BR068 - Casa, Harbor, Wasabi, NFC Push Tx, Wrench Attacks, BBQr + MORE ft. Lopp, Paul, Rob & Ben
I’m joined by guests Rob Hamilton, Ben Carman, Future Paul and Jameson Lopp to go through the list.
Housekeeping
00:01:01 Coinkite is looking for a Production Manager, email jobs@coinkite.com
00:01:39 BBQr reminder
Vulnerability Disclosures
00:04:53 Flaw in password manager RoboForm helps researchers recover a 20-character passphrase, unlocking access to a bitcoin wallet containing 43.6 bitcoin [Wired]
The flaw tied password generation to the computer’s date and time, making it possible to recreate passwords if the creation date was known.
00:08:24 Japanese exchange DMM hacked for 4,502.9 bitcoin [Official announcement]
While nothing has been confirmed yet, on-chain analyst @Mononautical has suggested a possible address poisoning attack.
00:11:34 GitHub warns of SAML auth bypass flaw in Enterprise Server [Bleeping Computer]
“GitHub has fixed a maximum severity authentication bypass vulnerability tracked as CVE-2024-4985, which impacts GitHub Enterprise Server (GHES) instances using Security Assertion Markup Language (SAML) single sign-on (SSO) authentication”
00:16:35 Whatsapp vulnerable to traffic analysis [The Intercept]
A security assessment reveals that governments can conduct traffic analysis to monitor who communicates with whom, utilizing internet infrastructure to observe data flow, exposing both sender and recipient details without breaking encryption.
00:17:21 Surveilling the Masses with Wi-Fi-Based Positioning Systems [ArXiv research paper]
A new attack shows how Apple’s Wi-Fi-based Positioning Systems (WPSes) can be abused, allowing unprivileged attackers to “amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days.”
00:18:12 Lopp’s list of known physical bitcoin attacks
Bitcoin
Software Releases & Project Updates
00:41:36 Casa announces support for wallet descriptors [Blog post]
Descriptors provide a standardized way to define wallet addresses and spending conditions.
What is a Wallet Descriptor?
Structured format describing wallet characteristics.
Includes keys/hashes, script expression, and script operations.
Standardizes address generation, import, and spending conditions.
Casa’s Use of Wallet Descriptors
Example: A 3-key Casa vault descriptor uses extended public keys and derivation paths.
Allows easy viewing and saving of wallet descriptors in the Casa app.
Benefits of Wallet Descriptors
Unambiguous and specific, avoiding confusion.
Ensures interoperability between different wallet implementations.
Simplifies wallet backups and recreation.
Supports complex scripts and future compatibility.
Wallet Recreation and Recovery
Descriptors prevent loss of access due to missing derivation paths or public keys.
Simplifies multisig wallet recoveries by including all necessary public keys.
00:51:47 BTCPay Server v1.13.2
BoltCard plugin - Create, top-up and check boltcard balance of all from your BTCPay! (A single point of sale device can now not only accept, but also issue and top up BoltCards. BTCPay is now becoming an end-to-end solution for #bitcoin economies.)
Refund reports
Allow lightning: in html hyperlinks
00:51:52 Specter
specter-diy v1.9.0
Add taproot miniscript support
BIP85 app
Export of multiple xpubs
Ask for overwrite of the files on the SD card and smartcard
specter-desktop
00:53:07 Electrum v4.5.5
General: update support to latest revision of SLIP-39 mnemonic spec (to restore)
Lightning: unify max fee bounds for payments, make it configurable
QML GUI (Android): add tx options to ConfirmTxDialog, RbfBumpFeeDialog
Binaries: add AppArmor profiles for tarball and AppImage
00:53:35 Nunchuk Desktop v1.9.34 / Android v1.9.46
Update network settings for easily managing Electrum servers, including custom ones
Ability for subscribers to securely change their email address
Update message retention logic for Byzantine and Finney group chats
00:58:24 Bitcoin Keeper v1.2.7
File based communication enabled for all supporting devices
Canary Wallet: Action cards notify you of key use
Health Check UX enhanced for all types of signers
One time backup of all Assisted Keys now available
00:58:32 Green QT v2.0.6
Add QR unlock for Jade as an experimental feature
Improve QR Code scanning
00:58:42 Bisq2 v2.0.4
Add list view to Offerbook
Offerbook list and markets list are collapsable for minimized layout
Last seen column, search filter and export to csv feature to user profile table at reputation UI
Add support for custom bisq.conf file in data directory
Add support for running on Whonix
00:58:45 Wasabi Wallet v2.0.8
Exclude UTXOs from autocoinjoin: an “exclude coins” menu option is now available … that allows users to restrict which coins are consumed as coinjoin inputs.
