29 August 2022
Bitcoin.Review E4: A Review of Updates to Popular Bitcoin Projects with NVK and Justin Moon
show notes: https://github.com/nvk/bitcoin.review.episodes/blob/main/2022-08-22-Episode-04.md
support the show: https://citadeldispatch.com/contribute
twitch: https://twitch.tv/citadeldispatch
youtube: https://www.youtube.com/channel/UCoA72saVAuQ8hYCnBO0Lymw
bitcointv: https://bitcointv.com/video-channels/citadeldispatch/videos
podcast: https://www.podpage.com/citadeldispatch
telegram: https://t.me/citadeldispatch
stream sats to the show: https://www.fountain.fm/
join the chat: https://matrix.to/#/#citadel:bitcoin.kyoto
[00:00:08]
Unknown:
Hello, and welcome to the Bitcoin review podcast. The podcast where we fail at boringly reading the latest release notes and discuss project updates. So we, have, Matt and Justin again on the show. Really it's just Justin. We have the ghost of Matt here. He's gonna be replaced by a computer, the booze. Well, I guess the next stop really is for us to have, Marty prerecord the show notes. And then we play Marty doing the show notes, and we talk about And we'll just tackle him. That's right. I mean, that that would be quite perfect. So, yeah, thanks thanks for coming again, guys.
This is this should be fun. It's, it's quite the the long list. Do you guys, do you guys have a a a good day so far? Absolutely.
[00:01:08] Unknown:
It's been a good Monday.
[00:01:10] Unknown:
So people that can't see because there's no video, Justin has taken over Marty's podcast studio. Yeah. It's over for Marty Bent.
[00:01:18] Unknown:
Word put the word out. He's run off to New Jersey or wherever the hell he went. You know? Fled Texas, couldn't handle the heat. Now I got his podcast studio, and,
[00:01:31] Unknown:
yeah. It's it's over Maybe maybe he moved to to California. It's gonna be very compatible lifestyle.
[00:01:39] Unknown:
Yeah. Nobody knows.
[00:01:41] Unknown:
Right. Alright, guys. Let's let's enter the boring list.
[00:01:46] Unknown:
So starting off be a good black boom this week.
[00:01:50] Unknown:
I love how hard it it just like goes right in there. No. I'm not gonna make it. I I am not making to conferences until probably mid late October.
[00:02:03] Unknown:
Well, Justin, I'll I'll see you tomorrow then.
[00:02:06] Unknown:
I won't see him today.
[00:02:08] Unknown:
Bit black boom's gonna be fucking sick this year. I'm pretty excited.
[00:02:11] Unknown:
Are you guys ready for the list, or are we gonna just, like, you know, keep this not boring and fail every time?
[00:02:19] Unknown:
Oh, I've been ready for the list for, what, 3 weeks now, 4 weeks? How many weeks have I been ready for the list? I mean, This list is just gonna keep on getting too long. I've been begging for it, the list.
[00:02:30] Unknown:
Okay. So then let's give it to, to Justin. Sparrow, 1.6.6. That was a good strong start there. Authentication via off 47 and lnurls, improved performance for very deep wallets, change from notification tx's in spent last, copy labels from deposit UTXOs into bed bank. Any comments, concerns?
[00:03:08] Unknown:
These are extremely detailed release notes. Craig has been very busy.
[00:03:12] Unknown:
I I know, like, I I've asked, I think, once for him to have, like, a summary, but, no. It's a we got we got the deep ones. Alright. Joinbox version 0.7.0. Neo automatically generated SD card image for Raspberry Pi 4 and 3, connect fully loaded with QR code to the join market API, add custom labels to addresses, add join market API dot services dot tools. I have comments. Do you guys?
[00:03:45] Unknown:
You go first.
[00:03:46] Unknown:
Where do I find where do I find the list?
[00:03:50] Unknown:
Oh, Matt. You would never go this unprepared to,
[00:03:54] Unknown:
the rabbit hole recap. There's no preparation for rabbit hole recap. Trust me. It shows. I just wanted to say that Craig Raw is an absolute legend, and, Sparrow Wallet, I'm just so grateful we have Sparrow Wallet. This is such a fantastic fucking wallet. I sent on signal the the show notes. Thank you. Why don't you have them linked at bitcoin.review?
[00:04:14] Unknown:
We will. Yeah. This is a commit to the bitcoin dot review markdown file that then gets served as the website. We're professionals here, Matt. Yeah. So if you wanna open any of these links, you have to copy and paste. It doesn't the links don't work yet because Rudolph hasn't merged the pull request yet. But the list yeah.
[00:04:33] Unknown:
Very convenient.
[00:04:36] Unknown:
Yeah. It's great. So on join inbox, there's no, programming language here. It's just shell scripts for this UI for join market.
[00:04:45] Unknown:
Which is very useful, and and really sort of just ties things together because, you know, join market is the only sort of solution that we have that we know that our people are not gonna go to jail.
[00:04:59] Unknown:
So join inbox has been around for a minute. The lead maintainer is Open Arms, and it's primarily used via the Raspberry Pi Blitz project. So if you have Raspberry Pi Blitz, you basically just, you know, press install, and it's very, very straightforward to use.
[00:05:18] Unknown:
That's, that's right. I I think so this is still quite nerdy for for people listening, wanting to try join market. I think it's pretty much as nerdy as it gets. However, if you're a dev out there who can do UI, who can build something interesting, join markets, need some love. I think Gigi has some Yes. A bounty for join markets UI.
[00:05:49] Unknown:
Right? No. No. So HRF has a bounty for join market UI. It's about a half a Bitcoin. Okay. Gigi is leading basically the main project that seeks to win that bounty, and that's jam. Forget what Jam stands for, but, essentially, it's a joint market web UI, so you can run it on, like, Umbrella or RaspiBlitz or something like that and just open it up in your browser, Use it with your own node really easily. Yeah. I haven't tried that one yet, but, it did look promising from the the specs I I I saw online. That's that that was the g g one that I knew of.
[00:06:26] Unknown:
And for people that don't know, the cool thing about joint markets that joint markets does not have a centralized coordinator. It's part of the reason why I like it so much. It's just a market. People, put out an offer, to mix their coins, with yours, and you choose to pay their fee or not or pick another offer, from a market maker.
[00:06:51] Unknown:
Yeah. So anyone could be a maker and join market, and they set they basically put up this much Bitcoin. They say it's available for coin join. This is the fee you have to pay me. And then if you want to use that, offer, then you open up joint market as a taker and you use it. And then they have, like, different automated things that go through them and switch between, makers and whatnot. So one of the biggest trade offs with that is, yeah, you you have robust. It's a robust system that doesn't have central points of failure, but in return, you lack convenience. And the main lack of convenience there historically has been you have to use your own node with it, and the UI. So, to get to make the node part easier, you bundle it with node projects.
And then to make the UI part easier, you provide a web UI, where it's just point and click. And that jam tries to accomplish both of those elements. Have anyone looked into,
[00:07:48] Unknown:
using the Noster protocol to create a joint market coordinator? I I could see how that would work because right now you could use IRC. There's a few ways to coordinate joint market. Right now, they use IRC, which is, like, not ideal. Yeah. But the well, at least the cool thing about IRC is that anyone can connect to that sort of quite privately.
[00:08:10] Unknown:
There was a coin join implementation with Nostra recently that someone posted a gist, like, 2 months ago, and there's a slightly more polished one from, like, a pretty well known Bitcoin developer. I don't know how this thing has it's it's called the Joinster. You You just look on Twitter for example.
[00:08:28] Unknown:
Alright. So Electrum 4.3.0. This version introduces a set of UI modifications, simple simplify the use of lightning, the idea of stock payments, layer blah blah blah. Honestly, I am not a fan of Electrum lightning. I really wish they had not included that on Electrum. I actually have many things to bitch about Electrum recently. Do you guys wanna start before I go on my rant? Go for it. Go for it. So the new UI, UX really, on Electrum now requires, you know, 50,000 more clicks to just sign a transaction. I don't understand why they create that finalized screen, probably because of lightning stuff. As usual, why can't we just keep things separate? You know, the lightning stuff and the electrum stuff for Bitcoin, and, it's it's it's very brutal.
Yeah. Anyways, so that's really that's that's my rant.
[00:09:29] Unknown:
I mean, look. I appreciate the Electrum team because they've been around forever, and, I used to heavily rely on their project. But, at this point, I just don't know why you wouldn't just use Sparrow.
[00:09:42] Unknown:
Oh, I have many reasons, but I I am an absolute the the reason why I'm so passionately pissed at Electrum is because I'm passionately fan of Electrum. I love Electrum. I use Electrum. So you still use Electrum
[00:09:56] Unknown:
primarily?
[00:09:57] Unknown:
Of course. It's the devil I know. Right? And I know the amount of eyes that are on it. It's it's, you know, it's a fairly well reviewed project with a lot of user base. And, I I I think it it serves a huge purpose. We can't end up with just one wallet. It would be terrible. Well, yeah, obviously. So I really want Electrum to stop with the lightning stuff and and sort of focus on Bitcoin.
[00:10:23] Unknown:
But it's really the opposite. Right? The opposite is what was happening is is is if you talked about power user wallets, we were basically just we basically just had Electrum.
[00:10:34] Unknown:
No. You could have used, Bitcoin core with RPC commands for power users. Yeah. Of course, you can use Bitcoin core. Yeah. No. But but, like, that's kinda how I see the competition, and it's kinda funny because that's how the project started was literal competition for Bitcoin Core because Bitcoin Core, while it was unusable way back, still unusable. And, yeah, I mean like Spector Desktop, I I don't know where that's going.
[00:10:58] Unknown:
No. But, I mean, look. If you if you look 2 years ago and you wanted to use a desktop software wallet, with, let's say, with your hardware signers, for instance, if you had hardware wallets Mhmm. Your basically, your your two choices were Electrum and maybe, like, Bitcoin Core. Now over those last 2 years, we've added Specter to it, we've added Wasabi to it, and we've added Sparrow to it. Yeah. But not really. Right? Because Wasabi now does chain analytics, and everybody hates it. Right. Correct. Sparrow
[00:11:31] Unknown:
really does not have enough devs or time in the market. We gotta start somewhere. No. Listen. I I absolutely love Craig. Right? Like, it's this is not a criticism of Craig or the project. It's just sort of like a a a factor of the the time in the market and sort of like install base size. Right? So, like, when you're talking about, like, you know, putting all your, like, doing very large transactions on on a computer, you kind of really want the the project to have, you know, time in the market, like, a lot of people who don't necessarily like it, use it to also audit it. It's just a function of market size and time.
I think you'll get there. It's already getting there. It's a fantastic project, but, you know, it's also Java, which has a lot less people in Bitcoin space looking at it as well. Nunchuk too. Yeah. So Nunchuk is fantastic, but also, you know, still sort of not quite there in time in the market, install base, and and reviews. We need people using it so that they do get there, and we want them to get there.
[00:12:41] Unknown:
And then I guess on mobile, and the I think they have a Mac app. It's BlueWallet too.
[00:12:46] Unknown:
But isn't BlueWallet sold to some exchange and nobody's developing much anymore? I I don't see, you know, much going on.
[00:12:53] Unknown:
Nuno responded to one of my tweets saying that that deal didn't happen.
[00:12:59] Unknown:
Maybe are the devs, like, busy with other stuff then? Because, like, the project seems sort of, like, semi abandoned. Right? They just keep up with updates for us. I mean, my sources kept telling me they got sold and, like, had pretty
[00:13:10] Unknown:
concrete exam like, concrete proof of it, but he said they did it publicly, so I I have no idea. We're not gonna know. And in all honesty, it shouldn't matter. Right? Right. It's a false project.
[00:13:23] Unknown:
No. I mean, it's just it's just it shouldn't matter. Right? If the if the cold is good and, you know, it's a shame that because of the way app stores work and stuff, you can't just side load and whatever on iOS. But ideally, it shouldn't matter. Right? People can review the code. People can build a project. People can test, and it shouldn't
[00:13:42] Unknown:
matter. Well, I mean, even with the App Store thing, and BlueWallet is MIT. Mhmm. So, presumably, like, we could get off this podcast, just rip a direct copy of it, put it on the App Store, and call it, you know, Aqua Wallet or something. Yep. Well, I I mean, you know, I am a huge sort of,
[00:14:01] Unknown:
BlueWallet fan to when I when people ask me which wallets they should use as, like, a simple single sig iOS wallet, but progressively, I've been sort of switching to tell people to I send them to either Nunchuk, or Mun Moon Moon Wallet. Although Moon Wallet, I can't send people to because they don't use seeds, which drives me absolute bonkers. I I can't, in the right mind, send anybody to a wallet that doesn't use seeds.
[00:14:32] Unknown:
Yeah. I mean, that's a difficult one with Moon. Right? Because it's like the ultimate beginner's wallet, but you kinda set them up in the wrong trajectory because it doesn't have seeds.
[00:14:42] Unknown:
Great. And, you know, I I appreciate people wanting to make an encrypted backup into the Icloud for those kinds of wallets, which is fair. It's a very reasonable way of handling backups. But you should still be seed based because then you're compatible with every other wallet that can recover those funds. My understanding is it's because they use a a multisig. But it still doesn't matter. You can still use the seed the seed as the source of entropy.
[00:15:09] Unknown:
Yeah. But it wouldn't be recoverable in other wallets. That point is off is what I mean.
[00:15:14] Unknown:
I don't well, right, they use do they use a proprietary sort of, like, non spec version of the multisig script. Is that is that why? I think it's just 2 of 2. If it's 2 or 2 give you a seed? Yes, but green uses nonstandard multisig too, unless you use the their new version of green now allows you to create single sig and standard multisigs. But if I remember right, their basic automatic default, their 2 of 2 thing, is non standard. You know, there's recovery scripts out there and stuff, but, you know, I ideally, I don't want to send users to any wallet that needs, some custom script that nobody else uses. Right?
[00:16:03] Unknown:
That's the beauty of BIP 39 if used. Yeah. But I don't think I don't think Moon competes. Like, it's weird that Moon even came up in this conversation. Right? Because, you know, we were talking about specifically on chain wallets and specifically within that savings wallets or wallets that you use to, you know, to interact with your savings. While Moon, on the other hand, to me, is, you know, an easy way for people to participate in lightning on mobile, with very, you know, little little user friction. And in that situation, it's really competing against, you know, like, Wallet of Satoshi and Blue Wallet's custodial lightning wallet, and both of those are custodial lightning wallets. So let alone the backup method. I mean, you don't even have your keys.
[00:16:44] Unknown:
This is the problem though. People are not gonna download more than one wallet, and they shouldn't. Right? Especially the people we're talking about here. Right? The the person who is just gonna have some bucks to spend on lightning or some bucks to spend on on on chain. They're gonna want a single wallet, or they might download 2 wallets if each of them does not do what the other one does in the wrong way. So the problem is, you know, they get they get blue water and then they're gonna use blue water for all their stuff. Right? So then they're gonna end up on on custodial lightning. And then if they use moon, then they're gonna end up using Bitcoin base layer in a way that is not easy to recover.
So it kinda sucks. You know, my dream wallet, which I might end up having to do, is I want a phone wallet that does single sig basic. Okay, very basic single sig, and then go use Lightning somewhere else, You know, or
[00:17:51] Unknown:
you Yeah. Like with Moon.
[00:17:53] Unknown:
Right. But but why does Moon then do base layer?
[00:17:58] Unknown:
Because the whole point of Moon is to keep it as simple as possible. You scan a QR code and it just pays. Like, I don't like, this idea that Moon should have, like, all this different functionality is ridiculous.
[00:18:09] Unknown:
Sure. Then he uses seeds so that people can use a metal plate that already works for seeds.
[00:18:14] Unknown:
As far as I'm concerned, you don't even need a backup for Moon Wallet. That's just icing on the cake. Like, if you're carrying around, like, $400, $500, it's a spending wallet. Yeah. But, man, like, people lose phones. People break phones. Which is why they have email password recovery, which for, like, 99% of people is more intuitive than a seed anyway.
[00:18:35] Unknown:
I don't I don't like that. Maybe I've just been in this space for too long. But meanwhile, like, right now, my current Moon Wallet, not backed up at all. Yeah. I I can't. I just I just can't. Because, you know, the problem is people are gonna have, like, $400 in their moon wallet or a $100 in their moon wallet. Right? And then they're gonna forget that they had it, and then 2 years later, Bitcoin's worth, you know, a 100 times more, and then they go like,
[00:19:03] Unknown:
oh, I had some Bitcoin on that old moon. Then we sit tell them thank you for their service.
[00:19:08] Unknown:
I know. But, like, this was already the experience we used to have with Blockchain. Info way back then. Right? We shouldn't have this experience anymore. Everyone should be able to recover with 12 words minimum their freaking wallet. It shouldn't be that hard. It makes no difference. I I can't comprehend why they couldn't use 12 words as the entropy for whatever they're doing.
[00:19:30] Unknown:
I just think the complaints are misplaced. I think the complaints are really using lightning on mobile and easily backing up lightning things and, like, easy channel management and all this other stuff, and Moon is kind of dealing with what they have today and giving, like, a pretty good user experience for people
[00:19:49] Unknown:
in spite of all of that. It's fantastic, but why can't they just use 12 words instead of the gibberish? The the entropy space is the same. Anyways, we're not gonna come up with a solution on this call, but, you know, that's the problem.
[00:20:05] Unknown:
We should invite Dario on the next,
[00:20:07] Unknown:
Bitcoin review. Yeah. That could be cool. And then but then we're gonna have to be polite because the person is gonna be here who actually does all the work. There's a very big difference between bitching about projects when the people who work on the project are around and when they aren't. So just so everybody knows, we're just bitching. Right? I mean, like, really, it's not like we're taking our time going and fixing it or forking it. Alright. So Nunchuk, 1.9.12, they have some bug fixes and they added Sats card integration. That is the first SatsCard integration in the wild.
That's pretty cool. I don't know, have you guys seen the video yet?
[00:20:49] Unknown:
I've seen a few videos.
[00:20:51] Unknown:
It's pretty neat. You just tap, sweep, boom. Bitcoin is yours.
[00:20:56] Unknown:
Can you use it in a multisig?
[00:20:59] Unknown:
No. You you use Tapsigner on the multisig. Oh, yeah. Taps. Okay. Gotcha. Yeah. No. The Sats card is just like OpenDime, like, modern.
[00:21:08] Unknown:
Yeah. It's the cheaper one. So now they're both supported on Nunchucks, Sats card and Tap center?
[00:21:13] Unknown:
That's right. Those guys are busy. We talk to them just back channel for, like, 5 minutes to go and build it. That's awesome. Another thing I love about Nunchuk is that there is no dependencies. Like the the whole thing is there. All c plus plus, libsack, it's absolutely brilliant. It's a lot less attack surface that way. And also, they're not doing what the JavaScript guys have to do there's no serializing, deserializing, serializing, deserializing of all the secrets between many libraries. It's, it's very nice. Mhmm.
[00:21:49] Unknown:
Yeah.
[00:21:50] Unknown:
Alright. And moving on to Blockstream Green, 3.8.6. IOS and Android, display, firmware wash no. Sorry. Firmware wash. Firmware hash during Jade firmware update. Display the net amount without fees, handle connection failure during wallet discovery. And then on Android, login same, Thrasir and Ledger, single sig. Faster Jade firmware update,
[00:22:28] Unknown:
improved Ledger support. Does Nunchuk support the MK four's NFC yet? They're working on it. So it's it's a lot different. The flow the flow is a lot different than with Tap Signer? Yes. So
[00:22:41] Unknown:
Tapsigner uses message digests. Right? It's like a true, true, dumb blind signer for Bitcoin with a pin. Tapsider doesn't understand, PSBT, some of this stuff. Right? The the the stack is much reduced. While on cold card, it's the opposite. There is no proprietary SPAC, it just it's just data in and out via NFC. So technically it would be much faster, but the value add of doing cold card NFC is much lower than TapCigner with a multisig on Nunchuk, like collaborative or by yourself.
[00:23:24] Unknown:
Yeah. That makes sense
[00:23:25] Unknown:
to me. One question on green. Does, does green actually do the firmware updates for the Jade, like, via via Bluetooth or something? Or how do they how do they do the firmware update? Does it say, like, faster Jade firmware update? I have no clue. That'd be kinda cool if you could update your firmware with your phone.
[00:23:45] Unknown:
Sounds like a terrible idea. Can you imagine? Yeah. Because the the phone is, like, essentially, like, fully fully owned. Right? And now you're gonna take firmwares that you can't sort of verify on hardware that has no security, because Jade doesn't have any security. Right? Their their, security model is very different. So, essentially, Jade is using ESP 32, and which you cannot defend, like, at all. Right? And, what they do is they do a 2 factor authentication There's no secure element. No. It's worse than that. So ESP 32 is an extremely
[00:24:27] Unknown:
powerful,
[00:24:29] Unknown:
cheap, unsecure Chinese platform. Okay? It was designed for you to create essentially, like, fun things like a block clock, right, not for you to handle money. However, they came up with this sort of 2 factor authentication thing where you use Blockstream servers as the security of the jade, but you know, like you're still like holding a device that you can't trust, right, so if you see an address on a screen you can't trust that. That's part of the model problem that I see with with Jade. It's an interesting proposition, and it was a great solution because no other wallet was supporting Liquid at the time, but, like, you know, as an actual security solution, I am not, I'm not a huge fan.
And presumably, it's cheap as fuck. Yeah. I mean, ESP 32, the module itself is very cheap. It's a very powerful platform for the price. It's actually quite incredible. The reason why it's possible to do that is because it's made by a Chinese company that doesn't give a fuck about patents or licensing IP. So they go they they they they went, they did that, and and it has, like, you know, no security at all, for example. Right? All these things will save a lot of cost, and you can create these incredible devices that can do a lot. You just can't depend on them. Let's put it this way.
[00:25:57] Unknown:
So if someone someone has a a low price point for a signer and they're considering getting a Jade because it has a screen on it versus a TAP signer? What would you say to them?
[00:26:10] Unknown:
I mean, it's hard to say, right, because I'm very biased on this with both the fact that TAP signer is made by us and and also the way that we prefer our security trade offs. At least Tapsigner is secure. Right? It uses an actual secure element. It doesn't have a screen, so you are depending on the software that gives you the address. Now at least you know that the integrity of the device is much more secure. Is it perfect? Absolutely not. It's still a cheap secure element, but in my view is a much better security trade off scenario, especially if you're using TAP signer or multisig.
[00:26:47] Unknown:
Couldn't the phone just lie to you and then you tap it?
[00:26:50] Unknown:
Yes. But for TAP signer, if you're using a multisig, you can be the other party or your other device, so to be your sanity check for that address. It could also be, Jade or it could also be a cold card as the cosigner. Right? So you you would you you would rely on another party or another device to double check that address. Now, if you're using TapSigner as a single signer, the security model is not for you to have your life savings on it, it's for you to just not have your private keys on a phone, right? So you would have your spending wallet say your $500, $5,000 using the Tap signer just so that it's not on the phone.
