Online voting

I’ve been fascinated with the topic of online voting for a long time, so I was interested, but not terribly surprised to read that the FBI claims foreign hackers penetrated state election systems.

My thoughts on online voting have changed as I’ve grown older.

In high school and college I said technology is the future! It’s insane that we’re still using paper and pencil for something so important. Computers are better at counting than humans. Yay e-voting!

Then I realized that you can’t trust individual company or organization with that much power & any trusted online voting software would have to be open source so that it could be independently verified by security experts everywhere.

Then I learned more about how many 0-day vulnerabilities exist and are being stock-piled by state actors for every layer of the stack. Our routers, firmware, operating systems, browsers, popular code libraries, etc. It’s all been compromised. You can’t trust any of it. So you’d have to open-source the hardware too & probably keep the whole thing air-gapped from the internet. And still that might not be enough!

Today, I believe there’s no way to secure a system (electronic or not) without publishing a log of every vote cast. This gets tricky when you have secret ballots, but there are a couple ways to handle it. The first way would to be to allow people to choose whether they want their ballot to be public or private. That way you’d end up with enough public votes that you should be able to tell whether the election was massively rigged or not (assuming you expect the private votes to follow the same distribution as the public ones). The second option would be to assign everyone a private one-time key when they vote — a receipt they can look up later. Everyone can then look up the key from their voting receipt on the public log and make sure their vote was tallied correctly. The second option has the benefit of keeping secret ballots, but you’d need a separate way to verify that the number of lines in the public log is the same as the number of people who showed up to vote. That can be solved by publishing a list of who showed up to vote.

Of course, we can’t know for sure that we’ve had a fair election while the NSA dragnet continues to exist. We would never know which candidates were forced to drop out from those in power using their access to surveillance intel to blackmail a candidate or leak their dirty secrets to the press.


Make a map from your spreadsheet

Looking for an easy way to work with location data or make a map from a spreadsheet? My latest project, GeoSheets is a free Google Spreadsheets add-on that I built with a couple friends.

Geosheets lets you quickly and easily work with location data in a spreadsheet and do things like:

  • Geocode addresses
  • Look up metadata for an address (like the neighborhood or region)
  • Normalize location-based data (convert “California” to “CA”, etc)
  • Plot a bunch of addresses on a map
  • Customize and share the map with your friends!

We spent a lot of time making sure it was simple to use and creating your first map is as easy as:

=GEO_MAP(A1:A5, “map”)

Check out some examples or documentation and try it out for yourself.


Exporting Robinhood investments to CSV

I recently discovered Robinhood. It’s a mobile trading platform that let’s you invest in the stock market without paying any trading fees. I can’t shake the feeling that 0-fee trading is going to be one of those game-changes that creates a whole range of new applications that weren’t possible before. Quantopian is an early example, but I bet there will be more.

If you’re new to Robinhood, feel free to use my Robinhood referral link when you sign up to get a free share of a randomly selected stock when you fund your account.

Robinhood is currently only available on mobile and it doesn’t have any of the charts and graphs you would find on any other trading platform. Here’s a little python script I cooked up that will let you export your Robinhood trades to a .csv file you can import into Google Finance or whatever tool you use to track your investments.

Before running this code, make sure you have python & pip installed on your computer. You can either view the code on Github or if you trust me, open your terminal and run the following commands. If you have git installed, you can fetch the files you need using:

git clone

Otherwise, manually download the files. Then:

cd robinhood-to-csv
pip install -r requirements.txt

The script will request your credentials then prompt you for a filename like this:

Robinhood username:
1 queued trade and 11 executed trades found in your account.
Choose a filename or press enter to save to `robinhood.csv`:

Can’t remember which social login method you used?

Once upon a time we used usernames and passwords to sign into websites. Unless you used multiple email addresses, your password was the single piece of information you had to remember. With password services like LastPass and 1Password, you didn’t have to remember anything.

But then sites started offering social login via Facebook, Twitter, Google, LinkedIn, Amazon, Github, Yahoo, Instagram and a whole host of other authentication options. Oops, you have accounts on all of those services. You can’t remember which one you used to sign up. Maybe you guess wrong and end up with two separate accounts that you can’t figure out how to merge. Ever been there? You’re not alone.