Coordinator selection in GUI: users can now paste the connection information for their chosen coinjoin coordinator without needing to edit any config files.
Tor bridges are now supported in Wasabi
Tails & Whonix OS support
Install Linux udev rules for hardware wallets
1:01:24 Labelbase v2.2.0 - Derive Addresses Feature
Efficient address derivation: generate Bitcoin addresses from a BIP-329 XPUB label with ease
Direct labeling: label each derived address directly within the ‘Derive Addresses’ tab
Enhanced workflow: integrate address derivation and labeling into your existing processes smoothly
1:03:39 ESP-miner v2.1.5
Add option to configure hostname
Add more Logging before esp_restart
Add best difficulty since system boot
Wifi will continue to try to re-connect when disconnected
Fan will no longer go 100% on reboot
Project spotlight
1:03:45 Satsie Zines
1:06:28 NFC Push Tx: this feature allows single-tap broadcast of the freshly signed transaction
Once enabled with a URL, the COLDCARD will show the NFC animation after signing the transaction. When the user taps their phone, the phone will see an NFC tag with a URL inside. That URL contains the signed transaction, ready to go, and it loads once opened in the mobile browser. The landing page will connect to a Bitcoin node (or similar) and send the transaction on the public Bitcoin network.
This feature is available on Q and Mk4 and requires NFC to be enabled. See Advanced/Tools > NFC Push Tx
1:10:44 Meshtastic BitcoinCore Bridge: Broadcast raw transactions over Meshtastic Lora to a computer with Bitcoin Core [Github]
1:14:30 Ginger Wallet: Bitcoin privacy solution with an active coinjoin service [Github]
Ginger Wallet is a fork of Wasabi Wallet that established a new coordinator with a coinjoin service.
The coordinator is “maintained by former CTO, Head of UI, Head of Communications and some other devs from @WasabiWallet”, according to a Twitter post.
1:15:11 cargo-checkct: open-source tool developed to counter timing attacks [Ledger Donjon Blog post]
Privacy & Other Related Bitcoin Projects
Software Releases & Project Updates
1:15:23 SimpleX
Private message routing to protect IP addresses
Protect IP address when receiving files
Chat themes with wallpapers - set themes for all chats app-wide, per chat profile and per conversation - Android and desktop apps
Some groups permissions can now be granted to admins only
Improved message and file delivery with reduced battery usage
Persian interface language - Android and desktop apps
Opt-in “private message routing” that protects IP addresses from destination messaging relays - both configured and destination relays must support it.
Additional group preferences: per-role permissions to send SimpleX links, files and media, voice messages and direct messages.
Project spotlight
1:15:50 Pushtx: Privacy-focused bitcoin transaction broadcast tool [Announcement]
“Rust program that broadcasts Bitcoin transactions directly into the P2P network by connecting to a set of random Bitcoin nodes”. [Github]
1:16:15 lofextra: local-first expense tracker [Github]
Retain full ownership of your data securely and privately, e2e encrypted updates between devices, use mnemonic phrase as key to your account, no registration, no email, no password, works offline
Lightning + L2+
Software Releases & Project Updates
LND v0.18.0-beta
Functional Enhancements:
Experimental support for inbound routing fees is added
A new config value, sweeper.maxfeerate, is added so users can specify the max allowed fee rate when sweeping on-chain funds
Support for pathfinding and payment to blinded paths has been added via the QueryRoutes (and SendToRouteV2) APIs
RPC Additions:
Adds a new RPC endpoint GetTransaction to the walletrpc sub-server to fetch transaction details
Add a new flag to the CloseChannel RPC method that instructs the client to not wait for the closing transaction to be negotiated
lncli Additions:
Deprecate bumpclosefee for bumpforceclosefee to accommodate for the fact that only force closing transactions can be bumped to avoid confusion
The closeallchannels command now asks for confirmation before closing all channels
1:17:27 Mutiny node v1.7.2
Fetch federation info from invite code if not on nostr
Add NIP98 auth for nostr.build
Match NWC events by p tag instead of event pk
Alby
lightning-browser-extension v3.8.1
Eliminate Nostr permissions inconsistencies, removes need to set permissions repeatedly, after being set.