It's just a little bit of a different sort of security trade off in a place there. While the Jade, in my opinion, gives you a false sense of security by having that screen when the device itself is not secure. But in the same way as the tap signer, you could rely on a third party to be your sanity check for that address. So I see the 2 actually very similar in terms of security threshold, but one is much cheaper and much more secure itself, but doesn't have a screen. Does that make any sense, Matt?
[00:28:14] Unknown:
Yeah. I mean, essentially, what it boils down to is if you're using it in a multisig, you would need multiple points of failure, to be compromised. Right? Because you'd have you'd have different coordinators for each of the signers anyway. Yeah. I mean, unless you're all using the same wallet software, right, which in the case of Nunchuck could be true. Right. But you might not all be updated, or your individual phone might not be pwned or something. That's correct. Even in a situation where it was a 3 of 5 multisig and 3 of the signers are different people holding tap signers and nunchuck, the tax surface becomes way smaller Yes.
Yes. Even in that situation. Just because there's multiple devices that need to be compromised. I guess you could, yeah, and update. Yeah. I mean, unless Nunchuk is malicious, right, like themselves, because then they would have to make a release for each platform,
[00:29:09] Unknown:
right, being evil and the same
[00:29:12] Unknown:
version. Right.
[00:29:14] Unknown:
I guess yeah. Yeah. Because your coordinator's online, so that has a massive attack surface.
[00:29:20] Unknown:
Yes. That that's correct. I don't know. I it may it makes sense. It's a low cost. You have to make trade offs if you want low cost, basically, is what it comes down to. Exactly. Right? I mean So it's what trade offs you make. And remember, right, like, you know, in a year or 2 from now, maybe, like, top signer is, like, you know, less than $10. Right? So you can have a hardware wallet for less than $10. So just, like, that's the path. Right?
[00:29:42] Unknown:
I will say, like, in multisig in general, it's nice that you do you do feel a bit of an extra safety that it's like, okay. If I fuck up this one signer, this one signer gets compromised or I lose the backup or something like that, I don't lose everything, and the other devices need to be compromised too.
[00:30:02] Unknown:
Yeah. I mean, multisig is amazing. Right? It's just the reason why we often recommend people to use single sig plus strong task phrase for real money is because most people will screw themselves out of their coins before they're actually robbed by somebody. Right? And having essentially a split secret, right, that's what passphrase plus single sig plus seed is, is very hard to screw up. So especially if you have a backup of each. Now with multisig, it's a lot easier to screw up, and you're still now depending on multisig. You either have extreme sort of, understanding of the stuff, and you're using, say, Electrum with multisig plus Sparrow. So, like, you're using multi client multisig.
Right? Now you're really getting the benefit of multi sig. If you're using single client multi sig, you know, the benefits of multi sig start to diminish because, you know, now you're relying that the client is not lying to you in multiple platforms too. Right? So it's not like a magical thing. The desktop? The coordinator? Yeah. So so imagine imagine for sake of argument that Nunchuk is evil. Right? They could be releasing evil software into 3 platforms, right, and then they could be doing a grifting attack or something like that, because you're using the same software to validate the transaction, like, before you sign it.
[00:31:39] Unknown:
Well, you should validate on the device. Like, that's the whole point of a screen on a hardware wall. Right? Because you don't trust the coordinator. Right. But not if the device is not does not have a secure element. So
[00:31:49] Unknown:
the problem with, say, Jade or Trezor is that it's very easy to put, like, fake software on it. Right? Like, some some dummy software on it that's lying to you.
[00:32:01] Unknown:
Right. That's why you want a screen and a secure element.
[00:32:04] Unknown:
Yeah. Yeah. I mean, remember, the secure element doesn't just protect your seed. It protects the firmware as well.
[00:32:10] Unknown:
Right. The integrity of the device. Exactly. It does How exactly does it protect the firmware? I used to know this. It it, like, does it do a do a do a signature check when you try to update that, like, that file? The, like, the new firmware file? I can speak in our case. I'm I imagine the the the ledger guys probably do the same is that we check byte per byte of the firmware,
[00:32:30] Unknown:
right, in memory. So you become very obvious if there is a change to the firmware because you'll have a hash of it, and you also check all the bytes. Right? How would you check the bytes on a new firmware update that the old firmware doesn't know about yet? So the the secure element has a, certificate, right, that checks the signature when it receives the firmware binary. Yep. So then, you know, it checks that. And then once you have it in memory, right, it always knows that the signature checks, but it also checks the, you know, the stuff that's actually running in memory is also the stuff that's supposed to be there. Oh, okay. Interesting. Yeah. So so the the challenge when you don't have a secure element is that, like, if you if you can run any software you want, the the user won't know. Right? That maybe once they put their PIN, they're actually unlocking their secrets to a malicious firmware.
[00:33:21] Unknown:
I mean, I'm pretty sure that, like, a Trezor does, like, they their official instructions don't have anything about GPG
[00:33:29] Unknown:
verification, because I think the device itself checks the signatures when it's uploaded. It's just that the the keys that That's correct. Up that that check that aren't stored in a secure element. That's the main difference, I guess. Yeah. Exactly. So, you know, a bad guy could go and replace that key. Yeah. Like, as easy as it would be to steal that seed to begin with. Right? Yeah. In that specific device. If I remember right, Jade goes a bit a bit further, right, because they are using a server model to do some validation, but at the end of the day, I mean, you know, if the client is weak, the client is weak. Right?
There's only so much you can do, And mind you, like, you know, this is not to FUD any of these projects or or, like, to to FUD the stuff in in general. It's just we're just sort of discussing, you know, like, realistic, attacks surface that is not trivial to do. Right? I mean, it is trivial to to extract a seed from a treasure, but it's not trivial to replace the signature on the device and load a new firmware that looks the same. It shouldn't be too hard, but I would say it's not trivial.
[00:34:43] Unknown:
Mhmm. Do you know how the server validation works on Jade?
[00:34:47] Unknown:
I looked into it, to be honest, like, why a while back. I I haven't looked in a while. They they have some some clever cryptography there, but, you know, you're still depending on the device. Right?
[00:35:01] Unknown:
And I guess that go that happens through Green Wallet? Yes. It it does. Actually, I I don't I I don't know. Have no idea. I didn't even know that's was their configuration.
[00:35:11] Unknown:
I kind of vaguely recall that being the case, but I've never used it or anything. You know, I I also think that there's a much smaller install base, so it's not as concerning. I I don't think there's a lot of people using for a lot of Bitcoin. It's mostly like a liquid thing, so it's just different, to to the amount of eyes on a lot of stuff. They employ a lot of smart people too. Like, you know, cryptographically speaking, they have a lot of very, very high quality cryptographers at Blockstream. So I I don't think that would be the the attack surface there. I think for them would be more like implementation on the hardware and, you know, just, you know, ESP 32. It's a Swiss cheese.
Man, I think we should rename this pod the the bitching about wallet pod. We join you every few weeks to bitch and also to be grateful. I mean, the last one the last one, we didn't bitch this much.
[00:36:12] Unknown:
Did we? On the Embassy OS? Yes. So you bitch about an operating system for a bit?
[00:36:19] Unknown:
Oh. Alright. So Embassy OS 0.3.1.1. Loads of updates. I think it was Bitcoin mechanic who who gave us the update. Oh, Jesus Christ. It is a lot of updates. I'll start reading some, and then I'll give up. Doctor, doctor, Docker, stats fix, update back end dependencies, fix receipt, receipts, health, return correct. Okay, guys. You guys really need to you could work on her. Keep going. It's so so organic. I can't I can't do this. It's too long. There's like 50, like it's literally every commit too long. Is there a TLDR? Let's look at their website.
[00:37:11] Unknown:
Well, it's a it's it's not a major commit there. How many decimal places here? Three decimal places in this version. Yeah. That's not.
[00:37:21] Unknown:
Anyways, so yes. So Embase OS had a lot of updates. You guys have any comments about, Embassy OS?
[00:37:28] Unknown:
I mean, it has a very wide scope. You know? Like, they have all kinds of stuff outside of Bitcoin. Well, stuff I never heard of. Burn after reading share messages and files that are destroyed after they are viewed. You know, all kinds of little things like this you never heard of. And even, like, for example, after the, what was the, Ethereum thing that got that got sanctioned? Oh, no. They're coming in at for my studio here. Tornado Cash. Yeah. Tornado Cash. After that, they they did a self hosted get service that they added, you know. So they add all kinds of stuff to there, much more so than I think any other implementations tend to.
[00:38:08] Unknown:
Yeah. No. It it's a you know, that it's like a a big project, it seems.
[00:38:13] Unknown:
Yeah. I mean, I've never used an embassy, but, everyone I've talked to that uses it really enjoys it. And I I just I I appreciate I appreciate their goal, which is basically all the things that we currently use, like AWS and these big cloud providers for. You know, maybe we can host some of those at home in a relatively easy convenient way.
[00:38:37] Unknown:
Yeah. Like, they have a photo viewer. You know? They really try to cover everything.
[00:38:41] Unknown:
I don't even think they would consider it a Bitcoin project. Like, Bitcoin supported on it. No. But it's really a sovereignty project.
[00:38:50] Unknown:
Yeah. The, like, your own cloud. Like, there was there was a term for this. Self cloud. Self hosting? Cloud. No. No. But there was, like remember, like, when when people started getting pissed at Dropbox and all this service, the the photo sort of hosting software, somebody came up with a term for this stuff. Whatever. Let's call it own cloud, cloud, cloud. Own cloud. Alright. Ras Blitz, introduction of WebUI and API. Rasp Blitz is an interesting project. This is fairly Bitcoin sort of
[00:39:34] Unknown:
focused. Raspberry Blitz is a 100% a Bitcoin project. Yeah. They have CK bunker. Yeah. They support pretty much every good Bitcoin project that, you know, that you want to use with your own node and that you want hosted 247, and you can run it relatively easily. Now it's interesting because, you know, RAS by Bliss has always been extremely powerful, and I honestly think it's pretty convenient to use. But for their their big differentiator, the the reas all of a sudden, all these other node projects started to be successful. You could think like Umbrel and MyNode.
They were becoming successful because they were more convenient to use than RAS by Blitz, and that was because they had a web UI. And for a long time, the Raspberry Pi Blitz guys did not want to they said, you know, if if you can't figure out how to use our command line interface, then use a different project. But it looks like I mean, technically,
[00:40:35] Unknown:
half of the you know, for half of the purposes people use this these, node in a box, honestly, they shouldn't be using them if they don't know what's going on under, especially with, like, auto updates and stuff for core, major attack surface there. Right. But
[00:40:55] Unknown:
but, yeah, no rep splits, I guess, when it's those users too. Yeah. So they added a web UI. So this has been a long time coming and
[00:41:03] Unknown:
very big release for them. Very cool. Congrats, guys. It's a it's a good project. Alright. B d k 645 adds away well, this is just a pull request. It's not a release yet, but, adds away to specify which Taproot span paths to sign for. Previously, bdk would sign for a key path span if it was able, plus sign for any script path leaves it, leaves it had the keys for. That doesn't sound right. Anyways yeah. No. BDK, it's it's it's interesting. It's a lot of effort going to it. It's a shame it's in Rust.
[00:41:53] Unknown:
Okay. I guess you guys don't have a I don't know if you need on that one. I mean, I'm trying to figure out what it does. I think it's just trying to not sign sometimes. It's not trying to sign too much. You know? Like, if if there's hidden things in the Taproot, it's trying not to, like, leak them, basically. That's what I'm guessing.
[00:42:09] Unknown:
It it could be. It also makes sense. Right? Because with Taproot, you you don't know what you don't know as part of the script. Right? Because there's there's a bunch of other stuff that could be there that
[00:42:20] Unknown:
you don't know. Yeah. There's more you can leak.
[00:42:23] Unknown:
That's true. Alright. It's nice to see Taproot sort of, like, moving in in in good Bitcoin fashion, like, boring and sort of quietly moving a lot.
[00:42:40] Unknown:
Have you used the Taproot address yet?
[00:42:42] Unknown:
No. You know me. I'm gonna be probably I'll die before I move to Segwit. Have you used the Segwit address yet? What's that?
[00:42:52] Unknown:
Justin, you I I assume you have. Right? I have, but very little. Just, actually, BDK
[00:42:58] Unknown:
because that was the first wall that used it. Yeah. I've used Taproot, but mostly just for, hey, I made a transaction, but, like, no. I shared a link before this call about the transaction stats for Taproot, like, what percentage of all UTXOs are Taproot. And this is BitNex's thing. It's down right now. But it was, like, something like 0.06 percent of all transactions are, are tap root right now, the UTXO set. So it's it's very minimally, Point 6? Something like that. 0.6 or 0.06? Yeah. We add it to the show notes. Yeah. It's just it's crashed right now, so I can't see.
[00:43:32] Unknown:
So generally speaking, you know, when it comes to money, I am a huge fan of not changing anything unless you need the something that's gonna come from it. You know, like, Taproot is amazing, very cool. Can't wait to have all kinds of cool stuff I can do with it, but I'm not gonna use it for real money, for real every day until there's a specific feature
[00:43:53] Unknown:
I want. I'm on the same exact page there. 100% aligned.
[00:43:58] Unknown:
Yep. I'm glad to hear it, Matt.
[00:44:01] Unknown:
Gives me confidence in your stats. Do you use Segwit for hardware wallets? Because Segwit has some features that make it better on hardware wallets. Right? Like, they they fix the segash so you can verify amounts and stuff. Like, I guess that's something that you'd probably Yep. Yeah. No. Cold card is Segwit by default.
[00:44:18] Unknown:
Segwit is pretty battle tested at this point.
[00:44:21] Unknown:
Yeah. Yeah. Yeah. And and also another thing about Segway 2 is for multisig where you don't have to to have an order for the signers. Yeah. While the legacy analysts as you do, which is a huge deal when the widow of a programmer who overcomplicated the script hits our support.
[00:44:42] Unknown:
Yeah.
[00:44:43] Unknown:
So, next is, Kotlin multiplatformtor, Add store controller support for map address and resolve, full change log there. Who was it who brought this up? Somebody did on the on the issues. Nice to see more tour stuff happening. Alright, guys. We're moving on to the noteworthy section of the show. New self custody redundancy service, seed bank, upstart, service for passphrase, multisig users act as an Internet connected location in the context of redundancy backups. Seeds are sent obscure obscured over multiple channels, stored offline, anonymous operators, synonymous.
[00:45:32] Unknown:
Synonymous clients. Like an ad?
[00:45:36] Unknown:
No. I mean, that's that's their that's their, It's a seed bank. It's a seed bank just like, for Kumrockets. Like a third party service. Right?
[00:45:48] Unknown:
It reads like an ad. For more information, email us here. Yeah. I know.
[00:45:53] Unknown:
Yeah. Exactly.
[00:45:54] Unknown:
Oh, so the website doesn't work? It was working before when I checked. You gotta get rid of the www. And then it worked.
[00:46:02] Unknown:
Okay. So
[00:46:04] Unknown:
Yeah. Why are we talking about this? Did it did it someone you know What? Yeah. Listen. It's a it's a Bitcoin project. I mean, I'm gonna cover list. It's on the list, man. How did it get on the list? I I I can't remember. Point is, it's essentially a place for you to store your seed on the 3rd party, which is kind of a terrible idea, but at the same time, it is kinda cool. If provided that encryption is strong enough and you know the implementation of the encryption does not have any And the website works. And the backdoor there's no backdoors.
[00:46:38] Unknown:
There is no accidental bugs on the implementation of the encryption. I could see it being useful for multisig. And the website works. Multisig reduces the trust significantly.
[00:46:49] Unknown:
Yeah. I mean, personally, you probably wanna encrypt before
[00:46:54] Unknown:
they encrypt. Yeah. But then why are you even why not just encrypt it and put it in some kind of cloud or something?
[00:47:03] Unknown:
Matt, this has the same vibes as remember that project you had? Was it the Yeah. Final Message. Final message in a little bit. So it's like a way to store seeds. I always wanted to make a online lockbox Yeah. Right, for people. The problem is unless you can prove that the stuff is not illegal stuff in the file, you could have spam takedown requests.
[00:47:30] Unknown:
Right. That's why we made ours text only. Yeah. But I I mean, when I was thinking about with final message, it was specifically for inheritance. We're like, some trade offs have to be made for inheritance and you have to be careful with those trade offs because they can affect your
[00:47:46] Unknown:
security. Yeah. So yeah. No. I mean, listen. I I don't have something inherently against people storing
[00:47:54] Unknown:
encrypted stuff for you. Is this for inheritance though? Is is that what this No. Because I don't wanna go to I think it's just backup. Honestly, I'm, like, a little bit sketched out by the description, and I have my VPN turned off because I wanted to have a good Internet connection for this. So I don't wanna go to the website with my VPN turned off, so I have no idea what the website looks like. Oh, it was all over Twitter. Is it primarily targeted at inheritance? Like, do they have a mechanism in there to send that piece of the multisig to someone after you die?
I didn't check that fully. No. Because that could be that's useful. Like, I was hoping the only reason I created Final Mess because no one else did it. I needed that's the tool that could be very useful to me. If I could take a multisig one signer in the multisig and be able to pass that down to someone, in a dead man switch kinda way.
[00:48:44] Unknown:
I like the idea of having a encrypted lockbox on the Internet that is available to you, but I don't see a safe way of making that project in a way that the founders don't go to GAO or is just completely spammed out of existence with takedowns that you don't wanna fight in court. But if it's text, that's not the case. Well, but but then you can't really do text. It needs to be encrypted. Yeah. But encrypted text. No. You can't. But that then you can't prove that the data inside that is not something that shouldn't be there. See, what what law enforcement is gonna do is they're gonna be dicks. They're gonna go they're gonna get, kind of pictures that gets people in jail, and then they're gonna encrypt those pictures. Right? And then they're gonna put on your website, and they're gonna go to the judge and say, look.
There is encrypted pictures of things that shouldn't be there. But how do they put pictures and text? Well, it's it's gonna be binary, my Matt. That's the encrypted data, unless you're using XOR or something else, and that would have to be a seed kind of thing. But if there's if if there's just a text box on the website. No. But it doesn't matter. I could see, I could get binary data or or, you know, encoded base 58 or whatever. Right? That looks like text dumped on your on an input box on your website and upload it. But no, a character limit prevents that. No.
You can do BIS 58. So that's the that's the characters that you would use for text.
[00:50:23] Unknown:
You could get it that compact. Yeah. Yeah.
[00:50:25] Unknown:
Interesting. Yeah. Yeah. That that's that's how, for example, you put, like, say, PNGs in a, like, on page on a web in an HTML file. Anyways, point is it's very easy to yes. You can encode your binary data in whichever sort of format you want. Base 58 is an extremely common one because it is a limited char set that looks exactly like text, so that there is no issues with the parsers, and then somebody can put that stuff in your website. Noted. Now if you have normalized data, say for example seeds, you could come up with a SPAC that it can provably say that there is 12 words in there, as opposed to encrypted pictures.
Anyways, moving on from this one. It's a tricky one. It was all over Twitter. I figured I'd mention it. It's actually good that we discussed it in case somebody was thinking about putting their seed there. Foundry, the largest mining pool provides grants to open source Stratum V2. That's great. We need Stratum 2 v 2 to happen. It's about time.
[00:51:38] Unknown:
This is particularly big because Foundry is is the largest, mining pool in the world, but also because so so a major aspect of stratum b two is right now mining pool operators are able they're the ones who choose which transactions go into a block. They can obviously be coerced, or forced to not include certain transactions, so they become a central point of failure. In the current setup, individual miners in that situation could leave and go to a different pool. They basically have, like, a soft, like a soft veto there. But with Stratum v 2, one of the implications of it, one of the main goals of it is to make it so that the individual miners actually construct the blocks.
So it takes that power away from the pool operator and gives it to all these individual miners that are much more distributed than the pool operators. Also notable here is Foundry fully KYCs all of their customers. So they're, like, particularly regulatory friendly pool, and they're funding something that dethoots a lot of that defangs a lot of that regulation.
[00:52:56] Unknown:
Yeah. No. I I think any smart business, that is not aligned with the state thinking. They're just following, you know, the regulation that they have to so they don't get in trouble. Sees that it's important to create the tools that makes regulation pointless. So then they can get out of it without having to fight it.
[00:53:24] Unknown:
100%. But, anyway, great to see. Shout out to the founder team on this one.
[00:53:29] Unknown:
Yeah. This is, by the way, the the realistic way of handling things. Right? Like, it's kinda like the tornado cash sort of people sort of thinking that, you know, Coinbase is gonna fight, you know, the US government and risk 30 years in prison, for all the executives. You know, it's completely ludicrous. It's not it's completely unrealistic. You know, nobody's gonna risk jail time because, you know, people want privacy. That's why the regulations are designed the way that they are, is to discourage large companies from supporting the privacy stuff, and it's designed very well. Like, they're they're very good at making things awful to people.
So, the technology has to be inherently good at making regulation useless, not requiring some large entity to be benevolent.
[00:54:26] Unknown:
No. I agree with you, MBK. Justin, we can hear you eating. And laughing too. No. I was laughing. I was laughing at Justin eating.
[00:54:35] Unknown:
Oops. Small bite. Long podcast.
[00:54:39] Unknown:
It is. Can't you stay 2 hours without eating?
[00:54:43] Unknown:
Long list. Excuse me. Long list of podcasts. It's great. The list is long.
[00:54:51] Unknown:
Alright. Wait. Why don't we talk about no. No. No. Let's talk about tornado cache. I'm curious in your opinion. No. We will. After. After. Okay. Yeah. Because then there is, like, more than one story there. I'm I'm I but I only have so much capacity of reading text, Matt.
[00:55:09] Unknown:
Yeah. I don't, I mean, you don't have to go so far deep into the show notes. I mean, everyone always makes fun of Marty.
[00:55:16] Unknown:
Oh, yeah. We will. That that's no. No. This is the whole point of this podcast. Okay. We're gonna excruciatingly
[00:55:23] Unknown:
argue each. I guess now we're on to, like, news items. Right? Before they were, like, Bitcoin projects.
[00:55:29] Unknown:
Yeah. That's called the news and noteworthy. News and noteworthy. Okay. Or just noteworthy. Why is Nick's Bitcoin in here then? Because,
[00:55:37] Unknown:
I don't know. Shouldn't it be in the other section? He totally should. Okay. We'll read it. I I'm gonna blame the new producer. Well, let me let me let me take this one. So next next bit is is a little bit like, what was the one we just talked that just got the WebUI? Raspberry Blitz. You know, it's it's a similar thing like that. It's more security focused, less moving parts. The interesting thing is, like, next is a, it's actually a distribution of Linux where you can have, like, one little config file that can completely define your operating system, and it can, you know, build an entire operating system from that. And so you can have all kinds of restrictions, like what users can see which folders and can make which network requests. You can really lock it down at the operating system level. And so Nix Bitcoin is, a config, basically, in next that can build up such an operating system just for running a Bitcoin node, lightning node, and other things like that. So it's very security focused. Like, you know, for example, Jonas Nick from Blackstream is one of the main people behind it. I mean, he was just basically building a node from himself, and next batch plan is what it became. And so we're, Teddy went I think some probably some of our first production deployments will use this, just because we were using mix for our developer environment and our build system currently, and so it's pretty easy to just integrate it with this. So it's a it's a it's a really interesting security focus like node in a box solution that's much more aimed at tempers.
