BR064 - xz Utils Backdoor, LoLRa, Mutiny, HWI, COLDCARD Q, Krux, Labelbase, BitVM Bridge Risks, BIP editors discussion, Coinbase X Lightspark + MORE ft. Alex B, Harry, Paul & Craig
I’m joined by guests Alex B, Harry Sudock, Future Paul and Craig Raw to go through the list.
Vulnerability Disclosures
00:01:02 xz utils backdoor [Ars Technica]
A Microsoft developer discovered a backdoor in xz Utils, a widely used data compression utility on Linux and Unix-like systems, which was close to being merged into major Linux distributions Debian and Red Hat.
The backdoor was intended to manipulate sshd, enabling remote execution of malicious commands with a specific encryption key.
The complex operation to plant the backdoor spanned years, involving suspicious commits and social engineering to pressure the project into changing maintainers.
00:17:35 LoLRa project: Transmitting LoRa packets without radio [CNXSoft]
Enables data transmission without a Semtech radio, using microcontrollers with I2S or SPI interfaces.
Operates with two major modes: transmission using a tunable PLL and direct synthesis on a bitstream.
Uses harmonics and aliasing, advising caution due to potential RF spectrum bans and FCC compliance issues.
00:42:13 Nunchuk uncovered a security weakness in Casa’s new inheritance planning implementation [Twitter post]
Nunchuk criticizes Casa’s security, particularly around the encryption and handling of decryption keys, suggesting potential vulnerabilities.
Key differences between both services include the requirement for beneficiaries to have an account with Casa, Casa’s 6-month claim period, and Nunchuk’s flexible beneficiary designation and timelock feature.
Nunchuk recommends that Casa users delay using Casa's new service until the issue has been addressed.
00:25:53 BitVM Bridges Considered Unsafe [Blog post]
An article written by Tyler Whittle & Rijndael demonstrating the economic instability and risks of BitVM bridges
The article has opened a discussion on Stacker.News involving SuperTestNet and Tyler Whittle
00:43:06 Breez under DDoS attack [Twitter post]
“We’re under a DDoS attack. We appreciate your patience while we’re trying to mitigate the situation.”
Bitcoin
Software Releases & Project Updates
00:45:53 Bitcoin Core v26.1
Wallet
skip BnB when SFFO is enabled
birth time update during tx scanning
Fix use-after-free in WalletBatch::EraseRecords
getrawchangeaddress and getnewaddress failures should not affect keypools for descriptor wallets
RPC
fix getrawtransaction segfault
keep .cookie file if it was not generated
Logs
log mempool loading progress
P2P and network changes
create I2P sessions using both ECIES-X25519 and ElGamal encryption
Don’t process mutated blocks
Don’t consider blocks mutated if they don’t connect to known prev block
Build
Use hardened runtime on macOS release builds
CI
Use Ubuntu 24.04 Noble for asan,tsan,tidy,fuzz
Set HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK to avoid unrelated failures
00:46:27 Coldcard Q v1.1.0
Scan any QR and report if it is part of a wallet this Coldcard knows the key for. Includes Multisig and single sig wallets.
Searches up to the first 1528 addresses (external and change addresses)
Stores data as it goes to accelerate future uses
Can take up to 2 minutes to rule out an address, but after that it is fast!
Calculator login mode. When enabled, the usual PIN entry screen is replaced with a functional calculator. Enter your PIN as 12-12 or 12 12 to get it. To verify anti-phishing words, use 12-.
00:55:59 BDK v1.0.0-alpha.8
Explicitly state that we truncate file for create_new
Migrate to bitcoin::FeeRate
Remove extra taproot fields when finalizing PSBT
00:52:39 HWI v3.0.0
Add --emulators option to enumerate and detect emulators. Otherwise the default behavior is changed to ignore all emulators.