Introduce deny permission functionality, block permissions once or permanently
Add possibility to use LaWallet via the browser extension
UI update to Extension, Wallet and Nostr settings
Introduce lightning and Nostr address settings in the extension
bitcoin-connect
BoltzExchange
boltz-backend v3.7.0
This release enables users to swap between Liquid and the mainchain with both sides being regular on-chain transactions
Updates:
allow specifying referral via URL query
chain swap POC
FeeProvider for chain swaps
SQL queries for chain swaps
recreate filters for chain swaps
cooperative chain swap claims
cooperative chain swap refunds
EVM chain swaps
allow configuring API endpoint of CLI
include reverse routing hints in swapinfo
partially cooperative chain swap claims
boltz-web-app v1.4.0
add Dockerfile
play sound on successful swaps
show amount on success page
add browser notification
chain swaps
lnbits v0.12.6
User Manager added for easily monitoring users and wallets on the server
Eclair critical bug fix - please update if running on Eclair
phoenixd wallet integration
Geyser: Removes ‘Milestones’ and introduces ‘Goals’
Goals start at $0
Set denomination
Contribute to a goal
Prioritize goals
Hide/View toggle
Add emoji
minibits-cash minibits_wallet v0.1.8-beta.19
Optional push notifications delivered even when the app is closed or backgrounded
Firebase messaging is used only as a data carrier. Notification shown is constructed only on device
All data encrypted to keys living on device only
Ecash is never sent through notification, it is claimed by wallet on wakeup using api sending all claimable tokens as a batch over TLS, with tokens encrypted to device keys again, so that MITM or some api auth leak won’t leak your ecash to an attacker
Claiming fully works without notifications enabled
Add new recovery tool to recover wallet address only from Settings for cases, where balance recovery is not necessary
Thunderhub v0.13.31
Add Taproot swaps, upgrading Boltz LN -> on-chain swaps to Taproot.
BitBanana v0.8.0
Core Lightning support
LndHub support
Support for self-hosted exchange rate provider
Add mempool.space as exchange rate provider (clearnet & tor)
Support for self-hosted Fee Estimation
Add mempool.space and blockstream as Fee Estimation providers (clearnet & tor)
Scan QR codes from images
Set exact on-chain fees in sat/vB
Send and request sub satoshi amounts
Liquid Wallet Kit wollet v0.5.1
Add wallet drain (send all) support for L-BTC
Aqua Wallet v0.1.55
iOS only release. Disable Buy Bitcoin card and sideswap swaps for app store compliance
Project spotlight
1:17:27 Harbor: ecash desktop wallet for better Bitcoin privacy [Announcement] [Geyser page]
Privacy: uses Tor for all communications and displays a privacy score for funds held in the wallet.
Multi-mint: Harbor simplifies the use of multiple mints by showing a unified balance, reducing risks associated with relying on a single mint.
Automation: the desktop app allows processes to be run in the background. Increase privacy by setting up a schedule moving funds in and out of mints.
Invoice Detective by Lipa: Rust library and service designed to deduce the recipient of a lightning payment [Github]
“By looking at the details of the provided BOLT-11 lightning invoice and leveraging some knowledge of the lightning network graph.”
“Invoice Detective identifies whether the payee is a user of a non-custodial wallet, custodial exchange, or something else.”