[00:57:00] Unknown:
There is one more super important thing about Nix is that they're very careful about dependencies management and, and reproducible builds. Right? So they they take a lot of extra effort to make sure that the dependencies are let's call it this way, the supply chain of dependencies, that the dependency chain is way better managed, and is sort of properly paid attention to, so you're not pulling some of the dependency that could be a non review new version that has a hole in it or something like that. They're they're a lot more conservative about dependencies that than your usual Linux. Yeah. This is this is the whole point of the project. This is the the reason it's different from other ones, is that they they
[00:57:43] Unknown:
model the software. It's just a is is a graph of dependencies. Right? So it's like Bitcoin Core. Right? Like, I'm just on a very high level. Right? Bitcoin Core is dependent on the GCC compiler because that's what's used to build the code. It's also dependent on SQLite. That's the database for files. And it's also dependent on LevelDB. That's the database for blocks. SQLite is for blocks. LevelDB is for blocks. So it, but this sort of graph can get much, much more granular because each one of these has dependencies. And so if you want a really deterministic build, you you need, like, a model of all the dependencies. And so the really cool thing about Nix is that they took this There's actually a fork of it called Geeks, which is used for Bitcoin Chorus build system, which took this to the absolute extreme where, not only can you build basically, like, if you use Ubuntu, you start you have to trust about 400 megabytes of trusted binaries.
Like, they're just, blobs of of of computer programs that you can't really audit. They're outputs of compilers. But, with geeks, you can build you can basically build all that from from source and a 250 byte trusted binary. So, like, this is basically a a a really interesting way of of making it so your reproducible build for a software project is, like, reproducibly correct. It's built from source code and not source code and a bunch of trusted binaries can't audit. So it's it's really interesting for security.
[00:59:06] Unknown:
Yep. But it's still not free BSD.
[00:59:09] Unknown:
Nick's Bitcoin is a is a really, really, really cool project. And I'm I mean, on the on the most basic level, it's just when we talk about that security versus convenience trade off balance, they're all the way on the security side.
[00:59:22] Unknown:
Yeah. They're extreme. It's hard to use. I'm I I I've been struggling to figure out how to get a server running.
[00:59:29] Unknown:
That that's a good sign.
[00:59:31] Unknown:
Yeah. I was fortunate enough to have, Nickler and the other lead maintainer on on dispatch, and it was a really great conversation. It was episode 40 42.
[00:59:43] Unknown:
Yeah. They have a matrix room that's very helpful.
[00:59:45] Unknown:
Yeah. Jonas is also the guy who did the half aggregation, signatures. He's a real cryptographer. He's fucking awesome.
[00:59:54] Unknown:
Yeah.
[00:59:55] Unknown:
It's another lizard made project, you know, he works for Blockstream. Alright. Signing devices.com. Oh, that's mine. It's a website to remind everybody that hardware wallets are a stupid term for Bitcoin wallets. It should be signing devices for hardware. You can go there and check it out.
[01:00:15] Unknown:
No. That was an ad.
[01:00:17] Unknown:
No. Not really. I I was not the one who added there.
[01:00:21] Unknown:
I just made it sound like an ad. Well, isn't signing devices dot com your website? Yeah. Oh, but you didn't But Did you did you did you not approve the pull request?
[01:00:33] Unknown:
Of course not.
[01:00:34] Unknown:
Okay. Fair enough. I just wanted to say on the previous on the previous topic, you said it's another lizard creation. I mean, the Bitcoin space has has I wonder how many people in the Bitcoin space recognize that comment.
[01:00:52] Unknown:
No. I mean, it was a joke because, see, for people that were not around the block wars Exactly. The a lot of people were saying that, you know, like, me and other people who supported small blocks were people paid by Blockstream, which I'm not, and we were all dragons, and we were lizards. So, you know, the the joke going forward always is if you work for Blockstream, you're a lizard.
[01:01:20] Unknown:
It's it's it's so dumb. Yeah. Most people don't recognize that reference because we have so many new people now. Yeah. I know.
[01:01:27] Unknown:
Well, I'm glad we explained it. Right. It's it's really dumb because all these projects are all open source and all verifiable, so it makes really no difference even if it was evil. Alright, tornado cache GitHub taken down, lead developers accounts frozen, and in response to Tornado Cash GitHub being taken down, Start9 added, GTS service to the EmbaseOS. Well, we can talk about all that together. So for people that don't know, this Tornado Cash was a sort of like a quote unquote decentralized contract on Ethereum that provided reasonably good privacy, except that the way Ethereum works, it doesn't have UTXOs like coins. It has accounts, which is very dumb.
So anyone who received, Tornado Cash token into their account, and all these accounts clearly monitored because within minutes everybody was being sort of like completely doxxed on Twitter, now has a has funds from a tool that is under sanctions, which is a very big deal in in legal problems. So, anyways, there's there's a lot of stuff going on here. I mean, you know, of course, you know, they should not take the cold or the dev down because cold is free speech. In some countries it's not, maybe in Holland it's not where he is and the reason why he was taken. My theory is, you know, if this developer, one, was in communication with bad people, knowingly or unknowingly, they would use that against him. Ethereum people have a history of talking about DPRK somehow in North Korea.
I think there was a guy that went there and got arrested on the way back.
[01:03:26] Unknown:
Yeah. That was Virgil Griffith. Virgil went to Yeah. North Korea and gave a presentation on how to use Ethereum to circumvent sanctions and then got arrested.
[01:03:40] Unknown:
Very bright. Generally speaking, when it comes to privacy providing tools that are highly used by people who the state deemed unliked, and is very very successful. The state doesn't care what is correct, what's not correct, what is truly illegal, what is not illegal, they will find a way to get these people, right, because they are now people of interest. Remember that at all, the state doesn't have to really follow the law when it comes to anything that they deemed terrorism or whatever, they would just come up with some bullshit reason, but there's also this other concept in law which is profiting from proceeds of crime.
So say for example somebody runs a coordinator for CoinJoin, and they are taking profit directly from the CoinJoin of that specific transaction, and the state might see that as a problem, and they might try to frame it that way and go after the people. That's, in my view, how they will go after some of these people. Is that correct? Absolutely not. Is that fucked up? Yes. It is fucked up. But, you know, these are not the good guys. Right? These are just assholes in suits, so it's gonna get weird out there, especially for projects that are like meaningfully doing volume. Right? These guys were doing quite a bit of volume.
I'm sure Matt will have opinions.
[01:05:21] Unknown:
It was 7,000,000,000 total volume they had done.
[01:05:26] Unknown:
There you go. That's a bit of
[01:05:28] Unknown:
money. Yeah. I mean, I've spoken at length about, the situation, and we have a lot more to cover. So I don't have that much more to add, but it it was it was good to hear your opinion on the situation.
[01:05:40] Unknown:
I appreciate it. Yeah. No. I mean, it sucks. It's like it's one of those things that, like, you know, I don't think the world should work this way, but it does. So our our goal and our like, we should strive to create tools that don't get the devs in jail, because, you know, we don't put people in jail because people use the dollar for bad things, you know, it's ridiculous. So unfortunately, there will be a learning curve for people, and, you know, you can't you can't prevent. Like, people will come up with alternative solutions, and it's gonna be a cat and mouse game. If you're on the, you know, the state side or on the freedom side, it doesn't matter.
It is what it is. I just I just hope that, you know, this guy has a good lawyer and he gets out because it's fucking bullshit. It's just gold.
[01:06:36] Unknown:
Yeah. I mean, on the tornado cash specific side, I personally kind of feel like it's a very low lift, fact finding kind of mission. So, I mean, all all the treasury had to do is, you know, they basically just updated the blog post. They just copy and pasted the contract address into, you know, the OFAC list blog post. And then they just watch, and they they just watch to see what happens from there. And sure enough, you know, most of these so called DeFi services, you know, they have very centralized front ends, and they, like, immediately started blocking accounts that are that have a history, a shared history with with that contract address.
And, the dusting aspect is really interesting because, you know, as you said earlier, a bunch of celebrities and stuff were getting sent to their account, this Tornado Cash, and you can't there's no coin control in Ethereum, so you can't not spend it. So there's gonna be all these things that get exposed because of this single little this single change, which was put that contract address into that into that sanctions post. And, it should be interesting to see how everything plays out. Personally, in in America, code is is is speech, and speech is supposed to be a protected right. Unfortunately, we've learned we can't really rely on on those legal protections.
I mean, it's it's it's I think I think we will look back and it will be like the start of a very strong fight against financial privacy in the the Bitcoin world, but we shall see. On the coordinator side, one thing that should be noted, I think, at least in terms of any kind of service that relies on a centralized coordinator. A big thing there is how how hard is it to run a coordinator, you know, self host to coordinator through Tor. And I wonder if we will see if we will see alternative coordinators pop up that are not connected to known legal identities.
[01:08:45] Unknown:
You know, Matt, I think what the state just did with this tornado cash thing is piss off a fuck ton of devs. And if there is one thing you don't want, it's to piss off a ton of fucking devs.
[01:08:58] Unknown:
Very true.
[01:08:59] Unknown:
You know, seriously, it's like, you know, as much as we get some shit or fried at Ethereum design choices, you know, like I think we get more pissed at the state sort of going boot after these people, right? So I think there will be a lot of new tools coming out that will be substantially better trying to cover exactly whichever attack scenarios, legal or technical, were used after these guys.
[01:09:27] Unknown:
Yeah. I mean, basically, like, the best thing they could have done to neuter these systems is they've been doing nothing for so long that a lot a lot of these projects are built in a completely non adversarial environment. So if there's an adversarial environment all of a sudden Exactly. Things get hard hardened. Right? More robust, and and the end result is is stronger tools.
[01:09:50] Unknown:
You know, it's like he always goes back to the to the PGP, fight back in the day. You know, if you wanna classify, encryption as munition, which is, like, one of the the most strict ways of classifying something. It's it's like this is, like, literally the worst thing the state can try to do is classify something as a weapon of war, to prevent citizens from doing anything and having zero legal recourse, and look how that turned out. Right? And then look at the war on drugs and look how that turned out. So, you know, we're fortunate to live in a time where the only nuclear option a state has is to turn off everything, which they can't because everybody goes broke.
Right? So if they have any tap open, everything else leaks through. So, you know, best of luck, and I I I really hope that some of these people that work in this in this entities, you know, find a better thing to do with their lives than than to make people's lives miserable. Anyways. Alright. Next, is, let's talk about the 2 disclosures at the same time because why not? Swan email provider leaked data, which is Swan's data, and Casa discloses also a data breach of the Casa store. It it all it's a tricky one because, you know, realistically speaking, nobody can run an email server anymore. You get immediately flagged as spam by all the big, big email providers.
So that boat has sailed. And, you know, this third party email providers were not designed to have the level of security required to hold Bitcoiners' information private. So it's it's not a matter of if, it's a matter of when email providers will will screw up. Now that doesn't mean you can't do something about it, like, for example, delete information. You can't guarantee that these email providers will delete their logs and do that, all that stuff. So for email's sake, please use an email that is not your email, like your like, for example, me from way back in the day, you'd have, like, your name, full name kind of thing, and Gmail or something like that. Right?
Don't use those emails. I don't use mine of those anymore. So maybe use burner emails to order things from Bitcoin companies. And then for the Casa leak, I didn't see full information on that. I don't know if this was a storefront that they were running internally, if it was third party. Do you guys know if this was, internal or external breach?
[01:12:55] Unknown:
We're talking about Casa?
[01:12:56] Unknown:
Yep.
[01:12:57] Unknown:
I'm not sure Casa was using a third party, merchant vendor, and it was for their store. So it was if you bought, like, additional hardware wallets or Faraday bags Right. Or seed plates, you would you would get them from that store. So, technically, not all their users, but you have to or or the nodes that they sold. So, technically, not all their customers, but probably a large portion of their customers. And then, even the Bitcoiners bought the node. And, yeah, a shit ton of people that aren't their customers that just bought the nodes. Right? They probably have more people buy the nodes than use the multisig. Maybe I'm talking about it in my ass, but I remember a lot of people bought those nodes when they still had them out.
[01:13:39] Unknown:
Yeah. You know, eventually, our store is also gonna get hacked at some point, but, you know, we keep it in house for a reason because you can't trust the store providers to defend Bitcoin or information. Trusted third parties or security holes. Yep. And another thing too is that when we delete the data internally, we actually delete the data. We know that the data was deleted. You shouldn't trust us, but this is not about you. It's about us knowing that we deleted the data. Right. You don't have to trust a third party. Like, CoinKite doesn't have to trust a third party with it. Exactly. Like, when when people say trusted third parties or security holes, like, sometimes you have to use a trusted third party, but you wanna use a trusted third party that's not using another trusted third party
[01:14:19] Unknown:
who's then using another trusted third party. It's like trusted third parties all the way fucking down.
[01:14:26] Unknown:
You know, that's all how it works. Right? So but another challenge is, for example, shipping companies. Right? Like, your information in order to ship to you has to be sent to a shipping company and a company that calculates shipping costs and shit. So, you know, shipping to a PO box really is your ultimate realistic solution. Everybody should have a PO box somewhere where they ship stuff to. Because listen, the state is gonna find out where you are. Right? Because you normally can't even get a shipping, PO box without your ID being photocopied, but It's like full k y c to get one of those. Yeah.
Yeah. But at least bad guys won't. Right? So so that's one nice thing. Phone numbers is trickier. Sure. There's a few solutions. No. Use a use a use burner numbers.
[01:15:18] Unknown:
If if the state's not in the threat model, then you can use one of those apps like my pseudo or Hush. Use burner emails. If the state's not in the issue, then you can use, like, the different aliases these services offer, like Proton offers it, 2 DeNoto offers it. These things reduce your attack surface. Obviously, use companies that, you believe are taking your your privacy and your security seriously. But one thing, Enrique, you know, at Bitcoin Park, that's one of the key features that we're one of the key benefits we're offering our members is that they can get things shipped to the park.
Nice. And, also, we're just gonna have, like, a merge store. Like, we just wanna have, like, cold cards and block locks and stuff for people to buy there. That that's pretty cool. I mean, having
[01:16:06] Unknown:
locations see, there's a couple of things going on there, but, like, you don't wanna have a seal of approval on a reseller, right, because that's a security hole. What you want to have is local webs of trust. So there's a few guys who you know that based on the security threat model of their hardware wallet, you know, those guys are probably trusted to buy the wallet for you because you trust them. Right. Right? Not because they're being certified kind of thing. Right. Straight offs. Because that's stupid. That just gives false security. Exactly. That that's pretty cool. And and another thing too is that, like, if you're a company out there who wants to sell stuff online, please don't use Shopify, please don't use WooCommerce PHP crap.
It all it doesn't matter that you're hosting the PHP stack. It's still a PHP stack store, not designed to be safe. Right? There is a lot of LARPing out there about stores, and remember, right, like it seems to be that the marketing and commercial tools are always how most Bitcoin companies get owned. Remember the Ledger guys was not like, them or their store themselves. It was the the CRM tool that was feeding from the store. List.
[01:17:27] Unknown:
Yeah. It was a fucking marketing list. Yeah. I feel like this happens, like, every fucking week now. It's or, like Exactly.
[01:17:35] Unknown:
Well, the the problem is this. Right? You know, companies wanna sell. Okay? Having a CRM tool, right, having some analytics on your sales and your customers and knowing a bit of your customers is a huge advantage in sales, it really is. Right? The question for companies that we asked ourselves was, in our case, for example, what's worse? And this is like pure selfish question, right? What's worse? The cost of not having new customers because we lost the data or being able to cater sales to people using a CRM in terms of sales gains? I mean, it all, like we, in our opinion, feel like having the bad news of being hacked and losing all that information is not gonna is is gonna be worse for sales than having advanced sales capabilities.
It's a business question, like, you know, like forget about the morals of this for a second. I think it's a much better way of looking at it. So No. Yeah. 100%. It's not marketing to people. It's not it's not,
[01:18:44] Unknown:
I'm not making a plea based on on morals or ethics. I'm I'm saying that if if if you care about your business, then get your shit in order, or you're not gonna last very long in this space because it's fucking ridiculous. And I I would say and I've I've already said this publicly, but I will reiterate it, that specifically on the on the Casa side, you know, I have a lot of respect for that team, but I was, I was really disappointed because the thing is, first of all, it's one thing. If you get owned, if you get owned, you need to be transparent and you have to learn from your mistakes. And with this particular breach, their public release, didn't say what information was leaked.
You had to go and search for it. Like, they they had emailed people, what had actually been leaked, but they their public release didn't say that. And I feel like that is that's that's kinda some bullshit. I I don't I don't necessarily have it. Publicly downplaying it. Like, the leaked data was names, emails, phone numbers, shipping and billing addresses, and the products ordered. It was it was basically as owned as you could get.
[01:19:53] Unknown:
No. Personally, I just wanna make sure at least the people who got owned got informed that they got owned. How people handle their PR, there is nice ways, there's bad ways, but, like, you know, it's debatable, but I I just at least I'm happy to hear that they informed each. They're they're a responsible actor. Right? Like, they're not a bad actor in Bitcoin. So and there there's good people there. So, like, I I'm just happy to know that they informed each customer about what got owned. I just wish they didn't keep that data because they don't sell nodes anymore. Just delete the data.
[01:20:34] Unknown:
Yeah. It's unfortunate because they go to such they've gone to such lengths to to not KYC people for their multisig service. Right? Like, this was has been a big Mhmm. Selling point of theirs for a long time. They said they don't do any KYC. You can use a NEM. And, yeah, to leak addresses is is, you know, is pretty bad. If that's if that's what, like, our core thing your business is trying to do.
[01:21:02] Unknown:
It's, maintaining anything that's online secure is not easy. Assume you will get owned. I mean, we we we know eventually our store is gonna get hacked. Right? It's like, how can I minimize the amount of data that's there? Alright. ETH versus BTC differences in capturable attack surface, that's a whole different rabbit hole. That was there because the list was not this big yet when it was added there, but I just I guess I just need to comment a little bit on this just because such a fucking mess out there. You can't compare the 2.
Okay. Bitcoin was designed for the worst case scenario. It's, you know, is designed for a battlefield. It's the Byzantine general's problem. How do you trust a message to get to the other side? And Ethereum literally made all the bad trade offs so that it can have, you know, high yield smart contracts, and, like, it's just, it drives me insane to see all these people arguing as if there is anything to be argued in any sort of comparable footing. I assume that you have your tired of that subject.
[01:22:18] Unknown:
No. Wait. Was that you went back to Tornado Cash. Is that what just happened?
[01:22:23] Unknown:
No. Just ETH versus BTC in general because the the merge
[01:22:27] Unknown:
Yeah. I mean, like, this is this is is one of those things. Right? It's it's if if you're trying to build an open global financial network, you need a really stable foundation, and you need that foundation to be as censorship resistant and robust as possible. And so Bitcoin Development has has prioritized that since the beginning, and Ethereum has done pretty much the exact opposite, and that doesn't become obvious right away. So now it's gonna start to become obvious, and that that and that's really the situation right now. But see, Ben, what drives me nuts is Bitcoiners
[01:23:06] Unknown:
arguing with Ethereum people on Twitter as as if there was anything to argue about on the same footing. It's like it's like trying to compare water and oil. Right? Like like it's like it's 2 different things.
[01:23:21] Unknown:
Yeah. There's no there's no need to debate. It's all becoming quite obvious on its own.
[01:23:28] Unknown:
Yeah. And and, you know, and the shitcoiners, the Ethereum heads, of course, they wanna send back Bitcoin and try to drag Bitcoin in because, you know, it's always been what they've done. Right? They they they want to sort of use Bitcoin and sort of like straw man Bitcoin because it makes their keys don't look as bad, but it's gonna be a lot of fun to watch that project fail.
[01:23:50] Unknown:
I mean, I think capture is almost the plan at this point. Right? Like, Lubin came out recently with a big proposal through the like, I think it was, like, an article he wrote through the Ethereum Foundation explaining how you do a CBDC on Ethereum. Right? So it's like, I think capture is almost a goal to get
[01:24:07] Unknown:
another pump or 2 out of out of Ethereum. Right? It was always the plan. It was always what was gonna happen. I mean, it was designed.
[01:24:15] Unknown:
It's pumponomics. Yeah. Yep. Right? I mean, like, Ethereum is essentially a factory of Ponzi's. Mhmm. Which is a shame. Right? Because, you know, there is interesting stuff you could build on that platform knowing that that platform could be fully captured. It's just what pisses me off, I guess, is that they pretend that it isn't, right? They pretend it's decentralized, they pretend all this stuff, but, you know, it really is AWS, right? Everything is running on Amazon, nobody can run a node, nobody can verify anything, it's not ultrasound money, it's not a world computer, it's none of the crap that they sell us. It really is the false market marketing and Bitcoin affinity scamming that pisses me off, I guess.
You can see I am very passionate about the topic. Alright. This one is, Matt's, Matt related here. OpenSats launches legal defense fund. It aims to defend open source Bitcoin contributors from lawsuit regarding their activities in Bitcoin and free open source ecosystems by directing donations to the fund to to fund legal fees related to the contributions. That's pretty cool. I think Square or Jack also launched, some some defense fund as well. I think Bitcoiners should fight hard and with all the money. Right. So,
[01:25:43] Unknown:
Dorsey and some others launched, a defense fund for developers facing lawsuits. We we had Huddl not, reach out to us when reach out to us a couple of months ago. He has immense legal burden. He's a very humble dude. He we base I we basically had to push it out of him, to ask for help, and he's inundated in legal fees right now, over a tweet he made, about CSW. So none of the existing avenues were he he didn't have any help any other way. So we worked with him and some other partners, to set up this fundraiser, and alongside the fundraiser, we set up this fund where the funds are getting directed to. That that's great. So we have our general we have our general fund. Our general fund is mandated to support open source projects.
People can apply for grants, whatnot, tax deductible. Then we have this legal defense fund, also tax deductible, or you can donate anonymously, whichever way you prefer, Bitcoin or credit cards. And this mandate is much broader. Right? This mandate is is is legal fees, defensive legal fees, and free space free speech cases that are, of open source contributors. But when we say open source contributors, we don't just mean developers. So Huddl not will be a recipient of some of the funds, but, also, hopefully, we raise excess of that, and, it can be used, for others as well.
[01:27:27] Unknown:
So correct me if I'm wrong. So people can have peace of mind knowing that, you know, if there is, like, extra money that's that's, donated that doesn't that's unneeded to the legal fees, they will just go to a fund for further legal defenses.
[01:27:45] Unknown:
Correct. And all the funds at Open Sats period are held in Bitcoin. So if you believe that Bitcoin will increase in price, then, you know, we're holding your funds in the hardest money possible. So so even if you donate via credit card, Ledger has, basically stepped up to and they they they donate the the processing fee for our credit cards, and then Okcoin has agreed to convert it to us, convert it for us free of charge. So if you donate via credit card, it's it's immediately without fees converted into Bitcoin and held as Bitcoin.
