In Silicon Valley a startup is a vehicle for performing an experiment. The motivation is usually a hypothesis of the form:

If we build and promote this product/service correctly and with the right timing, we will generate a scalable business that will significantly change an existing market or create a new one.

Once a startup has succeeded, it’s possible to construct a narrative showing how the hypothetical assumptions played out as the founders had hoped. For unsuccessful startups, it’s frequently the case that the experiment runs out of funding before the hypothesis has been fully put to the test. The participation of investors adds an implicit constraint to the experiment:

It’s possible to carry this out in stages of funding. The first stage requires $X, and will reach milestone M within T months.

Of course, experiments can and do fail before the money runs out. When this happens, it’s rare that founders acknowledge it and return the remaining funds to investors. Most often, failed startups linger on until they run out of cash. If you’re in Silicon Valley, I bet you already have an example in mind. If you’re not, know that many companies you’ve read about on Techcrunch are ghost ships. Long written off by their investors, they fly on autopilot like Payne Stewart’s jet. They may show signs of life once in a while because employees have to do something (“we just added wings to this boat because we like wings, it probably won’t fly but I’ll write a blog post about how pretty it looks“). Unlike human beings, companies tend to look healthy to outsiders even (and perhaps especially) when they are hopeless.

In my view, this is the worst possible failure mode for the founders. They often spend the remaining funding on keeping the startup alive for as long as possible. Sometimes they downsize, take pay cuts, and stretch the funding to last for years. This behavior is fueled by biases such as the IKEA Effect (people place an irrationally high value on what they have created), or the reluctance to accept that the effort spent thus far (sunk cost) has yielded little value. Some of these startups find metaphorical soft landings, but a startup is less like a physical aircraft and more like an expensive flight simulator.

When I was running my last startup I tried to avoid the above scenario. During the fundraising process I wrote down where I’d need the company to be at certain points in the future in order to want to go on. I saw this as a sort of contract with myself. Lucky for me, we always reached our goals (not always with much room to spare, of course) and were doing well when we were acquired. After that I tried other self-funded experiments by myself, for which I did the same thing. The latest of them was Cointipping, an app for sending small amounts of Dogecoin. I started it in early 2014, and I abandoned after a few months without thinking twice about it.

If I were to start a company today, I’d formalize the process. I’d have a set of minimum goals to accomplish in six months, and a tentative set for six months after that. If when the six months have passed I haven’t reached my goals, I’d fire myself. Otherwise I’d evaluate the next set of goals to see if it still makes sense and adjust it accordingly. Repeat until the company has reached momentum or died trying.

Final thought: this kind of self-imposed accountability is what most politicians abhor: when you’re not motivated to fulfill your promises but you want to keep your job, you do not want to be evaluated based on the results. However, a startup is not about staying in power. It is (to me, at least) about having a realistic chance of building something at scale. There are unlimited ways to do it, and no need to hold on to a particular one because “hey, we still have seven months of runway. Let’s pivot into something that won’t piss off our investors even though we’re not really excited about it.”

I leave you with an episode of the British TV show “Yes, Minister” that inspired this post (the relevant part starts around 5:40).

https://www.youtube.com/watch?v=Bq_KiN3GEEw

A few days ago a neighbor in her eighties offered me a piece of advice regarding my six-month old son: “start a college fund.” For some reason it sounded to me as if she’d told me there’s a great future in plastics. I have no intention of starting a college fund for my son, and this post is an attempt to explain why.

When I entered the workforce in the early nineties I had only one tool to increase my chances of getting the job I wanted: my resume. Looking for a job worked like this:

• scan the job ad section of the newspaper
• choose a few interesting positions
• make copies of my resume and try to get them to the right people
• wait for a call

Some time later when I was on the recruiting side, finding the right person was a costly task. I started with a pile of resumes but only had time for two or three interviews per week; I had to pick promising candidates based on the little signal I had. This was a time before Facebook, LinkedIn or Google; all the information I could reasonably obtain from applicants was in those pieces of paper. Most of us believed that resumes had a high chance of containing lies, because most claims were unverifiable. Probably the easiest ones to verify were someone’s degree and GPA, so we believed that people would have less of an incentive to make those up. For that reason we prioritized candidates from the best schools and with the best grades (assuming their resumes didn’t contain negative signals such as horrendous grammar).