Nostr
Software Releases & Project Updates
1:25:17 Primal iOS v1.7.21
Faster rendering
Wide feed layout
Top zaps in feeds
Notifications facelift
Improved app chrome
Improved connectivity
Amethyst v0.87.0
Add support for:
NIP-90, data vending machines
Discovery content DVMs in the discovery tab
Paid DVMs
NIP-06 seed word key derivation (bip32 and bip39) when logging in
NIP-65 relay lists
NIP-17 private DM relay lists
Private relay lists to save Draft events
Local relays as a separate relay set, saving locally only.
Add message + dialog to setup Search relays when searching
Add message + dialog to setup DM relays when messaging
Add paste from clipboard button to NWC screen
Improves Zap efficiency for large zap splits
Coracle v0.4.5
Accept npubs in people input
Skip notifying admin when the person joining/leaving groups is the admin
Remove group share modal, skip straight to create invite link
Make groups deletable
Republish user profile data when joining a new relay
Add wallet setup onboarding item
Add custom feeds
Introduce new in-memory relay
Use bitcoin connect instead of webln
nos.social v0.1.15
Redesign the Profile screen
Improve performance in various parts of the app for users with large follow lists
Sort the featured profiles in the Discover tab
Switch from Reportinator to Tagr bot for content labeling
Discover tab now features new accounts
zap.store
Add categories and latest releases to home screen
Tablet/landscape support
Remove autofocus in search bar
Remove Primal link in time before the pitchforks, njump is used now
Results will now clear when clearing the search query
Logged in user is now persisted
Refresh now works when pulling in the app detail screen
Add SHA-256 hash in the release details
Voyage v0.5.1
Show direct replies and cross-posts in inbox view
Add tabs to profile view for posts, replies, about page and relays
Open translator to translate note content
Project spotlight
1:26:00 SIGit: open-source and self-hostable solution for secure document signing and verification using Nostr [Gitlab]
Design factors:
Uses Nostr for identity and key management
Documents remain encrypted at every step of the process
1:27:14 git-remote-nostr: Git remote helper for nostr [Github]
Transparent bidirectional bridge between git and nostr. It lets you push your git repositories to blossom servers and maintains branch and tags info using NIP-34 kind 30618 repository state events.
1:27:35 Corny Chat: open source audio space built on Jam that integrates Nostr and Lightning [Github]
Existing Nostr users can easily login using the name and image set on their Nostr profile.
1:28:11 Tidal Nostr Login
Boosts
Thanks to everyone who streamed sats, and shoutout to our top boosters:
[🏆 TOP BOOSTER] @hightraverse (100,000 sats) “Love the pod. Love NVK, a true builder. Love Coldcard. Also love Seedsigner - just different tradeoffs as ODELL often reminds us. No need to talk your book and shit on Pi without the nuance - is tiresome.”
@seedor (21,000 sats) “ONLY since Satoshi found digital gold, any real liberty can exist! Few.”
@maxawebster (21,000 sats) “Great show gents!”
@vake (10,000 sats) “Bitcoin is so boring, like watching paint dry.”
@qxotk (4,224 sats) “ETFr TROLL ME”
@wartime (3,333 sats) “Nostr only for a few weeks now. Odell did start a movement. Dozens of us have followed suit 🍻”
@dubravko (1,760 sats) “Holy Mother Eff this is a spicy episode. Thank you all. This panel is definitely (probably) not ghey.”
@cantillionaire (1,000 sats) “Bluetooth.review”
Tech Tip of the Day
Apple “Hide My email” feature
Bitcoin Optech Newsletter
Highlights from recent Bitcoin Optech Newsletters
Light client protocol for silent payments: post by Setor Blagogee describing a protocol draft specification to assist lightweight clients in receiving silent payments.
Raw taproot descriptors: post by Oghenovo Usiwoma, describing two new descriptors for constructing taproot spend conditions (rawnode(<hash>) and rawleaf(<script>,[version]))
Should overlapping soft fork proposals be considered mutually exclusive? Discussion initiated by Pierre Rochard on Delving Bitcoin.
Upgrading existing LN channels: summary posted by Carla Kirk-Cohen to Delving Bitcoin, analyzing proposals in upgrading existing LN channels to support new features.