[01:28:23] Unknown:
That's pretty awesome. So for people that don't know, when you have assholes who have very deep pockets to sue people, what they do is, aside from the fact that, like, normal litigation is extremely expensive already. Right? Like, it's always a few $100,000. What they would do though is they'll go crazy on discovery, and and all kinds of other aspects of the litigation so that they their goal is to suck you dry so that you cannot fight anymore and you settle or you withdraw. Right? So so that's what, what, what that fraudster is doing is, he's trying to to suck people dry off their legal fund capacity, and that's terrible because that sets precedent, and then next time a judge goes, in the same jurisdiction or even sort of any common law jurisdiction really, people cite that case saying, hey, you know, there is enough people who agree that CSW is Satoshi just because they withdraw their case, right, and, it's a terrible thing, so the more people that fight this guy, the better.
Boy. Anyways, good for you, Matt, for putting this together. That's pretty awesome.
[01:29:51] Unknown:
Cheers. Huddl not surreal one, and, I'm just, I'm just grateful. There was a lot of people involved, and, it came together pretty quickly. It was pretty cool to to watch unfold, but we're gonna have a, we're doing a 12 hour telethon. So first of all, defendingbtc.com if you want to donate. Every set matters. The legal fees just for Halton, not alone, are significantly high. They're very high. They're in the millions,
[01:30:23] Unknown:
and yeah. So so the more, the better. Well, but the good thing is keep on donating because it's still gonna go to your defense fund. Correct.
[01:30:31] Unknown:
Exactly.
[01:30:32] Unknown:
You know, it doesn't matter how little or how much there is there. Just keep on donating because you will go still towards Right. People who will have to be defended in the future. And if you or your company are sitting on
[01:30:45] Unknown:
large amounts of gains and you're in US or a partner country, we do have tax deductible donations. So consider that instead of sending it to the state, send it send it to our defense fund or our general fund.
[01:30:58] Unknown:
Yeah. You should get set up as a as a, tax deductible entity here in Canada too. I think there's some reciprocation,
[01:31:05] Unknown:
isn't there?
[01:31:06] Unknown:
It's not that simple. Yeah. It's not all kinds of, of,
[01:31:11] Unknown:
tax deductible. Anyways, just saying because there's a lot of Bitcoin entities here. We'll look into that. But I my understanding is some countries have reciprocation. And then the second thing is Yes. We're gonna be doing a 12 hour telethon live from Austin on Friday, during Bit Black Boom. So join us for that. That should be a good time. There's gonna be art is gonna be auctioned, Different collectibles and stuff like that will be auctioned. We're doing a limited edition block clock courtesy of NVK and CoinKite. So it'll be a fun time. Hopefully, we'll raise a bunch of money.
So so defendingbtc.com.
[01:31:48] Unknown:
Are you gonna be able to take the orange one there for the demo I am not. Till we have the other orange one to send out? I am not because I'm on the road, but we have a
[01:31:58] Unknown:
shitty picture of it that we will show people. But just know to anyone listening That's great. For my for my wedding, NVK gave me a limited edition orange block clock, and the only one that's not in his hands is currently in my hands, but there's gonna be another one that's gonna be available for, during this telethon. So if you're interested in that, consider joining us and bidding up that auction.
[01:32:26] Unknown:
Yeah. No. It's, I hope I hope it raises a lot. Alright, well this one is cool. Replicant reproducing a fault injection attack on Trezor. So this is this is the old, Trezor 1 attack. It's just it's just fun to see when other people go and reproduce this attack by themselves, And I don't know if I ever heard in a podcast anybody talk about it, like, in a way that they sort of explain how this is done, and I figured I'd bring it up. So this was Tresor 1, but it was was it already when Tresor t was already around or not? I can't remember. So essentially what this attack does is it glitches essentially when you have, a chip that is not designed to monitor voltage for security purposes, what it does is, say for example, you have the the chip saying, hey, is this been correct? Is this been correct? Is this been correct? And then the response is not correct, not correct after the user puts it in.
Imagine that sort of like as voltage. Right? Now, essentially, what this attack does is when when I'm responding not correct, but because it's not designed for security it also doesn't hear is correct either, so it just assumes is correct and then it's bound, it's on. Right? So the reason why I brought this article up is because it's a great explanation of the attack, it's very fun for people to understand how this attack is done, and understand how chips work, especially non secure chips work. Anyways, it's it's a very good article with very accessible sort of, like, level of information.
It's not like a paper.
[01:34:35] Unknown:
How much do you think this attack cost? Structurally?
[01:34:39] Unknown:
You know, this guy used fancy stuff, but you can do, like, $20 worth of parts.
[01:34:46] Unknown:
That's crazy.
[01:34:47] Unknown:
Yeah. No. It's see, this is the thing. Right? I think we will be in a in a in a very in the very near future, we're gonna be at a point where when you go through the near port, the same way they can plug your iPhone or Android to a little machine that can essentially own the device, copy its memory even if it's fully encrypted. It either knows essentially, all phones are backdoor. Right? Doesn't matter how fancy your distro is. The difference is some of them may achieve a level of encryption on the OS that's, like, acceptable or breakable later. So there is this black box that's made by security farms for airports where they plug your phone in when they take it from you, and then they copy everything. They can either break it there or they can break it later.
I think we're gonna arrive at a point soon where, state actors and bad guys will have, like, little black boxes so that they don't have to have the technical, know how to do any of these attacks. They just plug the device or stick the device into these machines that take the seat out essentially. Right? This is what they are achieving with this thing. I I think, I think we will be at that that space soon. So that's why it's so important to have strong passphrases, to have physically secured hardware, multisig, and sort of upgrade your security because, you know, it might already be out there. It's just we won't know until we know. Very, very nicely done by this, the security researcher.
[01:36:20] Unknown:
Yeah. I've been expecting that for a while. Surprisingly to this point, I have not I I I tend to like to travel with empty signings just to see if, like, when they pay attention. Mhmm. The most recent time was I was I was going to Norway and, I was carrying a couple, empty MK fours, SATS cards, tap signers, and open dimes, because I wanted to show the activists your complete line of products. Not because I wanted to show the activists, like, all these different form factors you could use, for holding Bitcoin. And we're connecting through Heathrow in London, and we have to go through a separate security because I was a fucking idiot and I forgot the UK wasn't in the EU. So I had to go through customs twice.
But that's besides the point. I went through a security there and they pulled me over to the side and they opened up my bag directly to where the signers were. And the signers were just in this mesh compartment wide out in the open. I was like, it's finally it's finally gonna happen. And then he just grabbed he grabbed my, like, bathroom bag and pulled out a conditioner and told me the conditioner was too large and then sent me on. Do you use conditioner, Matt? I don't know. Whatever it was. It was like conditioner or shampoo or something. I think that's the egregious part here.
[01:37:45] Unknown:
Yeah. For the mustache. Oh, it's for the mustache. Only for the mustache. Okay.
[01:37:49] Unknown:
Yeah. No. I I I like conditioners night. Like, my hair is long. Like, you need conditioner, otherwise, it tangles
[01:37:55] Unknown:
up. Rodolfo, this might be a tech tip. Travel with an empty hardware wall.
[01:38:00] Unknown:
Right. That that's right. I mean, at least have a BRICKME pin set up. That that's, you know so here, sir. I'm just gonna put the pin on and oh, it doesn't work. You know what I don't like about the BrickMeIn?
[01:38:13] Unknown:
You can't test it. That's that's kind of by design. I had to kill a device to test it. Also, I have a device Don't trust. Verify. I have a cold card with a ticker on it that's, like, the countdown timer or whatever. That's it's like a year or some shit. 28 days. And I didn't realize it it has to stay plugged in. Yes. Like, I can't I don't have the self control to keep a device plugged in that long, so it might as well be brick too. I just got rid of it. No. Just leave it on. It's fun. You just plug it to a USB and leave it running for 28 days. I got, like, 14 days once and there was a power surge and then So so worked as designed. That's really what you're saying. Just just a heads up, like, if you're gonna pick a big countdown timer, don't try and test it.
[01:39:00] Unknown:
Somebody did it. Somebody did the 28 days once and, posted on Twitter. Is 28 days the largest one? Yeah. I call it 28 28 days later, in regards to the movie. Yeah. It's a good movie. Alright. So Square, Wallet fame, they keep on making posts, which is interesting. This latest one was about, seeds and things. Again, it's kind of annoying me because it's the seed hating thing. Seeds are great. No? What do you guys think?
[01:39:35] Unknown:
Yeah. I think if you're gonna self custody, you should probably do it the way that other people. You should you should kinda do the best practice thing that has been has worked for a lot of people for a long time.
[01:39:46] Unknown:
I kinda like where they're going with this with the caveat that I just think more options are good and people should try different trade off models. Like, I feel like we're still pretty early in the Bitcoin game, and we shouldn't just, like, lock ourselves into how we've always done it. Or No. That in that sense, I agree. In this particular model, they'd make some interesting trade offs that you don't really have. First of all, you have this this hardware signer that's presumably extremely cheap. It's a blind signer. In an average day to day usage, the person will never use it.
Things will get signed by their servers, will get signed by the 3rd party servers. And if the 3rd party acts up and the 3rd party is not letting you get your funds, then you use the blind signer and you you pull your funds off.
[01:40:34] Unknown:
But but see, why even bother with the signer then? Just have a piece of paper that you write down whatever secret that signer is gonna have if it's just a backup.
[01:40:44] Unknown:
Because you're assuming the user can't keep track of something like that?
[01:40:48] Unknown:
Yeah. But then they're gonna lose the device. You give them a little fob and they can just tap it on the back of the phone. Easy peasy.
[01:40:55] Unknown:
I don't know. Because I think they're putting a screen on it or at least a button or something. Right? And that might be a battery. I don't know. I I I wanna see it. I welcome new different things. I just I just wish there was more intent and interest in human readable backup solutions. Maybe it's just I'm jaded because I've seen so many people lose so much money through their years too. Right? So maybe it's part of that, including myself. Yeah. I mean, you know, it's nice to see. It's just I don't know. It's just every time I hear no see, they sort of bulk a bit. You know, we made kind of trade offs to top signer too. Right? We there is no seed because the device is too dumb, cannot handle BIP 39. So so the backup, it's essentially automatic.
When you when you set up the device, say, with Nunchuk or whatever, it offers you for you to back up the the encrypted file into your phone cloud chip. And but but the keys for that are are lasered etched on the card so that the digital wallet cannot see the backup. It's fairly strong encryption too. But then the problem now that I see is collusion between 2 server entities offering you the signing part. Right? But I guess for small amounts, it doesn't matter. The reputation of these companies is more important. So even if they get hacked and start signing people's funds, they'll probably make everybody whole. It would be in their interest.
Yeah. It's an interesting it's an interesting solution. Alright. Justin, I think this one, was from you. A new way to do DLCs.
[01:42:46] Unknown:
Go for it. Yeah. So DLCs are a way to bet on an outcome, and, the cool thing is all you need is an oracle, so I'm gonna test in the outcome, like, who won the Super Bowl. And, the, yeah, the cool thing is that you the people making the bet don't the the the oracle that's attached to the outcome doesn't need to know about who is participating in the bet, and it's all based on Bitcoin and doesn't require any changes to Bitcoin. Some of the downsides to it are that no one uses it. There's no liquidity yet. It's sort of a trade, these DLCs, and, also, you need to, you can only bet on things that Oracle's broadcast outcomes for. So, like, you can't, you know, make your own custom contract and write a Python script or something and make them bet on what the outcome of the script is gonna be in 2 weeks.
And so the cool thing about this is that it's it's changing the signature algorithm underneath. It would basically allow you to run the DLC protocol on any sort of outcome. So, like, you could anything that you could express in software, you could write, like, a little smart contract. But here, the smart contract could just be literally a Python script, and you and your counterparty would agree to run this at a certain point. And only if you disagree would you have to give this off to the to the to the DLC. So it's it's kinda interesting because it's it it it could potentially do some of the, like, accomplish some of the the, goals with these smart contracting systems, but in you know, blockchain systems, but it it doesn't resemble them at all. It's just a totally Bitcoin Bitcoin based Bitcoin signature based protocol, that would doesn't have a blockchain at all. So it's it's it's pretty interesting. Where do you run the scripts? You could just run it anywhere. It's the the the this is just like an example of an outcome, so you could yeah. I I don't know if I should do exactly how how you how you do this, but it's it's just, like, outside of the protocol. Yeah. So so let's say I have, like, a a dice protocol a dice script.
[01:44:39] Unknown:
Right? Yeah. And my and my contract says that, you know, it needs to be, like, a minimum of 6, right, for this funds to be released or something. Yeah. Does how does my contract validates that this was actually dice as supposed to me just feeding in 6?
[01:45:00] Unknown:
Yeah. So I think here it wouldn't it, you'd be basically trusting the the Oracle. So it's it's it's it's, like, observable things. So dice wouldn't be a good example because that's not really, like, a Mhmm. A thing that multiple parties could all observe unless they were all on the same place. But, like like, just for example, you know, if you wanted to make bets on some like, some very specific thing, like, you know, which basketball player gets a technical foul in the second quarter, there's no oracle that's attesting to that currently, but you could write a little script. You can do an API called the ESPN or something, and you can make bets on this. So it could potentially make more thing make make DLCs work for more types of events, and that might lead to more liquidity, which then would make DLCs useful in the real world. Because currently, they're not because there isn't enough liquidity.
Very cool. And it also simplifies the protocol a little bit too, I think, potentially. So just a cool interesting thing, that yeah. It's,
[01:45:59] Unknown:
you know, maybe in a couple years this will actually exist. You know, part of the reason why I wanted to start this bot is because I hear Shitcoin are saying that nothing gets built on Bitcoin. Right? So just just mentioning and bringing up all these little things that are being created, maybe somebody else hears it, and that's exactly the thing that they were looking for, and, you know, some people go build a company on it. So that's that's pretty cool.
[01:46:26] Unknown:
Yeah. This one's really interesting because the main guy I mean, there was, like, 8 people on this paper, but the main one the one that I know, Lloyd Fournier, Fournier, I don't know how you say his name. He's just been grinding away trying to do these kinda crazy cryptographic applied cryptographic ideas on Bitcoin for, like, 2 or 3 years. You know, he's sponsored by Spiral and did some other stuff. And so this is to me, it's, like, the first really big thing he's produced that's super interesting. Very cool. Yeah. Sometimes it takes a long time as well to actually produce something. So you mean good technology is not just like, you know, something you come up in a hackathon and it's done, and you go fundraising?
[01:47:03] Unknown:
Correct. Correct. That's that's good to know. It's very validating.
[01:47:08] Unknown:
Correct.
[01:47:09] Unknown:
Alright. There is this bit proposal, receiving a change derivation path in a single descriptor. That's very useful.
[01:47:20] Unknown:
Yeah. It's kinda ridiculous if you're if you're doing a descriptor wallet. Like, a descriptor the idea of a descriptor is it's supposed to describe the scripts in your con in your wallet. Right? It sounds very simple, but in practice It's not. Every wallet has receive and change addresses. So you can't you the one descriptor doesn't actually even describe a wallet and until this bit. You'd always need 2 descriptors, which is kinda stupid.
[01:47:42] Unknown:
So with this one, we'll finally be able to have 1 descriptor describe the average of 32 wallet. It's kinda funny, right, because the original proposal for descriptors were to resolve this problem by having a single descriptor,
[01:47:54] Unknown:
and yet it didn't. Yeah. It was never a single. Yeah. It was always 2. Exactly.
[01:47:59] Unknown:
No. This is this is great. It's nice to see movement on this. This is the kind of stuff that we would definitely support on, on CodeCard, fast. Nice. Alright. So Taproot adoption, there is a link here for people to go check it out, but I don't think it's it was down. It's still down. It's down. Yeah. It's BitMax's thing. They're down. It'll be on the show notes. People can check out later.
[01:48:24] Unknown:
It's up into the right Yeah. With very small numbers.
[01:48:28] Unknown:
Yeah. No. I mean, it's, it is gonna take a long time because there is no need for it for the majority of the users. Right? Bitcoin is serving its purpose very well with the very little it it offers, which is a lot. Alright. Yeah, I mean guys if there are other links, of projects and things that you want listed that we didn't talk about, feel free to add to the show notes because people will look at it and click and read at their own, their own time after no longer bothering their ears. Okay. So this there's a new section of the show now we're testing out, and we're gonna check the analytics to make sure that people really, got to this part. Otherwise, we'll kill it, of course.
So this one is the this one is the tech tip of the day.
[01:49:22] Unknown:
By the way, MBK, multiple people this week told me they listened to the show. Multiple. Like, 3 or 4. Can you believe that? I also had a handful reach out to me about it. Yeah.
[01:49:33] Unknown:
Okay. It must be the grace of, Matt's mustache and Justin's mullet. I I cannot think of any other reason.
[01:49:45] Unknown:
And the list.
[01:49:51] Unknown:
Alright. So the tech tip. Okay. So, you know, you should have Thor running on your computer by default as as a as a as a daemon, not per application cause that's silly and you end up with multiple instances, and it's just stupid. So if you're on a Mac, which majority of sane people are, you can use brew to install Tor, so you do brew install Tor, and then you there is this new feature from brew that's been around for a couple years now at least called services. So you go brew services start Tor, and then you can actually check which brew services are running, and you go brew services list, and it's gonna list which services are running. What's nice about this is that for people that use brew already probably know is that brew is a much more sane package manager for OSX.
It keeps everything tidy, and it's nice and clean and simple so it's easier to audit some of the stuff, and now you have Tor running on your computer. So you go on your Alactrim or whatever, and you essentially just put all the services that you can and you should to proxy over Tor, if they don't have onion addresses to reach out to to begin with. So in the proxy, you just go 127.0.0.1, which is local host, and the port is 9,050. All that 4 step process is on the show notes. So I wanted to get something, a tech tip that the 2 of you maybe take for granted, but could be useful to somebody out there. Is there anything like that that you guys have?
[01:51:46] Unknown:
One of my favorite ones every time I get a map, this is a very this is very minute, but, I love to change the key key repeat rate. Make make the key so, like, you hold down a key and it goes faster. That's there's a way that you can Google that. There's a way to do that, and it's it's really a life changer. You you hold down the key and you can move much faster.
[01:52:08] Unknown:
You can make it like lightning fast. The key repeat and the gap to repeat. Yes. So the hold down to repeat, so how long it takes to start repeating, you can also change that. That's that's like a huge deal. Justin, do you wanna find the 2 commands? It's like a 2, global, variables in the OSX that you can change. We can add to the show notes too. I'll add that to the show notes. Thank you. That's that's a great one. I'm setting up a new Mac a few days ago, and, that's, definitely one that I did on the 1st day of setting up the new Mac. Matt, do you have anything for us?
[01:52:47] Unknown:
If the bandwidth constraints and latency of of Tor got you down, you can get a hosted VPN account with MOLVAD using lightning@vpn. Sovereign.engineering. Fantastic little Really? Service offered by, I think Carl Dong offers that. So lightning VPN? He has cons has some kind of gift card relationship with them, so he just accepts the lightning and then immediately credits your account. And if you don't have an account, give you a new account. So you don't need an email or a password or anything like that. It just gives you this number code that you put in to either, the mobile apps or you can use it with OpenVPN.
It's a fantastic little service.
[01:53:34] Unknown:
On the on the privacy, Helm there, I know you have some suggestions for, like, throwaway phone numbers and those providers. If you wanna add to the to the show notes the some of those providers would be very helpful because when you Google those, it's a lot of shit scamming, options out there. It will be nice to have a field that sort of, like, are recommended.
[01:54:04] Unknown:
Yeah. I mentioned that right now just real quickly. There's text verified.com. You can pay with Bitcoin. Those are single use numbers, so it's only at the time of verification. But they work really well for services that need verification because a lot of times they have blacklisted numbers, but text verified doesn't. So you can use it with Twitter. You can use it with different services like that. Bitcoin ATMs, they support a bunch of different brands of Bitcoin ATMs. So that's textverify.com. Then you have silent.link, which provides you a full esim, for Bitcoin. So a lot of the new phones now, you can just download an esim from the Internet rather than use a SIM card. So they'll give you a fully functioning SIM card virtually, with data and everything.
That's also payable in Bitcoin. And then if your threat model is lower and you just wanna make sure when you go and buy something from a store or something like that, they don't have, the same phone number that you always use. There's apps in in both app stores. The 2 big ones that I've used and recommend is mypseud0, m y s u d o, and hushed, h u s h e d. And both of those, like, you just download them from the App Store. If you have, like, an iPhone or whatever, like, your credit card set up to it, you can literally just purchase it in the app. Really cheap. You can get a number for a year for, like, $40, and you can just end up with, like, hundreds of numbers for $40 each a year, or you can buy them for 30 days or even cheaper, and just never put the same number ever again.
[01:55:37] Unknown:
I wonder how many of those numbers that get reused eventually. You keep on getting text messages from, like, weird services from other people. Oh, they're so reused. Like, I get sent money on, like,
[01:55:47] Unknown:
like, it's like someone's trying to send me money on Cash App or one of my numbers, and they're asking why I haven't paid my rent. And
[01:55:55] Unknown:
That's funny. That's really funny, and I could totally see it. I bought another number, from from a different town, and, that guy clearly owed money. So, like, every single tax collection that service out there calls that number is really annoying and I have it forwarded so I don't necessarily know that I was trying to call that number. So I'm often like, what are you talking about? Alright. And then I have to explain to them. Guys, do do you have anything else that we may have missed on the list? Because it would be at least another couple weeks before we record again if you guys come on again. So, now would be a good time to mention it.
[01:56:38] Unknown:
I believe the list was comprehensive on my side. That's good. No. I mean, I think this is a great conversation. It's always a pleasure having you and Justin on to join me.
[01:56:49] Unknown:
Hey, Matt. It was very nice having you as a guest. A guest. And, just and maybe I'll promote him to, cohost just to piss off Matt.
[01:57:00] Unknown:
Matt has too many engagements. He cannot cohost anything else anymore. Yeah. He was holding us hostage for the better part of a day.
[01:57:07] Unknown:
There is that too. Totally,
[01:57:09] Unknown:
calendar Cinderella there. Yeah. It was a family emergency. Thank you very much.
[01:57:14] Unknown:
In all seriousness, I really appreciate you guys joining me on this. It's, it's very helpful and it's very pleasant and it's fun. Thanks to our new producer, Joni. He's been super helpful too, and I hope, I hope, Joni doesn't have too hard of a time adding more to this list from all the extra crap that we talked about. And, now we have recorded exits, so I don't even have to say the the closing anymore. I do recommend people go check out the show notes, not on the podcast apps because those only have 4 4,000 character max, and we already have a 160 lines on GitHub for this episode, and we were sort of cutting it down. So, this is this is a lot of fun. It's nice to talk about all the stuff that's going on in Bitcoin. And, with that, I guess we can say our goodbyes here. Cheers. Always a pleasure. See you next time. Take care, guys.
Thanks for listening and going through another boring list of updates once again. Don't forget to get in touch on Twitter at Bitcoin review HQ or the Telegram Bitcoin review pod or email bitcoin review atquaintite dotcom. Remember, I don't have a crystal ball. So if you have a cool project you're working on, do make sure to get in touch with us. And if you're still not bored, you can follow me on Twitter at nvk.