Rebuilt to attempt to avoid antivirus false positives
00:56:17 Nunchuk-desktop
00:56:35 Nunchuk-android [v1.9.44]
Add support for BBQR
Add a display setting to use large fonts for balances on Home
Use large fonts for balances in Wallet Details
00:56:49 Liana v5.0: Vineroot
Daemon/library
Add experimental support for Taproot
Configuration with bitcoind can now use a user and password instead of a cookie file
The getinfo result now contains the “descriptor’s timestamp”: that is the oldest date at which we scanned the blockchain for coins
The createspend command no longer errors on insufficient funds; it instead returns the missing amount in its result
The listspendtxs command now accepts a new optional parameter to filter the result by txids
GUI
Add support for Coldcard; at the time of writing, Miniscript support is only available on the Edge firmware
Possibility to create a Taproot descriptor in the installer
Add sweep functionality
Unconfirmed coins are now considered in spend transactions when using the default automated coin selection
When creating a Spend transaction, you can now change screen and come back to your draft
Display a warning to the user when creating a spend transaction, i.e. when the change output value is too small
RBF transactions now get automatically labeled
Hardware device transaction signing no longer hides details
Payments from broadcasted transactions are immediately shown on the home page
Address QR codes now also contain the derivation index in the URI
Display warning if a user tries to RBF a transaction whose change output is being spent by a later transaction
The installer is now directly opened when starting Liana on a new datadir
00:57:21 Krux Beta24 (highly experimental)
BIP85
Change accounts derivation
New wallet login and customizations
Hide mnemonics security setting
Cube screen optimizations
00:59:29 Blockstream Green
Android v4.0.27
Add push notification support for Lightning payments
Bump Breez to version 0.3.8
Make Lightning Shortcut opt-out
Update transaction details view
Improve QR code scanability
QT
Notice when Jade is configured with a custom oracle server
Show mismatch warning on the setup PIN view
Add button to clear address field
Improved onboarding flow
Improvements in the Watch-Only login view
Reinstate 2FA reset notification and request/cancel options
Add general section in app settings
Update GDK to 0.70.3
00:59:44 Blue Wallet
00:59:56 Brainbow
Changed wallet onboarding order
Fixed wrong label display in “Transaction Overview”. TBTC was shown while running Brainbow in mainnet mode
Updated Electrum Server presets
1:00:07 Bitcoin Keeper v1.2.1
Now hide or delete keys and wallets
Support for Taproot wallets
Fee Insights
1:00:18 Bisq v2.0.2
Improve reputation import account age instructions
Add Cash App
Improve peer management
Update JavaFx to v17.0.10
Increase limit for btc addresses
Increase price tolerance
Add new seed and market provider
1:00:21 Citadel v0.3.5
Allows switching between Bitcoin Core and Bitcoin Knots
1:00:25 Labelbase
Side Discussion
1:02:27 SimpleX versus nostr
1:06:20 Mutiny integration with nostr
Convenience versus security
1:17:04 Fair versus unfair distribution
1:14:15 Social contracts and Duty of care
1:16:35 Importance of money and economic responsibility
Software Releases & Project Updates (Cont.)
1:20:43 Boltz-web-app v1.3.2
Prevent refunding to lockup address
Fix:
NPM package version
Only retry claims of Taproot swaps
Node stats when LND is offline
Multiple claim transactions being broadcasted
1:20:53 AgoraDesk v1.1.31
Add local currencies to the wallet balance.
Project spotlight
1:21:02 Wizard Sardines' Antoine Poinsot announced a proof of concept to set up a Ledger device without Ledger Live [Github]
“Setup your Ledger without Ledger Live. No scams, no shitcoins, no by-default-ledger-recover subscription.”
Antoine’s work has been inspired by a previous investigation by Bitcoin Core contributor Ava Chow.
There are plans to integrate elements of the PoC into Liana and to bring the tool to a wider audience beyond Liana users and command line-savvy individuals.
1:22:34 Cypher.Space: a platform for building Bitcoin-focused web projects
The project aims to provide a free, Bitcoin-only, flat file CMS as an alternative to WordPress and Shopify, allowing deployment on various cloud providers or self-hosting without monthly costs. [Github]
1:22:42 Spend-sats: Discover where you can pay with Bitcoin
Website listing 100+ online stores and services that accept sats
Privacy Software
Software Releases & Project Updates
1:22:46 Unleashed.chat v0.1.20
Nostr mode improvements:
Ask “What’s happening on my feed today?” The AI can now access recent posts by people you follow. You need to have Nostr login enabled for this to work. If you have an existing account, go to the Account page (left side menu) and connect your npub there.
