Greetings Central PA Bitcoiners!
We had a great educational meetup two Saturdays ago. I love seeing new faces at meetups, especially educational events! Curiosity and thirst for knowledge are wonderful virtues, and in my experience, largely determine one's trajectory down the bitcoin rabbit hole. Keep learning, and keep stacking skills!
Our next meetup is a coffee meetup this coming Sunday, September 28th, at 1pm. The venue is Denim Coffee in Mechanicsburg...come find us in the back room. Parking is plentiful: there is a lot behind the café, and street parking out front is also available.
No op-ed this week. Instead, I'll share a blog article from a few years ago that was influential for me. Influential for my password/passphrase habits, anyway.
Trezor published this blog on passphrase strength in 2019 (AKA "the before time"), and it was one of my introductions to diceware passphrases. Six years ago, Trezor was a bit more respected amongst bitcoiners than they are now. There weren't many viable options for bitcoin-only hardware devices then (Mk1 Coldcard, anyone?), and Trezor was the device that many used for their bitcoin cold storage. Many of the bitcoin-only devices we use and love today run software that is descended from Trezor's source code. Great content.
Linked article on Medium: "Is your passphrase strong enough?"
"There are various approaches to creating a good passphrase for your wallet. You can go with something that is quick to type but not so…"
Enjoy the rest of your week, and hope to see you at the meetup on Sunday!
Keep stacking sats, and keep stacking skills.
~
@Lonelypumpkins
Central PA Bitcoiners
Greetings Central PA Bitcoiners!
We've got an educational meetup lined up for this Saturday! Our educational meetups feature a presentation, and the topic for Saturday's meetup is "Stacking Sats or Stacking Shares?". If you're new to bitcoin or new to our meetup group, this is a great function for you to attend.
2025 has been a year that has seen bitcoin come further into the spotlight of legacy financial media and the mainstream consciousness in general. Turn on a legacy financial news show, or pull up Yahoo Finance, and most days there will be a headline about bitcoin. New financialized products have become available: spot ETFs, bitcoin treasury company stock, as well as bond/money market products offered by bitcoin treasury companies.
What's the difference between MSTR, IBIT, and self-custody bitcoin? Although each has an exchange rate that correlates with BTCUSD, there are important differences.
Topics...
What's the purpose of bitcoin ETFs?
What's the value proposition of bitcoin treasury companies?
Individuals' freedom of choice vs an organization's restricted options
Stacking sats & stacking skills
Ideas for leveling up your skills and setup
We'll begin at 1pm on Saturday, Sept 13th, at the Simpson Library in Mechanicsburg. Beginners welcome! Hope to see you there! Reminder: in addition to our quarterly educational meetups, we have monthly coffee meetups at 1pm on the fourth Sunday of every month at Denim Coffee in Mechanicsburg. The next coffee meetup is on Sunday, Sept 28th.
-------------------------------
There's one important technical news story to talk about from the past week. News recently broke of a supply chain attack involving the node package manager (NPM) registry for JavaScript libraries, which can potentially affect wallets that depend on the affected packages.
Here's the breakdown: when developers build wallets, they usually don't build them from scratch. One popular approach is to build on existing code libraries. As an analogy, if you're trying to build a ten-story building, using one of these NPM libraries is like starting with the foundation and the first couple of floors already in place, which makes the work a lot faster and easier. This week we learned the downside: if there's an issue in one of these code libraries, it can potentially affect all of the downstream software that builds upon it. Which wallets build upon these NPM libraries? A lot.
What can this malicious code do? When you're building a transaction, it can replace the recipient's address with the attacker's address. Not only are they replacing the address, they are using addresses that resemble portions of the intended recipient's address. This means that if you're trying to send to an address that ends in xyz, the attacker can insert one of their own addresses that also ends in xyz. They know that many people only check the first few and last few characters of an address, rather than the middle or the whole thing.
This is where hardware wallets really shine. When using a hardware wallet that has a screen, the destination address can be verified on the device before the transaction is signed, guarding against this attack: if the software has swapped in an attacker's address, the device shows it, and comparing it against the intended address exposes the swap. When entrusting a device with your hodl, it can't be stressed enough how valuable screen-equipped hardware devices are for protecting against such attacks.
Mitigation Strategies:
For hardware wallets: Verify the full address on the device's screen before signing; compare it to the intended recipient. Avoid signing if there's any discrepancy.
Switch to non-NPM software like Sparrow Wallet for compatible hardware (e.g., Trezor, Ledger, BitBox, Jade, Keystone).
For hardware devices without screens (e.g., BitKey, Tapsigner): Avoid on-chain transactions until updates are released.
General advice: Check full addresses (not just first/last characters), especially for large transactions. There is no undo in Bitcoin—take time to verify.
Unless you're willing to take the risk, refrain from sending on-chain transactions from hot wallets until the situation becomes clearer.
Stay informed as the situation evolves.
Use open-source, air-gapped, bitcoin-only, screen-equipped hardware wallets for best security, and always verify addresses.
Slow down and never panic! Ask for help from trusted contacts if you need help or advice.
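To make the "check the whole address" advice concrete, here is a small added verification helper (not from the newsletter or any wallet project). It compares the address you meant to pay against the one your software or device shows, and labels the case where only the ends agree; all three addresses are constructed samples, not real payees.

```python
# Added example: why comparing only the first/last characters misses an address swap.
# All addresses below are constructed samples (bech32-looking strings), not real payees.

INTENDED  = "bc1qa7x2zr4d8gf5vwd0s3jn54khce6muak9m3ws4p"  # what the user meant to pay
LOOKALIKE = "bc1qa7x2h5ce6mjq2y9xgtp0s4l7ndw3fuk9m3ws4p"  # same first/last 8 chars, different middle
UNRELATED = "bc1qz2v9zr4d8gf5vwd0s3jn54khce6muat6r2dl8c"  # differs at the ends as well


def normalize(addr: str) -> str:
    """Bech32 (bc1...) addresses are case-insensitive, so a device that displays
    them in upper case is not a mismatch; legacy base58 addresses stay case-sensitive."""
    a = addr.strip()
    return a.lower() if a.lower().startswith("bc1") else a


def ends_only_check(intended: str, shown: str, n: int = 4) -> bool:
    """The habit the swap exploits: look at only the first and last n characters."""
    i, s = normalize(intended), normalize(shown)
    return i[:n] == s[:n] and i[-n:] == s[-n:]


def diff_positions(intended: str, shown: str) -> list:
    """Indices at which the two addresses differ (length differences count as diffs)."""
    i, s = normalize(intended), normalize(shown)
    return [k for k in range(max(len(i), len(s)))
            if k >= len(i) or k >= len(s) or i[k] != s[k]]


def classify(intended: str, shown: str, n: int = 4) -> str:
    """Full comparison. 'lookalike' means the ends agree but the middle does not,
    which is exactly the pattern described above."""
    if normalize(intended) == normalize(shown):
        return "match"
    if ends_only_check(intended, shown, n):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    for shown in (INTENDED, LOOKALIKE, UNRELATED, INTENDED.upper()):
        print(f"{shown}: ends-only={ends_only_check(INTENDED, shown)} "
              f"full={classify(INTENDED, shown)} "
              f"first diffs at {diff_positions(INTENDED, shown)[:5]}")
```

The lookalike passes the ends-only check and only the full comparison catches it, which is the whole point of reading the address on the device screen end to end.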
-------------------------
Hope to see you this Saturday!
~lonelypumpkins
Central PA Bitcoiners