Over the course of the next decade (and especially in the software industry) this started to change. First, people became searchable. The best software developeres often had a web page or some online trace of their work. LinkedIn slowly started making resumes irrelevant: the chances of being found out are much higher if you lie on your LinkedIn page. GitHub made it much easier to know if someone can write code.

When I look for software developers today and want to decide whether someone is worth meeting, the college signal has a tiny influence compared to everything else. As I said four years ago, I probably won’t interview someone who doesn’t have a LinkedIn profile and a GitHub account with some activity. I do not think the college signal is worthless though: to me, being able to stick with at least four years of structured coursework and tests is an indicator of consistency, discipline, and a certain type of intelligence.

If someone asks me the question “I want to become a professional software developer. With that objective, is college worth the investment?” my answer is no. This is one of the reasons I became involved with Platzi: it that’s your goal, it gives you a much better ROI.

Of course there are other fields for which a formal education and certification is still important (medicine is the most obvious one). Also, there are other reasons to go to college besides increasing your value as a worker: it’s a life experience, a good way to meet like-minded people, and it provides a good place to learn from others (of course not the only place or even the best, as was the case before the internet). Unfortunately I do not believe those reasons justify the cost of college in the US for someone who’s not quite wealthy. I’m sure the deans of Ivy League universities would entertain a different opinion, given that the future of their industry depends on the perceived value of their services. What they won’t say is that the commoditization of degrees caused by the expansion of their business means that having one is no longer the differentiator it was one or two generations ago.

In conclusion, I don’t think it will be indispensable for my son to pay hundreds of thousands of dollars to become a successful professional. He may choose to do so if he wants to enter a field requiring access to expensive laboratory equipment, or one requiring legal certification monopolized by universities. However, there’s a growing list of professions that will employ smart and resourceful people regardless of where or how they acquired their skills.

Next week 114 startups will be presenting at the YCombinator Demo Days. That’s a huge number; I’ve been looking into some of them and it’s overwhelming. To me, incubator demo days bring to mind the Hunger Games: a number of extremely driven founders compete for investor attention and money over the course of a few hours. Interestingly this is more like a real game: nobody will die (hopefully), and there are multiple chances to participate in it. If I were playing, I’d focus on maximizing my chances of getting the ideal investors for my company. So who are those ideal investors?

Let’s use the following definition: an investor is someone who gives you money in exchange for ownership in your company. By that definition, the minimum value from an investor is the amount of money he/she contributes. Obviously it’s possible to get much more out of an investor. These are my criteria for choosing:

• All else being equal, pick someone who was a funded entrepreneur once. You can’t be a teacher without having been a student. You can’t become a pilot if you haven’t been a passenger first. If I had to pick between two investors, I’d prefer the one who was in my shoes once. There are a number of reasons beyond empathy. If nothing else, this person must have faced some of the problems you are having or will have.
• Have at least one investor who’s well connected in your target market or industry. I’d be very skeptical of a medical startup who had zero doctors as investors, for example. So many rich doctors in the US and you couldn’t convince one to invest? Do you at the very least have an investor who’s a respectable healthcare industry insider? Besides the credibility, having someone motivated to introduce you to their peers can be extremely valuable.
• For some startups, an investor with a megaphone is essential. Of course, there are different types of megaphones. A large following on Twitter is an obvious one, but there are others. In certain niches some people have loud voices that don’t translate into thousands of social media followers. On the other hand, having a celebrity with a million followers as an investor may not give you the attention you need. The more of an introverted nerd you are, the more you need others with a vested interest in helping you promote your product or service.
• An investor with no time for you might as well be just money. Suppose you have the ideal investor with all the previous properties, but he/she never replies to your emails. This is more common than you’d think. Some successful people have too many investments and too little time. One of the traits of (what I consider) good investors is that they know when they can be helpful. When I reached out to my IndexTank investors with specific asks, they always stepped up. How do you know if this will be the case? Ask their portfolio companies. They perform their due diligence on you, and of course you must do the same. When I was raising money for IndexTank and things were heating up, we got substantial interest from desirable investors that I’d never met in person. If I was inclined to let someone into the round, I made up a rule: I’d have to meet in person and chat for a while before taking their money. That meant many hours of driving in the Bay Area, but it was worth it.

The corollary of this is that a desirable startup is the one that has choices. If you can’t convince the investors your company needs, that’s a problem you need to solve first. Picking undesirable investors just because they are the only ones who want you is the same as marrying the first person who’ll say yes. I won’t tell you how to make your company attractive, at the very least you’d have to buy me coffee 🙂

Also keep in mind that the odds are never in your favor. It wouldn’t be fun if they were.