You’ll see some prompt suggestions when you start a new chat in Nostr mode.
Other:
AI generated code blocks now have a button for copying their contents to the clipboard.
Project spotlight
1:23:05 Hushline: Pre-launch of a lightweight, secure, and anonymous tip line [Github]
“Hush line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals.”
Lightning + L2+
Software Releases & Project Updates
1:23:34 CLN v24.02.2
Addresses incompatibility in the gossip protocol [PR #7174]
lightningd: revert f450dfe to allow non-gossip_query nodes
gossipd: be stricter with non-gossip_query nodes
1:23:47 Phoenixd v0.1.3
Add phoenix-cli script to the JVM distribution
Factor initialization of datadir directory
Use lightning-kmp 1.6.2-FEECREDIT-5
Update gradle to 8.5
1:23:52 Breez SDK v0.3.9
Add API to generate diagnostic data
Use multiple chain service urls with redundancy (generate_diagnostic_data)
Fix swap confirmed block to be the earliest
Add debugging to signer loop start
1:23:54 Mutiny Node
Lightning Addresses announced
Dedup fedimint events from relays
Update fedimint to v0.3.0
Claim hermes tokens
Refetch blind tokens after subscribe
Check LNURL name
Add privacy_level to ActivityItem
Improvements to mint discoverability
Allow changing nostr keys on the fly
Tag npub if no contact
Update ldk fork for CLN issues
Optimize label activity
Add delete profile
1:35:49 Fedimint v0.3.0
Dynamic meta fields through the Meta module
Improve load-test-metrics for better performance insights
Capability to pass --auth flag to fedimint-cli dev api
Add recovery tool tests for enhanced reliability
Enhance LN payments privacy for LND
CLI improvements and more configurable options
Add support to pay LNURLs
Implement a special case descriptor for single-guardian instances for smaller on-chain transactions
Introduce versioned Gateway API for backward compatibility
Introduce a latency test for restore functions
1:36:38 Zeus v0.8.3-rc1 (pre-release)
LND: on-chain tx coin control
Custom pictures for saved nodes and wallets
Enhanced Neutrino peer controls + ping test
Signet support
Improved LNC connection support
Project spotlight
1:37:06 LNCast: Lightning address broadcasting app [Github]
LNCast is an application and tool designed for sending messages in bulk to LNAddresses on the Lightning Network.
Features:
Easy management via the UI
Sending messages to multiple addresses simultaneously
Real-time tracking of message delivery
Adding addresses from CSV files
Recording and listing of past messages
Preset feature for saving multiple address books and sending different messages to different addresses through these address books
Nostr
Software Releases & Project Updates
1:38:51 NDK
A queueing system is now in place to fetch NIP-05 and ZAP endpoint information. Most applications should feel much faster.
Caching of NIP-05/Zap endpoints is now in place
Threading utility functions to help display threads properly
Now live: ndk-cache-dexie 2.3 and ndk-svelte-components 2.2.11
1:39:21 Primal
1:39:39 Amethyst v0.86.0
Features:
Draft notes for feeds, replies, live streams, public chats, NIP-04 DMs, GiftWrap DMs, polls and classifieds
Adds autosave for Drafts
Adds a Draft feed screen for all posts
Adds new algorithm to parse OpenGraph tags
Filters out too many reposts of the same note when on the main feed
Updates the bootstrap relay list
Adds missing classes to support WebServer connections in the Video Playback
Migrates shareable links from habla.news to njump.me
Adds k-tag to the Deletion events
Code Quality Improvements:
Breaks massive NoteCompose down into each event type
Removes dependency of the Robohash from CryptoUtils
Updates secp256k1KmpJniAndroid, compose, zoomable, media3, jackson and firebase libs
Refactoring caching systems for the Compose layer
1:41:20 Mostro v0.11.0
AddInvoice with LN address instead of bolt11
updated nostr-sdk lib
Added a check in dispute.rs
Use the right decrypt (nip04) function
Removed unwraps from scheduler
Add Cargo.lock file
Project spotlight
1:41:29 NostrSync
NostrSync.live provides a broadcast and export service, enabling users to download a copy of their data.
The service ensures user data is broadcasted to major relays within the network.