Hello, and welcome to the Bitcoin review podcast. The podcast where we fail at boringly reading the latest release notes and discuss project updates. So we, have, Matt and Justin again on the show. Really it's just Justin. We have the ghost of Matt here. He's gonna be replaced by a computer, the booze. Well, I guess the next stop really is for us to have, Marty prerecord the show notes. And then we play Marty doing the show notes, and we talk about And we'll just tackle him. That's right. I mean, that that would be quite perfect. So, yeah, thanks thanks for coming again, guys.
This is this should be fun. It's, it's quite the the long list. Do you guys, do you guys have a a a good day so far? Absolutely.
[00:01:08] Unknown:
It's been a good Monday.
[00:01:10] Unknown:
So people that can't see because there's no video, Justin has taken over Marty's podcast studio. Yeah. It's over for Marty Bent.
[00:01:18] Unknown:
Word put the word out. He's run off to New Jersey or wherever the hell he went. You know? Fled Texas, couldn't handle the heat. Now I got his podcast studio, and,
[00:01:31] Unknown:
yeah. It's it's over Maybe maybe he moved to to California. It's gonna be very compatible lifestyle.
[00:01:39] Unknown:
Yeah. Nobody knows.
[00:01:41] Unknown:
Right. Alright, guys. Let's let's enter the boring list.
[00:01:46] Unknown:
So starting off be a good black boom this week.
[00:01:50] Unknown:
I love how hard it it just like goes right in there. No. I'm not gonna make it. I I am not making to conferences until probably mid late October.
[00:02:03] Unknown:
Well, Justin, I'll I'll see you tomorrow then.
[00:02:06] Unknown:
I won't see him today.
[00:02:08] Unknown:
Bit black boom's gonna be fucking sick this year. I'm pretty excited.
[00:02:11] Unknown:
Are you guys ready for the list, or are we gonna just, like, you know, keep this not boring and fail every time?
[00:02:19] Unknown:
Oh, I've been ready for the list for, what, 3 weeks now, 4 weeks? How many weeks have I been ready for the list? I mean, This list is just gonna keep on getting too long. I've been begging for it, the list.
[00:02:30] Unknown:
Okay. So then let's give it to, to Justin. Sparrow, 1.6.6. That was a good strong start there. Authentication via off 47 and lnurls, improved performance for very deep wallets, change from notification tx's in spent last, copy labels from deposit UTXOs into bed bank. Any comments, concerns?
[00:03:08] Unknown:
These are extremely detailed release notes. Craig has been very busy.
[00:03:12] Unknown:
I I know, like, I I've asked, I think, once for him to have, like, a summary, but, no. It's a we got we got the deep ones. Alright. Joinbox version 0.7.0. Neo automatically generated SD card image for Raspberry Pi 4 and 3, connect fully loaded with QR code to the join market API, add custom labels to addresses, add join market API dot services dot tools. I have comments. Do you guys?
[00:03:45] Unknown:
You go first.
[00:03:46] Unknown:
Where do I find where do I find the list?
[00:03:50] Unknown:
Oh, Matt. You would never go this unprepared to,
[00:03:54] Unknown:
the rabbit hole recap. There's no preparation for rabbit hole recap. Trust me. It shows. I just wanted to say that Craig Raw is an absolute legend, and, Sparrow Wallet, I'm just so grateful we have Sparrow Wallet. This is such a fantastic fucking wallet. I sent on signal the the show notes. Thank you. Why don't you have them linked at bitcoin.review?
[00:04:14] Unknown:
We will. Yeah. This is a commit to the bitcoin dot review markdown file that then gets served as the website. We're professionals here, Matt. Yeah. So if you wanna open any of these links, you have to copy and paste. It doesn't the links don't work yet because Rudolph hasn't merged the pull request yet. But the list yeah.
[00:04:33] Unknown:
Very convenient.
[00:04:36] Unknown:
Yeah. It's great. So on join inbox, there's no, programming language here. It's just shell scripts for this UI for join market.
[00:04:45] Unknown:
Which is very useful, and and really sort of just ties things together because, you know, join market is the only sort of solution that we have that we know that our people are not gonna go to jail.
[00:04:59] Unknown:
So join inbox has been around for a minute. The lead maintainer is Open Arms, and it's primarily used via the Raspberry Pi Blitz project. So if you have Raspberry Pi Blitz, you basically just, you know, press install, and it's very, very straightforward to use.
[00:05:18] Unknown:
That's, that's right. I I think so this is still quite nerdy for for people listening, wanting to try join market. I think it's pretty much as nerdy as it gets. However, if you're a dev out there who can do UI, who can build something interesting, join markets, need some love. I think Gigi has some Yes. A bounty for join markets UI.
[00:05:49] Unknown:
Right? No. No. So HRF has a bounty for join market UI. It's about a half a Bitcoin. Okay. Gigi is leading basically the main project that seeks to win that bounty, and that's jam. Forget what Jam stands for, but, essentially, it's a joint market web UI, so you can run it on, like, Umbrella or RaspiBlitz or something like that and just open it up in your browser, Use it with your own node really easily. Yeah. I haven't tried that one yet, but, it did look promising from the the specs I I I saw online. That's that that was the g g one that I knew of.
[00:06:26] Unknown:
And for people that don't know, the cool thing about joint markets that joint markets does not have a centralized coordinator. It's part of the reason why I like it so much. It's just a market. People, put out an offer, to mix their coins, with yours, and you choose to pay their fee or not or pick another offer, from a market maker.
[00:06:51] Unknown:
Yeah. So anyone could be a maker and join market, and they set they basically put up this much Bitcoin. They say it's available for coin join. This is the fee you have to pay me. And then if you want to use that, offer, then you open up joint market as a taker and you use it. And then they have, like, different automated things that go through them and switch between, makers and whatnot. So one of the biggest trade offs with that is, yeah, you you have robust. It's a robust system that doesn't have central points of failure, but in return, you lack convenience. And the main lack of convenience there historically has been you have to use your own node with it, and the UI. So, to get to make the node part easier, you bundle it with node projects.
And then to make the UI part easier, you provide a web UI, where it's just point and click. And that jam tries to accomplish both of those elements. Have anyone looked into,
[00:07:48] Unknown:
using the Noster protocol to create a joint market coordinator? I I could see how that would work because right now you could use IRC. There's a few ways to coordinate joint market. Right now, they use IRC, which is, like, not ideal. Yeah. But the well, at least the cool thing about IRC is that anyone can connect to that sort of quite privately.
[00:08:10] Unknown:
There was a coin join implementation with Nostra recently that someone posted a gist, like, 2 months ago, and there's a slightly more polished one from, like, a pretty well known Bitcoin developer. I don't know how this thing has it's it's called the Joinster. You You just look on Twitter for example.
[00:08:28] Unknown:
Alright. So Electrum 4.3.0. This version introduces a set of UI modifications, simple simplify the use of lightning, the idea of stock payments, layer blah blah blah. Honestly, I am not a fan of Electrum lightning. I really wish they had not included that on Electrum. I actually have many things to bitch about Electrum recently. Do you guys wanna start before I go on my rant? Go for it. Go for it. So the new UI, UX really, on Electrum now requires, you know, 50,000 more clicks to just sign a transaction. I don't understand why they create that finalized screen, probably because of lightning stuff. As usual, why can't we just keep things separate? You know, the lightning stuff and the electrum stuff for Bitcoin, and, it's it's it's very brutal.
Yeah. Anyways, so that's really that's that's my rant.
[00:09:29] Unknown:
I mean, look. I appreciate the Electrum team because they've been around forever, and, I used to heavily rely on their project. But, at this point, I just don't know why you wouldn't just use Sparrow.
[00:09:42] Unknown:
Oh, I have many reasons, but I I am an absolute the the reason why I'm so passionately pissed at Electrum is because I'm passionately fan of Electrum. I love Electrum. I use Electrum. So you still use Electrum
[00:09:56] Unknown:
primarily?
[00:09:57] Unknown:
Of course. It's the devil I know. Right? And I know the amount of eyes that are on it. It's it's, you know, it's a fairly well reviewed project with a lot of user base. And, I I I think it it serves a huge purpose. We can't end up with just one wallet. It would be terrible. Well, yeah, obviously. So I really want Electrum to stop with the lightning stuff and and sort of focus on Bitcoin.
[00:10:23] Unknown:
But it's really the opposite. Right? The opposite is what was happening is is is if you talked about power user wallets, we were basically just we basically just had Electrum.
[00:10:34] Unknown:
No. You could have used, Bitcoin core with RPC commands for power users. Yeah. Of course, you can use Bitcoin core. Yeah. No. But but, like, that's kinda how I see the competition, and it's kinda funny because that's how the project started was literal competition for Bitcoin Core because Bitcoin Core, while it was unusable way back, still unusable. And, yeah, I mean like Spector Desktop, I I don't know where that's going.
[00:10:58] Unknown:
No. But, I mean, look. If you if you look 2 years ago and you wanted to use a desktop software wallet, with, let's say, with your hardware signers, for instance, if you had hardware wallets Mhmm. Your basically, your your two choices were Electrum and maybe, like, Bitcoin Core. Now over those last 2 years, we've added Specter to it, we've added Wasabi to it, and we've added Sparrow to it. Yeah. But not really. Right? Because Wasabi now does chain analytics, and everybody hates it. Right. Correct. Sparrow
[00:11:31] Unknown:
really does not have enough devs or time in the market. We gotta start somewhere. No. Listen. I I absolutely love Craig. Right? Like, it's this is not a criticism of Craig or the project. It's just sort of like a a a factor of the the time in the market and sort of like install base size. Right? So, like, when you're talking about, like, you know, putting all your, like, doing very large transactions on on a computer, you kind of really want the the project to have, you know, time in the market, like, a lot of people who don't necessarily like it, use it to also audit it. It's just a function of market size and time.
I think you'll get there. It's already getting there. It's a fantastic project, but, you know, it's also Java, which has a lot less people in Bitcoin space looking at it as well. Nunchuk too. Yeah. So Nunchuk is fantastic, but also, you know, still sort of not quite there in time in the market, install base, and and reviews. We need people using it so that they do get there, and we want them to get there.
[00:12:41] Unknown:
And then I guess on mobile, and the I think they have a Mac app. It's BlueWallet too.
[00:12:46] Unknown:
But isn't BlueWallet sold to some exchange and nobody's developing much anymore? I I don't see, you know, much going on.
[00:12:53] Unknown:
Nuno responded to one of my tweets saying that that deal didn't happen.
[00:12:59] Unknown:
Maybe are the devs, like, busy with other stuff then? Because, like, the project seems sort of, like, semi abandoned. Right? They just keep up with updates for us. I mean, my sources kept telling me they got sold and, like, had pretty
[00:13:10] Unknown:
concrete exam like, concrete proof of it, but he said they did it publicly, so I I have no idea. We're not gonna know. And in all honesty, it shouldn't matter. Right? Right. It's a false project.
[00:13:23] Unknown:
No. I mean, it's just it's just it shouldn't matter. Right? If the if the cold is good and, you know, it's a shame that because of the way app stores work and stuff, you can't just side load and whatever on iOS. But ideally, it shouldn't matter. Right? People can review the code. People can build a project. People can test, and it shouldn't
[00:13:42] Unknown:
matter. Well, I mean, even with the App Store thing, and BlueWallet is MIT. Mhmm. So, presumably, like, we could get off this podcast, just rip a direct copy of it, put it on the App Store, and call it, you know, Aqua Wallet or something. Yep. Well, I I mean, you know, I am a huge sort of,
[00:14:01] Unknown:
BlueWallet fan to when I when people ask me which wallets they should use as, like, a simple single sig iOS wallet, but progressively, I've been sort of switching to tell people to I send them to either Nunchuk, or Mun Moon Moon Wallet. Although Moon Wallet, I can't send people to because they don't use seeds, which drives me absolute bonkers. I I can't, in the right mind, send anybody to a wallet that doesn't use seeds.
[00:14:32] Unknown:
Yeah. I mean, that's a difficult one with Moon. Right? Because it's like the ultimate beginner's wallet, but you kinda set them up in the wrong trajectory because it doesn't have seeds.
[00:14:42] Unknown:
Great. And, you know, I I appreciate people wanting to make an encrypted backup into the Icloud for those kinds of wallets, which is fair. It's a very reasonable way of handling backups. But you should still be seed based because then you're compatible with every other wallet that can recover those funds. My understanding is it's because they use a a multisig. But it still doesn't matter. You can still use the seed the seed as the source of entropy.
[00:15:09] Unknown:
Yeah. But it wouldn't be recoverable in other wallets. That point is off is what I mean.
[00:15:14] Unknown:
I don't well, right, they use do they use a proprietary sort of, like, non spec version of the multisig script. Is that is that why? I think it's just 2 of 2. If it's 2 or 2 give you a seed? Yes, but green uses nonstandard multisig too, unless you use the their new version of green now allows you to create single sig and standard multisigs. But if I remember right, their basic automatic default, their 2 of 2 thing, is non standard. You know, there's recovery scripts out there and stuff, but, you know, I ideally, I don't want to send users to any wallet that needs, some custom script that nobody else uses. Right?
[00:16:03] Unknown:
That's the beauty of BIP 39 if used. Yeah. But I don't think I don't think Moon competes. Like, it's weird that Moon even came up in this conversation. Right? Because, you know, we were talking about specifically on chain wallets and specifically within that savings wallets or wallets that you use to, you know, to interact with your savings. While Moon, on the other hand, to me, is, you know, an easy way for people to participate in lightning on mobile, with very, you know, little little user friction. And in that situation, it's really competing against, you know, like, Wallet of Satoshi and Blue Wallet's custodial lightning wallet, and both of those are custodial lightning wallets. So let alone the backup method. I mean, you don't even have your keys.
[00:16:44] Unknown:
This is the problem though. People are not gonna download more than one wallet, and they shouldn't. Right? Especially the people we're talking about here. Right? The the person who is just gonna have some bucks to spend on lightning or some bucks to spend on on on chain. They're gonna want a single wallet, or they might download 2 wallets if each of them does not do what the other one does in the wrong way. So the problem is, you know, they get they get blue water and then they're gonna use blue water for all their stuff. Right? So then they're gonna end up on on custodial lightning. And then if they use moon, then they're gonna end up using Bitcoin base layer in a way that is not easy to recover.
So it kinda sucks. You know, my dream wallet, which I might end up having to do, is I want a phone wallet that does single sig basic. Okay, very basic single sig, and then go use Lightning somewhere else, You know, or
[00:17:51] Unknown:
you Yeah. Like with Moon.
[00:17:53] Unknown:
Right. But but why does Moon then do base layer?
[00:17:58] Unknown:
Because the whole point of Moon is to keep it as simple as possible. You scan a QR code and it just pays. Like, I don't like, this idea that Moon should have, like, all this different functionality is ridiculous.
[00:18:09] Unknown:
Sure. Then he uses seeds so that people can use a metal plate that already works for seeds.
[00:18:14] Unknown:
As far as I'm concerned, you don't even need a backup for Moon Wallet. That's just icing on the cake. Like, if you're carrying around, like, $400, $500, it's a spending wallet. Yeah. But, man, like, people lose phones. People break phones. Which is why they have email password recovery, which for, like, 99% of people is more intuitive than a seed anyway.
[00:18:35] Unknown:
I don't I don't like that. Maybe I've just been in this space for too long. But meanwhile, like, right now, my current Moon Wallet, not backed up at all. Yeah. I I can't. I just I just can't. Because, you know, the problem is people are gonna have, like, $400 in their moon wallet or a $100 in their moon wallet. Right? And then they're gonna forget that they had it, and then 2 years later, Bitcoin's worth, you know, a 100 times more, and then they go like,
[00:19:03] Unknown:
oh, I had some Bitcoin on that old moon. Then we sit tell them thank you for their service.
[00:19:08] Unknown:
I know. But, like, this was already the experience we used to have with Blockchain. Info way back then. Right? We shouldn't have this experience anymore. Everyone should be able to recover with 12 words minimum their freaking wallet. It shouldn't be that hard. It makes no difference. I I can't comprehend why they couldn't use 12 words as the entropy for whatever they're doing.
[00:19:30] Unknown:
I just think the complaints are misplaced. I think the complaints are really using lightning on mobile and easily backing up lightning things and, like, easy channel management and all this other stuff, and Moon is kind of dealing with what they have today and giving, like, a pretty good user experience for people
[00:19:49] Unknown:
in spite of all of that. It's fantastic, but why can't they just use 12 words instead of the gibberish? The the entropy space is the same. Anyways, we're not gonna come up with a solution on this call, but, you know, that's the problem.
[00:20:05] Unknown:
We should invite Dario on the next,
[00:20:07] Unknown:
Bitcoin review. Yeah. That could be cool. And then but then we're gonna have to be polite because the person is gonna be here who actually does all the work. There's a very big difference between bitching about projects when the people who work on the project are around and when they aren't. So just so everybody knows, we're just bitching. Right? I mean, like, really, it's not like we're taking our time going and fixing it or forking it. Alright. So Nunchuk, 1.9.12, they have some bug fixes and they added Sats card integration. That is the first SatsCard integration in the wild.
That's pretty cool. I don't know, have you guys seen the video yet?
[00:20:49] Unknown:
I've seen a few videos.
[00:20:51] Unknown:
It's pretty neat. You just tap, sweep, boom. Bitcoin is yours.
[00:20:56] Unknown:
Can you use it in a multisig?
[00:20:59] Unknown:
No. You you use Tapsigner on the multisig. Oh, yeah. Taps. Okay. Gotcha. Yeah. No. The Sats card is just like OpenDime, like, modern.
[00:21:08] Unknown:
Yeah. It's the cheaper one. So now they're both supported on Nunchucks, Sats card and Tap center?
[00:21:13] Unknown:
That's right. Those guys are busy. We talk to them just back channel for, like, 5 minutes to go and build it. That's awesome. Another thing I love about Nunchuk is that there is no dependencies. Like the the whole thing is there. All c plus plus, libsack, it's absolutely brilliant. It's a lot less attack surface that way. And also, they're not doing what the JavaScript guys have to do there's no serializing, deserializing, serializing, deserializing of all the secrets between many libraries. It's, it's very nice. Mhmm.
[00:21:49] Unknown:
Yeah.
[00:21:50] Unknown:
Alright. And moving on to Blockstream Green, 3.8.6. IOS and Android, display, firmware wash no. Sorry. Firmware wash. Firmware hash during Jade firmware update. Display the net amount without fees, handle connection failure during wallet discovery. And then on Android, login same, Thrasir and Ledger, single sig. Faster Jade firmware update,
[00:22:28] Unknown:
improved Ledger support. Does Nunchuk support the MK four's NFC yet? They're working on it. So it's it's a lot different. The flow the flow is a lot different than with Tap Signer? Yes. So
[00:22:41] Unknown:
Tapsigner uses message digests. Right? It's like a true, true, dumb blind signer for Bitcoin with a pin. Tapsider doesn't understand, PSBT, some of this stuff. Right? The the the stack is much reduced. While on cold card, it's the opposite. There is no proprietary SPAC, it just it's just data in and out via NFC. So technically it would be much faster, but the value add of doing cold card NFC is much lower than TapCigner with a multisig on Nunchuk, like collaborative or by yourself.
[00:23:24] Unknown:
Yeah. That makes sense
[00:23:25] Unknown:
to me. One question on green. Does, does green actually do the firmware updates for the Jade, like, via via Bluetooth or something? Or how do they how do they do the firmware update? Does it say, like, faster Jade firmware update? I have no clue. That'd be kinda cool if you could update your firmware with your phone.
[00:23:45] Unknown:
Sounds like a terrible idea. Can you imagine? Yeah. Because the the phone is, like, essentially, like, fully fully owned. Right? And now you're gonna take firmwares that you can't sort of verify on hardware that has no security, because Jade doesn't have any security. Right? Their their, security model is very different. So, essentially, Jade is using ESP 32, and which you cannot defend, like, at all. Right? And, what they do is they do a 2 factor authentication There's no secure element. No. It's worse than that. So ESP 32 is an extremely
[00:24:27] Unknown:
powerful,
[00:24:29] Unknown:
cheap, unsecure Chinese platform. Okay? It was designed for you to create essentially, like, fun things like a block clock, right, not for you to handle money. However, they came up with this sort of 2 factor authentication thing where you use Blockstream servers as the security of the jade, but you know, like you're still like holding a device that you can't trust, right, so if you see an address on a screen you can't trust that. That's part of the model problem that I see with with Jade. It's an interesting proposition, and it was a great solution because no other wallet was supporting Liquid at the time, but, like, you know, as an actual security solution, I am not, I'm not a huge fan.
And presumably, it's cheap as fuck. Yeah. I mean, ESP 32, the module itself is very cheap. It's a very powerful platform for the price. It's actually quite incredible. The reason why it's possible to do that is because it's made by a Chinese company that doesn't give a fuck about patents or licensing IP. So they go they they they they went, they did that, and and it has, like, you know, no security at all, for example. Right? All these things will save a lot of cost, and you can create these incredible devices that can do a lot. You just can't depend on them. Let's put it this way.
[00:25:57] Unknown:
So if someone someone has a a low price point for a signer and they're considering getting a Jade because it has a screen on it versus a TAP signer? What would you say to them?
[00:26:10] Unknown:
I mean, it's hard to say, right, because I'm very biased on this with both the fact that TAP signer is made by us and and also the way that we prefer our security trade offs. At least Tapsigner is secure. Right? It uses an actual secure element. It doesn't have a screen, so you are depending on the software that gives you the address. Now at least you know that the integrity of the device is much more secure. Is it perfect? Absolutely not. It's still a cheap secure element, but in my view is a much better security trade off scenario, especially if you're using TAP signer or multisig.
[00:26:47] Unknown:
Couldn't the phone just lie to you and then you tap it?
[00:26:50] Unknown:
Yes. But for TAP signer, if you're using a multisig, you can be the other party or your other device, so to be your sanity check for that address. It could also be, Jade or it could also be a cold card as the cosigner. Right? So you you would you you would rely on another party or another device to double check that address. Now, if you're using TapSigner as a single signer, the security model is not for you to have your life savings on it, it's for you to just not have your private keys on a phone, right? So you would have your spending wallet say your $500, $5,000 using the Tap signer just so that it's not on the phone.
It's just a little bit of a different sort of security trade off in a place there. While the Jade, in my opinion, gives you a false sense of security by having that screen when the device itself is not secure. But in the same way as the tap signer, you could rely on a third party to be your sanity check for that address. So I see the 2 actually very similar in terms of security threshold, but one is much cheaper and much more secure itself, but doesn't have a screen. Does that make any sense, Matt?
[00:28:14] Unknown:
Yeah. I mean, essentially, what it boils down to is if you're using it in a multisig, you would need multiple points of failure, to be compromised. Right? Because you'd have you'd have different coordinators for each of the signers anyway. Yeah. I mean, unless you're all using the same wallet software, right, which in the case of Nunchuck could be true. Right. But you might not all be updated, or your individual phone might not be pwned or something. That's correct. Even in a situation where it was a 3 of 5 multisig and 3 of the signers are different people holding tap signers and nunchuck, the tax surface becomes way smaller Yes.
Yes. Even in that situation. Just because there's multiple devices that need to be compromised. I guess you could, yeah, and update. Yeah. I mean, unless Nunchuk is malicious, right, like themselves, because then they would have to make a release for each platform,
[00:29:09] Unknown:
right, being evil and the same
[00:29:12] Unknown:
version. Right.
[00:29:14] Unknown:
I guess yeah. Yeah. Because your coordinator's online, so that has a massive attack surface.
[00:29:20] Unknown:
Yes. That that's correct. I don't know. I it may it makes sense. It's a low cost. You have to make trade offs if you want low cost, basically, is what it comes down to. Exactly. Right? I mean So it's what trade offs you make. And remember, right, like, you know, in a year or 2 from now, maybe, like, top signer is, like, you know, less than $10. Right? So you can have a hardware wallet for less than $10. So just, like, that's the path. Right?
[00:29:42] Unknown:
I will say, like, in multisig in general, it's nice that you do you do feel a bit of an extra safety that it's like, okay. If I fuck up this one signer, this one signer gets compromised or I lose the backup or something like that, I don't lose everything, and the other devices need to be compromised too.
[00:30:02] Unknown:
Yeah. I mean, multisig is amazing. Right? It's just the reason why we often recommend people to use single sig plus strong task phrase for real money is because most people will screw themselves out of their coins before they're actually robbed by somebody. Right? And having essentially a split secret, right, that's what passphrase plus single sig plus seed is, is very hard to screw up. So especially if you have a backup of each. Now with multisig, it's a lot easier to screw up, and you're still now depending on multisig. You either have extreme sort of, understanding of the stuff, and you're using, say, Electrum with multisig plus Sparrow. So, like, you're using multi client multisig.
Right? Now you're really getting the benefit of multi sig. If you're using single client multi sig, you know, the benefits of multi sig start to diminish because, you know, now you're relying that the client is not lying to you in multiple platforms too. Right? So it's not like a magical thing. The desktop? The coordinator? Yeah. So so imagine imagine for sake of argument that Nunchuk is evil. Right? They could be releasing evil software into 3 platforms, right, and then they could be doing a grifting attack or something like that, because you're using the same software to validate the transaction, like, before you sign it.
[00:31:39] Unknown:
Well, you should validate on the device. Like, that's the whole point of a screen on a hardware wall. Right? Because you don't trust the coordinator. Right. But not if the device is not does not have a secure element. So
[00:31:49] Unknown:
the problem with, say, Jade or Trezor is that it's very easy to put, like, fake software on it. Right? Like, some some dummy software on it that's lying to you.
[00:32:01] Unknown:
Right. That's why you want a screen and a secure element.
[00:32:04] Unknown:
Yeah. Yeah. I mean, remember, the secure element doesn't just protect your seed. It protects the firmware as well.
[00:32:10] Unknown:
Right. The integrity of the device. Exactly. It does How exactly does it protect the firmware? I used to know this. It it, like, does it do a do a do a signature check when you try to update that, like, that file? The, like, the new firmware file? I can speak in our case. I'm I imagine the the the ledger guys probably do the same is that we check byte per byte of the firmware,
[00:32:30] Unknown:
right, in memory. So you become very obvious if there is a change to the firmware because you'll have a hash of it, and you also check all the bytes. Right? How would you check the bytes on a new firmware update that the old firmware doesn't know about yet? So the the secure element has a, certificate, right, that checks the signature when it receives the firmware binary. Yep. So then, you know, it checks that. And then once you have it in memory, right, it always knows that the signature checks, but it also checks the, you know, the stuff that's actually running in memory is also the stuff that's supposed to be there. Oh, okay. Interesting. Yeah. So so the the challenge when you don't have a secure element is that, like, if you if you can run any software you want, the the user won't know. Right? That maybe once they put their PIN, they're actually unlocking their secrets to a malicious firmware.
[00:33:21] Unknown:
I mean, I'm pretty sure that, like, a Trezor does, like, they their official instructions don't have anything about GPG
[00:33:29] Unknown:
verification, because I think the device itself checks the signatures when it's uploaded. It's just that the the keys that That's correct. Up that that check that aren't stored in a secure element. That's the main difference, I guess. Yeah. Exactly. So, you know, a bad guy could go and replace that key. Yeah. Like, as easy as it would be to steal that seed to begin with. Right? Yeah. In that specific device. If I remember right, Jade goes a bit a bit further, right, because they are using a server model to do some validation, but at the end of the day, I mean, you know, if the client is weak, the client is weak. Right?
There's only so much you can do, And mind you, like, you know, this is not to FUD any of these projects or or, like, to to FUD the stuff in in general. It's just we're just sort of discussing, you know, like, realistic, attacks surface that is not trivial to do. Right? I mean, it is trivial to to extract a seed from a treasure, but it's not trivial to replace the signature on the device and load a new firmware that looks the same. It shouldn't be too hard, but I would say it's not trivial.
[00:34:43] Unknown:
Mhmm. Do you know how the server validation works on Jade?
[00:34:47] Unknown:
I looked into it, to be honest, like, why a while back. I I haven't looked in a while. They they have some some clever cryptography there, but, you know, you're still depending on the device. Right?
[00:35:01] Unknown:
And I guess that go that happens through Green Wallet? Yes. It it does. Actually, I I don't I I don't know. Have no idea. I didn't even know that's was their configuration.
[00:35:11] Unknown:
I kind of vaguely recall that being the case, but I've never used it or anything. You know, I I also think that there's a much smaller install base, so it's not as concerning. I I don't think there's a lot of people using for a lot of Bitcoin. It's mostly like a liquid thing, so it's just different, to to the amount of eyes on a lot of stuff. They employ a lot of smart people too. Like, you know, cryptographically speaking, they have a lot of very, very high quality cryptographers at Blockstream. So I I don't think that would be the the attack surface there. I think for them would be more like implementation on the hardware and, you know, just, you know, ESP 32. It's a Swiss cheese.
Man, I think we should rename this pod the the bitching about wallet pod. We join you every few weeks to bitch and also to be grateful. I mean, the last one the last one, we didn't bitch this much.
[00:36:12] Unknown:
Did we? On the Embassy OS? Yes. So you bitch about an operating system for a bit?
[00:36:19] Unknown:
Oh. Alright. So Embassy OS 0.3.1.1. Loads of updates. I think it was Bitcoin mechanic who who gave us the update. Oh, Jesus Christ. It is a lot of updates. I'll start reading some, and then I'll give up. Doctor, doctor, Docker, stats fix, update back end dependencies, fix receipt, receipts, health, return correct. Okay, guys. You guys really need to you could work on her. Keep going. It's so so organic. I can't I can't do this. It's too long. There's like 50, like it's literally every commit too long. Is there a TLDR? Let's look at their website.
[00:37:11] Unknown:
Well, it's a it's it's not a major commit there. How many decimal places here? Three decimal places in this version. Yeah. That's not.
[00:37:21] Unknown:
Anyways, so yes. So Embase OS had a lot of updates. You guys have any comments about, Embassy OS?
[00:37:28] Unknown:
I mean, it has a very wide scope. You know? Like, they have all kinds of stuff outside of Bitcoin. Well, stuff I never heard of. Burn after reading share messages and files that are destroyed after they are viewed. You know, all kinds of little things like this you never heard of. And even, like, for example, after the, what was the, Ethereum thing that got that got sanctioned? Oh, no. They're coming in at for my studio here. Tornado Cash. Yeah. Tornado Cash. After that, they they did a self hosted get service that they added, you know. So they add all kinds of stuff to there, much more so than I think any other implementations tend to.
[00:38:08] Unknown:
Yeah. No. It it's a you know, that it's like a a big project, it seems.
[00:38:13] Unknown:
Yeah. I mean, I've never used an embassy, but, everyone I've talked to that uses it really enjoys it. And I I just I I appreciate I appreciate their goal, which is basically all the things that we currently use, like AWS and these big cloud providers for. You know, maybe we can host some of those at home in a relatively easy convenient way.
[00:38:37] Unknown:
Yeah. Like, they have a photo viewer. You know? They really try to cover everything.
[00:38:41] Unknown:
I don't even think they would consider it a Bitcoin project. Like, Bitcoin supported on it. No. But it's really a sovereignty project.
[00:38:50] Unknown:
Yeah. The, like, your own cloud. Like, there was there was a term for this. Self cloud. Self hosting? Cloud. No. No. But there was, like remember, like, when when people started getting pissed at Dropbox and all this service, the the photo sort of hosting software, somebody came up with a term for this stuff. Whatever. Let's call it own cloud, cloud, cloud. Own cloud. Alright. Ras Blitz, introduction of WebUI and API. Rasp Blitz is an interesting project. This is fairly Bitcoin sort of
[00:39:34] Unknown:
focused. Raspberry Blitz is a 100% a Bitcoin project. Yeah. They have CK bunker. Yeah. They support pretty much every good Bitcoin project that, you know, that you want to use with your own node and that you want hosted 247, and you can run it relatively easily. Now it's interesting because, you know, RAS by Bliss has always been extremely powerful, and I honestly think it's pretty convenient to use. But for their their big differentiator, the the reas all of a sudden, all these other node projects started to be successful. You could think like Umbrel and MyNode.
They were becoming successful because they were more convenient to use than RAS by Blitz, and that was because they had a web UI. And for a long time, the Raspberry Pi Blitz guys did not want to they said, you know, if if you can't figure out how to use our command line interface, then use a different project. But it looks like I mean, technically,
[00:40:35] Unknown:
half of the you know, for half of the purposes people use this these, node in a box, honestly, they shouldn't be using them if they don't know what's going on under, especially with, like, auto updates and stuff for core, major attack surface there. Right. But
[00:40:55] Unknown:
but, yeah, no rep splits, I guess, when it's those users too. Yeah. So they added a web UI. So this has been a long time coming and
[00:41:03] Unknown:
very big release for them. Very cool. Congrats, guys. It's a it's a good project. Alright. B d k 645 adds away well, this is just a pull request. It's not a release yet, but, adds away to specify which Taproot span paths to sign for. Previously, bdk would sign for a key path span if it was able, plus sign for any script path leaves it, leaves it had the keys for. That doesn't sound right. Anyways yeah. No. BDK, it's it's it's interesting. It's a lot of effort going to it. It's a shame it's in Rust.
[00:41:53] Unknown:
Okay. I guess you guys don't have a I don't know if you need on that one. I mean, I'm trying to figure out what it does. I think it's just trying to not sign sometimes. It's not trying to sign too much. You know? Like, if if there's hidden things in the Taproot, it's trying not to, like, leak them, basically. That's what I'm guessing.
[00:42:09] Unknown:
It it could be. It also makes sense. Right? Because with Taproot, you you don't know what you don't know as part of the script. Right? Because there's there's a bunch of other stuff that could be there that
[00:42:20] Unknown:
you don't know. Yeah. There's more you can leak.
[00:42:23] Unknown:
That's true. Alright. It's nice to see Taproot sort of, like, moving in in in good Bitcoin fashion, like, boring and sort of quietly moving a lot.
[00:42:40] Unknown:
Have you used the Taproot address yet?
[00:42:42] Unknown:
No. You know me. I'm gonna be probably I'll die before I move to Segwit. Have you used the Segwit address yet? What's that?
[00:42:52] Unknown:
Justin, you I I assume you have. Right? I have, but very little. Just, actually, BDK
[00:42:58] Unknown:
because that was the first wall that used it. Yeah. I've used Taproot, but mostly just for, hey, I made a transaction, but, like, no. I shared a link before this call about the transaction stats for Taproot, like, what percentage of all UTXOs are Taproot. And this is BitNex's thing. It's down right now. But it was, like, something like 0.06 percent of all transactions are, are tap root right now, the UTXO set. So it's it's very minimally, Point 6? Something like that. 0.6 or 0.06? Yeah. We add it to the show notes. Yeah. It's just it's crashed right now, so I can't see.
[00:43:32] Unknown:
So generally speaking, you know, when it comes to money, I am a huge fan of not changing anything unless you need the something that's gonna come from it. You know, like, Taproot is amazing, very cool. Can't wait to have all kinds of cool stuff I can do with it, but I'm not gonna use it for real money, for real every day until there's a specific feature
[00:43:53] Unknown:
I want. I'm on the same exact page there. 100% aligned.
[00:43:58] Unknown:
Yep. I'm glad to hear it, Matt.
[00:44:01] Unknown:
Gives me confidence in your stats. Do you use Segwit for hardware wallets? Because Segwit has some features that make it better on hardware wallets. Right? Like, they they fix the segash so you can verify amounts and stuff. Like, I guess that's something that you'd probably Yep. Yeah. No. Cold card is Segwit by default.
[00:44:18] Unknown:
Segwit is pretty battle tested at this point.
[00:44:21] Unknown:
Yeah. Yeah. Yeah. And and also another thing about Segway 2 is for multisig where you don't have to to have an order for the signers. Yeah. While the legacy analysts as you do, which is a huge deal when the widow of a programmer who overcomplicated the script hits our support.
[00:44:42] Unknown:
Yeah.
[00:44:43] Unknown:
So, next is, Kotlin multiplatformtor, Add store controller support for map address and resolve, full change log there. Who was it who brought this up? Somebody did on the on the issues. Nice to see more tour stuff happening. Alright, guys. We're moving on to the noteworthy section of the show. New self custody redundancy service, seed bank, upstart, service for passphrase, multisig users act as an Internet connected location in the context of redundancy backups. Seeds are sent obscure obscured over multiple channels, stored offline, anonymous operators, synonymous.
[00:45:32] Unknown:
Synonymous clients. Like an ad?
[00:45:36] Unknown:
No. I mean, that's that's their that's their, It's a seed bank. It's a seed bank just like, for Kumrockets. Like a third party service. Right?
[00:45:48] Unknown:
It reads like an ad. For more information, email us here. Yeah. I know.
[00:45:53] Unknown:
Yeah. Exactly.
[00:45:54] Unknown:
Oh, so the website doesn't work? It was working before when I checked. You gotta get rid of the www. And then it worked.
[00:46:02] Unknown:
Okay. So
[00:46:04] Unknown:
Yeah. Why are we talking about this? Did it did it someone you know What? Yeah. Listen. It's a it's a Bitcoin project. I mean, I'm gonna cover list. It's on the list, man. How did it get on the list? I I I can't remember. Point is, it's essentially a place for you to store your seed on the 3rd party, which is kind of a terrible idea, but at the same time, it is kinda cool. If provided that encryption is strong enough and you know the implementation of the encryption does not have any And the website works. And the backdoor there's no backdoors.
[00:46:38] Unknown:
There is no accidental bugs on the implementation of the encryption. I could see it being useful for multisig. And the website works. Multisig reduces the trust significantly.
[00:46:49] Unknown:
Yeah. I mean, personally, you probably wanna encrypt before
[00:46:54] Unknown:
they encrypt. Yeah. But then why are you even why not just encrypt it and put it in some kind of cloud or something?
[00:47:03] Unknown:
Matt, this has the same vibes as remember that project you had? Was it the Yeah. Final Message. Final message in a little bit. So it's like a way to store seeds. I always wanted to make a online lockbox Yeah. Right, for people. The problem is unless you can prove that the stuff is not illegal stuff in the file, you could have spam takedown requests.
[00:47:30] Unknown:
Right. That's why we made ours text only. Yeah. But I I mean, when I was thinking about with final message, it was specifically for inheritance. We're like, some trade offs have to be made for inheritance and you have to be careful with those trade offs because they can affect your
[00:47:46] Unknown:
security. Yeah. So yeah. No. I mean, listen. I I don't have something inherently against people storing
[00:47:54] Unknown:
encrypted stuff for you. Is this for inheritance though? Is is that what this No. Because I don't wanna go to I think it's just backup. Honestly, I'm, like, a little bit sketched out by the description, and I have my VPN turned off because I wanted to have a good Internet connection for this. So I don't wanna go to the website with my VPN turned off, so I have no idea what the website looks like. Oh, it was all over Twitter. Is it primarily targeted at inheritance? Like, do they have a mechanism in there to send that piece of the multisig to someone after you die?
I didn't check that fully. No. Because that could be that's useful. Like, I was hoping the only reason I created Final Mess because no one else did it. I needed that's the tool that could be very useful to me. If I could take a multisig one signer in the multisig and be able to pass that down to someone, in a dead man switch kinda way.
[00:48:44] Unknown:
I like the idea of having a encrypted lockbox on the Internet that is available to you, but I don't see a safe way of making that project in a way that the founders don't go to GAO or is just completely spammed out of existence with takedowns that you don't wanna fight in court. But if it's text, that's not the case. Well, but but then you can't really do text. It needs to be encrypted. Yeah. But encrypted text. No. You can't. But that then you can't prove that the data inside that is not something that shouldn't be there. See, what what law enforcement is gonna do is they're gonna be dicks. They're gonna go they're gonna get, kind of pictures that gets people in jail, and then they're gonna encrypt those pictures. Right? And then they're gonna put on your website, and they're gonna go to the judge and say, look.
There is encrypted pictures of things that shouldn't be there. But how do they put pictures and text? Well, it's it's gonna be binary, my Matt. That's the encrypted data, unless you're using XOR or something else, and that would have to be a seed kind of thing. But if there's if if there's just a text box on the website. No. But it doesn't matter. I could see, I could get binary data or or, you know, encoded base 58 or whatever. Right? That looks like text dumped on your on an input box on your website and upload it. But no, a character limit prevents that. No.
You can do BIS 58. So that's the that's the characters that you would use for text.
[00:50:23] Unknown:
You could get it that compact. Yeah. Yeah.
[00:50:25] Unknown:
Interesting. Yeah. Yeah. That that's that's how, for example, you put, like, say, PNGs in a, like, on page on a web in an HTML file. Anyways, point is it's very easy to yes. You can encode your binary data in whichever sort of format you want. Base 58 is an extremely common one because it is a limited char set that looks exactly like text, so that there is no issues with the parsers, and then somebody can put that stuff in your website. Noted. Now if you have normalized data, say for example seeds, you could come up with a SPAC that it can provably say that there is 12 words in there, as opposed to encrypted pictures.
Anyways, moving on from this one. It's a tricky one. It was all over Twitter. I figured I'd mention it. It's actually good that we discussed it in case somebody was thinking about putting their seed there. Foundry, the largest mining pool provides grants to open source Stratum V2. That's great. We need Stratum 2 v 2 to happen. It's about time.
[00:51:38] Unknown:
This is particularly big because Foundry is is the largest, mining pool in the world, but also because so so a major aspect of stratum b two is right now mining pool operators are able they're the ones who choose which transactions go into a block. They can obviously be coerced, or forced to not include certain transactions, so they become a central point of failure. In the current setup, individual miners in that situation could leave and go to a different pool. They basically have, like, a soft, like a soft veto there. But with Stratum v 2, one of the implications of it, one of the main goals of it is to make it so that the individual miners actually construct the blocks.
So it takes that power away from the pool operator and gives it to all these individual miners that are much more distributed than the pool operators. Also notable here is Foundry fully KYCs all of their customers. So they're, like, particularly regulatory friendly pool, and they're funding something that dethoots a lot of that defangs a lot of that regulation.
[00:52:56] Unknown:
Yeah. No. I I think any smart business, that is not aligned with the state thinking. They're just following, you know, the regulation that they have to so they don't get in trouble. Sees that it's important to create the tools that makes regulation pointless. So then they can get out of it without having to fight it.
[00:53:24] Unknown:
100%. But, anyway, great to see. Shout out to the founder team on this one.
[00:53:29] Unknown:
Yeah. This is, by the way, the the realistic way of handling things. Right? Like, it's kinda like the tornado cash sort of people sort of thinking that, you know, Coinbase is gonna fight, you know, the US government and risk 30 years in prison, for all the executives. You know, it's completely ludicrous. It's not it's completely unrealistic. You know, nobody's gonna risk jail time because, you know, people want privacy. That's why the regulations are designed the way that they are, is to discourage large companies from supporting the privacy stuff, and it's designed very well. Like, they're they're very good at making things awful to people.
So, the technology has to be inherently good at making regulation useless, not requiring some large entity to be benevolent.
[00:54:26] Unknown:
No. I agree with you, MBK. Justin, we can hear you eating. And laughing too. No. I was laughing. I was laughing at Justin eating.
[00:54:35] Unknown:
Oops. Small bite. Long podcast.
[00:54:39] Unknown:
It is. Can't you stay 2 hours without eating?
[00:54:43] Unknown:
Long list. Excuse me. Long list of podcasts. It's great. The list is long.
[00:54:51] Unknown:
Alright. Wait. Why don't we talk about no. No. No. Let's talk about tornado cache. I'm curious in your opinion. No. We will. After. After. Okay. Yeah. Because then there is, like, more than one story there. I'm I'm I but I only have so much capacity of reading text, Matt.
[00:55:09] Unknown:
Yeah. I don't, I mean, you don't have to go so far deep into the show notes. I mean, everyone always makes fun of Marty.
[00:55:16] Unknown:
Oh, yeah. We will. That that's no. No. This is the whole point of this podcast. Okay. We're gonna excruciatingly
[00:55:23] Unknown:
argue each. I guess now we're on to, like, news items. Right? Before they were, like, Bitcoin projects.
[00:55:29] Unknown:
Yeah. That's called the news and noteworthy. News and noteworthy. Okay. Or just noteworthy. Why is Nick's Bitcoin in here then? Because,
[00:55:37] Unknown:
I don't know. Shouldn't it be in the other section? He totally should. Okay. We'll read it. I I'm gonna blame the new producer. Well, let me let me let me take this one. So next next bit is is a little bit like, what was the one we just talked that just got the WebUI? Raspberry Blitz. You know, it's it's a similar thing like that. It's more security focused, less moving parts. The interesting thing is, like, next is a, it's actually a distribution of Linux where you can have, like, one little config file that can completely define your operating system, and it can, you know, build an entire operating system from that. And so you can have all kinds of restrictions, like what users can see which folders and can make which network requests. You can really lock it down at the operating system level. And so Nix Bitcoin is, a config, basically, in next that can build up such an operating system just for running a Bitcoin node, lightning node, and other things like that. So it's very security focused. Like, you know, for example, Jonas Nick from Blackstream is one of the main people behind it. I mean, he was just basically building a node from himself, and next batch plan is what it became. And so we're, Teddy went I think some probably some of our first production deployments will use this, just because we were using mix for our developer environment and our build system currently, and so it's pretty easy to just integrate it with this. So it's a it's a it's a really interesting security focus like node in a box solution that's much more aimed at tempers.
[00:57:00] Unknown:
There is one more super important thing about Nix is that they're very careful about dependencies management and, and reproducible builds. Right? So they they take a lot of extra effort to make sure that the dependencies are let's call it this way, the supply chain of dependencies, that the dependency chain is way better managed, and is sort of properly paid attention to, so you're not pulling some of the dependency that could be a non review new version that has a hole in it or something like that. They're they're a lot more conservative about dependencies that than your usual Linux. Yeah. This is this is the whole point of the project. This is the the reason it's different from other ones, is that they they
[00:57:43] Unknown:
model the software. It's just a is is a graph of dependencies. Right? So it's like Bitcoin Core. Right? Like, I'm just on a very high level. Right? Bitcoin Core is dependent on the GCC compiler because that's what's used to build the code. It's also dependent on SQLite. That's the database for files. And it's also dependent on LevelDB. That's the database for blocks. SQLite is for blocks. LevelDB is for blocks. So it, but this sort of graph can get much, much more granular because each one of these has dependencies. And so if you want a really deterministic build, you you need, like, a model of all the dependencies. And so the really cool thing about Nix is that they took this There's actually a fork of it called Geeks, which is used for Bitcoin Chorus build system, which took this to the absolute extreme where, not only can you build basically, like, if you use Ubuntu, you start you have to trust about 400 megabytes of trusted binaries.
Like, they're just, blobs of of of computer programs that you can't really audit. They're outputs of compilers. But, with geeks, you can build you can basically build all that from from source and a 250 byte trusted binary. So, like, this is basically a a a really interesting way of of making it so your reproducible build for a software project is, like, reproducibly correct. It's built from source code and not source code and a bunch of trusted binaries can't audit. So it's it's really interesting for security.
[00:59:06] Unknown:
Yep. But it's still not free BSD.
[00:59:09] Unknown:
Nick's Bitcoin is a is a really, really, really cool project. And I'm I mean, on the on the most basic level, it's just when we talk about that security versus convenience trade off balance, they're all the way on the security side.
[00:59:22] Unknown:
Yeah. They're extreme. It's hard to use. I'm I I I've been struggling to figure out how to get a server running.
[00:59:29] Unknown:
That that's a good sign.
[00:59:31] Unknown:
Yeah. I was fortunate enough to have, Nickler and the other lead maintainer on on dispatch, and it was a really great conversation. It was episode 40 42.
[00:59:43] Unknown:
Yeah. They have a matrix room that's very helpful.
[00:59:45] Unknown:
Yeah. Jonas is also the guy who did the half aggregation, signatures. He's a real cryptographer. He's fucking awesome.
[00:59:54] Unknown:
Yeah.
[00:59:55] Unknown:
It's another lizard made project, you know, he works for Blockstream. Alright. Signing devices.com. Oh, that's mine. It's a website to remind everybody that hardware wallets are a stupid term for Bitcoin wallets. It should be signing devices for hardware. You can go there and check it out.
[01:00:15] Unknown:
No. That was an ad.
[01:00:17] Unknown:
No. Not really. I I was not the one who added there.
[01:00:21] Unknown:
I just made it sound like an ad. Well, isn't signing devices dot com your website? Yeah. Oh, but you didn't But Did you did you did you not approve the pull request?
[01:00:33] Unknown:
Of course not.
[01:00:34] Unknown:
Okay. Fair enough. I just wanted to say on the previous on the previous topic, you said it's another lizard creation. I mean, the Bitcoin space has has I wonder how many people in the Bitcoin space recognize that comment.
[01:00:52] Unknown:
No. I mean, it was a joke because, see, for people that were not around the block wars Exactly. The a lot of people were saying that, you know, like, me and other people who supported small blocks were people paid by Blockstream, which I'm not, and we were all dragons, and we were lizards. So, you know, the the joke going forward always is if you work for Blockstream, you're a lizard.
[01:01:20] Unknown:
It's it's it's so dumb. Yeah. Most people don't recognize that reference because we have so many new people now. Yeah. I know.
[01:01:27] Unknown:
Well, I'm glad we explained it. Right. It's it's really dumb because all these projects are all open source and all verifiable, so it makes really no difference even if it was evil. Alright, tornado cache GitHub taken down, lead developers accounts frozen, and in response to Tornado Cash GitHub being taken down, Start9 added, GTS service to the EmbaseOS. Well, we can talk about all that together. So for people that don't know, this Tornado Cash was a sort of like a quote unquote decentralized contract on Ethereum that provided reasonably good privacy, except that the way Ethereum works, it doesn't have UTXOs like coins. It has accounts, which is very dumb.
So anyone who received, Tornado Cash token into their account, and all these accounts clearly monitored because within minutes everybody was being sort of like completely doxxed on Twitter, now has a has funds from a tool that is under sanctions, which is a very big deal in in legal problems. So, anyways, there's there's a lot of stuff going on here. I mean, you know, of course, you know, they should not take the cold or the dev down because cold is free speech. In some countries it's not, maybe in Holland it's not where he is and the reason why he was taken. My theory is, you know, if this developer, one, was in communication with bad people, knowingly or unknowingly, they would use that against him. Ethereum people have a history of talking about DPRK somehow in North Korea.
I think there was a guy that went there and got arrested on the way back.
[01:03:26] Unknown:
Yeah. That was Virgil Griffith. Virgil went to Yeah. North Korea and gave a presentation on how to use Ethereum to circumvent sanctions and then got arrested.
[01:03:40] Unknown:
Very bright. Generally speaking, when it comes to privacy providing tools that are highly used by people who the state deemed unliked, and is very very successful. The state doesn't care what is correct, what's not correct, what is truly illegal, what is not illegal, they will find a way to get these people, right, because they are now people of interest. Remember that at all, the state doesn't have to really follow the law when it comes to anything that they deemed terrorism or whatever, they would just come up with some bullshit reason, but there's also this other concept in law which is profiting from proceeds of crime.
So say for example somebody runs a coordinator for CoinJoin, and they are taking profit directly from the CoinJoin of that specific transaction, and the state might see that as a problem, and they might try to frame it that way and go after the people. That's, in my view, how they will go after some of these people. Is that correct? Absolutely not. Is that fucked up? Yes. It is fucked up. But, you know, these are not the good guys. Right? These are just assholes in suits, so it's gonna get weird out there, especially for projects that are like meaningfully doing volume. Right? These guys were doing quite a bit of volume.
I'm sure Matt will have opinions.
[01:05:21] Unknown:
It was 7,000,000,000 total volume they had done.
[01:05:26] Unknown:
There you go. That's a bit of
[01:05:28] Unknown:
money. Yeah. I mean, I've spoken at length about, the situation, and we have a lot more to cover. So I don't have that much more to add, but it it was it was good to hear your opinion on the situation.
[01:05:40] Unknown:
I appreciate it. Yeah. No. I mean, it sucks. It's like it's one of those things that, like, you know, I don't think the world should work this way, but it does. So our our goal and our like, we should strive to create tools that don't get the devs in jail, because, you know, we don't put people in jail because people use the dollar for bad things, you know, it's ridiculous. So unfortunately, there will be a learning curve for people, and, you know, you can't you can't prevent. Like, people will come up with alternative solutions, and it's gonna be a cat and mouse game. If you're on the, you know, the state side or on the freedom side, it doesn't matter.
It is what it is. I just I just hope that, you know, this guy has a good lawyer and he gets out because it's fucking bullshit. It's just gold.
[01:06:36] Unknown:
Yeah. I mean, on the tornado cash specific side, I personally kind of feel like it's a very low lift, fact finding kind of mission. So, I mean, all all the treasury had to do is, you know, they basically just updated the blog post. They just copy and pasted the contract address into, you know, the OFAC list blog post. And then they just watch, and they they just watch to see what happens from there. And sure enough, you know, most of these so called DeFi services, you know, they have very centralized front ends, and they, like, immediately started blocking accounts that are that have a history, a shared history with with that contract address.
And, the dusting aspect is really interesting because, you know, as you said earlier, a bunch of celebrities and stuff were getting sent to their account, this Tornado Cash, and you can't there's no coin control in Ethereum, so you can't not spend it. So there's gonna be all these things that get exposed because of this single little this single change, which was put that contract address into that into that sanctions post. And, it should be interesting to see how everything plays out. Personally, in in America, code is is is speech, and speech is supposed to be a protected right. Unfortunately, we've learned we can't really rely on on those legal protections.
I mean, it's it's it's I think I think we will look back and it will be like the start of a very strong fight against financial privacy in the the Bitcoin world, but we shall see. On the coordinator side, one thing that should be noted, I think, at least in terms of any kind of service that relies on a centralized coordinator. A big thing there is how how hard is it to run a coordinator, you know, self host to coordinator through Tor. And I wonder if we will see if we will see alternative coordinators pop up that are not connected to known legal identities.
[01:08:45] Unknown:
You know, Matt, I think what the state just did with this tornado cash thing is piss off a fuck ton of devs. And if there is one thing you don't want, it's to piss off a ton of fucking devs.
[01:08:58] Unknown:
Very true.
[01:08:59] Unknown:
You know, seriously, it's like, you know, as much as we get some shit or fried at Ethereum design choices, you know, like I think we get more pissed at the state sort of going boot after these people, right? So I think there will be a lot of new tools coming out that will be substantially better trying to cover exactly whichever attack scenarios, legal or technical, were used after these guys.
[01:09:27] Unknown:
Yeah. I mean, basically, like, the best thing they could have done to neuter these systems is they've been doing nothing for so long that a lot a lot of these projects are built in a completely non adversarial environment. So if there's an adversarial environment all of a sudden Exactly. Things get hard hardened. Right? More robust, and and the end result is is stronger tools.
[01:09:50] Unknown:
You know, it's like he always goes back to the to the PGP, fight back in the day. You know, if you wanna classify, encryption as munition, which is, like, one of the the most strict ways of classifying something. It's it's like this is, like, literally the worst thing the state can try to do is classify something as a weapon of war, to prevent citizens from doing anything and having zero legal recourse, and look how that turned out. Right? And then look at the war on drugs and look how that turned out. So, you know, we're fortunate to live in a time where the only nuclear option a state has is to turn off everything, which they can't because everybody goes broke.
Right? So if they have any tap open, everything else leaks through. So, you know, best of luck, and I I I really hope that some of these people that work in this in this entities, you know, find a better thing to do with their lives than than to make people's lives miserable. Anyways. Alright. Next, is, let's talk about the 2 disclosures at the same time because why not? Swan email provider leaked data, which is Swan's data, and Casa discloses also a data breach of the Casa store. It it all it's a tricky one because, you know, realistically speaking, nobody can run an email server anymore. You get immediately flagged as spam by all the big, big email providers.
So that boat has sailed. And, you know, this third party email providers were not designed to have the level of security required to hold Bitcoiners' information private. So it's it's not a matter of if, it's a matter of when email providers will will screw up. Now that doesn't mean you can't do something about it, like, for example, delete information. You can't guarantee that these email providers will delete their logs and do that, all that stuff. So for email's sake, please use an email that is not your email, like your like, for example, me from way back in the day, you'd have, like, your name, full name kind of thing, and Gmail or something like that. Right?
Don't use those emails. I don't use mine of those anymore. So maybe use burner emails to order things from Bitcoin companies. And then for the Casa leak, I didn't see full information on that. I don't know if this was a storefront that they were running internally, if it was third party. Do you guys know if this was, internal or external breach?
[01:12:55] Unknown:
We're talking about Casa?
[01:12:56] Unknown:
Yep.
[01:12:57] Unknown:
I'm not sure Casa was using a third party, merchant vendor, and it was for their store. So it was if you bought, like, additional hardware wallets or Faraday bags Right. Or seed plates, you would you would get them from that store. So, technically, not all their users, but you have to or or the nodes that they sold. So, technically, not all their customers, but probably a large portion of their customers. And then, even the Bitcoiners bought the node. And, yeah, a shit ton of people that aren't their customers that just bought the nodes. Right? They probably have more people buy the nodes than use the multisig. Maybe I'm talking about it in my ass, but I remember a lot of people bought those nodes when they still had them out.
[01:13:39] Unknown:
Yeah. You know, eventually, our store is also gonna get hacked at some point, but, you know, we keep it in house for a reason because you can't trust the store providers to defend Bitcoin or information. Trusted third parties or security holes. Yep. And another thing too is that when we delete the data internally, we actually delete the data. We know that the data was deleted. You shouldn't trust us, but this is not about you. It's about us knowing that we deleted the data. Right. You don't have to trust a third party. Like, CoinKite doesn't have to trust a third party with it. Exactly. Like, when when people say trusted third parties or security holes, like, sometimes you have to use a trusted third party, but you wanna use a trusted third party that's not using another trusted third party
[01:14:19] Unknown:
who's then using another trusted third party. It's like trusted third parties all the way fucking down.
[01:14:26] Unknown:
You know, that's all how it works. Right? So but another challenge is, for example, shipping companies. Right? Like, your information in order to ship to you has to be sent to a shipping company and a company that calculates shipping costs and shit. So, you know, shipping to a PO box really is your ultimate realistic solution. Everybody should have a PO box somewhere where they ship stuff to. Because listen, the state is gonna find out where you are. Right? Because you normally can't even get a shipping, PO box without your ID being photocopied, but It's like full k y c to get one of those. Yeah.
Yeah. But at least bad guys won't. Right? So so that's one nice thing. Phone numbers is trickier. Sure. There's a few solutions. No. Use a use a use burner numbers.
[01:15:18] Unknown:
If if the state's not in the threat model, then you can use one of those apps like my pseudo or Hush. Use burner emails. If the state's not in the issue, then you can use, like, the different aliases these services offer, like Proton offers it, 2 DeNoto offers it. These things reduce your attack surface. Obviously, use companies that, you believe are taking your your privacy and your security seriously. But one thing, Enrique, you know, at Bitcoin Park, that's one of the key features that we're one of the key benefits we're offering our members is that they can get things shipped to the park.
Nice. And, also, we're just gonna have, like, a merge store. Like, we just wanna have, like, cold cards and block locks and stuff for people to buy there. That that's pretty cool. I mean, having
[01:16:06] Unknown:
locations see, there's a couple of things going on there, but, like, you don't wanna have a seal of approval on a reseller, right, because that's a security hole. What you want to have is local webs of trust. So there's a few guys who you know that based on the security threat model of their hardware wallet, you know, those guys are probably trusted to buy the wallet for you because you trust them. Right. Right? Not because they're being certified kind of thing. Right. Straight offs. Because that's stupid. That just gives false security. Exactly. That that's pretty cool. And and another thing too is that, like, if you're a company out there who wants to sell stuff online, please don't use Shopify, please don't use WooCommerce PHP crap.
It all it doesn't matter that you're hosting the PHP stack. It's still a PHP stack store, not designed to be safe. Right? There is a lot of LARPing out there about stores, and remember, right, like it seems to be that the marketing and commercial tools are always how most Bitcoin companies get owned. Remember the Ledger guys was not like, them or their store themselves. It was the the CRM tool that was feeding from the store. List.
[01:17:27] Unknown:
Yeah. It was a fucking marketing list. Yeah. I feel like this happens, like, every fucking week now. It's or, like Exactly.
[01:17:35] Unknown:
Well, the the problem is this. Right? You know, companies wanna sell. Okay? Having a CRM tool, right, having some analytics on your sales and your customers and knowing a bit of your customers is a huge advantage in sales, it really is. Right? The question for companies that we asked ourselves was, in our case, for example, what's worse? And this is like pure selfish question, right? What's worse? The cost of not having new customers because we lost the data or being able to cater sales to people using a CRM in terms of sales gains? I mean, it all, like we, in our opinion, feel like having the bad news of being hacked and losing all that information is not gonna is is gonna be worse for sales than having advanced sales capabilities.
It's a business question, like, you know, like forget about the morals of this for a second. I think it's a much better way of looking at it. So No. Yeah. 100%. It's not marketing to people. It's not it's not,
[01:18:44] Unknown:
I'm not making a plea based on on morals or ethics. I'm I'm saying that if if if you care about your business, then get your shit in order, or you're not gonna last very long in this space because it's fucking ridiculous. And I I would say and I've I've already said this publicly, but I will reiterate it, that specifically on the on the Casa side, you know, I have a lot of respect for that team, but I was, I was really disappointed because the thing is, first of all, it's one thing. If you get owned, if you get owned, you need to be transparent and you have to learn from your mistakes. And with this particular breach, their public release, didn't say what information was leaked.
You had to go and search for it. Like, they they had emailed people, what had actually been leaked, but they their public release didn't say that. And I feel like that is that's that's kinda some bullshit. I I don't I don't necessarily have it. Publicly downplaying it. Like, the leaked data was names, emails, phone numbers, shipping and billing addresses, and the products ordered. It was it was basically as owned as you could get.
[01:19:53] Unknown:
No. Personally, I just wanna make sure at least the people who got owned got informed that they got owned. How people handle their PR, there is nice ways, there's bad ways, but, like, you know, it's debatable, but I I just at least I'm happy to hear that they informed each. They're they're a responsible actor. Right? Like, they're not a bad actor in Bitcoin. So and there there's good people there. So, like, I I'm just happy to know that they informed each customer about what got owned. I just wish they didn't keep that data because they don't sell nodes anymore. Just delete the data.
[01:20:34] Unknown:
Yeah. It's unfortunate because they go to such they've gone to such lengths to to not KYC people for their multisig service. Right? Like, this was has been a big Mhmm. Selling point of theirs for a long time. They said they don't do any KYC. You can use a NEM. And, yeah, to leak addresses is is, you know, is pretty bad. If that's if that's what, like, our core thing your business is trying to do.
[01:21:02] Unknown:
It's, maintaining anything that's online secure is not easy. Assume you will get owned. I mean, we we we know eventually our store is gonna get hacked. Right? It's like, how can I minimize the amount of data that's there? Alright. ETH versus BTC differences in capturable attack surface, that's a whole different rabbit hole. That was there because the list was not this big yet when it was added there, but I just I guess I just need to comment a little bit on this just because such a fucking mess out there. You can't compare the 2.
Okay. Bitcoin was designed for the worst case scenario. It's, you know, is designed for a battlefield. It's the Byzantine general's problem. How do you trust a message to get to the other side? And Ethereum literally made all the bad trade offs so that it can have, you know, high yield smart contracts, and, like, it's just, it drives me insane to see all these people arguing as if there is anything to be argued in any sort of comparable footing. I assume that you have your tired of that subject.
[01:22:18] Unknown:
No. Wait. Was that you went back to Tornado Cash. Is that what just happened?
[01:22:23] Unknown:
No. Just ETH versus BTC in general because the the merge
[01:22:27] Unknown:
Yeah. I mean, like, this is this is is one of those things. Right? It's it's if if you're trying to build an open global financial network, you need a really stable foundation, and you need that foundation to be as censorship resistant and robust as possible. And so Bitcoin Development has has prioritized that since the beginning, and Ethereum has done pretty much the exact opposite, and that doesn't become obvious right away. So now it's gonna start to become obvious, and that that and that's really the situation right now. But see, Ben, what drives me nuts is Bitcoiners
[01:23:06] Unknown:
arguing with Ethereum people on Twitter as as if there was anything to argue about on the same footing. It's like it's like trying to compare water and oil. Right? Like like it's like it's 2 different things.
[01:23:21] Unknown:
Yeah. There's no there's no need to debate. It's all becoming quite obvious on its own.
[01:23:28] Unknown:
Yeah. And and, you know, and the shitcoiners, the Ethereum heads, of course, they wanna send back Bitcoin and try to drag Bitcoin in because, you know, it's always been what they've done. Right? They they they want to sort of use Bitcoin and sort of like straw man Bitcoin because it makes their keys don't look as bad, but it's gonna be a lot of fun to watch that project fail.
[01:23:50] Unknown:
I mean, I think capture is almost the plan at this point. Right? Like, Lubin came out recently with a big proposal through the like, I think it was, like, an article he wrote through the Ethereum Foundation explaining how you do a CBDC on Ethereum. Right? So it's like, I think capture is almost a goal to get
[01:24:07] Unknown:
another pump or 2 out of out of Ethereum. Right? It was always the plan. It was always what was gonna happen. I mean, it was designed.
[01:24:15] Unknown:
It's pumponomics. Yeah. Yep. Right? I mean, like, Ethereum is essentially a factory of Ponzi's. Mhmm. Which is a shame. Right? Because, you know, there is interesting stuff you could build on that platform knowing that that platform could be fully captured. It's just what pisses me off, I guess, is that they pretend that it isn't, right? They pretend it's decentralized, they pretend all this stuff, but, you know, it really is AWS, right? Everything is running on Amazon, nobody can run a node, nobody can verify anything, it's not ultrasound money, it's not a world computer, it's none of the crap that they sell us. It really is the false market marketing and Bitcoin affinity scamming that pisses me off, I guess.
You can see I am very passionate about the topic. Alright. This one is, Matt's, Matt related here. OpenSats launches legal defense fund. It aims to defend open source Bitcoin contributors from lawsuit regarding their activities in Bitcoin and free open source ecosystems by directing donations to the fund to to fund legal fees related to the contributions. That's pretty cool. I think Square or Jack also launched, some some defense fund as well. I think Bitcoiners should fight hard and with all the money. Right. So,
[01:25:43] Unknown:
Dorsey and some others launched, a defense fund for developers facing lawsuits. We we had Huddl not, reach out to us when reach out to us a couple of months ago. He has immense legal burden. He's a very humble dude. He we base I we basically had to push it out of him, to ask for help, and he's inundated in legal fees right now, over a tweet he made, about CSW. So none of the existing avenues were he he didn't have any help any other way. So we worked with him and some other partners, to set up this fundraiser, and alongside the fundraiser, we set up this fund where the funds are getting directed to. That that's great. So we have our general we have our general fund. Our general fund is mandated to support open source projects.
People can apply for grants, whatnot, tax deductible. Then we have this legal defense fund, also tax deductible, or you can donate anonymously, whichever way you prefer, Bitcoin or credit cards. And this mandate is much broader. Right? This mandate is is is legal fees, defensive legal fees, and free space free speech cases that are, of open source contributors. But when we say open source contributors, we don't just mean developers. So Huddl not will be a recipient of some of the funds, but, also, hopefully, we raise excess of that, and, it can be used, for others as well.
[01:27:27] Unknown:
So correct me if I'm wrong. So people can have peace of mind knowing that, you know, if there is, like, extra money that's that's, donated that doesn't that's unneeded to the legal fees, they will just go to a fund for further legal defenses.
[01:27:45] Unknown:
Correct. And all the funds at Open Sats period are held in Bitcoin. So if you believe that Bitcoin will increase in price, then, you know, we're holding your funds in the hardest money possible. So so even if you donate via credit card, Ledger has, basically stepped up to and they they they donate the the processing fee for our credit cards, and then Okcoin has agreed to convert it to us, convert it for us free of charge. So if you donate via credit card, it's it's immediately without fees converted into Bitcoin and held as Bitcoin.
[01:28:23] Unknown:
That's pretty awesome. So for people that don't know, when you have assholes who have very deep pockets to sue people, what they do is, aside from the fact that, like, normal litigation is extremely expensive already. Right? Like, it's always a few $100,000. What they would do though is they'll go crazy on discovery, and and all kinds of other aspects of the litigation so that they their goal is to suck you dry so that you cannot fight anymore and you settle or you withdraw. Right? So so that's what, what, what that fraudster is doing is, he's trying to to suck people dry off their legal fund capacity, and that's terrible because that sets precedent, and then next time a judge goes, in the same jurisdiction or even sort of any common law jurisdiction really, people cite that case saying, hey, you know, there is enough people who agree that CSW is Satoshi just because they withdraw their case, right, and, it's a terrible thing, so the more people that fight this guy, the better.