It occurred to me that trying to give startup advice to a founder is somewhat like coaching a marathon runner during the race: it’s not completely useless, but you’d want to start months or years earlier. Of course, as an investor you don’t have that luxury; you typically meet founders at mile 2 or 3 (e.g. YC, AngelList, demo days). This why there are so many startup advice posts by investors. I find it more interesting to think about those who want to start a startup, and who believe they’re ready for it. These are a few questions that I’d want a potential founder to ask him/herself:

• Are you extremely competitive? The Silicon Valley startup ecosystem is about extreme competition. You will be competing for funding of course: an investor has limited money and attention. You’ll be competing for talent, press coverage and obviously for users/customers/eyeballs. And often it’s not a “you win some, you lose some” situation. For example, funding is usually “you lose lots, maybe you win one.”
• Do you like selling? The above activities are not about building, they are about convincing others to give you something (money, resources, time, attention). If you like to build things but are terrible at selling, you’ll be competing against the best. It won’t be a fair fight.
• Have you ever stuck with a multi-year goal despite unfavorable odds? Things like college obviously don’t count, because they are designed for your success. What does? Perhaps having worked thousands hours to get really good at something, especially if you didn’t seem particularly talented at it (a sport, a musical instrument).
• Are you ok with doing mundane/boring stuff most of the time? Building a business is mostly boring work. Writing code is usually not boring (if you like it), but if you’re doing things right you won’t be coding for long. Or building hardware, or designing, or whatever. You’ll be attracting employees, keeping them excited, figuring out how to make money flow into your company (both through sales and investments). You’ll be dealing with lawyers, landlords, service providers. Giving presentations, tweeting, perhaps writing articles and/or interacting with the media. Your involvement with your product will decrease over time; if you really like product development (think Steve Jobs) you’ll either neglect other tasks or do it in your “free time.”

If not one of the potential founders is extremely competitive, I’d say don’t even bother. You’ll get crushed. If you’re lucky it will be quick and obvious, if not you won’t even know it for some time. Maybe you can learn to be competitive, but I have my doubts.

If you don’t like selling, see if you can force yourself to do it for a while. At the very least you must be decent at it, and not hate it. If you can’t or won’t… good luck.

If you haven’t done anything really hard that took years, why is that? If you’ve given up on too many things, that’s a bad sign. If you’ve accomplished something significant but it did not seem that hard, you have hope. Be honest with yourself regarding your ability to deal with an adverse situation for a long period of time. This one is hard to predict, so you may have to take a risk and see.

Do you really, really like coding? As in, is it really important for you to get better at building things, to hone your craft? That’s something to overcome. Startups are about getting people to use your stuff and eventually paying you by any means necessary. Nobody cares if your service or product is powered by beautiful code, minimum-wage employees, magic or impeccably logical Vulcans. Many aspects of your company will be barely good enough because you’ll be operating at your limits. If your software (or in general whatever is under the hood) is too good, it probably means you are sacrificing aspects that you can’t afford. Worse, you don’t even know it because you don’t get feedback from users who don’t exist, or from investors who rolled their eyes after you left the room.

The reason most of us only hear about the interesting aspects of startups is obvious: they make for good entertainment. Boring, mundane work is not news. It is, however, what can make you a successful business person if you do it right and get lucky.

This clip never gets old. Founder life is sometimes like this, often much less exciting.

Here’s a mildly interesting puzzle: suppose you have an ordered sequence (e.g. the numbers 1 to 10). How would you randomly divide it into partitions such that any possible partition is equally likely? Your partitions can have anywhere between one and ten elements. One example partition could be [1 2 3 4] [5] [6 7] [8] [9 10].

Before I give you the solution, here are a couple of hints:

• There are four possible partitions of three elements:

  [1] [2] [3]
  [1 2] [3]
  [1] [2 3]
  [1 2 3]

• If you were to run your function a large number of times, you would expect each one of those to occur close to 25% of the time.

In Clojure, you could test your random partition function like this:

(frequencies
 (take 100000
       (repeatedly #(random-partition [1 2 3]))))

And if your function worked properly, you’d expect your output to look like:

{((1 2 3)) 24726, ((1) (2) (3)) 25049, 
((1) (2 3)) 25077, ((1 2) (3)) 25148}

A good way to look at this problem is to first calculate the number of possible partitions. If we think of the sequence as a piece of tape that we can cut, we realize that for three elements there are two places to cut. More generally, for N elements there are N-1 cutting points. At every point we can choose to cut or not to cut, which means that there are 2^(N-1) possible partitions.