1:41:37 Nostr Signer: a simple nostr signing app [Blog post]
“Store your Nsec in a single app and use it to sign NIP-46 requests from other Nostr clients.” [Github]
1:41:41 X to Nostr by nostr.band
A simple UI that lets you cross-post your Tweets to Nostr. [Github]
Side Discussion
1:42:24 Infighting and toxicity
1:52:09 Bitcoin politics
1:54:23 Incentives and game theory
Boosts
1:58:10 Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @qxotk (2,112 sats) “hey do not read the boosts.”
@dubravko (1,620 sats) “Pro tip: If you slow the podcast down to 1.0x (or slower), you can put your toddler to sleep. Also, I really gotta set up the 2FA equipment…”
@conorchepenik (699 sats) “good ep”
@benthefed (521 sats)
@TheWildHustle (500 sats) “Let’s go!”
@plebhodl (200 sats) "Is there a nostr signing app/plugin for grapheneos (your fav mobile OS :P)" "oh oh.. Also. best app/website for music creators that allows them to post songs and get zapped.."
@zdoxed (200 sats) “great mumble tech!”
@undefined “great chat. mic quality could improve. most importantly thanks to all developers on the space!!!!”
@monk_cactus (100 sats) “Smoked some crack after this episode”
Bitcoin Optech Newsletter
Revisiting consensus cleanup:
Antoine Poinsot (@darosior) revisits Matt Corallo’s 2019 consensus cleanup proposal, focusing on addressing severe blockchain issues including potential slow block verification times and security vulnerabilities.
Proposes technically simple soft fork solutions for problems like miner attacks and transaction deception.
Suggests updated consensus rules to apply only to transactions created after a specific block height, ensuring backward compatibility for older transactions.
Choosing new BIP editors: Discussion on choosing new BIP editors with community input is ongoing, aiming for a decision by April 5th. [Google Group discussion]
News & Noteworthy
Bitcoin
2:05:54 Bitcoin script and BitVM development
“After months in the mempool, our Blake3 transaction has finally been mined, executing the most sophisticated Script in the chain to date.” Robin Linus announced in a Twitter post.
2:05:55 HRF launches Bitcoin integration webinar for nonprofits [Announcement]
The first course covers Bitcoin basics, including wallet setup, transactions, and security practices, focusing on its use in closed societies.
Aimed at individuals and organizations with no prior Bitcoin knowledge, it includes case studies of activists using Bitcoin for advocacy.
2:06:00 Umbrel has approved and integrated Bitcoin Knots into its app store [Twitter post]
The app will be compatible with the rest of the app store in a future update.
2:06:07 Google starts indexing Bitcoin data into its search engine [Twitter post]
Allows three address formats: P2PKH, P2SH and Bech32.
Lets users see the balance, last update and last transactions of public addresses.
Lightning
2:06:25 Coinbase Selects Lightspark for Lightning [Announcement]
The partnership allows Coinbase to use Lightspark’s infrastructure for scalable, reliable, and optimized node management.
2:06:29 Amboss launches Reflex Beta
A payment operations platform designed to enhance liquidity optimization and risk management on the Lightning Network.
Features advanced risk management tools, including AML policies, OFAC compliance, ransomware, and sanctions screening.
Offers continuous monitoring and reporting for compliance, with real-time risk assessments of channel peers and transactions.
Business & Finance
Casa acquires Chamber, a team specializing in applied cryptography and passkeys [Announcement]
Marathon launches Slipstream: a Bitcoin transaction submission portal
Designed for the direct submission of large or non-standard Bitcoin transactions to Marathon.
Addresses the issue of such transactions being automatically rejected by most nodes due to standard transaction relay policy guidelines.
The premium on transaction fees appears to be ~50% higher than average.
Unchained launches its mobile app [Announcement]
Focuses on providing a mobile-first experience for bitcoin transactions, specifically buying and depositing into multisig cold storage.
The initial release is iOS-only, with plans to expand features, including Android support, business operation approvals, mobile onboarding, and enhanced security measures.
New Fedi-Clovyr alliance [Announcement]
Clovyr’s interface enables users, including those without technical skills, to create test federations on Mutinynet.
Fedi launches Fedi Bravo and introduces Fedi Fund [Announcement]
Enables use of real money within the app.