Boy. Anyways, good for you, Matt, for putting this together. That's pretty awesome.
[01:29:51] Unknown:
Cheers. Huddl not surreal one, and, I'm just, I'm just grateful. There was a lot of people involved, and, it came together pretty quickly. It was pretty cool to to watch unfold, but we're gonna have a, we're doing a 12 hour telethon. So first of all, defendingbtc.com if you want to donate. Every set matters. The legal fees just for Halton, not alone, are significantly high. They're very high. They're in the millions,
[01:30:23] Unknown:
and yeah. So so the more, the better. Well, but the good thing is keep on donating because it's still gonna go to your defense fund. Correct.
[01:30:31] Unknown:
Exactly.
[01:30:32] Unknown:
You know, it doesn't matter how little or how much there is there. Just keep on donating because you will go still towards Right. People who will have to be defended in the future. And if you or your company are sitting on
[01:30:45] Unknown:
large amounts of gains and you're in US or a partner country, we do have tax deductible donations. So consider that instead of sending it to the state, send it send it to our defense fund or our general fund.
[01:30:58] Unknown:
Yeah. You should get set up as a as a, tax deductible entity here in Canada too. I think there's some reciprocation,
[01:31:05] Unknown:
isn't there?
[01:31:06] Unknown:
It's not that simple. Yeah. It's not all kinds of, of,
[01:31:11] Unknown:
tax deductible. Anyways, just saying because there's a lot of Bitcoin entities here. We'll look into that. But I my understanding is some countries have reciprocation. And then the second thing is Yes. We're gonna be doing a 12 hour telethon live from Austin on Friday, during Bit Black Boom. So join us for that. That should be a good time. There's gonna be art is gonna be auctioned, Different collectibles and stuff like that will be auctioned. We're doing a limited edition block clock courtesy of NVK and CoinKite. So it'll be a fun time. Hopefully, we'll raise a bunch of money.
So so defendingbtc.com.
[01:31:48] Unknown:
Are you gonna be able to take the orange one there for the demo I am not. Till we have the other orange one to send out? I am not because I'm on the road, but we have a
[01:31:58] Unknown:
shitty picture of it that we will show people. But just know to anyone listening That's great. For my for my wedding, NVK gave me a limited edition orange block clock, and the only one that's not in his hands is currently in my hands, but there's gonna be another one that's gonna be available for, during this telethon. So if you're interested in that, consider joining us and bidding up that auction.
[01:32:26] Unknown:
Yeah. No. It's, I hope I hope it raises a lot. Alright, well this one is cool. Replicant reproducing a fault injection attack on Trezor. So this is this is the old, Trezor 1 attack. It's just it's just fun to see when other people go and reproduce this attack by themselves, And I don't know if I ever heard in a podcast anybody talk about it, like, in a way that they sort of explain how this is done, and I figured I'd bring it up. So this was Tresor 1, but it was was it already when Tresor t was already around or not? I can't remember. So essentially what this attack does is it glitches essentially when you have, a chip that is not designed to monitor voltage for security purposes, what it does is, say for example, you have the the chip saying, hey, is this been correct? Is this been correct? Is this been correct? And then the response is not correct, not correct after the user puts it in.
Imagine that sort of like as voltage. Right? Now, essentially, what this attack does is when when I'm responding not correct, but because it's not designed for security it also doesn't hear is correct either, so it just assumes is correct and then it's bound, it's on. Right? So the reason why I brought this article up is because it's a great explanation of the attack, it's very fun for people to understand how this attack is done, and understand how chips work, especially non secure chips work. Anyways, it's it's a very good article with very accessible sort of, like, level of information.
It's not like a paper.
[01:34:35] Unknown:
How much do you think this attack cost? Structurally?
[01:34:39] Unknown:
You know, this guy used fancy stuff, but you can do, like, $20 worth of parts.
[01:34:46] Unknown:
That's crazy.
[01:34:47] Unknown:
Yeah. No. It's see, this is the thing. Right? I think we will be in a in a in a very in the very near future, we're gonna be at a point where when you go through the near port, the same way they can plug your iPhone or Android to a little machine that can essentially own the device, copy its memory even if it's fully encrypted. It either knows essentially, all phones are backdoor. Right? Doesn't matter how fancy your distro is. The difference is some of them may achieve a level of encryption on the OS that's, like, acceptable or breakable later. So there is this black box that's made by security farms for airports where they plug your phone in when they take it from you, and then they copy everything. They can either break it there or they can break it later.
I think we're gonna arrive at a point soon where, state actors and bad guys will have, like, little black boxes so that they don't have to have the technical, know how to do any of these attacks. They just plug the device or stick the device into these machines that take the seat out essentially. Right? This is what they are achieving with this thing. I I think, I think we will be at that that space soon. So that's why it's so important to have strong passphrases, to have physically secured hardware, multisig, and sort of upgrade your security because, you know, it might already be out there. It's just we won't know until we know. Very, very nicely done by this, the security researcher.
[01:36:20] Unknown:
Yeah. I've been expecting that for a while. Surprisingly to this point, I have not I I I tend to like to travel with empty signings just to see if, like, when they pay attention. Mhmm. The most recent time was I was I was going to Norway and, I was carrying a couple, empty MK fours, SATS cards, tap signers, and open dimes, because I wanted to show the activists your complete line of products. Not because I wanted to show the activists, like, all these different form factors you could use, for holding Bitcoin. And we're connecting through Heathrow in London, and we have to go through a separate security because I was a fucking idiot and I forgot the UK wasn't in the EU. So I had to go through customs twice.
But that's besides the point. I went through a security there and they pulled me over to the side and they opened up my bag directly to where the signers were. And the signers were just in this mesh compartment wide out in the open. I was like, it's finally it's finally gonna happen. And then he just grabbed he grabbed my, like, bathroom bag and pulled out a conditioner and told me the conditioner was too large and then sent me on. Do you use conditioner, Matt? I don't know. Whatever it was. It was like conditioner or shampoo or something. I think that's the egregious part here.
[01:37:45] Unknown:
Yeah. For the mustache. Oh, it's for the mustache. Only for the mustache. Okay.
[01:37:49] Unknown:
Yeah. No. I I I like conditioners night. Like, my hair is long. Like, you need conditioner, otherwise, it tangles
[01:37:55] Unknown:
up. Rodolfo, this might be a tech tip. Travel with an empty hardware wall.
[01:38:00] Unknown:
Right. That that's right. I mean, at least have a BRICKME pin set up. That that's, you know so here, sir. I'm just gonna put the pin on and oh, it doesn't work. You know what I don't like about the BrickMeIn?
[01:38:13] Unknown:
You can't test it. That's that's kind of by design. I had to kill a device to test it. Also, I have a device Don't trust. Verify. I have a cold card with a ticker on it that's, like, the countdown timer or whatever. That's it's like a year or some shit. 28 days. And I didn't realize it it has to stay plugged in. Yes. Like, I can't I don't have the self control to keep a device plugged in that long, so it might as well be brick too. I just got rid of it. No. Just leave it on. It's fun. You just plug it to a USB and leave it running for 28 days. I got, like, 14 days once and there was a power surge and then So so worked as designed. That's really what you're saying. Just just a heads up, like, if you're gonna pick a big countdown timer, don't try and test it.
[01:39:00] Unknown:
Somebody did it. Somebody did the 28 days once and, posted on Twitter. Is 28 days the largest one? Yeah. I call it 28 28 days later, in regards to the movie. Yeah. It's a good movie. Alright. So Square, Wallet fame, they keep on making posts, which is interesting. This latest one was about, seeds and things. Again, it's kind of annoying me because it's the seed hating thing. Seeds are great. No? What do you guys think?
[01:39:35] Unknown:
Yeah. I think if you're gonna self custody, you should probably do it the way that other people. You should you should kinda do the best practice thing that has been has worked for a lot of people for a long time.
[01:39:46] Unknown:
I kinda like where they're going with this with the caveat that I just think more options are good and people should try different trade off models. Like, I feel like we're still pretty early in the Bitcoin game, and we shouldn't just, like, lock ourselves into how we've always done it. Or No. That in that sense, I agree. In this particular model, they'd make some interesting trade offs that you don't really have. First of all, you have this this hardware signer that's presumably extremely cheap. It's a blind signer. In an average day to day usage, the person will never use it.
Things will get signed by their servers, will get signed by the 3rd party servers. And if the 3rd party acts up and the 3rd party is not letting you get your funds, then you use the blind signer and you you pull your funds off.
[01:40:34] Unknown:
But but see, why even bother with the signer then? Just have a piece of paper that you write down whatever secret that signer is gonna have if it's just a backup.
[01:40:44] Unknown:
Because you're assuming the user can't keep track of something like that?
[01:40:48] Unknown:
Yeah. But then they're gonna lose the device. You give them a little fob and they can just tap it on the back of the phone. Easy peasy.
[01:40:55] Unknown:
I don't know. Because I think they're putting a screen on it or at least a button or something. Right? And that might be a battery. I don't know. I I I wanna see it. I welcome new different things. I just I just wish there was more intent and interest in human readable backup solutions. Maybe it's just I'm jaded because I've seen so many people lose so much money through their years too. Right? So maybe it's part of that, including myself. Yeah. I mean, you know, it's nice to see. It's just I don't know. It's just every time I hear no see, they sort of bulk a bit. You know, we made kind of trade offs to top signer too. Right? We there is no seed because the device is too dumb, cannot handle BIP 39. So so the backup, it's essentially automatic.
When you when you set up the device, say, with Nunchuk or whatever, it offers you for you to back up the the encrypted file into your phone cloud chip. And but but the keys for that are are lasered etched on the card so that the digital wallet cannot see the backup. It's fairly strong encryption too. But then the problem now that I see is collusion between 2 server entities offering you the signing part. Right? But I guess for small amounts, it doesn't matter. The reputation of these companies is more important. So even if they get hacked and start signing people's funds, they'll probably make everybody whole. It would be in their interest.
Yeah. It's an interesting it's an interesting solution. Alright. Justin, I think this one, was from you. A new way to do DLCs.
[01:42:46] Unknown:
Go for it. Yeah. So DLCs are a way to bet on an outcome, and, the cool thing is all you need is an oracle, so I'm gonna test in the outcome, like, who won the Super Bowl. And, the, yeah, the cool thing is that you the people making the bet don't the the the oracle that's attached to the outcome doesn't need to know about who is participating in the bet, and it's all based on Bitcoin and doesn't require any changes to Bitcoin. Some of the downsides to it are that no one uses it. There's no liquidity yet. It's sort of a trade, these DLCs, and, also, you need to, you can only bet on things that Oracle's broadcast outcomes for. So, like, you can't, you know, make your own custom contract and write a Python script or something and make them bet on what the outcome of the script is gonna be in 2 weeks.
And so the cool thing about this is that it's it's changing the signature algorithm underneath. It would basically allow you to run the DLC protocol on any sort of outcome. So, like, you could anything that you could express in software, you could write, like, a little smart contract. But here, the smart contract could just be literally a Python script, and you and your counterparty would agree to run this at a certain point. And only if you disagree would you have to give this off to the to the to the DLC. So it's it's kinda interesting because it's it it it could potentially do some of the, like, accomplish some of the the, goals with these smart contracting systems, but in you know, blockchain systems, but it it doesn't resemble them at all. It's just a totally Bitcoin Bitcoin based Bitcoin signature based protocol, that would doesn't have a blockchain at all. So it's it's it's pretty interesting. Where do you run the scripts? You could just run it anywhere. It's the the the this is just like an example of an outcome, so you could yeah. I I don't know if I should do exactly how how you how you do this, but it's it's just, like, outside of the protocol. Yeah. So so let's say I have, like, a a dice protocol a dice script.
[01:44:39] Unknown:
Right? Yeah. And my and my contract says that, you know, it needs to be, like, a minimum of 6, right, for this funds to be released or something. Yeah. Does how does my contract validates that this was actually dice as supposed to me just feeding in 6?
[01:45:00] Unknown:
Yeah. So I think here it wouldn't it, you'd be basically trusting the the Oracle. So it's it's it's it's, like, observable things. So dice wouldn't be a good example because that's not really, like, a Mhmm. A thing that multiple parties could all observe unless they were all on the same place. But, like like, just for example, you know, if you wanted to make bets on some like, some very specific thing, like, you know, which basketball player gets a technical foul in the second quarter, there's no oracle that's attesting to that currently, but you could write a little script. You can do an API called the ESPN or something, and you can make bets on this. So it could potentially make more thing make make DLCs work for more types of events, and that might lead to more liquidity, which then would make DLCs useful in the real world. Because currently, they're not because there isn't enough liquidity.
Very cool. And it also simplifies the protocol a little bit too, I think, potentially. So just a cool interesting thing, that yeah. It's,
[01:45:59] Unknown:
you know, maybe in a couple years this will actually exist. You know, part of the reason why I wanted to start this bot is because I hear Shitcoin are saying that nothing gets built on Bitcoin. Right? So just just mentioning and bringing up all these little things that are being created, maybe somebody else hears it, and that's exactly the thing that they were looking for, and, you know, some people go build a company on it. So that's that's pretty cool.
[01:46:26] Unknown:
Yeah. This one's really interesting because the main guy I mean, there was, like, 8 people on this paper, but the main one the one that I know, Lloyd Fournier, Fournier, I don't know how you say his name. He's just been grinding away trying to do these kinda crazy cryptographic applied cryptographic ideas on Bitcoin for, like, 2 or 3 years. You know, he's sponsored by Spiral and did some other stuff. And so this is to me, it's, like, the first really big thing he's produced that's super interesting. Very cool. Yeah. Sometimes it takes a long time as well to actually produce something. So you mean good technology is not just like, you know, something you come up in a hackathon and it's done, and you go fundraising?
[01:47:03] Unknown:
Correct. Correct. That's that's good to know. It's very validating.
[01:47:08] Unknown:
Correct.
[01:47:09] Unknown:
Alright. There is this bit proposal, receiving a change derivation path in a single descriptor. That's very useful.
[01:47:20] Unknown:
Yeah. It's kinda ridiculous if you're if you're doing a descriptor wallet. Like, a descriptor the idea of a descriptor is it's supposed to describe the scripts in your con in your wallet. Right? It sounds very simple, but in practice It's not. Every wallet has receive and change addresses. So you can't you the one descriptor doesn't actually even describe a wallet and until this bit. You'd always need 2 descriptors, which is kinda stupid.
[01:47:42] Unknown:
So with this one, we'll finally be able to have 1 descriptor describe the average of 32 wallet. It's kinda funny, right, because the original proposal for descriptors were to resolve this problem by having a single descriptor,
[01:47:54] Unknown:
and yet it didn't. Yeah. It was never a single. Yeah. It was always 2. Exactly.
[01:47:59] Unknown:
No. This is this is great. It's nice to see movement on this. This is the kind of stuff that we would definitely support on, on CodeCard, fast. Nice. Alright. So Taproot adoption, there is a link here for people to go check it out, but I don't think it's it was down. It's still down. It's down. Yeah. It's BitMax's thing. They're down. It'll be on the show notes. People can check out later.
[01:48:24] Unknown:
It's up into the right Yeah. With very small numbers.
[01:48:28] Unknown:
Yeah. No. I mean, it's, it is gonna take a long time because there is no need for it for the majority of the users. Right? Bitcoin is serving its purpose very well with the very little it it offers, which is a lot. Alright. Yeah, I mean guys if there are other links, of projects and things that you want listed that we didn't talk about, feel free to add to the show notes because people will look at it and click and read at their own, their own time after no longer bothering their ears. Okay. So this there's a new section of the show now we're testing out, and we're gonna check the analytics to make sure that people really, got to this part. Otherwise, we'll kill it, of course.
So this one is the this one is the tech tip of the day.
[01:49:22] Unknown:
By the way, MBK, multiple people this week told me they listened to the show. Multiple. Like, 3 or 4. Can you believe that? I also had a handful reach out to me about it. Yeah.
[01:49:33] Unknown:
Okay. It must be the grace of, Matt's mustache and Justin's mullet. I I cannot think of any other reason.
[01:49:45] Unknown:
And the list.
[01:49:51] Unknown:
Alright. So the tech tip. Okay. So, you know, you should have Thor running on your computer by default as as a as a as a daemon, not per application cause that's silly and you end up with multiple instances, and it's just stupid. So if you're on a Mac, which majority of sane people are, you can use brew to install Tor, so you do brew install Tor, and then you there is this new feature from brew that's been around for a couple years now at least called services. So you go brew services start Tor, and then you can actually check which brew services are running, and you go brew services list, and it's gonna list which services are running. What's nice about this is that for people that use brew already probably know is that brew is a much more sane package manager for OSX.
It keeps everything tidy, and it's nice and clean and simple so it's easier to audit some of the stuff, and now you have Tor running on your computer. So you go on your Alactrim or whatever, and you essentially just put all the services that you can and you should to proxy over Tor, if they don't have onion addresses to reach out to to begin with. So in the proxy, you just go 127.0.0.1, which is local host, and the port is 9,050. All that 4 step process is on the show notes. So I wanted to get something, a tech tip that the 2 of you maybe take for granted, but could be useful to somebody out there. Is there anything like that that you guys have?
[01:51:46] Unknown:
One of my favorite ones every time I get a map, this is a very this is very minute, but, I love to change the key key repeat rate. Make make the key so, like, you hold down a key and it goes faster. That's there's a way that you can Google that. There's a way to do that, and it's it's really a life changer. You you hold down the key and you can move much faster.
[01:52:08] Unknown:
You can make it like lightning fast. The key repeat and the gap to repeat. Yes. So the hold down to repeat, so how long it takes to start repeating, you can also change that. That's that's like a huge deal. Justin, do you wanna find the 2 commands? It's like a 2, global, variables in the OSX that you can change. We can add to the show notes too. I'll add that to the show notes. Thank you. That's that's a great one. I'm setting up a new Mac a few days ago, and, that's, definitely one that I did on the 1st day of setting up the new Mac. Matt, do you have anything for us?
[01:52:47] Unknown:
If the bandwidth constraints and latency of of Tor got you down, you can get a hosted VPN account with MOLVAD using lightning@vpn. Sovereign.engineering. Fantastic little Really? Service offered by, I think Carl Dong offers that. So lightning VPN? He has cons has some kind of gift card relationship with them, so he just accepts the lightning and then immediately credits your account. And if you don't have an account, give you a new account. So you don't need an email or a password or anything like that. It just gives you this number code that you put in to either, the mobile apps or you can use it with OpenVPN.
It's a fantastic little service.
[01:53:34] Unknown:
On the on the privacy, Helm there, I know you have some suggestions for, like, throwaway phone numbers and those providers. If you wanna add to the to the show notes the some of those providers would be very helpful because when you Google those, it's a lot of shit scamming, options out there. It will be nice to have a field that sort of, like, are recommended.
[01:54:04] Unknown:
Yeah. I mentioned that right now just real quickly. There's text verified.com. You can pay with Bitcoin. Those are single use numbers, so it's only at the time of verification. But they work really well for services that need verification because a lot of times they have blacklisted numbers, but text verified doesn't. So you can use it with Twitter. You can use it with different services like that. Bitcoin ATMs, they support a bunch of different brands of Bitcoin ATMs. So that's textverify.com. Then you have silent.link, which provides you a full esim, for Bitcoin. So a lot of the new phones now, you can just download an esim from the Internet rather than use a SIM card. So they'll give you a fully functioning SIM card virtually, with data and everything.
That's also payable in Bitcoin. And then if your threat model is lower and you just wanna make sure when you go and buy something from a store or something like that, they don't have, the same phone number that you always use. There's apps in in both app stores. The 2 big ones that I've used and recommend is mypseud0, m y s u d o, and hushed, h u s h e d. And both of those, like, you just download them from the App Store. If you have, like, an iPhone or whatever, like, your credit card set up to it, you can literally just purchase it in the app. Really cheap. You can get a number for a year for, like, $40, and you can just end up with, like, hundreds of numbers for $40 each a year, or you can buy them for 30 days or even cheaper, and just never put the same number ever again.
[01:55:37] Unknown:
I wonder how many of those numbers that get reused eventually. You keep on getting text messages from, like, weird services from other people. Oh, they're so reused. Like, I get sent money on, like,
[01:55:47] Unknown:
like, it's like someone's trying to send me money on Cash App or one of my numbers, and they're asking why I haven't paid my rent. And
[01:55:55] Unknown:
That's funny. That's really funny, and I could totally see it. I bought another number, from from a different town, and, that guy clearly owed money. So, like, every single tax collection that service out there calls that number is really annoying and I have it forwarded so I don't necessarily know that I was trying to call that number. So I'm often like, what are you talking about? Alright. And then I have to explain to them. Guys, do do you have anything else that we may have missed on the list? Because it would be at least another couple weeks before we record again if you guys come on again. So, now would be a good time to mention it.
[01:56:38] Unknown:
I believe the list was comprehensive on my side. That's good. No. I mean, I think this is a great conversation. It's always a pleasure having you and Justin on to join me.
[01:56:49] Unknown:
Hey, Matt. It was very nice having you as a guest. A guest. And, just and maybe I'll promote him to, cohost just to piss off Matt.
[01:57:00] Unknown:
Matt has too many engagements. He cannot cohost anything else anymore. Yeah. He was holding us hostage for the better part of a day.
[01:57:07] Unknown:
There is that too. Totally,
[01:57:09] Unknown:
calendar Cinderella there. Yeah. It was a family emergency. Thank you very much.
[01:57:14] Unknown:
In all seriousness, I really appreciate you guys joining me on this. It's, it's very helpful and it's very pleasant and it's fun. Thanks to our new producer, Joni. He's been super helpful too, and I hope, I hope, Joni doesn't have too hard of a time adding more to this list from all the extra crap that we talked about. And, now we have recorded exits, so I don't even have to say the the closing anymore. I do recommend people go check out the show notes, not on the podcast apps because those only have 4 4,000 character max, and we already have a 160 lines on GitHub for this episode, and we were sort of cutting it down. So, this is this is a lot of fun. It's nice to talk about all the stuff that's going on in Bitcoin. And, with that, I guess we can say our goodbyes here. Cheers. Always a pleasure. See you next time. Take care, guys.
Thanks for listening and going through another boring list of updates once again. Don't forget to get in touch on Twitter at Bitcoin review HQ or the Telegram Bitcoin review pod or email bitcoin review atquaintite dotcom. Remember, I don't have a crystal ball. So if you have a cool project you're working on, do make sure to get in touch with us. And if you're still not bored, you can follow me on Twitter at nvk.
Introduction and podcast setup
Discussion about upcoming events and conferences
Review of software updates and wallets
Tornado Cash and privacy on Ethereum
Data breaches at Swan and Casa
Differences between ETH and BTC in terms of attack surface
Importance of privacy and security in online transactions
Dorsey and others launching a defense fund for developers facing lawsuits
General fund and legal defense fund at Open Sats
OpenSats legal defense fund
Reproducing a fault injection attack on Trezor
New way to do DLCs
Receiving a change derivation path in a single descriptor
Taproot adoption
