So, as I understood, OP_RETURN is the least harmful way to store data on Bitcoin and since Bitcoin Ordinals are inevitably part of Bitcoin, it is beneficial for us to motivate those spammers to use OP_RETURN instead of using fake public keys and Taproot witness method? Am I right?
Yes. (By the way, why do we have Taproot?)
Taproot transactions allow you to combine the signatures of many different input addresses so that you can't reverse-engineer the public keys (and thus break them with quantum computing or kangaroos). You can create transactions in such a matter without requiring everyone else's public key if the Taproot script was designed for that. I also want to know, does it matter for spammers which method they'll use? Fake public keys, Taproot or OP_RETURN?
No. They will use the one with the lowest fees. |
|
|
|
One question I was wondering about: If the "coin owners" have to provide the UTXO, I think they have to rely on a solid group of nodes who archive the whole blockchain and do not prune it, so they can query the UTXOs. Or would this also work if all nodes prune the old blockchain data (e.g. because they're afraid to distribute certain parts of the blockchain)?
It's more like having a large bitwise array (without needing to store any of the UTXOs somehow), where each bit represents a UTXO that has ever been created, as to whether it exists or not. Just so that you understand how the storage savings is supposed to work. This is the simple explanation but the data structure is actually much more complex than that because you not really going to save a lot of space by using an array that does not contain the metadata. |
|
|
|
• OS-agnostic. The PoC works because many AVs carve/scan archives found inside larger binaries. That behavior exists on Linux (proved with ClamAV) and also on Windows/macOS in various engines. It’s about how scanners treat containers embedded in arbitrary files, not about executing anything.
I think the only reason why we haven't seen such as DoS happen in action is because most people are running their nodes on Linux with no AVs. Maybe a couple of folks use Red Hat or CentOS which contains SELinux, but I think SELinux might be different from AVs in that it doesn't quarantine anything and it's more of an exploit-buster. I was unable to send security the test script in the email because : Sorry, we were unable to deliver your message to the following address.
<security@bitcoincore.org>:
550: 5.7.1 Reject for policy reason RULE1_1: Virus/Malware detected
That's a bit ironic. Maybe you should try putting it inside a Pastebin. |
|
|
|
Of course, it was never like a flood of spammers would suddenly join Bitcoin from other networks as soon as Core 30 is released. That part has to be clarified. Door 1 is completely open now. Monsters entering this door can go directly into the whole house including the bedrooms and eat the people living there. This is the "fake public key method", the most harmful of all.
Door 2 is mostly open, some people are trying to close it sometimes but with not much luck. Monsters can enter the kitchen, but not the bedrooms, so the house's inhabitants are a bit safer, but still frequently a monster will be able to eat somebody.[3] This is the "Taproot witness method", the second most harmful.
Door 3 is currently only a bit open. Only small monsters can enter it. But even if the door was completely open, the monsters would only reach a guest room almost nobody of the inhabitants uses, and thus only rarely eat somebody. This is OP_RETURN.
We cannot close Door 1 (see above). Door 2 can be closed but the effect would be limited, because the monsters would then use Door 1 and the number of eaten people would even be higher.
We can however open Door 3. The monsters using this door would not cause much harm. Monsters entering via the other two doors could still enter, but we would have 1/3 less deaths.
This is what Core did lifting the OP_RETURN limits. It will probably not cause the spam (monster waves) to stop, but it could reduce their harm, at least a bit.
I know gmaxwell explained this on a different thread, but I don't see why another implementation (i.e. a house) can't just simply lock all the doors shut, and then use some sort of warp drive to get inhabitants to the other house when something is missing from there. Equivalent to using a cache-miss to retrieve transactions from full nodes to avoid some people from having to keep all those zombie UTXOs on the disk forever. It is destructive, but it's not a majority who are going to use it so it's fine. |
|
|
|
I am not censoring blockchain data, I am merely filtering it. This project depends on unfiltered nodes so there will always be many of these kinds of regular nodes running.
But, you are censoring block chain data. If someone asks for it, you may block it. That is the very definition of censorship. I don't see it that way. If a government censors sites on the internet (let's say they also censor proxies, VPNs and Tor for the purpose of this discussion), then all ISPs in the country are blocking access to the site. You do not have any way of accessing that site again. In Bitcoin, the vast majority of providers will still provide unfettered access to all data through their APIs. This is just a small project that prevents you from requesting certain types of data. I can't (and for the record, will not) try to get other people to block said transaction data; that would undermine Bitcoin anyway. So given the circumstances, how is this new API going to be blocking people from getting said data from elsewhere? I think you just invented this! I'm not worried a CEX may block funds that were confirmed in block 666 because of whatever reason they come up with. They themselves can't know which block their withdrawals are going to get confirmed in.
I invented quite a few things, but to gain mass adoption, they need to be marketed. And I'm a quite bad marketer.  |
|
|
|
|
Maybe the vulnerability is reproducible on a Windows system.
That's what over 90% of cyberattacks target.
Perhaps advanced endpoint AV software would be able to flag the EICAR string itself and then lock down access to the file to just Bitcoin Core. But personally I think the outcome will be the same as ClamAV for consumer AV programs.
It's more of a DoS risk though. Imagine taking down a bunch of nodes just by embedding a problematic string inside a transaction. Core is fuzz-tested a lot though, so hopefully it can handle such exceptions gracefully.
|
|
|
|
|
CSAM is obviously the most talked-about use case but there's other more niche ways that datacarriers could be (ab)used that are illegal in at least some governments, for example there is malware which I have talked about many times, in addition to C2 payloads for said malware, but there are other things like gore, Nazi propaganda, terrorist cell writing & media, suicides, as well as things that aren't illegal but are obnoxious to most users such as porn, Ordinals and 100KB textual spam like "aaaaaaaaaa".
This post is not an argument against increasing the datacarrier size limit, but it's simply to highlight the potential for misuse of any data storage system.
|
|
|
|
https://x.com/LukeDashjr/status/1965539551117472174For years, there has been FUD that Bitcoin's blockchain could be criminalised by storing CSAM on it.
For years, the answer has always been that Bitcoin doesn't support data storage, and the offending content is not the blockchain itself, but the additional software used to transform the blockchain into CSAM.
By sanctioning data storage, Core 30 is eliminating that argument. There will no longer be any additional software required, your Bitcoin node itself will provide CSAM on demand, using a well-defined and officially supported format.
The very reason "CSAM on the chain" was FUD, is being _destroyed_ by Core 30. They are making it a _true_ accusation. No amount of obfuscation will change this fact.
This is not the _only_ reason to reject Core 30. But even if it was, it would _still_ be strong reason to do so.
Sep 10, 2025 I disagree with Dashjr's assessment that this is FUD. Because simply making a statement: "We allow all kinds of data on our network" does not remove any liability from the users. If anything, it increases their liability, because then LE can tell the courts that the developers were aware of its use for that. Has everyone forgotten about the Roman Storm trial already? Oh and by the way, this same fate awaits eXch developers if they get caught. By converting Core into some decentralized form of Amazon S3, you are enabling new use cases, but you are also opening up massive risks to 3rd party developers who expose these datacarrier methods to users via software, if the users abuse these methods in ways that it's illegal by their governments. (Reading it again, I see we even agree on some points.) |
|
|
|
It's a fork of Bitcoin Knots, cut out from bitcoinknots/bitcoin:29.x-knots branch.
I dislike the name a lot and I find it wrong that they just changed a character from Bitcoin Knots to Bitcoin Knobs.
I don't think the word Knobs is being used in this context to indicate a dummy, but rather in the sense of control panel switches which can be adjusted. Unless the README or the maintainer's social media posts are clearly provocative, in which the other meaning could be implied. |
|
|
|
Allow me to turn this around: so you're building a database of CP, malware and more, basically highlighting the bad parts inside the blockchain. That sounds much worse than having them lost in large amounts of data.