I dug into some real data from a company I worked with that offers multiple login options. For each 1,000 legitimate login attempts, there were 531 successful logins and 112 password resets. In other words, people were having a far harder time signing in than I would have imagined. If you run your own site, I recommend you look at your own data. My guess is you’ll be as surprised as I was at how few login attempts are successful.

If your site offers multiple login options, there’s an easy way you can remove this pain and increase your site usage. Set a cookie that remembers which authentication method was used to create their account along with any services that have been linked. Then use that data to highlight the options that can actually be used to sign in and hide everything else.


Fresh paint

I just pushed a new design for this site. Despite my infrequent posting, I’m still getting decent traffic every day from Google. The makeover was long overdue as the previous design from 2007 was starting to feel quite dated.

My goal was to design something that felt more modern and works better on mobile. Clean and simple. Focus on the content. I’m still running on WordPress, but I hacked up a new theme that uses Twitter Bootstrap to make it responsive and the Lato font to make it pretty.

I’ve switched the comments over to Facebook. Requiring commenters to use their real identity is the best way I know to deal with spam. I can’t import old comments into Facebook, so I’ll be using Disqus for historical posts.



Want to be more disciplined?

I love this quote from the founder of Dropbox, Drew Houston:

The hardest-working people don’t work hard because they’re disciplined. They work hard because working on an exciting problem is fun.

Want to be more disciplined? How about finding something you truly care about instead?



I’ve written before about the injustice of our prison system in the United States. I continue to be horrified by the racism and unfairness shown in the enforcement of our laws. The deprivation of anyone’s liberty is not something that should be taken lightly, and certainly never for the sake of financial gain. It should go without saying, but neither should rape ever be the punchline of a joke.

I’ve been really impressed with John Oliver’s Last Week Tonight. He’s hilarious, but more importantly, he’s not scared to tackle hard but important issues head on. This episode about prison is no exception.


Introducing my latest startup, Forage

I’ve always hated going to the grocery store. It’s such a pain to figure out what to make, how to get to the store and then find everything I need. I’m sick of throwing away food that I don’t eat in time. And why do I need to buy a $8 container of cumin when I only need 1 tsp!?!

I’m stoked to finally share what I’ve been working on for the last few months. Today we’re launching Forage — delicious meals that you can cook at home in 20 mins or less. All the ingredients are pre-measured so you can explore new types of dishes without all the waste.

I’d love to have you check it out. If nothing else, sign up to take advantage of some free food!


Inalienable rights

When I visited Hiroshima and the Peace museum there, I was blown away by the forgiveness exhibited by the Japanese people. Walking around that museum was one of the most moving experiences of my life. We called it the “cry museum”. There’s something wrong with you if you can walk through that museum without shedding a tear. The museum is a memorial for the atomic bomb victims and it shows the price of war in a very up-close and uncomfortable way.

Today I stumbled on this TED talk by George Takei on Why I love a country that once betrayed me:

Once again, I found myself blown away by the unbelievable amount of forgiveness by the Japanese people.

I was also reminded of how much I appreciate the ideals on which the United States was founded — the idea that all people are created equal. The idea that all people have an inalienable right to life, liberty and the pursuit of happiness.

Today there are countless examples of inequality in our country. It’s so easy to be discouraged. Takei’s story is certainly a solemn reminder of how easily we can slip away from these founding principles. Bono likes to talk about the “blind spots of our age”. We look back on the injustice we displayed to Japanese Americans with horror and disgrace. What are the things we’re accepting today that history will judge us for?

Those inalienable right are still worth defending.


The security hole I found on

I found a security hole on Amazon last August. While looking at their HTTP headers, I happened to notice that the entire domain was susceptible to clickjacking attacks. If I could trick you into clicking anywhere on a webpage I controlled, I could get you to buy any product that’s available for sale on Amazon. By the way, that includes any fake products that I added to Amazon myself. For the hack to work, you needed to be signed into your Amazon account and have one-click purchasing turned on. I created a working proof-of-concept that looked like this:


Clicking either button caused an instant purchase of the movie Click (get it?). I resisted the temptation to use the exploit to send myself a million dollars worth of free Amazon gift cards, and instead responsibly disclosed it to the Amazon security team. It took them months to fix it, but the security hole has finally been closed using the x-frame-options header that I recommended.

This hack is classic clickjacking. I created a transparent iframe containing a product page on that had been carefully positioned so when you think you’re clicking on my page, you’re actually clicking the “Buy now” button on their site instead. Here’s the code for the no longer working proof of concept.