Identity Removal Tips

Deleting Reddit Account

To truly delete you reddit account, you have to individually delete all the comments you’ve ever made.  This takes a long time, but is worth it.  Then you can just delete your account – the posts and comments you left will remain with your username deleted.


Go to the Posts section and delete posts to your heart’s content.

Jobvite app on Android

unnamedBob Hite and I created an app to search Jobvite on Android devices.  Soon, we’ll be adding functionality to register a referral ID as well as a company to allow people to find job openings in their company and share them with people using other apps.


The app is hosted here.

NamecoinToBind Setup with Debian

I finally got NamecoinToBind working with bind in Debian. If you don’t know what Namecoin is, check this out (it’s pretty nerdy, so be prepared). I ran into some snags with network configuration, specifically when static-ing the IP of my DNS server. So far, I’ve registered one domain in namecoin, erik.bit. You can see the activity on this record here. If you have a working bind server, you can use NamecoinToBind to periodically create zone files for the .bit TLD. Currently, these zone files can create some issues in bind though, so you have to do the following in your bind configuration:

check-names master ignore;
check-names slave ignore;
check-names response ignore;

This basically allows things like -.bit to work, which is insane:

hank@shelob ~ $ nslookup "\-.bit"
Name:	-.bit

Password security limitations of various websites

After reading , I decided to go through and do a nice password cleansing. After a few years of “good password policies” being trumpeted around, I thought I’d find a majority of website accepting large (> 16-digit) alpha-numeric-symbolic passwords. This was a terrible assumption, and as I’ve been going through and finding these limitations, I’ve been sending complaints to each customer service department. Just a note, the passwords I’m trying are more than 20 characters with symbols, numbers, and uppercase and lowercase letters. Here’s a summary:

Site Notes Result
Amazon Allows the password. Gold Star!
Discover Card Allows the password. Gold Star!
Chase Doesn’t allow symbols.
Ally 16 character maximum!
Fidelity 12 character maximum, no symbols!
Instructables Allows the password. Gold Star!
LinkedIn Allows the password. Gold Star!
Kiva Allows the password. Gold Star!
Yahoo Allows the password. Gold Star!
Mt. Gox Allows the password. Gold Star!
Dwolla Allows the password. Gold Star!
CampBX Allows the password. Gold Star!
Paypal 20 character maximum!
Allstate Passwords must be 6 to 10 characters, certain symbols not allowed (<, >)!
Geico 16 character maximum! Only allows certain special characters!
Github Allows the password. Gold Star!
Site5 Allows the password. Gold Star!
IMDB Allows the password. Gold Star!
Ebay 16 character maximum!
Etrade Strange invalid character error, not a stated limitation. Further investigation shows no special characters are allowed.
Newegg Allows the password. Gold Star!
Netflix 4-10 characters.

The really alarming part is most of the failures I ran into had to do with banking/money. Why do these sites put limits on user password security? It seems like that’s the last place you would want these kinds of limitations. It’s hilarious that sites like IMDB, which I don’t expect strong security from whatsoever, allow me to use more secure passwords than my bank accounts. I especially love this from Etrade – they don’t specify what character was invalid, or that there are any invalid characters that could be entered:

Upon further investigation, I found out they don’t allow special characters.

I also love how Netflix apparently allows a 4-character password! That’s secure, huh!

Got some new vanity bitcoin addresses

I generated these using vanitygen.


The first two even work in firstbits (1erikg and 1manatee)!


I also got a litecoin vanity address:


I generated it like this:

./vanitygen -o vanity.out -X 48 -ik Lerikg

Bitcoin Brainfungus

So, I’ve been “fungusing,” as my friend Geet would put it, on Bitcoin lately. I got myself into a bit of a pickle lately, and I wanted to document what happened and what I did to resolve it. Basically, I’m trying to create physical bitcoins from exceedingly cheap materials. Currently, my plan is to use plastic pirate gold coins with round hologram tamper evident stickers, and under the stickers jam a QRcode or just a label with the private key. This way, you can peel off the tamper evident sticker to redeem the coin. The materials per unit will run about 10 cents (3.5 cents for the plastic, 6 cents for the sticker, plus a label/printout/whatever). There are other places where you can get physical world bitcoins, but they’re expensive! Casascius has some really nice ones for a bit more than a 2 USD premium at current prices:

I’m hoping to make it so these bits of plastic have about zero sentimental value – just pirate coins with numbers thrown on them – but they still seem like money for some reason. I might eventually experiment with metal versions.