Introduces Fedi Mods for personalized app experiences through custom features and developer-friendly deployment.
Launches “Fedi Fund” to support 21 communities with technical and hosting resources.
Funding
HRF announces CISA Research Fellowship [Announcement]
Sponsors a four-month fellowship to analyze the potential of Cross-Input Signature Aggregation (CISA) in Bitcoin.
The fellowship aims to produce an industry paper addressing specific aspects of CISA, such as its effect on transaction costs, privacy improvements, and potential changes required in Bitcoin Core and SegWit.
Tether awards $100,000 grant to BTCPay Server Foundation [Announcement]
Mining
Bitmain announced the launch of the Antminer S21 Pro at the Global Digital Mining Summit (WDMS) 2024 [No Bullshit Bitcoin]
The device boasts a hash rate of 234 TH/s and an energy efficiency ratio of 15.0 J/TH.
It can operate in environments up to 45 degrees Celsius (113 degrees Fahrenheit).
Shipments are scheduled to begin in Q3 2024.
F2Pool mined a 3.97MB video inscription on block #836964, taking almost an entire block space. [Twitter post]
Privacy
In-person payments at Canada Post will now require identity verification [Bull Bitcoin’s CEO announcement]
The new requirement, starting April 15, 2024, is a mandate as a condition for Bull Bitcoin to continue offering the account funding service at Canada Post.
Protocol
Bitcoin Core: track mempool conflicts with wallet transactions [merged]
“Begins tracking the txid of transactions in the mempool that conflict with a transaction belonging to Bitcoin Core’s built-in wallet.”
Bitcoin Core: Add RBF diagram checks [merged]
“Introduces utility functions to compare two Feerate Diagrams and to evaluate the incentive compatibility of replacing clusters with up to two transactions.”
Core Lightning: Removal of EOL deprecations [merged]
Eliminates several features previously marked for deprecation through Core Lightning’s updated deprecation process.
BDK: Define and document stop_gap [merged]
“Makes several changes to how BDK interprets the stop_gap parameter, which controls its gap limit behavior.”
Bitcoin Core maintainer Hennadii Stepanov announces progress in migrating Bitcoin Core’s build system from Autotools to CMake
Developers are encouraged to test the staging branch and provide feedback.
Government & Political
Argentina implements mandatory registry for Bitcoin service providers [No Bullshit Bitcoin]
Mandates a registry for individuals and companies engaging in Bitcoin service provision, following amendments aimed at complying with Financial Action Task Force recommendations.
Unregistered entities are prohibited from operating within the country, affecting both local and international providers.
Bhutan to ramp up Bitcoin mining capacity to 600MW [No Bullshit Bitcoin]
Bhutan plans to increase capacity by 500 megawatts, targeting a total of 600 megawatts by the first half of 2025.
Funding for the upgrade comes from a $500 million initiative started last year.
Paraguay considers temporary ban on Bitcoin mining due to energy concerns [No Bullshit Bitcoin]
Parliamentarians have suggested a 180-day ban until the nation can develop appropriate regulations and infrastructure to support the mining industry's energy demands.
The bill highlights increased power outages in the Alto Paraná region, attributed to illicit energy use by miners, and aims to prevent grid destabilization.
Events
Ecash Hackday V2 [Announcement]
“This is a small and intimate event for hackers, researchers, and anyone else interested in Chaumian Ecash.”
Berlin, June 20-21, 2024
Die Bitcoin Konferenz 2024 (@thebconf) has been cancelled [Announcement]
thebconf organisers invite the German-speaking community to reunite at BTCPrague instead.
May 25th 2024 - Arnhem Bitcoin City, the Netherlands
“Join Us for the 10-Year Celebration at Luxor Live, Willemsplein 10. Explore Nearby Bitcoin-Friendly Spots and Join Pre-Conference Satellite Events, Including Pizzaday on May 22.”
Tickets Can Be Paid In Bitcoin Only
Reads
Here’s a list of our top recently published reads:
Review of Smart Contract Concepts for Bitcoin by Jeremy Rubin [Twitter post]
Bitkey by Block: a comprehensive review
Safety Practices on Using Nostr by @natalia [stacker.news]
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)