qyckudnefDi5 commented on macOS dotfiles should not go in ~/Library/Application Support   becca.ooo/blog/macos-dotf... · Posted by u/zdw
watersb · 3 days ago
XDG directories for macOS dotfiles is my hill to tilt windmills.

To make it extra fun, my $HOME directory is immutable:

    chflags uchg "${HOME}"

(Simply setting it read-only would work too.)

Preventing arbitrary writes in $HOME breaks things, but it's actually quite rare.

I should document this setup. Or perhaps it's better to keep the madness to myself...

qyckudnefDi5 · 2 days ago
I'm curious: if you make your home directory immutable, where do you store your files like PDFs, etc.?
qyckudnefDi5 commented on Show HN: PunchCard Key Backup   github.com/volution/punch... · Posted by u/ciprian_craciun
ciprian_craciun · 3 months ago
Provided that the information one wants to keep safe is sensitive and important long term, there are two main issues with printing (either text, QRCode, or anything):

* (paranoia) can you trust your printer not to leak the secret? (either in local memory, or to send it to its cloud mother-ship?) you can encrypt your information and print that, but then you are back to square one: where do you back up the password;

* and most importantly, long term resilience: given that with normal printers you can only print on soft materials (like paper, or perhaps plastic), they won't last floods, fire, and other unlikely events; (even if one laser etches some information on a steel sheet, I don't know how resistant to abrasions it is;)

However, by actually drilling holes into a metal sheet, the only way to permanently make the data irrecoverable is to destroy the object completely.

qyckudnefDi5 · 3 months ago
For point 1, I recall the creator of Age, Filippo Valsorda, suggesting something similar:

>The .age-recipients files also include the public key for an offline disaster recovery key. I generated the key with age-keygen, encrypted it with age -p, printed the ciphertext as a QR code, and wrote the random passphrase in pen. This is a bit convoluted, but I don’t trust printers. All this was done in a tmpfs, so nothing reached storage. Only had to do this once, and have been using that key as the anchor for all my disaster recovery data. https://words.filippo.io/dispatches/passage/

qyckudnefDi5 commented on A Formal Analysis of Apple's iMessage PQ3 Protocol [pdf]   usenix.org/system/files/c... · Posted by u/luu
conradev · 4 months ago
It requires two physical security keys. You can promote the hell out of it, but having to buy and set up security keys is going to stop most people.
qyckudnefDi5 · 4 months ago
You don't need security keys to enable ADP. You need to set up a Recovery Contact or create a Recovery Key.
qyckudnefDi5 commented on Widespread power outage in Spain and Portugal   bbc.com/news/live/c9wpq8x... · Posted by u/lleims
mike_hearn · 4 months ago
This sounds big enough to require a black start. Unfortunately, those are slow and difficult.

If an entire nation trips offline then every generator station disconnects itself from the grid and the grid itself snaps apart into islands. To bring it back you have to disconnect consumer loads and then re-energize a small set of plants that have dedicated black start capability. Thermal plants require energy to start up and renewables require external sources of inertia for frequency stabilization, so this usually requires turning on a small diesel generator that creates enough power to bootstrap a bigger generator and so on up until there's enough electricity to start the plant itself. With that back online the power from it can be used to re-energize other plants that lack black start capability in a chain until you have a series of isolated islands. Those islands then have to be synchronized and reconnected, whilst simultaneously bringing load online in large blocks.

The whole thing is planned for, but you can't really rehearse for it. During a black start the grid is highly unstable. If something goes wrong then it can trip out again during the restart, sending you back to the beginning. It's especially likely if the original blackout caused undetected equipment damage, or if it was caused by such damage.

In the UK contingency planning assumes a black start could take up to 72 hours, although if things go well it would be faster. It's one reason it's a good idea to always have some cash at home.

Edit: There's a press release about a 2016 black start drill in Spain/Portugal here: https://www.ree.es/en/press-office/press-release/2016/11/spa...

qyckudnefDi5 · 4 months ago
This guy grids!
qyckudnefDi5 commented on Shell-secrets – GPG-encrypted environment variables   github.com/waj/shell-secr... · Posted by u/mgarciaisaia
pluto_modadic · 4 months ago
for a newer password manager... https://github.com/FiloSottile/passage
qyckudnefDi5 · 4 months ago
Looks like FiloSottile may have switched from passage to 1Password:

https://bsky.app/profile/filippo.abyssdomain.expert/post/3l5...

Would be interesting to get more context on why the move from storing passwords locally to an online service.

qyckudnefDi5 commented on About Google Chrome's "This extension may soon no longer be supported" (2024)   github.com/gorhill/uBlock... · Posted by u/0x000042
Angostura · 6 months ago
I'm happy with 1Blocker in Safari
qyckudnefDi5 · 6 months ago
I like Wipr. Simpler design IMHO.
qyckudnefDi5 commented on Age is a simple, modern and secure file encryption tool, format, and Go library   github.com/FiloSottile/ag... · Posted by u/gjvc
FiloSottile · a year ago
_o/ hi all, age author here! age is the one of my projects that grew most organically into an ecosystem. It's always great to see what people build with it. Happy to answer any questions.

Here are some previous discussions

132 points on Feb 26, 2023 | 77 comments | https://news.ycombinator.com/item?id=34936504

126 points on Sept 26, 2022 | 54 comments | https://news.ycombinator.com/item?id=32980141

113 points on June 11, 2022 | 33 comments | https://news.ycombinator.com/item?id=31705670

494 points on Sept 6, 2021 | 88 comments | https://news.ycombinator.com/item?id=28435613

466 points on Dec 27, 2019 | 199 comments | https://news.ycombinator.com/item?id=21895671

and here some related resources

- a list of age ecosystem projects https://github.com/FiloSottile/awesome-age

- the format specification https://c2sp.org/age

- the Go library docs https://pkg.go.dev/filippo.io/age

- the CLI man page https://filippo.io/age/age.1

- the large reusable test suite (which I should write about!) https://c2sp.org/CCTV/age

- an interoperable Rust implementation by @str4d https://github.com/str4d/rage

- an official TypeScript implementation https://github.com/FiloSottile/typage (based on libsodium.js in the latest version, and on pure-js Noble libraries on main)

- a YubiKey plugin by @str4d https://github.com/str4d/age-plugin-yubikey

- the plugin protocol specification https://c2sp.org/age-plugin

- a Windows GUI by @spieglt https://github.com/spieglt/winage

- a discussion of the authentication properties of age https://words.filippo.io/dispatches/age-authentication/

- a discussion of the plugin architecture https://words.filippo.io/dispatches/age-plugins/

- a discussion of a potential post-quantum plugin https://words.filippo.io/dispatches/post-quantum-age/

- a password-store fork that uses age instead of gpg https://github.com/FiloSottile/passage (see also: how I use it with a YubiKey https://words.filippo.io/dispatches/passage/)

qyckudnefDi5 · a year ago
Have you considered writing passage in Go to integrate age and age-plugin-yubikey as a single binary to make it more convenient to set up and use?
qyckudnefDi5 commented on Age is a simple, modern and secure file encryption tool, format, and Go library   github.com/FiloSottile/ag... · Posted by u/gjvc
tptacek · a year ago
Use specialized backup tools! There are cryptographic constructions designed specifically for backup. You will get better backup and better encryption.
qyckudnefDi5 · a year ago
"Better backup" aside, as I understand that I'd miss out on deduplication and all the other things backup software can do like keeping track of what it has backed up etc.

"Better encryption": Can you explain why age's encryption isn't sufficient if it's recommended for encrypting files? Really want to understand how it's recommended for encrypting and sharing a file over an untrusted channel like email, but not recommended to encrypt a file and upload it to an untrusted server.

qyckudnefDi5 commented on Age is a simple, modern and secure file encryption tool, format, and Go library   github.com/FiloSottile/ag... · Posted by u/gjvc
WhyNotHugo · a year ago
If you make a second backup tomorrow, you'll end up with a new (huge) encrypted tar. restic handles deltas when creating a second backup, and writes new files so that tools like rsync or rclone have to do less work to upload the new data.

That said, I don't see anything strictly _wrong_ with your approach.

qyckudnefDi5 · a year ago
No deduplication is a tradeoff I'm willing to make for simplicity and less things that can go wrong :)
qyckudnefDi5 commented on Age is a simple, modern and secure file encryption tool, format, and Go library   github.com/FiloSottile/ag... · Posted by u/gjvc
qyckudnefDi5 · a year ago
I know there are specialized backup tools like restic or borg, but I like to keep things simple.

Is using age like this to encrypt my files before uploading them to untrusted cloud storage not ok?

tar > age > cloud

Some comments mention signing with minisign. Should I be doing that like this:

tar > age > minisign > cloud

u/qyckudnefDi5

Karma: 7 · Cake day: August 5, 2024