I can definitely see this causing a Streisand effect if this goes wrong, yeah. Right now we at least do not know where in the blockchain this data is being stored, if at all. But a counterargument is that I fear that CEXes and large institutional companies might create their own solution involving a whitelist of transactions and blocks, and apply the same KYC scrutiny that we are seeing now with addresses. To put it simply, they might invent "taint" for raw transactions and blocks, and then make it really hard to use their services unless you have coins from "clean transactions/blocks". If this happens it will make the whole of Bitcoin even less pseudonymous. So this work is to hopefully create a blueprint for avoiding that fate. My version does not censor any transactions, because they can be obtained elsewhere due to the decentralized nature of Bitcoin. Personally i don't see the point. Even if you use RPC call such as decoderawtransaction, the arbitrary data isn't human readable/viewable. It still requires additional effort from developer to decode and show it properly.
Which would make the developer liable, but there aren't strong legal protections for node runners yet. I would say its index/long list to content that deemed illegal.
It's going to be a hash table of SHA256 checksums, exactly which part of the transactions or blocks are going to be hashed I haven't figured it out yet. I think the main risk here is not just altering data but the precedent it sets. Once you create an API that edits blockchain responses, you’ve basically introduced a middle layer of truth that people have to trust. Bitcoin’s whole foundation is that the data is verifiable and final, no one edits it for you.
If you're creating a service to sanitize for legal reasons, that's fair but it should be clear to the end user that they’re interacting with a filtered view. That way, you keep the trust model intact without creating confusion or accidental reliance on a modified dataset.
I specifically said that it's not suitable for use for verifying blockchain data i.e. nodes. The API specifications will be exactly the same as Bitcoin Core JSON-RPC. I don't think there is a global consensus on what data is right or wrong, and I think Bitcoin's database should NOT be censored.
I am not censoring blockchain data, I am merely filtering it. This project depends on unfiltered nodes so there will always be many of these kinds of regular nodes running. |
|
|
|
Their BTC is also being moved to an address that received a transaction with an OP_RETURN message similar to the ETH address. I wonder if these are really law enforcement wallets or if it’s a ruse by TradeOgre to try to cover up a rugpull. Do you really think that Canadian law enforcement will write official statements inside a crypto transaction? |
|
|
|
Hi guys, this is a draft which I am going to try to create for the wider Bitcoin community, in particular for anybody who needs to get blockchain data quickly but doesn't want to expose themselves to any potential legal ramifications for transmitting various forms of illegal content that has been embedded on the blockchain. Right now the definition is very vague, and I am not a lawyer so I'm only going to filter things that are widely accepted to be illegal. (like CP, malware etc.) The offending content will simply be replaced with a null object, and the RPC request/response stays exactly the same otherwise. This means nobody has to rewrite their software. There is no proof of concept yet, just this tweet I sent to crypto twitter a few minutes ago SHA256 checksums of the stack or the witness data will be stored on a centralized server where apps can opt-in to receiving filtered txn data to shield them from legal risks of serving illegal content embedded on the blockchain. This is something I want to do. Don't hate. Watch. @adam3us A separate frontend can be made to sanitize Bitcoin Core RPC responses. Specifically, it will replace illegal media with a null object.
This will be designed to be used by all bitcoin applications except for verification software, in order to mitigate legal risks. I recognize that this development will be quite unpopular with many people, and also that I'm aware that nobody is currently prosecuting node runners or application developers ( yet!), however it is going to be quite an interesting research for me to undertake, and I'm also going to post the finished product to the Bitcoin mailing list when I'm done. |
|
|
|
Arteta certainly devised an excellent strategy for this match, which ultimately put Bilbao under pressure, leading to Bilbao's defeat by Arsenal, conceding two goals from Martinelli and Trossard. Bilbao must now acknowledge that Arsenal is clearly superior and accept that Arsenal has taken the three points. Arsenal started this season well, and Arsenal fans certainly want the team to perform consistently and win, ultimately becoming champions. Now, Arsenal must prepare again for their next matches in the Premier League and the Champions League, with Olympiakos set to be Arsenal's next opponent in the Champions League. What do you think will happen? Will Arsenal win against Olympiakos or not?
Arteta plays terrorist football. They just hold out for set pieces and try to kill the play. It works on most opponents, but some teams with dominant pressing can get past them. That is just one basic thing I have been observing from Xabi Alonso's men. It has been two games straight they have play with a man down and they become victorious, by getting the 3 points. For me the way I see real Madrid is this, they tend to play by coming back to their right mentality when they are on pressure, we can clearly see this in their game against Sociedad and now their first game with Marseille. To me before that red card we can all see that real Madrid was not playing as expected, and this is one part they needs to improve if they really wants to compete in this champions league, because looking at the champions league we have so many interesting team that looks fully ready to compete. But I will basically say it will be to early to look down on their performance with just this first game.