With this in mind a straightforward solution to the problem is:

• traverse the sequence from left to right
• toss a coin at every cutting point
• leave it alone if it’s heads, cut if it’s tails

Note that you don’t even need to know the length of the sequence in advance. In fact, you could start cutting an infinite sequence and grab the first few random pieces (i.e. stop after a certain number of tails).

Here’s my Clojure implementation of this algorithm:

(defn random-partition [xs]
  (lazy-seq
   (when (seq xs)
     (loop [i 1]
       (if (zero? (rand-int 2))
         (recur (inc i))
         (let [[a b] (split-at i xs)]
           (cons a (random-partition b))))))))

And a much more concise one based on partition-by, courtesy of Gary Fredericks via the #clojure irc channel on Freenode:

(defn random-partition [xs]
  (partition-by (fn[_] (rand-nth [true false])) xs))

You can take 10 random pieces of the natural numbers with:

(take 10 (random-partition (range)))

and expect a result like:

((0) (1) (2) (3) (4 5 6 7) (8 9 10) (11 12) (13 14 15) (16 17) (18 19))

Please do not use this puzzle as an interview question 🙂

“There is a small satellite orbiting an unremarkable planet 50 light years from Earth. In spite of its tiny size, this floating cube of metal and silicon carries a load of paramount importance to the infrastructure of our galaxy. Inside its computer resides the Big Developer Matrix. As you can infer from its name it is fairly large, and it contains information about developers. More specifically software developers, because it was created by software developers. Each row of this matrix represents a company, and each column a developer. Every cell contains a binary value, which means either HIRE or DON’T HIRE.

The Big Matrix is rather sparse, and it is widely used by software managers across the Milky Way. In fact, it is the standard tool for hiring decisions pretty much everywhere. There are some fringe planets like Earth who rarely query the Big Matrix, and nobody is quite sure why. One of the maintainers of the software suspects it may have to do with a mismatch between the latency of communications and the average life spans of humans.”

— The author of this post, just now.

Unfortunately for us humans, we have little choice but to conduct technical interviews. We need an answer to the question of whether we want to hire someone or not, and we don’t have the time to really assess someone level of technical competence. Many try to approximate the Big Matrix with a series of progressive Bloom filters: techniques that tell you DON’T HIRE this person or INCONCLUSIVE. FizzBuzz is a good example of a Bloom filter question. I’ve never asked it to anyone and I don’t think I will; if you have to ask that question, you probably should rethink your pre-interview selection process.

One of the things I dislike about FizzBuzz is that it reminds me of customs forms with questions such as “have you ever been a member of the Communist party?” It’s almost insulting, and there is no way to show that you’re a good developer by coding FizzBuzz. There are questions that serve a similar purpose, while at the same time giving the candidate an opportunity to show off some skills. Here’s an example of a question that I like, even though I’ve never asked it:

Write some code that calculates how many numbers under a million (positive integers) have digits that add up to 42.

Why do I like this question? For one, it doesn’t require any specific knowledge besides basic programming techniques and math. Anybody who spent some time programming in some language should know enough to solve that in a few lines. Also, it has a mundane element that you normally encounter in real-life programming: one straightforward way of answering the question involves converting integers to strings and back. Furthermore, it lends itself to elegant functional solutions. Finally, getting the reference is an added bonus for personality fit 🙂

I asked this question on Twitter a couple of nights ago just for fun, and got some quick responses. The first one, in Haskell:

.@dbasch length (filter (==42) ((map (sum . map (read . return) . show) [1..100001])))

— Values Alchemist •ᴥ• (@bitemyapp) July 31, 2014

another one, in Python:

@dbasch python3: sum(1 for x in range(1, 1000000) if sum(map(int, str(x))) == 42) — Adam Midvidy (@amidvidy) July 31, 2014

Clojure:

(count (filter (fn [n] (= 42 (reduce + (map #(Integer. (str %)) (str n))))) (range 1000000)))

— noisesmith (@noisesmith) August 1, 2014

Ruby:

.@dbasch (1…1000000).select{|i| i.to_s.each_char.map(&:to_i).inject(:+) == 42}.size # => 6062

