Hacker News | Arrowmaster's comments

The problem with this tactic is the need to go get the Yubikey every time you make a new account.

Actually, this is now a solved problem. Root-of-trust pattern.

- Use Bitwarden or similar

- Set BW to recognize the Yubikey as one (of several, incl. TOTP ('Authenticator') code) second factor.

- On all other sites and services, generate passkeys (which are essentially virtual yubikeys) and save them in BW.

- In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW.

- BW-stored passkey is now your standard means of authentication for e.g. GitHub, Google, etc

- Put the yubikey in a safety deposit box

- Bravo, you have a very professional trust system


Apologies for asking you to repeat yourself. I'm not following this step.

"In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW."

Can you rephrase it and be specific which passwords and TOTP you mean?


So Bitwarden can store _the password and TOTP for Bitwarden itself_. (!) I actually keep this in an entry entitled 'How meta!' because I'm cute and silly.

So, let's say you're sitting down in front of a fresh install of Bitwarden. You can go to your phone in your pocket and get the password and TOTP and then set Bitwarden to not require a password for 30 days.

Similarly, let's say you've installed the desktop app for Bitwarden but not yet the browser extension. You can look up the BW password and TOTP in the desktop app and use that to authenticate the browser extension. Or vice versa! T


Store only the backup key. It would be crazy to have a single key.

Thumbs are one of your stronger fingers. In contrast the pinky is by far the weakest but we have dedicated it to almost every modifier and outlying key. I currently use an Elora from SplitKB so I can't speak to the Moonlander's thumb cluster, but if you find one you like it's a massive difference in how much usage you can get out of your thumbs while typing.


Thumbs can get overuse injuries: https://getreuer.info/posts/keyboards/thumb-ergo/index.html

I have used ergo keyboards with thumb clusters for several years now. After a while, even though switching to a split ergo keyboard alleviated wrist pains, I developed thumb discomfort.

In the end I solved it by only frequently using the resting key of each thumb (space and backspace). And using the other thumb keys for infrequent things. I use homerow mods to have all modifiers in the alpha block.

> if you find one you like it's a massive difference in how much usage you can get out of your thumbs while typing

Until they start to hurt. It can take a few years (just like wrist pains). Be careful!


The Elora I use follows the circular thumb cluster format, so I have three keys per thumb that can be used with little movement; the rest are for rarely used layer switches and such. One of those three is for often used layers.

I have homerow mods configured but still need to work on using them more. Unfortunately a lot of what's best for typing conflicts with what's best for gaming. Almost every example split layout puts space on the right half and I move it to the left. Still need shift and control on pinky holds. And the Elora has an exaggerated pinky stagger but swapped to WQSD makes an almost perfect diamond, but at the expense of the old Q now being A is below instead of above and Z is really far away.


For me the biggest benefit of thumb keys isn't finger strength, it's the fact that the thumb is separated from the rest of the hand. It's really easy to hit a thumb key while hitting any other key on the "main" part of the keyboard. Whereas on a traditional keyboard, typing something like shift-T or ctrl-R requires stretching out your hand.


> It's really easy to hit a thumb key while hitting any other key on the "main" part of the keyboard.

Mirrored home row mods are even much nicer (IMO).


Thumbs are also less agile than all the other fingers, so having it move around a lot is not great.

Also, RSI on your thumb (especially with smartphone usage) is very common.

So yes, you should probably have the most frequent keys on your thumbs but only very few (I'd say 1-2).


I'm in the middle of submitting PRs to multiple projects because they are compiling on ubuntu-latest and forcing a glibc 2.38 requirement. These are multiplatform projects where most or none of the devs use Linux.

The first project I was able to change their workflow to build inside a 20.04 container. The other project uses tauri and it requires some very recent libraries so I don't know if an older container will work.

Do you have any documentation or generic recommendations for solving these issues caused by blindly using GitHub Actions for all compilations?


> The first project I was able to change their workflow to build inside a 20.04 container.

This approach does _not_ work because you end up with the `node` that runs GitHub Actions not being able to run; certainly this will happen if you end up using a sufficiently old container.

> Do you have any documentation or generic recommendations for solving these issues caused by blindly using GitHub Actions for all compilations?

Install these pkgs in an `ubuntu-latest` image:

  - debootstrap debian-archive-keyring
  - software-properties-common
  - schroot fakeroot fakechroot

then

      - name: 'Cache sysroot'
        # This comes after checking out the sources because
        # actions/checkout@v4 cleans $PWD!
        id: cache-sysroot
        uses: actions/cache@v3
        with:
          path: ${{ github.workspace }}/sysroot-DEBIAN_RELEASE
          key: sysroot-DEBIAN_RELEASE-${{ runner.os }}-${{ runner.arch }}-v1

      - name: 'Setup cross-compilation sysroot'
        if: steps.cache-sysroot.outputs.cache-hit != 'true'
        run: |
          set -vx
          SYSROOT_PATH="${{ github.workspace }}/sysroot-DEBIAN_RELEASE"
          echo "SYSROOT_PATH=$SYSROOT_PATH" >> $GITHUB_ENV
          if [ ! -d sysroot-DEBIAN_RELEASE ]; then
            sudo debootstrap --arch=$(dpkg --print-architecture) DEBIAN_RELEASE sysroot-DEBIAN_RELEASE http://archive.ubuntu.com/ubuntu
          fi
          sudo chroot sysroot-DEBIAN_RELEASE apt-get update
          sudo chroot sysroot-DEBIAN_RELEASE apt-get install -y build-essential git wget curl sudo unzip zip autoconf libfreetype6-dev libcups2-dev libx11-dev libxext-dev libxrender-dev libxrandr-dev libxtst-dev libxt-dev libasound2-dev libffi-dev file binutils libfontconfig-dev
          sudo chroot sysroot-DEBIAN_RELEASE apt-get install -y software-properties-common
          sudo chroot sysroot-DEBIAN_RELEASE sudo add-apt-repository ppa:ubuntu-toolchain-r/test
          sudo chown -R $USER:$USER sysroot-DEBIAN_RELEASE

where you replace `DEBIAN_RELEASE` with the release you want to target, and then

  - configure your project's build to use that sysroot.

That's it.

If your project does not support sysroots, make it do so. In general compilers will support sysroots, so it's just a matter of making your build configuration facility support sysroots.
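
An added example, not part of the comment above or of either project: a post-build check that reads `objdump -T` output and fails when the binary references a glibc symbol version newer than the one the sysroot targets. The function names, the sample dump and the ceiling value `2.31` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify the glibc floor a built binary actually requires.
# Usage in CI (binary path is hypothetical):
#   objdump -T ./target/release/myapp | check_glibc_ceiling 2.31

# Read a dynamic-symbol dump on stdin and print the highest GLIBC_x.y[.z]
# version referenced. Fields are compared numerically so 2.4 sorts below 2.38.
max_glibc_version() {
  grep -oE 'GLIBC_[0-9]+(\.[0-9]+)+' \
    | sed 's/^GLIBC_//' \
    | sort -t. -k1,1n -k2,2n -k3,3n -u \
    | tail -n 1
}

# Succeed when version $1 is less than or equal to version $2.
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# check_glibc_ceiling CEILING: return 1 if stdin shows a requirement above CEILING.
check_glibc_ceiling() {
  cgc_ceiling="$1"
  cgc_needed="$(max_glibc_version)"
  if [ -z "$cgc_needed" ]; then
    echo "no versioned glibc symbols found (static binary or not ELF?)"
    return 0
  fi
  if version_le "$cgc_needed" "$cgc_ceiling"; then
    echo "ok: requires GLIBC_$cgc_needed (ceiling $cgc_ceiling)"
  else
    echo "FAIL: requires GLIBC_$cgc_needed, newer than ceiling $cgc_ceiling"
    return 1
  fi
}

# Constructed sample of `objdump -T` lines for a binary built on a new runner.
sample_dump() {
  cat <<'EOF'
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) printf
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34)  __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.38)  __isoc23_strtol
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.4)   __stack_chk_fail
EOF
}
```

Running this as the last step of the workflow turns an accidental glibc bump into a failed build instead of a report from a user on an older distribution.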


I'm pretty sure it was done on the first one, Halo CE for the original Xbox. The last times I've played it have been coop in the MCC though which skips that part.


Yes, it goes all the way back to the original game. Very nice bit of game design.


I had this happen with fucking Google.

I called them about my Fitbit warranty and the rep needed to verify my account and wanted me to give him the code from SMS that explicitly said in the SMS not to give it to anyone!

No my account did not get hacked afterwards. Yes it was a legit service rep because afterwards he was able to pull up info on my previous warranty claim.


When I see an embedded ad I will immediately know from the type of product if I should ignore it or intentionally avoid that product because most embedded ads come from the worst of the worst companies. Why would they want me watching their ad if it makes me NOT want to buy their product?


The thing that stuck with me after learning about it is that AAA games aren't called AAA because they are supposed to be the best of the best or the most advanced.

AAA games are named after AAA investment ratings. A AAA game is supposed to be the most profitable investment for the publisher paying the upfront investment. And the market has gotten saturated with enough customers that doing new things to get more customers is more risky than doing the same thing to keep your existing customers.


I wonder if the human safety monitor will be informing all riders of where the physical door releases are hidden like the owner's manual says you should inform all passengers of in case the vehicle loses power in a collision.

Teslas are a passenger deathtrap waiting to happen.


It doesn't in an indirect way. A friend that worked for Amazon about 5 years ago told me they were even allowed to look at AGPL codebases on the clock because the lawyers were so afraid of it.


I don't use Mastodon because it's too decentralized.

What I mean is I own my own domains but I can't use them on Mastodon without self hosting an entire Mastodon server for one user per domain. Yes there are other implementations of the protocol but none really solve this well in a cheap to run way.

Mastodon's missing feature is identity portability. A user with their own domain should be able to easily use a larger instance to host their identities and be able to migrate them to another instance.