Changing parameters: allow channel parameters to be updated subsequently
Updating commitments: “Commitment upgrades can allow switching to anchor outputs and v3 transactions in P2WSH-based channels, and for simple taproot channels to switch to using PTLCs.”
Replacing funding: allow for different types of outputs to be used in the funding transaction, originally using P2WSH output.
Suggestions comparison by Kirk-Cohen in upgrading channels: Dynamic commitments, Splice to upgrade and Upgrade on re-establish.
Challenges in rewarding pool miners: post by Ethan Tuttle suggesting a new payout system from mining pools, rewarding miners with ecash tokens in proportion to the number of shares mined.
Discussion about PSBTs for silent payments: post by Josie Baker, discussing PSBTs for silent payments. Two aspects have been cited from a previous draft specification by Andrew Toth.
Spending to SP addresses: “Baker describes a scheme that may allow a spender to create an SP output script without the private key, but it has the potential to leak a private key …”
Spending previously received SP outputs: will require PSBTs to include the shared secret.
Proposed miniscript BIP: Ava Chow posted to the Bitcoin-Dev mailing list a draft BIP for miniscript.
Channel value pegging: proposal by Tony Klausing for Stable Channels, peer-to-peer dollar balances on Lightning.
News & Noteworthy
Business & Finance
Ark Labs, a new company dedicated to building bitcoin layer-two solutions based on the new Ark protocol, unveiled [Blog Post]
Company Launch: Ark Labs, a new venture, is dedicated to developing bitcoin layer-two solutions using the Ark protocol.
Proposed in May 2023, Ark is designed to offer speed and scalability without liquidity management burdens for end users, while maintaining self-custody.
Ark is moving from theoretical to practical implementation with Ark Labs’ launch.
A working Ark implementation is available on GitHub.
Key Features of Ark
Frictionless Onboarding: Users can start receiving Ark transactions immediately without needing existing bitcoin.
No Inbound Liquidity Issues: Users can receive as many virtual transactions as supported by an Ark Service Provider (ASP).
Offline Receives: Users can receive Ark transactions even when their wallets are offline.
Self-Custody: Users can withdraw funds on-chain at any time, even if their ASP is offline.
Ark Labs invites interested parties to integrate Ark, contribute to its development, or make initial Ark payments.
Reach out via email or subscribe to the newsletter for updates.
Gemini Earn users receive $2.18 billion of their digital assets in kind [Gemini’s Blog post]
Approximately 97% of digital assets owed by Genesis were deposited into users’ Gemini accounts, with remaining assets expected within the next 12 months.
Blink launches Blink Private, its OTC desk in El Salvador [Announcement]
1:32:22 HodlHodl blocks access to Lend, its lending platform, to U.S. citizens [Blog post]
HodlHodl removes Venmo, Zelle, Charles Schwab, Fidelity Bank (USA) and Apple Pay from its list of payment methods [Announcement]
Semler Scientific adopts bitcoin as its primary treasury reserve asset and purchased 581 bitcoin [Press release]
Gibraltar-regulated Xapo Bank enables bitcoin deposits via the Lightning Network leveraging partnership with Lightspark [The Block]
Strike adds instant bank withdrawals for U.S. customers [Twitter post]
Ledger starts shipping latest product Ledger Stax [Announcement]
CoinCards launches physical gift cards in the U.S. [Announcement]
Funding
1:33:16 Peer-to-Peer Rights Fund Launched
“Our mission is to safeguard the decentralized, peer-to-peer integrity of the Bitcoin ecosystem by defending non-custodial tools and their developers from regulatory overreach.”
“We are committed to protecting innovation, privacy, and user autonomy through strategic litigation and advocacy. By supporting pivotal legal cases and providing essential regulatory guidance, we aim to establish a fair legal framework that ensures the continued growth and resilience of Bitcoin’s open-source community.”
1:33:28 Unchained and the University of Austin launch first long-term endowment fund held in bitcoin [Press release]
The collaboration aims to raise $5 million, with the goal to integrate bitcoin into higher education.