— Abe Voelker (@abevoelker) July 31, 2014

One of my favorites, in C and bash:

.@dbasch echo ‘main(){for(int i=0,s,n;i<1e6;++i){s=0,n=i;while(n){s+=n%10;n/=10;}(s==42)?printf(“%i “,i):0;}}’|gcc -xc -&&./a.out|wc -w — Adam Midvidy (@amidvidy) July 31, 2014

One I did in Clojure, without using strings and using recursion:

(count (filter #(= 42 %)
               (map (fn d [n]
                      (if (> 10 n)
                        n
                        (+ (mod n 10) (d (quot n 10)))))
                     (range 1e6))))

One in Forth by @technomancy:

s dup if 10 /mod recurse + then ; : f 0 1000000 0 do i s 42 = if 1 + then loop ;

I couldn’t fit a Java version into a tweet, but someone did it with Java 8:

class S{public static void main(String a[])
{int i=0,j=0;for(;i++<1e6;j+=(i+"").
chars().map(x->x-48).sum()==42?1:0);System.out.print(j);}}

@ejenk reduced the Haskell version to:

length . filter (== 42) . fmap sum . replicateM 6 $ [0..9]

There were a few other good solutions. The shortest were in languages like sed or Wolphram, which allowed the authors to “cheat” somewhat.

Conclusion

I will never get to ask the 42 question in an interview. If I did, I wouldn’t expect a candidate to show off code-colfing skills. I might ask about performance considerations for a larger space, and be pleasantly surprised if the candidate pondered solving the problem  mathematically for a second.

While this particular question may seem very easy in the comfort of your browser and favorite editor, it’s not trivial in the context of an interview. Always remember that technical interviews are very stressful; some of the best candidates I interviewed had sweaty palms upon entering the room. Even the best of us sometimes forget to bring a towel.

Note: this is a post from 2011. It used to be on the IndexTank blog which no longer exists, so I’m putting it up here. —

When I interview a candidate here at IndexTank, I take it very seriously and try to be at the top of my game. I have to prove to this person that it’s worth choosing our company over others. Desirable candidates have many choices, so I’m competing with every hot tech company in the Bay Area.

Candidates often forget this fact. I expect them to bombard me with questions about where we are going, what I’m thinking, what it’s like to work here. Maybe even ask me a hard technical question, it’s only fair. I plan for ample interview time for this reason.

It turns out, the majority of the people don’t do this. They simply put on their best face, answer every question and try to sell themselves. Some ask questions everyone should ask, such as the financial situation of the company. Very rarely someone probes me to see if they would like to have me as their boss.

In a previous post I mentioned an interview I had at Netscape in 1998. I can freely talk about that one; Netscape has been effectively dead so long that younger generations may think it was a brand of milk chocolate.

It all started when a got a call from Netscape through a friend who had joined a few months before and recommended me. That was enough for them to fly me over to the Bay Area for an interview a week later. Arrived from Pittsburgh late at night, drove from SFO to a generic hotel in Mountain View where I spent the evening reading about how Netscape was doing. They had just announced that they would be releasing their source code to the public, which was very intriguing to me.

I remember arriving at Netscape, a gigantic campus that used to belong to HP. Maybe they had four thousand employees at the time. I was told that I was interviewing to replace employee #7 (everyone talked about their own employee number) who was leaving because he was fully vested that month (red flag).

At first glance I was impressed with the place. People with purple hair roller-skating around the office with their dogs. It was my first encounter with the “creative minds of Silicon Valley” in their natural environment.

During lunch came another red flag. One manager talked about how they were a bit bummed because Yahoo had just surpassed their market valuation. Both companies were public at the time, and it was right when the Nasdaq was starting to take off like a rocket (which turned out to be the Challenger if you pardon the bad taste of my pun).

What really sealed it for me where the technical interviews. The first guy who interviewed me was a C guru. He spent most of the interview talking about himself and asked me one trivia question: why is EOF in C defined as -1 (btw, this is platform dependent). Look it up if you’re interested. This was a prelude to explain a hideous bug he’d been fighting based on that behavior and how proud he was about it.

Another guy asked me a few “aha” questions which I got (I was really into puzzles and brainteasers at the time). They were unrelated to programming for the most part. The only hard programming question was how to traverse a binary tree with two pointers and without using a stack. Good luck figuring that one out during an interview.

If I ask you that question during an interview and you answer it correctly, there are three possibilities:

• you’re super smart
• you knew the answer beforehand and are a good actor
• you lucked out into the solution and are reasonably smart

Not a lot of information. But most importantly, it says little about whether you’re capable of fixing horrendous bugs in the Mac version of Netscape Navigator (release 4, now with extra bloat!).

I had been a big fan of Netscape until then. I left the building that evening with mixed feelings. Nobody seemed excited about open-sourcing the code, the original people were leaving, the coder gurus projected strange attitudes to a lowly candidate. I didn’t want to work there. It turned out I never had to make a decision because they didn’t call me back. A few months later they were acquired by AOL, who proceeded to gut the company and turn netscape.com into yet-another-portal.

I still thank them for flying me over from Pittsburgh, rental car, hotel and meals paid. That’s how I came to the Bay Area for the first time and thirteen years later I’m still here.

If you liked this post, follow me on Twitter. If you didn’t, thanks for reading this far 🙂

Problem: owning cryptocurrency is hard. That’s right, just owning it. Most people have no idea where to start. Want to buy bitcoins? Sure, you can sign up for any of the major exchanges. You just need a bank account, a credit card, a phone number. Fill up these forms with black ink and go to the next window. Most people on this planet won’t even bother unless they have a compelling reason. If you own cryptocurrency, have you convinced any friends or family members to even take your crypto-money as a gift? At the very least you’d have to create a “paper wallet” for them, or help them install geeky software that’s easy to screw up (Bitcoin Qt, I’m looking at you).

The idea for cointipping.com came to me a few weeks ago, after having dinner with my friend Sean Grove. He has a habit of insisting on paying for our dinners, and likes to refuse my cash. After sharing some delicious Chinese, I told him I’d send him some Dogecoins for my share of the check. He could refuse my dollar bills, but he’d have to take my crypto-coins.

When I got home, I told Sean to get a Cryptsy account and tried to do an internal transfer of 35k dogecoins. I gave him my referral link, he opened an account, I asked him for his internal trade key (33c21fd675a31442d263dcd923ce974ba71425f1). I made the transfer, and it took about three days for the coins to show up on his Cryptsy account. We never knew exactly why.

I didn’t want to create work for Sean, so the alternative would have been to print out a paper wallet with 35k dogecoins and give it to him. It would look like this:

What would you do if I gave you a piece of paper with that on it? Probably file it in a drawer and forget about it.  Enough is enough, I thought. In the famous words of Samuel L. Jackson, I’d had it with the monkey-fighting bureaucracy in this Monday-to-Friday blockchain. Why couldn’t it be as easy as getting this in front of Sean’s face?

Let’s reduce the barrier to entry, shall we? Nobody needs to download software or create a wallet to take your cash. You’ll grab my $20 bill even if you don’t have your wallet with you, or if you can’t look up your bank account number.

So about three weeks ago I went into a coding frenzy and came back to the surface with cointipping.com in its current form. Sure, it’s an MVP. It reeks of Bootstrap, and it lacks some basic usability features (thanks Sean for all your help with the UI, the technical details would make for an interesting post). I try to be security-conscious, and I’m backing up everything hourly. Still, there is no guarantee that the site won’t go up in flames, losing $25 worth of dogecoins in the process (that’s the current amount in the online wallet). Forgive me, I’m just one rusty old hacker.

Still, it serves one purpose: it does make it really easy to put dogecoins in the hands of people who know absolutely nothing about cyptocurrency. Sean can leave his coins on the site and forget about them until it’s worth his time to figure out what to do with them. He could withdraw them whenever, of course. He can always tip other people through the site, some of whom might withdraw them straight to their wallets. Easy breezy beautiful!

Before all my readers rush to deposit their life savings into cointipping.com, let me warn you:

This is a flimsy little site that I developed as a side project. It may get hacked. It may disappear. I respond for all the funds deposited, but I may get hit by a bus. Think of this as some loose change you may carry in your pocket to drop into a tip jar at a coffee shop. Maybe one day it will be a bank, but most likely it won’t. Don’t risk any money that you wouldn’t mind forgetting in the pocket of a shirt that you just took to the laundromat.

With all that out of the way, happy tipping. To the moon, fellow shibes!

Discuss on Hacker News

[I wrote this draft a week ago and forgot about it, but in the light of the Mt. Gox news I decided to post it because someone might find it useful]

Over the past few months I’ve noticed a significant number of forum posts by people losing crypto coins due to their own mistakes. This happens because many do not understand the basic concept of Bitcoin/Altcoin ownership, and the implications when it comes to protecting coins. I’ll try to explain here.

Suppose you roll a die one hundred times and write down the results:  3, 5, 2, 6, 2, 5, 6, 5, … (90 more numbers) … 4, 2. What you have now is a very unique list of numbers. You could repeat the operation billions of times every second for trillions of years and it is extremely unlikely that you would see the same sequence again. If you hadn’t written it down, it would be lost forever. Nobody would be able to reproduce it.

The number of possible sequences of 100 die rolls is about the same order of magnitude as the number of Bitcoin keys. In fact, the procedure I just described is a secure way to generate a key and its corresponding address [there are fewer addresses than keys, so you could generate a secure key with fewer rolls; let’s ignore that for now]

Here are two basic facts that you must know:

1) If you generate a Bitcoin address securely (as described above, for example), deposit money into it, and forget the key, the money is gone. Poof. Nobody can get it back.

2) If you store that key on your computer, anybody who can access your computer can steal all your coins.

The first fact should be obvious by now. Unless there is a problem with the Bitcoin protocol (in which case Bitcoin would become worthless anyway), there is no way to obtain the key for an address. The second fact is obvious too, but most people don’t realize its implications.

Until a few years ago, professional virus writers could not derive a huge amount of value from controlling a remote computer. They could create a botnet, launch distributed denial-of-service attacks, generate fake ad clicks. “Owning” a random computer wasn’t particularly valuable. That was then.

Right now there are probably thousands of computers on the internet that contain the keys to a large amount of crypto wealth. There are a few well-known formats for storing Bitcoin private keys. It is trivial for a virus writer to include a few lines of code that search for those just in case. You might think the solution is to keep your wallet encrypted, and you would be wrong. If malware is running on your computer, it could easily log your keystrokes when you type the password to your wallet. This happens all the time.

Knowing all this, many people opt to keep their bitcoins in an exchange. However, exchanges are not banks. Your money is not protected by governments. Over the past few weeks Mt. Gox (once the largest Bitcoin exchange) has been in the news because there is a significant change that they are insolvent. If they go out of business, chances are their customers will lose all their funds.

What is the solution, then?

First of all, you should not generate a Bitcoin key / address pair on an online computer. The easiest way to do this is to use a trusted, open source wallet on an offline computer, make a backup of the keys and securely erase the hard drive (or never connect tot he internet again). Perhaps the easiest way to do it is to boot a volatile Ubuntu from a USB drive (and ignore any requests to connect to a network).

Now that you know that your keys are not accessible via the internet, the question is how to store them. This is a more difficult problem because there is a conflict: on one hand you don’t want to have your keys in just one place. It’s best to have a few copies in different locations. On the other hand the more copies you have, the higher the chances that someone might find one. So far the best solution to this problem is BIP38 encryption (warning: highly technical document). The gist: instead of storing copies of the keys in a usable format, you keep them encrypted. If your passphrase is strong enough (e.g. at least four English words truly picked at random), then nobody should be able to decrypt and use your key.

There is still one more problem left: what if you lose or forget the passphrase? What if something happens to you? It does make sense to write down the passphrase, and store it separately from the keys. Perhaps you can give the passphrase to a trusted family member, and leave the location of the keys in your will. At this point there won’t be one solution that works for everyone. Once again, the key point to remember is that if any piece of information needed to restore a Bitcoin key is lost, the bitcoins are lost.

Complicated, isn’t it? My conclusion is that cryptocurrencies have a way to go before they can be as user-friendly as established payment technologies. In the meantime, don’t let this happen to you:

Over the past few days, someone has been sending tiny amounts of bitcoin (one satoshi) to thousands of addresses. Those transactions are unlikely to be confirmed, but they do show up on blockchain.info for now. Here’s one example:

The satoshis come from two vanity addresses: 1Enjoy… and 1Sochi…

If you click on the first address as I write this, you will see that its most recent transaction contains a link with the text “Play and win BTC”

The link leads to what looks like a bitcoin gambling site, bitwars dot org. I’m not linking to it for obvious reasons.

Some googling shows it has been done before. Here’s a discussion on Stackexchange. If you have received these tiny amounts and wondered what they are about, now you know. You can safely ignore them. Just like life, spam will always find a way.