I figured out how to generate physical-world-friendly coins using the code found here:

Basically, it seeds the random number generator with entropy from good old OSX, then proceeds to generate a bunch of private keys. It finds private keys that conform to the mini key format discussed here:

So, I went on a quest to figure out how to extract the public key from this private key. It turns out there’s some interesting elliptic curve math involved, and tools exist to somewhat securely dump out the associated data for a public key. The best one I found was the following:

This allows you to locally (yes, in javascript delivered by SSL) dump all relevant information about a private key. I proceeded to key in the private key to the Wallet Details tab, and I got all the information I needed. Next, I sent 5 bitcents (currently trading for about fifty cents USD) to the compressed address. This is where things got weird. After a bit, I noticed the transaction had propagated here:

So, I went to my Mt. Gox account and tried to redeem the private key as a deposit method. It said it was valid, but had no bitcoins associated with it. Uhoh…
Then I tried using the compressed private key. Still no go. I tried everything listed on the bitaddress page, and nothing would let me recover the address.
After a bunch of time, I finally got bitcoind compiled on OSX and properly connecting to bitcoin-qt. I added the address using the following command:

./bitcoind importprivkey L3tUmpNLdfPDMuYDpzNqfwFbCJo6sCkxCahyLibYEm4M9qAHbpZ2
error: {"code":-4,"message":"Error adding key to wallet"}

Oh of course – I forgot to unlock my wallet before doing this. This is how you fix that:

read x && ./bitcoind walletpassphrase "$x" 300 && unset x

This will read your password from STDIN, run it into the bitcoin client and have it store it for 300 seconds, then unset it from the shell. Sure, there are more secure ways to do this, but this is so quick and easy! Finally, I was able to import the private key using the command I showed first (it worked this time, but took a while). It automatically picked up the 5 bitcent balance and added it to my wallet balance (yay!). Here’s a screenshot of the key data I was working with (it’s useless now since I’ve transferred all the BTC out of this account):

As you can see, the private minikey at the bottom is really short (22 characters). I’ll probably be creating an instructable if the whole coin idea works out.


I finally got my QRCode printing down with 30% error correction built in, so I can embed the bitcoin logo front and center on the QRCode itself. Here’s an example:

This contains the private key for a wallet with a single satoshi in it. Here’s the address I used to fill the account:

I was able to print the above QRCode in color, then scan it directly into the Mt. Gox app under Transfer -> Redeem. Here’s the result:

Now all I need is a sword!

I have my bow.

And now I have MY AXE.

Flickr Tag Error: Bad call to display set '72157629238255479'

Error state follows:

  • stat: fail
  • code: 95
  • message: SSL is required

It was made by the hand of Anders Stromstedt in Sweden, who looks totally awesome:

The axe feels fantastic, looks fantastic, and has a very sharp edge. I can’t wait to go chop some stuff with it.

More Content Security Policy work

Firefox seems to be the only browser strictly enforcing the X-Content-Security-Policy header at the moment. This is both good and bad: good because it doesn’t adversely effect me here in my Chrome bubble, and bad because it seems to effect some of my readers. I installed Firefox 9 to debug the issue, and ended up with this policy:

The only problem with this is I had to whitelist all of github. This is a problem, because provided one could post script tags in comments on here, they could just link to a raw script in their repository and the policy is meaningless. Without path support in the standard grammar, I can’t properly integrate with github. I hope they add this support so I can do something like the following:

That would at least make it a little harder to do XSS. Of course, they offer subdomains, so this still doesn’t fix the problem. The only way to fix it is to whitelist explicit paths without wildcards. This is more verbose, but it would be better.

In closing, I like CSP, and I think it’s a good idea, but it’s still in early stages after a couple years, and needs a bit of work.

The Smashrun Fusion Mashup: Part 2

So, I finished the first version of my FusionRunner script mentioned in the previous post. Currently, it takes all the runs from Google Fusion Tables and imports them into Smashrun after massaging the data. You can see a list of my “runs” (they’re really walks so far) Click a run to see more details. The following features are currently supported:

  • Caching of Google OAuth tokens/secrets on the filesystem
  • Ability to convert terribly formatted Fusion Table rows from My Tracks into something usable
  • Importing of all runs into Smashrun with tags based on activities

The following features are the next steps:

  • Tracking which runs have already been imported to Smashrun (probably using another Fusion Table!)
  • Contacting Smashrun and asking about including elevation data and maybe map data

I’ve emailed Smashrun, so let’s hope they get back to me. Here’s a current version of the program for your perusal: