout to our top boosters:
    • [🏆 TOP BOOSTER] @drianmalcolm (25,000 sats) “Also I’ve been thinking lately about not trusting the randomness of Ledger and other closed source secure elements which are under NDAs, and using dice rolling. Perhaps for solidarity have Pascal from Ledger on the show.”
    • @Ape Mithrandir (7,777 sats) “Big milestone for Sparrow, hitting 2.0”
    • @Chris @ seedor_io (5,000 sats) “The timing attack you were looking for in the last episode was with BitMEX and their 3-of-4 multisig, with 3 keys held by the founders and a fourth vanity key thrown in to give the addresses a cool 3BiTMEX prefix. By watching which keys signed off on daily withdrawals, one could make a good guess about who owned what key.”
    • @podconf (5,000 sats) “THIS PODCAST IS PODCONF Disapproved ❌ NVK is a NOSTR apologist which is an attack on Bitcoin (America). This podcast continues to support this noncompliant technology. Submit Proof of Compliance® and a public apology if you want your status updated.”
    • @vake (5,000 sats) “Bitcoin is boring.”
    • @btconboard (1,111 sats) “Thanks, especially love hearing more about Liana, Anchorwatch, and miniscript”

Tech Tip of the Day

  • Changesets: A tool to manage versioning and changelogs with a focus on multi-package repositories [Github]

Bitcoin Optech Newsletter

  • Highlights from recent Bitcoin Optech Newsletters
    • 323
      • Impending btcd security disclosure: Antoine Poinsot announces on Delving Bitcoin the upcoming disclosure of a consensus bug affecting the btcd full node, scheduled for October 10th.
    • 322
      • Disclosure of vulnerability affecting Bitcoin Core versions before 24.0.1: Antoine Poinsot shares a link on the Bitcoin-Dev mailing list regarding a vulnerability in Bitcoin Core versions that have been unsupported since at least December 2023. This announcement comes after earlier reports of vulnerabilities in older versions.
      • Hybrid jamming mitigation testing and changes: Carla Kirk-Cohen shares information on Delving Bitcoin regarding multiple efforts to overcome a mitigation method for channel jamming attacks initially suggested by Clara Shikhelman and Sergei Tikhomirov.
      • Shielded client-side validation (CSV): Jonas Nick, Liam Eagen, and Robin Linus submit a paper to the Bitcoin-Dev mailing list discussing a new client-side validation protocol. This protocol enables the secure transfer of tokens using Bitcoin’s proof-of-work while keeping details about the tokens and transfers confidential.
      • Draft of updated BIP process: Murch announces on the Bitcoin-Dev mailing list that a pull request is available for a draft BIP detailing a revised procedure for the BIP repository.

News & Noteworthy

Bitcoin

  • Ledger launches Ledger Key Ring Protocol, its solution for secure data sharing [Announcement]
    • The protocol allows users to generate and manage encryption keys, giving them full control over their data, similar to a decentralized Google Drive.
    • Ledger’s solution aims to complement existing standards, offering granular control over shared data through its range of products, without requiring users to store all their data on the device.
  • DLC Markets transitions to Bitcoin Mainnet [Blog post]

Business & Finance

  • Swan Bitcoin’s lawsuit involving tether and alleged coup in mining business [The Miner Mag]
    • Swan Bitcoin accuses former executives of resigning en masse, stealing proprietary mining software, and forming a new company to manage Tether’s mining operations.
    • Proton Management has since denied the allegations made by Swan Bitcoin in a written response.
  • Bitkey partners with Robinhood App, allowing US customers to buy and transfer Bitcoin on their Bitkey hardware wallet with Robinhood Connect [Announcement]
  • BitBoxSwiss partners with Pocket Bitcoin, implementing ‘secure bitcoin sales’ [Blog post]
    • BitBoxApp now allows users in Europe to sell bitcoin directly; the process sends exchanged funds to users’ bank accounts after transaction confirmation.
  • Centralized exchange Gemini plans to end operations in Canada by the end of 2024, citing regulatory pressures as a driving factor [Cryptoslate]

Tradfi

  • BlackRock requests changes to its custody agreement with Coinbase and asks the SEC to modify the bitcoin withdrawal procedures for its Bitcoin spot ETF over concerns about Coinbase’s custody practices. [Atlas21]
    • The request mandates the custodian to complete bitcoin withdrawal within 12 hours of receiving instructions.

Funding

  • OpenSats announces:
    • Second Wave of Education Grants. The six projects of this funding wave are:
      • Bitcoin Jungle
      • Bitcoin Indonesia
      • Deciphering Bitcoin
      • BOBSpaces Residency - Cohort 3
      • Satsie’s Pocket Guides
      • Africa Free Routing
    • Long-term support for Jon Atack, contributor to Bitcoin Core and the Bitcoin Improvement Proposals, and Dusty Daemon, creator behind Splicing on the Lightning Network.
  • Human Rights Foundation announces new grants for North Korean Human Rights:
    • The NGO Council for North Korean Human Rights
    • NK Human Rights Corporation
    • Korea Young Leaders Forum
    • International Democracy Hub
    • The North Korea Baseball Association
  • Maelstrom awards Jon Atack a one-year Bitcoin developer grant [Announcement]
  • Brink, a non-profit organization supporting Bitcoin developers, publishes its 2023-2024 annual report. The organization has raised ~$2.4M in 2023 from 500 different donors and its expenses were ~$1.6M.
  • UK-based Bitcoin payments business, Musqet, secures £750k in funding round led by Axiom [Press release]

Privacy

  • Saving Privacy Act: A Bill to reform financial privacy
    • The Act revises financial privacy laws, prohibits central databases from storing personal information and central bank digital currencies, and updates executive regulations and penalties. [The Rage]
  • Tor Project & Tails join forces: the Tor Project and Tails have merged operations to improve collaboration, expand outreach, and counter digital surveillance. [Blog post]
  • Over 300 scientists and researchers sign open letter on their position on the updated version of the EU’s proposed Child Sexual Abuse Regulation [Open letter]
  • Telegram updates privacy policy on user data sharing. The new policy allows sharing users’ phone numbers and IP addresses with law enforcement based on valid legal requests. [Durov’s announcement]
  • Tornado Cash case challenges code as protected speech, expands MSB responsibilities [The Rage]
    • In a key ruling, a judge in the Tornado Cash case declares that code is not protected as free speech. This stance has broad implications for developers of blockchain technology and privacy protocols, emphasizing that writing code can be subject to legal scrutiny in cases involving financial regulations and money laundering.

Security

  • NIST proposes ending ineffective password rules to improve security [Ars Technica]
    • The proposed guidelines argue that frequent password changes or forcing users to include specific character types encourage predictable passwords. Instead, the focus shifts to longer, more user-friendly passphrases to improve overall cybersecurity hygiene.

Protocol

  • Bitcoin Core #30043: introduces a built-in implementation of the Port Control Protocol (PCP) to support IPv6 pinholing, allowing nodes to become reachable without manual configuration on the router. [Merged]
  • BIP #1674: Revert BIP #1600 “BIP85: Clarify spec, correct test vectors, add Portuguese language code, add dice application” [Merged]
  • Draft BIP #1670: QuBit, proposal for a quantum resistant soft fork for Bitcoin to introduce a new address format called P2QRH [Draft]
  • BOLTs #798: merges the offers protocol specification which introduces BOLT12, and also brings several updates to BOLT1 and BOLT4. [Merged]
  • NIP-XX #1522: Multiple Public Key Types and Signature Algorithms for Event Signing [Open]
    • A proposal introduces support for multiple public key types and signature algorithms in Nostr, allowing compatibility with various blockchain networks using different cryptographic methods.

Government & Political

  • Bank of Canada pauses plans for digital currency development [CBC]
    • After years of research, the Bank of Canada shifts its focus away from launching a digital Canadian dollar, emphasizing that innovation must balance safety within the existing monetary system.
  • Australian Federal Police (AFP) restrain $9.3 million in cryptocurrency, uncovering assets linked to the alleged mastermind behind Ghost, an encrypted criminal communication platform. [Press release]
    • The seizure is part of Operation Kraken, which has led to 46 arrests and 93 search warrants.
  • The United Arab Emirates has introduced VAT exemptions for cryptocurrency transfers and conversions [Cointelegraph]
  • Taiwan’s Financial Supervisory Commission introduces foreign Bitcoin ETFs, facilitating access for professional investors amid growing digital asset interest. [TFTC]

Events

  • Paralelní Polis announces its closure: founder Pavel Tyc attributes this to their estrangement from the rapidly evolving cryptoscene, now more aligned with mainstream financial systems [Wired]

Reads

  • Here’s a list of our top recently published reads:
    • Crooked Cops, Stolen Laptops & the Ghost of UGNazi: an investigation into Adam Iza cryptocurrency robberies by Brian Krebs [Krebs on Security]
    • How to Share a Secret by Adi Shamir [Satoshi Nakamoto Institute]
    • Can duress wallets stop physical attacks on your bitcoin? by Jameson Lopp [Casa]
    • The Bitcoin Revolution in Iran by Marius Farashi Tasooji [AdoptBlock]

Episode submission ideas

  • We’re looking for ideas for interesting panel conversations. To send Bitcoin-related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.

Get in touch with the pod


Did I get anything wrong above? Help me correct it: producer@coinkite.com