Nevertheless, good win from real Madrid and well needed 3 points from Xabi's men.
"Penalti a Favor del Real Madrid"  Just kidding, I didn't actually watch that match. They seemed really lucky to win by two penalties though. Feel bad for Trent pulling his hamstring after just 5 minutes. |
|
|
|
Reputable casinos will not send you dirty currencies. Only casino platforms that are built to receive scam money can do that. I have heard story of fake casino site, that is used to wash dirty money and some also take the money of users.
They won't do that, but AML scoring companies will assign them a risky classifier anyway. It's telling that they even have their own category ("Gambling" or even "Illegal Gambling". which should really just be "Unlicensed Gambling" if you ask me!), as in they don't want you to send coins from a casino to an exchange. Not like they are going to freeze it or anything, but the risk classifier frowns on it for some reason. |
|
|
|
Holy molly, there was actually a free UCL fantasy sponsored by SB on their discord channel with the announcement a few weeks ago, I completely forgot too, it's just really tough to keep up with just every single thing these days.
I will be participating in the UCL festivities, but not by joining any predictors or fantasy. I have a very large position on Liverpool to win the UCL. If the odds increase to 32% chance then I will win a lot of money. Wish me luck guys. |
|
|
|
That's one "feature" I really dislike! The notion of "taint" is completely arbitrary, so they can selectively apply it. But also, they're basically saying they'll take dirty criminal coins as long as they get a higher fee.
I wonder how they manage 'tainted' coins, exchangers who use third-party liquidity partners. Obviously, they found a way to prevent LP from freezing their funds. Do they share that extra fee among themselves? Personally I wouldn't be surprised if they just ran that money through one of the mixers and meanwhile complete your exchange using clean coins they have in reserve. That would explain why they charge higher rates. Well I guess that's the least we can expect when you can pass dirty coins through Brian Armstrong or the DoJ if you are large enough, and it suddenly becomes clean again. |
|
|
|
They made it clear in the message that all other services remained functional. Also, the maintenance is not from their own end but from their partners (suddenly informed them of unplanned maintenance) more like emergency maintenance which they didn't plan for initially. There are two things involved here: firstly, it's not longer new that keeping your funds in exchange wallet deprived you absolute control of your assets and secondly, your privacy is at stake. The blockchain.com will definitely share your KYC documents with their partners if need be. Although, nothing is new here regarding exchange services, they have full control over your assets and determine when you can have access to them. You either stay away from them or bear with them in a case like this.
"Partners" here sound like liquidity providers, so if they are having some problems with their withdrawal system, then it is natural that blockchain.com withdrawals are disabled. May I ask why anybody is still using this service though? Even if you just want to use their exchange, there are so many better exchanges out there that don't seem so fragile. |
|
|
|
LOL good luck with that. I don't think the US government has ever investigated itself. The way this sounds like, is that this "investor company" is probably just part of WLFI itself, and since WLFI has strong ties to Trump, who is president right now, and thus is above the SEC, then what exactly do they think they are trying to accomplish here? It doesn't make any sense. |
|
|
|
You say college degrees are useless, but did you know that most CEOs, leaders and people holding high positions in corporations have college degrees? It would be short-sighted to hastily declare that college degrees are useless just because a small portion of college graduates are unemployed without looking at the big picture.
They aren't bachelors' degrees though... they are MBAs and PhDs. You're not going to become a CEO with just a bachelors' degree. Your options are to "complete" higher education as in get all the diplomas they have to offer, and then you can be a scientist/politician/executive, or you drop out and go into entrepreneurship, because it's not worth it to spend $50k over 4 years to get a bachelors'. |
|
|
|
|
No, not for now, but only because I am too lazy to upgrade my software and like putting it off for several months.
A more important problem to me than the datacarriers is whether my Bitcoin download will be secure, which I do not trust with Luke-jr's hardware ever since the hack (and the "clean-up" which was never really 100% due to never formatting).
|
|
|
|
|
Show Posts