1:33:35 The Human Rights Foundation has awarded full or partial bounties in 7 out of 11 categories, based on features wanted by at-risk activists and dissidents [Announcement]
With four categories remaining: Human Readable Bolt12 Offers, Easy Mobile Multisig, Frost Multisig Wallet and BIP47 Expansion.
1:33:40 Spiral supports newest grantee Sean Giligan in building ValidiTEE, a FOSS Validating Lightning Signer that runs in a Secure Enclave [Announcement]
1:33:45 Bitcoin Design Foundation grants support to two more contributors:
Michael Haase (@haasemike) has been working on “the Bitcoin Core App project across design and other project contributions like testing, communication, and project management.” [Announcement]
@Yashraj__ for his “work around best practices for silent payments UX.” [Announcement]
Mining
1:34:05 Concept for solderless ASIC chip modules [Twitter post]
These modules allow for quick replacement of failed chips, potentially reducing e-waste in Bitcoin mining.
The open-source design aims to enable universal hashboards or hashdisks that can accept various ASIC chip models, facilitating easy upgrades.
Riot Platforms proposes to acquire bitcoin mining competitor Bitfarms for US$2.30 per share and acquires a 9.25% stake, becoming Bitfarms’ largest shareholder [Press release]
Marathon Digital enters into an agreement with the Ministry of Energy and Petroleum of the Republic of Kenya (MOEP) [Press release]
Ocean Mining establishes international hub in San Salvador, El Salvador [Press release]
Privacy
European police chiefs call for action against end-to-end encryption roll-out [Press release]
The agency argues that such encryption hinders law enforcement’s ability to combat serious crime and terrorism.
Luxor Technology implements KYB for its business customers, partners with Persona [stacker.news]
Speed Wallet implements KYC for all U.S. based users [Twitter post]
Mastercard launches Crypto Credentials [Press release]
Allows users to send and receive cryptocurrencies using simplified aliases across multiple exchanges and countries.
Protocol
Bitcoin Core binaries can now be reproducibly built on all 8 release platforms across x86_64, AArch64 and RISC-V. [PR #21778]
“Migrating our macOS builds from Apples LD64 & cctools, to LLVMs LLD and binutils, was the last step.” [@fanquake’s Twitter post]
Government & Political
SEC officially approves all spot Ethereum ETFs [Watcher.guru]
Samourai Wallet developers first court hearing [Bitcoin Magazine]
“The prosecution stated that it is nearly set to engage in discovery (sharing the evidence that it plans to use for the trial with the defendants) …”
SW founder’s attorney plans to file a motion to dismiss the indictment, arguing that non-custodial service providers shouldn’t be classified as money transmitters.
Moody’s upgrades 🇸🇻 El Salvador’s credit rating to Caa1 from Caa3. [Bitcoin News]
The outlook remains stable. This upgrade reflects a significant decrease in credit risks and a lower likelihood of liquidity stress.
Bitcoin and cryptocurrency mining is now prohibited in Venezuela [Venezuela’s National Association of Cryptocurrencies’ Twitter post]
Donald Trump becomes first president to accept bitcoin Lightning Network payment for campaign donations [Bitcoin Magazine]
Events
Announces 2024 edition
September 14-15, 2024 in Terceira island, Azores
The Bulgarian Bitcoin Conference
Fourth edition of the conference
June 8-9, 2024 in Sofia, Bulgaria
Indonesia Bitcoin Conference has been postponed
Future conferences will happen biannually, with the next one set for 2025
Reads
Here’s a list of our top recently published reads:
Save Money with UTXO Management: a 5 minute Guide [Bittr’s Blog post]
“Bitmain’s latest fuckery” by @GrassFedBitcoin [Twitter post]
Going Dark: The war on encryption is on the rise [Mullvad’s article]
drduh tutorial on building your own router based on relatively simple tech like openbsd and debian [Github]
Episode submission ideas
We’re looking for ideas for interesting panel conversations. To send Bitcoin related questions, just go to bitcoin.review and follow the contact links at the bottom of the page.
Get in touch with the pod
Nostr & LN ⚡nvk@nvk.org (not an email!)