<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>1dom</title>
<subtitle></subtitle>
<link href="1dom.io/feed.xml" rel="self"/>
<link href="1dom.io/"/>
<updated>2022-05-29T00:00:00+00:00</updated>
<id>1dom.io</id>
<author>
<name>1dom</name>
<email>dom@1dom.io</email>
</author>
<entry>
<title>Please write a blog post</title>
<link href="1dom.io/posts/2020-06-please-write-a-blogpost/"/>
<updated>2020-06-07T00:00:00+00:00</updated>
<id>1dom.io/posts/2020-06-please-write-a-blogpost/</id>
<content type="html">
<![CDATA[
<p>This is my first published personal blog post in a long time. Like I'm sure most people in and around tech have, I've threatened to do this for too long. Here's some of the hows and whys, in hope that you'll do the same, if you haven't already.</p>
<h2 id="don't-get-hung-up-on-the-how" tabindex="-1">Don't get hung up on the how <a class="header-anchor" href="#don't-get-hung-up-on-the-how"></a></h2>
<p>I've thought about blogging a lot before. My mistake is normally focusing too much on how to do it, rather than just getting a post published. <a href="https://www.fast.ai/2020/01/16/fast_template/">fast_template</a> offered a quick and simple way. Maybe...</p>
<p>If you're reading this, then it's because that post is sufficient to achieve the core point of a blog - get some info out there.</p>
<h2 id="1-thing-published-is-better-than-0-things-published" tabindex="-1">1 thing published is better than 0 things published <a class="header-anchor" href="#1-thing-published-is-better-than-0-things-published"></a></h2>
<p>If it's not published and readable by others, it's not a blog, it's a personal diary. Realising this made me realise I have a lot of half complete personal diaries over the years.</p>
<p>A personal diary has its place, but it has a different set of benefits to a blog. 2 notable benefits of a published blog vs an unpublished personal diary:</p>
<ol>
<li><strong>External Feedback:</strong> without external feedback, you're missing out on opportunities to learn and improve. Whilst there are benefits to introspection and personal diarying, if you already think 2+2 is 3, you're probably not going to tell yourself that it's actually 4. <a href="https://meta.wikimedia.org/wiki/Cunningham%27s_Law">Cunningham's Law</a> suggests that the internet will if you give it a chance.</li>
<li><strong>Informing Others:</strong> Nobody else benefits directly from the writing down of knowledge in a personal diary. If just 1 person reads this post, and gets even the slightest bit of benefit, entertainment, or motivation, that means <em>multiple people</em> have received direct value from me publishing this. "More than 1 person benefits" seems generally more beneficial to everyone than "1 person benefits".</li>
</ol>
<p><em>"But I just need to get another couple of pages done!"</em> - No you don't. 1 page published is infinitely better than 0 pages in achieving the above.</p>
<h2 id="everyone-is-different---you-won't-know-until-you-try" tabindex="-1">Everyone is different - you won't know until you try <a class="header-anchor" href="#everyone-is-different---you-won't-know-until-you-try"></a></h2>
<p>I haven't had a personal blog in probably over a decade. I might be wrong, maybe it's better not to publish, maybe nobody wants to read what you or I have to think or say. A lot of people won't want to. There's possibly even 1 or more people who only have stuff to share that literally <em>nobody else on the planet</em> could get any kind of benefit from.</p>
<p>However, those people are probably in the minority: there are a lot of broad minded folks who take many forms of benefit from many different things people have to share.</p>
<p>The only way you will know if your content is better published or unpublished is to publish it and find out - don't trust what anyone else says on this, me included!</p>
<h2 id="i-want-interesting-things-to-read---it-makes-everything-better" tabindex="-1">I want interesting things to read - it makes everything better <a class="header-anchor" href="#i-want-interesting-things-to-read---it-makes-everything-better"></a></h2>
<p>This is a purely selfish point, but I hope most people agree in the same selfish way. I want interesting things to read. The more people who post personal blogs about their hobbies, interests, passions and professions, the more likely I am to have something interesting to read.</p>
<p>I want you to have more interesting things to read too, so then you're more engaged, interesting, knowledgeable, skilled and open minded when we get the pleasure of interacting. It makes my life easier.</p>
<p>If you've not published a blog before, and you've got at least one half complete website with one pretty much finished but not published post, <em>just do it!</em></p>
<h2 id="tl%3Adr%3B" tabindex="-1">tl:dr; <a class="header-anchor" href="#tl%3Adr%3B"></a></h2>
<p>I published a blog post, and I think you should too. The primary purpose and benefit of a published blog is to get info out there. That is what has the chance to make me a better and more educated person, people other than me better and more educated people, and everyone has a chance at a slightly more interesting life. Who wouldn't want those things? It's not too hard with Github Pages and fast_template.</p>
]]>
</content>
</entry>
<entry>
<title>AWS CLI Tab Completion</title>
<link href="1dom.io/posts/2020-06-aws-autocomplete/"/>
<updated>2020-06-12T00:00:00+00:00</updated>
<id>1dom.io/posts/2020-06-aws-autocomplete/</id>
<content type="html">
<![CDATA[
<p>If you work with AWS, you've probably used the AWS CLI. It's a command line tool for interacting with Amazon Web Services.</p>
<p>Despite having used AWS for years, I only recently made it down to the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html">end of the config section of the AWS CLI docs</a> and learned that it's possible to set up tab completion:</p>
<pre class="language-bash"><code class="language-bash">✔ ~/codeexperiments/1dom <br><span class="token number">12</span>:33 $ aws dynamodb describe-t<span class="token operator">&lt;</span>PRESSED TAB<span class="token operator">&gt;</span><br>describe-table describe-table-replica-auto-scaling describe-time-to-live </code></pre>
<p>With AWS CLI v1, autocomplete only extends to service names, API actions and some parameters:</p>
<pre class="language-bash"><code class="language-bash">✔ ~/codeexperiments/1dom <br><span class="token number">12</span>:33 $ aws dynamodb describe-table --<span class="token operator">&lt;</span>PRESSED TAB<span class="token operator">&gt;</span><br>--ca-bundle --cli-connect-timeout --cli-read-timeout --endpoint-url --no-sign-request --profile --table-name<br>--cli-auto-prompt --cli-input-json --color --generate-cli-skeleton --no-verify-ssl --query --version<br>--cli-binary-format --cli-input-yaml --debug --no-paginate --output --region </code></pre>
<h2 id="aws-cliv2" tabindex="-1">AWS CLIv2 <a class="header-anchor" href="#aws-cliv2"></a></h2>
<p>If you haven't already, I'd highly recommend <a href="https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html">upgrading to AWS CLI v2</a>. You probably won't notice much difference day-to-day but it has a <a href="https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst">bunch of helpful extra little features</a>, including SSO CLI management.</p>
<p>It also expands the autocompletion functionality to include resource names! If your AWS CLI has valid credentials, you can tab complete specific resources in the account that your credentials are configured to access:</p>
<pre class="language-bash"><code class="language-bash">✔ ~/codeexperiments/1dom <br><span class="token number">12</span>:33 $ aws dynamodb describe-table --table-name <span class="token operator">&lt;</span>PRESSED TAB<span class="token operator">&gt;</span><br>1domio-statelock</code></pre>
<h2 id="setup" tabindex="-1">Setup <a class="header-anchor" href="#setup"></a></h2>
<p>The AWS docs are pretty comprehensive on <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html#cli-command-completion-configure">how to set up autocomplete with various shells and OS.</a></p>
<p>For my personal laptop setup (Fedora 32 & bash), I was able to squash the process to a oneliner. If you're using bash, and <code>aws</code> is in your $PATH, you can probably enable autocomplete with just this:</p>
<pre class="language-bash"><code class="language-bash"><span class="token builtin class-name">echo</span> <span class="token string">"complete -C '<span class="token variable"><span class="token variable">$(</span><span class="token function">which</span> aws_completer<span class="token variable">)</span></span>' aws"</span> <span class="token operator">>></span> ~/.bashrc</code></pre>
<p>If you're using something other than bash, then I'd recommend you scan through the AWS docs on setting up the CLI. The process in most cases is to locate the aws_completer binary, and add a line to your shell setup that adds that binary as an autocompleter.</p>
<h2 id="tl%3Adr%3B" tabindex="-1">tl:dr; <a class="header-anchor" href="#tl%3Adr%3B"></a></h2>
<p>AWS CLI has tab completion support, even down to resource names. <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html">Go read the AWS docs for instructions on setting it up,</a> or use the oneliner above if you're using bash.</p>
]]>
</content>
</entry>
<entry>
<title>Switching from Jekyll to 11ty</title>
<link href="1dom.io/posts/2021-10-switch-to-11ty/"/>
<updated>2021-10-27T00:00:00+00:00</updated>
<id>1dom.io/posts/2021-10-switch-to-11ty/</id>
<content type="html">
<![CDATA[
<p>Despite talking about how and why <em>everyone else</em> should write a blog, I have clearly ignored my own advice and instead spent time switching this blog from Jekyll to <a href="https://www.11ty.dev/">11ty</a>, a JS based static site generator. It was fun to mess around with 11ty and Github actions, and it gives me something to write about.</p>
<p><strong>NOTE</strong>: <em>I originally wrote this around Sept/Oct '21. I've been playing with eleventy internally, but only just got round to pushing and publishing Jan '22.</em></p>
<h2 id="why-change-from-jekyll" tabindex="-1">Why change from Jekyll <a class="header-anchor" href="#why-change-from-jekyll"></a></h2>
<p>There's no right or wrong software to use in most cases. I feel a good piece of software shouldn't get in the way. Jekyll can get in the way by being quite slow as a result of being bloated with age. In Jekyll's defence, it was also largely my own lack of time and patience for Ruby that contributed to the change.</p>
<p>Jekyll was nice when it worked, but I had a few different issues getting it to build with certain plugins and settings in Github actions vs my local machines, and fixing often found me Googling basic Ruby stuff.</p>
<p>I spend my personal and professional time nerding around - I know how much I don't know, and I don't know Ruby. It's probably not hard to learn, but I just don't want to have to learn it <em>right</em> now.</p>
<h2 id="why-change-to-11ty" tabindex="-1">Why change to 11ty <a class="header-anchor" href="#why-change-to-11ty"></a></h2>
<p>I do a lot of writing and note taking in markdown, and 11ty is also a markdown based static site generator, like Jekyll.</p>
<p>I write a bunch of Typescript and Javascript for my day job. It's not my favourite language, but I'm more fluent in it than most other languages these days. 11ty is written in Javascript, so it all feels a lot more familiar to me. It's also a lot quicker, lighter, smaller and easier for me in general compared to Jekyll.</p>
<p>11ty is also one of the newer static site generators, and I like shiny new things.</p>
<h2 id="for-the-indecisive%3A-running-jekyll-and-11ty-together" tabindex="-1">For the indecisive: running Jekyll and 11ty together <a class="header-anchor" href="#for-the-indecisive%3A-running-jekyll-and-11ty-together"></a></h2>
<p>Just in case I wanted to go back, I extracted my 2 - 3 posts from Jekyll into a separate folder outside the Jekyll hierarchy. I then set up <a href="https://github.com/yinkakun/eleventy-duo">eleventy-duo</a> and symlinked the posts folder in there. In github, I now also have 2 actions: one which builds Jekyll, one which builds 11ty, set to build when either CMS or posts are updated.</p>
<pre class="language-yaml"><code class="language-yaml"><span class="token key atrule">name</span><span class="token punctuation">:</span> Eleventy<br><br><span class="token key atrule">on</span><span class="token punctuation">:</span><br>  <span class="token key atrule">workflow_dispatch</span><span class="token punctuation">:</span><br>  <span class="token key atrule">push</span><span class="token punctuation">:</span><br>    <span class="token key atrule">paths</span><span class="token punctuation">:</span><br>      <span class="token punctuation">-</span> eleventy<span class="token important">*/**</span><br>      <span class="token punctuation">-</span> posts</code></pre>
<p>(I also include <code>workflow_dispatch</code> in most actions so I can kick them off via github UI if needed.)</p>
<p>I was hoping to be able to get them both working flawlessly together: I created separate Github Action workflows for Jekyll and 11ty, triggering each on changes to its own folder. However, minor differences around post handling thwarted me: I had to manually move the post dates from the filenames into the frontmatter for 11ty.</p>
<p>It probably is possible to get 11ty to use Jekyll's post dates, or vice-versa, but I'd already decided I preferred 11ty - and it was hardly a vast anthology of posts to manually update - so there was no need to get the Jekyll side working. I might pick it up again later if I try another static site generator.</p>
<h2 id="conclusion" tabindex="-1">Conclusion <a class="header-anchor" href="#conclusion"></a></h2>
<p>11ty powers this blog now. It's faster and newer than Jekyll, and a lot easier if you're familiar with JS. Ultimately, both are markdown based static site generators, so it's easy to migrate. It's probably possible to have a fully working hybrid where the same set of content markdown files power a few different static site generators to see how they compare, but that's overkill here, for the time being.</p>
<p>I'm starting to feel like these sorts of migrations and tech stack swaps are almost a rite of passage for anyone exploring static site generators - especially for a personal blog!</p>
]]>
</content>
</entry>
<entry>
<title>Free legacy Google Domain Apps is going away. Degoogle, selfhost more.</title>
<link href="1dom.io/posts/2022-02-google-domain-apps-going/"/>
<updated>2022-02-06T00:00:00+00:00</updated>
<id>1dom.io/posts/2022-02-google-domain-apps-going/</id>
<content type="html">
<![CDATA[
<p>My main internet account is my Domain Apps account from 2007. It provides me with all the standard Google tools (Mail, Calendar, Docs etc.) and basically enterprise Google for a custom domain, free of charge. The service isn't going away completely - there is an "upgrade to paid" option - but the use of a custom domain on free services is. Whilst all good things come to an end, this one is going to be particularly painful for me.</p>
<p><a href="https://support.google.com/a/answer/60217">The G Suite legacy free edition will no longer be available starting July 1, 2022.</a></p>
<h2 id="my-%22legacy-google-domain-apps%22-account-has-been-my-primary-account-for-~15-years" tabindex="-1">My "legacy Google Domain Apps" account has been my primary account for ~15 years <a class="header-anchor" href="#my-%22legacy-google-domain-apps%22-account-has-been-my-primary-account-for-~15-years"></a></h2>
<p>I moved my personal domain onto Google Domain Apps around November 2007 - it is by far one of the longest running internet accounts I have. The only service I have that predates it is the domain registration itself (which is still on my Dad's account as it was my 11th birthday present!)</p>
<p>I always knew this could happen, so I tried to minimise my usage of "sign in with Google" and other more complex service offerings, but with apparently limited success. I still haven't figured out the full impact: I need to verify what happens with my contacts, calendar events, subscriptions, channels, music, playlists, TV & films, apps, files, documents, spreadsheets and the myriad of other features my Google account has acquired over the decades.</p>
<p>Since these types of accounts were only available up until 2012, anyone in this position is going to be having to unpick 10+ years of usage - you are not alone.</p>
<h2 id="i-read-about-this-from-arstechnica-before-google" tabindex="-1">I read about this from Arstechnica before Google <a class="header-anchor" href="#i-read-about-this-from-arstechnica-before-google"></a></h2>
<p>Sorry to be the bearer of bad news if you're impacted by this and this is the first you're reading of it. The first I read of it was from <a href="https://old.reddit.com/r/selfhosted/comments/se7ht8/good_news_legacy_g_suite_users_will_be_able_to/">this Reddit post</a>. This article talks about how Google notified people a week ago, and has had a lot of push back, so is relenting somewhat:</p>
<p><picture><source type="image/avif" srcset="/img/SSOOtvCIwV-838.avif 838w" sizes=""><img alt="Arstechnica article, published 01/27/2022, 6:50 PM" loading="lazy" decoding="async" src="/img/SSOOtvCIwV-838.jpeg" width="838" height="282"></picture></p>
<p>This is the first e-mail I have to my Google hosted e-mail explaining the changes:</p>
<p><picture><source type="image/avif" srcset="/img/hSsNUkmOKj-758.avif 758w" sizes=""><img alt="E-mail from Google, published 01/27/2022, 11:25 PM" loading="lazy" decoding="async" src="/img/hSsNUkmOKj-758.jpeg" width="758" height="208"></picture></p>
<p>The e-mail was sent after the follow-up article on the change. From the comments, I wasn't the only one to hear late.</p>
<h2 id="this-is-probably-happening-for-agility-and-money" tabindex="-1">This is probably happening for agility and money <a class="header-anchor" href="#this-is-probably-happening-for-agility-and-money"></a></h2>
<p>Any nerd with one of these accounts over the past few years probably has a tale or 2 of not being able to use particular services because of weird legacy domain account quirks. The intent and implementation of these accounts has changed over the decades as Google morphed Google Domain Apps into GSuite and then into Workspace. Maintaining backwards compatibility can be hard, and pre-2012 accounts have inevitably gotten a little messy and consequently expensive.</p>
<p>It would be interesting to know if Google's increase in popularity and revenue over 20 years has outpaced the increase in upkeep costs of these accounts.</p>
<p>Regardless, an obsessive focus on always trying to make the latest and greatest things often requires some of the not so latest and not so greatest things to be put out of their misery. "Very Agile" some say, pivot, fail fast etc. Cynically: this is because they're not making enough money, but in reality, I clearly benefit from Google's new products, otherwise I wouldn't have gotten so locked-in. So it's probably both agility and money, and I benefitted from that, until I didn't.</p>
<h2 id="google-do-this-a-lot%2C-normally-to-less-popular-things-i-don't-use" tabindex="-1">Google do this a <em>lot</em>, normally to less popular things I don't use <a class="header-anchor" href="#google-do-this-a-lot%2C-normally-to-less-popular-things-i-don't-use"></a></h2>
<p>Not only is there a <a href="https://en.wikipedia.org/wiki/List_of_Google_products#Discontinued_products_and_services">wiki page section on discontinued services</a> but an <em><a href="https://en.wikipedia.org/wiki/Category:Discontinued_Google_services">entire Wikipedia category on discontinued Google services.</a></em> This says to me that I've been incredibly lucky to have not been hugely inconvenienced by Google discontinuations so far.</p>
<p>I should remember not to get too comfortable with Google services, or any service that isn't mine. If I can't choose when the service stops, then it's not mine and in an ideal world, I shouldn't make it part of my core infrastructure.</p>
<h2 id="moving-forward%3A-a-blessing-in-disguise%2C-an-opportunity-to-diversify-and-selfhost-more." tabindex="-1">Moving forward: a blessing in disguise, an opportunity to diversify and selfhost more. <a class="header-anchor" href="#moving-forward%3A-a-blessing-in-disguise%2C-an-opportunity-to-diversify-and-selfhost-more."></a></h2>
<p>I really enjoy self-hosting my own software and services where possible. I enjoy the learning, and the independence, and the warm fuzzy productivity feelings. I wish I could go on to say how I'm going to replace <em>all</em> of my Google dependencies with self-hosted alternatives. However, hosting services that involve other people is different for me - that turns it from a fun hobby into another obligation. E-mail, in particular, falls into that category.</p>
<p>Regardless, this can still be seen as an opportunity to diversify: the situation is so much more challenging and stressful because my Google account has become a single point of failure for multiple services. It's been worrying and useful to be forced to think about how much of my daily online life is through Google.</p>
<h2 id="some-alternatives-needed-for-calendar%2C-app-store-and-paid-content." tabindex="-1">Some alternatives needed for calendar, app store and paid content. <a class="header-anchor" href="#some-alternatives-needed-for-calendar%2C-app-store-and-paid-content."></a></h2>
<p>For e-mail, I'll most likely look for an alternative e-mail provider. I don't expect my e-mail for free (keeping up with modern anti spam technologies needed to keep e-mail flowing deserves recognition!) but I'd rather not pay Google for it. I have no good reason for this want-to-not-pay-Google, other than hurt feelings. I will also try and do better avoiding using my e-mail provider as my identity provider (so no more "Sign in with Google".)</p>
<p>For file management, I already make heavy use of <a href="https://syncthing.net/">syncthing</a>, so I'll move any existing storage (including camera backup) over to that. I've already got that configured also with an incremental offsite backup with <a href="https://restic.net/">Restic</a> and <a href="https://www.backblaze.com/b2/cloud-storage.html">B2</a>.</p>
<p>I'll also look into calendar options, as well as degoogled mobile phone options with my next phone upgrade. I don't know yet if switching to alternative app stores would solve content lock in completely, but FOSS oriented alternatives like <a href="https://f-droid.org/">F-Droid</a> look like they should. There's also de-googled android options to consider too, like <a href="https://e.foundation/">/e/</a> and <a href="https://www.lineageos.org/">LineageOS</a>.</p>
<h2 id="duckduckgo-has-improved!" tabindex="-1">DuckDuckGo has improved! <a class="header-anchor" href="#duckduckgo-has-improved!"></a></h2>
<p>I haven't given <a href="https://duckduckgo.com/">DuckDuckGo</a> a try in about 5 years either, but in a totally-not-bitter-response-to-being-asked-to-pay, I've installed the DDG browser extension and switched my default search provider.</p>
<p>Last time I tried this, I lasted a few days before getting frustrated that DuckDuckGo wasn't able to read my thoughts like Google. This time, however, I've not really noticed a real drop in search quality. Although I do miss Google's cached page link alongside search results. DuckDuckGo's solution is a <a href="https://help.duckduckgo.com/duckduckgo-help-pages/features/cache/">!cache bang</a> which is just a slightly less convenient way to get to the same (Google powered ¬_¬) thing.</p>
<h2 id="credit-where-credit's-due%2C-google-is-pretty-good." tabindex="-1">Credit where credit's due, Google is pretty good. <a class="header-anchor" href="#credit-where-credit's-due%2C-google-is-pretty-good."></a></h2>
<p>As hard done by and personally attacked as this Google decision has made me feel, that's because they've provided such fundamental services to me. I've tried other e-mail providers for various reasons, and few have come close to gmail in terms of speed, accessibility, antispam, convenience and integration. The frustration in this post is a testament to the comfort and convenience that the Google ecosystem has provided me.</p>
<p>Their services have typically been cutting edge, resilient, convenient and generally free, so thanks for that.</p>
<h2 id="realistically%2C-i-will-probably-not-be-able-to-fully-degoogle%2C-but-i-could-be-less-dependent" tabindex="-1">Realistically, I will probably not be able to fully Degoogle, but I could be less dependent <a class="header-anchor" href="#realistically%2C-i-will-probably-not-be-able-to-fully-degoogle%2C-but-i-could-be-less-dependent"></a></h2>
<p>The only thing I can think of now without obvious non-Google options is my paid content associated with my account. Although my Google account has been such a core part of my life for 15 years, I will be surprised if I manage to get rid of it completely - I'm certain I will have overlooked something.</p>
<p>However, I will be looking to be less dependent on Google. I think it is a realistic target to be in a position where I don't need to be logged into a Google account 24/7 for a convenient personal tech life.</p>
<p>This means I will ultimately switch onto a free gsuite account, whilst self hosting some more services, or taking on one or two new regular online services where self-hosting is neither feasible nor fun.</p>
<h2 id="conclusion" tabindex="-1">Conclusion <a class="header-anchor" href="#conclusion"></a></h2>
<p>I'm grumpy that a great free thing I've had for 15 years is effectively holding itself ransom. I shouldn't be surprised though, Google discontinue services a lot. Whilst there's going to be some short term inconvenience, it's a nice opportunity to explore some alternatives and change approach to avoid single points of failure. Google has been good to me, but is definitely being less good to everyone compared to early 00's Google. I guess now it's time for me to try to wean myself off it, and onto some more open things.</p>
]]>
</content>
</entry>
<entry>
<title>Ulauncher speeds up my computer usage</title>
<link href="1dom.io/posts/2022-02-ulauncher/"/>
<updated>2022-02-12T00:00:00+00:00</updated>
<id>1dom.io/posts/2022-02-ulauncher/</id>
<content type="html">
<![CDATA[
<p><a href="https://ulauncher.io/">Ulauncher</a> is great - it's an app launcher for linux. When I press <code>Ctrl + Space</code> it opens a search bar, with some suggestions. Typing a few letters pops up suggestions that, when selected, trigger different actions and shortcuts. It was created around 2014 and still appears to be under active development. Here are some things I like about it, along with a summary of the extensions I use and their quirks.</p>
<p><img src="/images/ulauncher-demo.gif" alt="Ulauncher demo from ulauncher.io"></p>
<h2 id="reduce-navigation-and-lost-time" tabindex="-1">Reduce navigation and lost time <a class="header-anchor" href="#reduce-navigation-and-lost-time"></a></h2>
<p>It's really helpful for quickly switching between things. In particular, I have a huge number of browser tabs open all the time, and often several vscode windows and other mess. If I type e.g. <code>vs</code>, a list of all my recent vscode projects appears, and <code>1d</code> is enough to search and pop the source for the project & file in vscode where I'm writing this. Then <code>bt</code> lists all my current browser tabs, and <code>loc</code> will search and pop an existing browser tab with <code>localhost:8080..</code> which has dev/preview of the page I'm writing.</p>
<p>In the before times, I would normally click through a bunch of browser and vscode windows at each step, getting sidetracked along the way.</p>
<p>I've been using Ulauncher for a few weeks now and I think I'm spending less time looking for things and getting lost. I even find myself using Ulauncher instead of native app shortcuts like command palettes or <code>Ctrl/Alt + </code> combinations, because it will pop up anywhere I press <code>Ctrl + Space</code>. The suggestions also mean I don't have to blindly learn complex combinations.</p>
<h2 id="extensions-are-plentiful-but-that's-a-blessing-and-a-curse." tabindex="-1">Extensions are plentiful but that's a blessing and a curse. <a class="header-anchor" href="#extensions-are-plentiful-but-that's-a-blessing-and-a-curse."></a></h2>
<p>For Ulauncher, extensions are easy to write, install and use. There's even a <a href="https://ext.ulauncher.io/">convenient catalogue</a>. Extensions are installed by pasting the github URL into Ulauncher.</p>
<p>Being easy to develop for, under active development and more than a few years old has created some maintenance and backwards compatibility issues with some extensions. This forced me to hunt down fixed forks for abandoned extensions, but also made it easy for me to contribute my own improvements to others.</p>
<h2 id="my-most-regularly-used-extensions" tabindex="-1">My most regularly used extensions <a class="header-anchor" href="#my-most-regularly-used-extensions"></a></h2>
<p>In very approximate usage order:</p>
<ul>
<li><strong><a href="https://github.com/mikebarkmin/ulauncher-obsidian">obsidianmd</a>:</strong> adds <code>on</code> to search notes and <code>od</code> to launch daily note. NOTE: daily note file/folder path are pulled from the periodic notes plugin if enabled, even if the daily note in there is disabled.</li>
<li><strong><a href="https://github.com/brpaz/ulauncher-brotab">ulauncher-brotab extension</a>:</strong> <code>bt</code> to switch browser tabs. I started writing this myself, but found someone beat me to it, so I raised a <a href="https://github.com/brpaz/ulauncher-brotab/pull/13">PR</a> with some tweaks. You can install from <a href="https://github.com/1dom/ulauncher-brotab">my repo</a> if this PR still isn't merged.</li>
<li><strong><a href="https://github.com/brpaz/ulauncher-vscode-projects">vscode-projects</a></strong>: adds <code>vs</code> for opening vscode projects. I had to install <code>project manager</code> vscode plugin too.</li>
<li><strong><a href="https://github.com/souhaiebtar/ulauncher-windows-switcher">window-switcher</a>:</strong> adds <code>ws</code> to switch windows. Note, this is a fork of the <a href="https://ext.ulauncher.io/-/github-beajeanm-ulauncher-windows-switcher">one listed on the extension store</a> which has been abandoned.</li>
<li><strong><a href="https://github.com/pywkm/ulauncher-spotify">spotify-player</a>:</strong> <code>sp</code> for play/pause/skip spotify. This is less popular and just does play/pause/skip/current track compared to the spotify-api extension. However, this extension stays local and doesn't require any spotify auth.</li>
<li><strong><a href="https://github.com/noam09/ulauncher-maim">maim</a> :</strong> adds <code>ss</code> for screenshots</li>
<li><strong><a href="https://github.com/kuenzelit/ulauncher-firefox-bookmarks">firefox-bookmarks</a>:</strong> adds <code>f</code> to search/launch firefox bookmark</li>
<li><strong><a href="https://github.com/friday/ulauncher-clipboard">clipboard</a>:</strong> adds <code>c</code> for clipboard history. I've not got into the habit of using this one yet, but it feels like it should be useful.</li>
</ul>
<p>I've also added at least 1 extra shortcut:</p>
<ul>
<li><strong><a href="https://www.duckduckgo.com/">DuckDuckGo</a></strong>: <code>d</code> followed by search term, passed to: <code>https://duckduckgo.com/?q=%s&kp=-2&kl=uk-en</code>. Search params are from <a href="https://duckduckgo.com/params">DuckDuckGo URL Parameters docs</a></li>
</ul>
<p>I'd like to also add in the future:</p>
<ul>
<li>something for changing my monitor arrangements for docked, undocked and VR</li>
<li>focusing active video conferencing browser tab</li>
</ul>
<h2 id="conclusion" tabindex="-1">Conclusion <a class="header-anchor" href="#conclusion"></a></h2>
<p>Ulauncher is really helpful: being able to jump straight to where I want to be from anywhere else reduces cognitive load and opportunities for distraction and forgetfulness on a computer. The real power comes from its super intuitive extensions, although be prepared to have to sometimes think a little to get some of them working due to lack of extension maintenance or ongoing Ulauncher development.</p>
]]>
</content>
</entry>
<entry>
<title>OnlyKey is like a YubiKey, but more versatile.</title>
<link href="1dom.io/posts/2022-02-onlykey/"/>
<updated>2022-05-21T00:00:00+00:00</updated>
<id>1dom.io/posts/2022-02-onlykey/</id>
<content type="html">
<![CDATA[
<p>The most widely known security key is probably the YubiKey. I've had a YubiKey 5c and YubiKey Nano for several (4+) years now, and have had an OnlyKey for around a year. YubiKeys are useful and convenient for OTP codes, and also FIDO/U2F, but having only 1 button is a big limiting factor.</p>
<p>The OnlyKey feels a lot more versatile. Here are some thoughts on what's good and bad about the YubiKey and the OnlyKey, and why I much prefer and recommend an OnlyKey instead for most.</p>
<p><picture><source type="image/avif" srcset="/img/yV5oMflwaV-1578.avif 1578w" sizes=""><img alt="YubiKey nano, OnlyKey, YubiKey 5c" loading="lazy" decoding="async" src="/img/yV5oMflwaV-1578.jpeg" width="1578" height="1123"></picture></p>
<p><em>I intended this post to be a short post with just enough info to remind myself how and why I use the OnlyKey, but I got a little carried away (more on that later...), and it ended up long enough to justify setting up <a href="https://www.npmjs.com/package/markdown-it-table-of-contents">markdown-it-table-of-contents</a> which also led to <a href="https://www.npmjs.com/package/markdown-it-anchor">markdown-it-anchor</a>. Enjoy!</em></p>
<p><div class="table-of-contents"><h2>Contents</h2><ul><li><a href="#yubikeys-are-okay">YubiKeys are okay </a><ul><li><a href="#yubikey-for-otp-works-reasonably-well%2C-even-on-android-in-places">YubiKey for OTP works reasonably well, even on Android in places </a></li><li><a href="#yubikey-and-gpg-enables-a-lot-but-is-lots-of-moving-parts.">YubiKey and GPG enables a lot but is lots of moving parts. </a></li></ul></li><li><a href="#onlykey-regular-features-and-usage">OnlyKey regular features and usage </a><ul><li><a href="#its-glorious-buttons">Its glorious buttons </a></li><li><a href="#6-buttons%3A-2-profiles-%26-self-destruct">6 buttons: 2 profiles & self-destruct </a></li><li><a href="#2-actions-per-button%2C-per-profile.-passwords%2C-otp%2C-key-combinations-etc.">2 actions per button, per profile. Passwords, OTP, key combinations etc. </a></li><li><a href="#only-set-password-entry-on-long-button-presses%2C-and-probably-avoid-automating-submit.">Only set password entry on long button presses, and probably avoid automating submit. </a></li><li><a href="#key-layout%3A-otp-short-press%2C-password-long-press%2C-profile-e-mail-at-the-end.">Key layout: OTP short press, password long press, profile e-mail at the end. </a></li><li><a href="#ssh-setup-is-super-easy%2C-using-trezor's-agent">SSH setup is super easy, using Trezor's agent </a><ul><li><a href="#some-handy-aliases">Some handy aliases </a></li><li><a href="#a-quick-poke-around-the-implementation---accessible%2C-but-a-bit-rough">A quick poke around the implementation - accessible, but a bit rough </a></li></ul></li></ul></li><li><a href="#other-useful-onlykey-features">Other useful OnlyKey features </a><ul><li><a href="#onlykey-challenge-codes---necessary-evil.">OnlyKey challenge codes - necessary evil. 
</a></li><li><a href="#backing-up-a-security-key-isn't-always-possible-or-a-great-idea">Backing up a security key isn't always possible or a great idea </a><ul><li><a href="#but-onlykey-does-it-in-quite-a-cool-way">But OnlyKey does it in quite a cool way </a></li></ul></li><li><a href="#hold-2-for-a-reminder-of-button-functions">Hold 2 for a reminder of button functions </a></li></ul></li><li><a href="#is-onlykey-a-good-idea%3F">Is OnlyKey a good idea? </a><ul><li><a href="#not-a-full-replacement-for-a-password-manager">Not a full replacement for a password manager </a></li><li><a href="#less-popular-and-less-oversight-than-yubikey">Less popular and less oversight than YubiKey </a></li><li><a href="#rough%2C-but-opensource-and-actively-developed-code">Rough, but opensource and actively developed code </a></li><li><a href="#is-it-secure%3F-relatively%2C-for-the-right-people%2C-like-me%2C-i-think">Is it secure? Relatively, for the right people, like me, I think </a></li></ul></li><li><a href="#what-do-others-think-of-the-onlykey%3F">What do others think of the OnlyKey? </a><ul><li><a href="#the-onlykey-implementation-is-definitely-messy-and-controversial">The OnlyKey implementation is definitely messy and controversial </a></li><li><a href="#the-creators-aren't-perfect%2C-but-clearly-know-some-stuff">The creators aren't perfect, but clearly know some stuff </a></li><li><a href="#as-much-as-i-like-the-user-experience%2C-others-don't">As much as I like the user experience, others don't </a></li></ul></li><li><a href="#conclusion">Conclusion </a></li></ul></div></p>
<h2 id="yubikeys-are-okay" tabindex="-1">YubiKeys are okay <a class="header-anchor" href="#yubikeys-are-okay"></a></h2>
<p>They're smaller and with fewer features than the OnlyKey, but probably hold the <em>"nobody ever got fired for buying IBM"</em> status amongst security keys.</p>
<h3 id="yubikey-for-otp-works-reasonably-well%2C-even-on-android-in-places" tabindex="-1">YubiKey for OTP works reasonably well, even on Android in places <a class="header-anchor" href="#yubikey-for-otp-works-reasonably-well%2C-even-on-android-in-places"></a></h3>
<p>Adding YubiKey as an OTP device works really well in most cases. E.g. adding YubiKey as a second factor on an AWS account just requires you to press the button in the console saying you want it, and then press the button on the YubiKey when prompted, and you're done.</p>
<p>I also added YubiKey as a second factor to my preferred password manager, KeepassXC, as that supports mobile devices. With the 5c, I was able to plug it into my phone's usb, and unlock KeepassXC on Android. I even designed and 3D printed a small watch strap mount for my 5C for easier access! (<a href="/static/yubikey_5c_watchstrap_holder.scad">OpenSCAD</a> or blender-rounded <a href="/static/yubikey_5c_watchstrap_holder.3mf">3MF file</a>, if you're interested.)</p>
<h3 id="yubikey-and-gpg-enables-a-lot-but-is-lots-of-moving-parts." tabindex="-1">YubiKey and GPG enables a lot but is lots of moving parts. <a class="header-anchor" href="#yubikey-and-gpg-enables-a-lot-but-is-lots-of-moving-parts."></a></h3>
<p>I ended up leaning a lot on GPG to get the functionality I wanted from the YubiKey, but that led to a lot of moving parts. You need to have GPG all set up, generate keys on your device, set up smartcard mode, configure your SSH agent, ensure the appropriate daemons are running etc.</p>
<p>Even with some <a href="https://github.com/drduh/YubiKey-Guide">very comprehensive documentation</a>, some things just felt janky:</p>
<ul>
<li>Ensuring the GPG agent was up and running correctly was challenging, and I'd often have to run some extra steps when I used my YubiKey to get it working.</li>
<li>Using GPG for SSH, on different flavours and configs of linux, particularly with multiple terminals open across multiple apps, it was 50/50 as to whether the PIN prompt would come through on the active TTY.</li>
<li>The number of slots on the YubiKey was finite in a lot of cases, so at the time, only 1 GPG identity was conveniently supported.</li>
<li>Using GPG effectively allowed me to avoid having to directly use <code>ykman</code>, the yubikey manager.</li>
</ul>
<p>Ultimately, the YubiKey felt like just an OTP/authenticator type device. I wanted a convenient and versatile security key.</p>
<h2 id="onlykey-regular-features-and-usage" tabindex="-1">OnlyKey regular features and usage <a class="header-anchor" href="#onlykey-regular-features-and-usage"></a></h2>
<h3 id="its-glorious-buttons" tabindex="-1">Its glorious buttons <a class="header-anchor" href="#its-glorious-buttons"></a></h3>
<p>Immediately, you can understand why this device is more versatile. The keypad. It offers an obvious solution to the TTY pin problem I had with the YubiKey:</p>
<p><picture><source type="image/avif" srcset="/img/sTA-Ct0XwX-200.avif 200w" sizes="200"><img alt="OnlyKey" loading="lazy" decoding="async" src="/img/sTA-Ct0XwX-200.jpeg" width="200" height="323"></picture></p>
<p>The buttons are similar to the YubiKey's capacitive touch, which means no moving parts. The rubber case that comes with the OnlyKey has button holes that guide your finger tips to the right place. If anything, the buttons are almost too easy to press, but do need to be pressed by something conductive, like a human.</p>
<h3 id="6-buttons%3A-2-profiles-%26-self-destruct" tabindex="-1">6 buttons: 2 profiles & self-destruct <a class="header-anchor" href="#6-buttons%3A-2-profiles-%26-self-destruct"></a></h3>
<p>Once set up, to use the OnlyKey, you plug the device in and enter a pin code. There are 3 possible configurable pins:</p>
<ul>
<li>2 pins for 2 different profiles</li>
<li>1 self destruct</li>
</ul>
<p>Putting in a profile pin unlocks the key and turns on a different colour light to indicate the profile. That profile is a completely separate and unique set of keys, passwords and configuration.</p>
<p>This is super helpful: 1 profile for work, 1 profile for personal, determined by the pin you initially enter to unlock the device.</p>
<p>Enter an incorrect pin 10 times, or enter the self destruct pin, and the OnlyKey wipes itself. Without the self-destruct, a pin of any convenient length on a 6 button keypad would be feasible to brute force.</p>
<h3 id="2-actions-per-button%2C-per-profile.-passwords%2C-otp%2C-key-combinations-etc." tabindex="-1">2 actions per button, per profile. Passwords, OTP, key combinations etc. <a class="header-anchor" href="#2-actions-per-button%2C-per-profile.-passwords%2C-otp%2C-key-combinations-etc."></a></h3>
<p><picture><source type="image/avif" srcset="/img/tp3LxC530Z-1007.avif 1007w" sizes=""><img alt="OnlyKey app homescreen showing 1 profile" loading="lazy" decoding="async" src="/img/tp3LxC530Z-1007.jpeg" width="1007" height="660"></picture></p>
<p>When the OnlyKey is unlocked, pressing any of the individual buttons briefly will trigger an action, which can be customised in the desktop app. Holding a button for 1.5s will trigger a different action.</p>
<p>These actions can be different authenticator OTP codes, or keying in different passwords, or even key combinations for common shortcuts.</p>
<h3 id="only-set-password-entry-on-long-button-presses%2C-and-probably-avoid-automating-submit." tabindex="-1">Only set password entry on long button presses, and probably avoid automating submit. <a class="header-anchor" href="#only-set-password-entry-on-long-button-presses%2C-and-probably-avoid-automating-submit."></a></h3>
<p>Key entry configuration can do complex stuff. I was able to set up a spare Google account login to happen, including entering the username, pressing return, entering a password, waiting a few short seconds, then entering a 6 digit authenticator OTP code, and pressing return.</p>
<p><picture><source type="image/avif" srcset="/img/XI4t62rtqm-952.avif 952w" sizes=""><img alt="OnlyKey app slot configuration screen" loading="lazy" decoding="async" src="/img/XI4t62rtqm-952.jpeg" width="952" height="674"></picture></p>
<p>Although it was satisfying to know I could do this, it was a bad idea. Accidentally pressing the button anywhere else apart from the username field on a Google login page was... chaotic. It would definitely, eventually, lead to accidentally typing out a username and password and sending it in a Slack channel or Teams chat or similar.</p>
<h3 id="key-layout%3A-otp-short-press%2C-password-long-press%2C-profile-e-mail-at-the-end." tabindex="-1">Key layout: OTP short press, password long press, profile e-mail at the end. <a class="header-anchor" href="#key-layout%3A-otp-short-press%2C-password-long-press%2C-profile-e-mail-at-the-end."></a></h3>
<ul>
<li>1 - short press: password manager OTP</li>
<li>1 - long press: password manager extra long complex password</li>
<li>2 - short press: IDP 1 OTP</li>
<li>2 - long press: IDP 1 extra long complex password</li>
<li>3 - short press: some other service OTP</li>
<li>3 - long press: some other service extra long complex password</li>
<li>6 - short press: profile e-mail</li>
</ul>
<p>I use a variation of this setup. Each number corresponds to a service, with the e-mail often being the username for these services. Pressing 6 will type my e-mail anywhere. Having OTP on short press also means most accidental presses - at worst - dump a random number, rather than a secret.</p>
<h3 id="ssh-setup-is-super-easy%2C-using-trezor's-agent" tabindex="-1">SSH setup is super easy, using Trezor's agent <a class="header-anchor" href="#ssh-setup-is-super-easy%2C-using-trezor's-agent"></a></h3>
<p>This is probably one of my favourite features of the OnlyKey. It uses <a href="https://thoughts.t37.net/a-step-by-step-guide-to-securing-your-ssh-keys-with-the-ledger-nano-s-92e58c64a005">libagent</a>, the same approach as the <a href="https://blog.trezor.io/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609">Trezor security key SSH agent</a> and also supports the <a href="https://thoughts.t37.net/a-step-by-step-guide-to-securing-your-ssh-keys-with-the-ledger-nano-s-92e58c64a005">Ledger Nano S</a> hardware wallet.</p>
<p>To onboard a new service, generate the <code>authorized_keys</code> entry with <code>onlykey-agent</code>:</p>
<pre class="language-bash"><code class="language-bash">$ onlykey-agent username@host<br>ssh-ed25519 ASAAC3NzaC1lPOTATOIDwqxTbTLthb0MSgGeSXZEUEOHZwxJ/M7EJfXPt7Z8iM <span class="token operator">&lt;</span>ssh://username@host<span class="token operator">|</span>ed2551<span class="token operator"><span class="token file-descriptor important">9</span>&gt;</span></code></pre>
<p>The username@host part is used as a seed to derive a unique key pair from a single private key on the device. This is a really satisfying solution to the problem of only being able to store a finite set of unique identities.</p>
<p>Then to use that with something that uses SSH:</p>
<pre class="language-bash"><code class="language-bash">$ onlykey-agent username@host -- <span class="token function">git</span> pull</code></pre>
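<p>To make the "identity string as seed" idea above concrete, here is an added example (not from the original post, and not OnlyKey or libagent code). It assumes HMAC-SHA256 of the identity under a device secret as a stand-in for the real derivation; <code>derive_seed</code>, <code>authorized_keys_line</code> and <code>DEMO_MASTER</code> are hypothetical names, and the Ed25519 public key maths follows RFC 8032 using only the standard library.</p>

```python
"""Deterministic per-identity SSH keys from one device secret (illustration).

Assumption: HMAC-SHA256(master, identity) stands in for the device's real
derivation, which this example does not reproduce.
"""
import base64
import hashlib
import hmac
import struct

P = 2**255 - 19                              # Ed25519 field prime
D = -121665 * pow(121666, P - 2, P) % P      # Edwards curve constant d


def _inv(x):
    return pow(x, P - 2, P)


def _recover_x(y, sign):
    """Solve the curve equation for x given y (RFC 8032, section 5.1.3)."""
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x & 1) != sign:
        x = P - x
    return x


_GY = 4 * _inv(5) % P
_GX = _recover_x(_GY, 0)
BASE = (_GX, _GY, 1, _GX * _GY % P)          # base point, extended coordinates


def _add(a, b):
    """Add two curve points in extended homogeneous coordinates."""
    A = (a[1] - a[0]) * (b[1] - b[0]) % P
    B = (a[1] + a[0]) * (b[1] + b[0]) % P
    C = 2 * a[3] * b[3] * D % P
    Dd = 2 * a[2] * b[2] % P
    E, F, G, H = B - A, Dd - C, Dd + C, B + A
    return (E * F % P, G * H % P, F * G % P, E * H % P)


def _mul(s, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = (0, 1, 1, 0)                       # neutral element
    while s > 0:
        if s & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        s >>= 1
    return acc


def ed25519_public_key(seed):
    """Return the 32-byte public key for a 32-byte private seed."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8                      # clamp the scalar as RFC 8032 requires
    a |= 1 << 254
    x, y, z, _ = _mul(a, BASE)
    zinv = _inv(z)
    x, y = x * zinv % P, y * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def derive_seed(master, identity):
    """Assumed derivation: one master secret in, one seed per identity out."""
    return hmac.new(master, identity.encode(), hashlib.sha256).digest()


def _ssh_string(data):
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def authorized_keys_line(master, user_host):
    """Build the authorized_keys entry for e.g. 'username@host'."""
    identity = "ssh://" + user_host
    pub = ed25519_public_key(derive_seed(master, identity))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return "ssh-ed25519 %s <%s|ed25519>" % (base64.b64encode(blob).decode(), identity)


# Constructed demo secret; on a real key this value never leaves the hardware.
DEMO_MASTER = hashlib.sha256(b"constructed demo secret, not a real key").digest()

if __name__ == "__main__":
    # Same identity always yields the same line; different identities yield
    # unrelated public keys, so nothing extra is stored per service.
    # The flip side: whoever holds the master secret holds every derived key.
    for who in ("username@host", "myusername@github.com"):
        print(authorized_keys_line(DEMO_MASTER, who))
```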
<h4 id="some-handy-aliases" tabindex="-1">Some handy aliases <a class="header-anchor" href="#some-handy-aliases"></a></h4>
<p>2 terminal aliases help here too, 1 for the git command itself, and one for other commands that might depend on git creds, such as installing packages from private repos:</p>
<pre class="language-bash"><code class="language-bash"><span class="token builtin class-name">alias</span> <span class="token assign-left variable">okgit</span><span class="token operator">=</span><span class="token string">"onlykey-agent myusername@github.com -- git"</span><br><span class="token builtin class-name">alias</span> <span class="token assign-left variable">okg</span><span class="token operator">=</span><span class="token string">"onlykey-agent myusername@github.com --"</span><br>okgit pull<br>okg <span class="token function">yarn</span> <span class="token function">install</span> </code></pre>
<h4 id="a-quick-poke-around-the-implementation---accessible%2C-but-a-bit-rough" tabindex="-1">A quick poke around the implementation - accessible, but a bit rough <a class="header-anchor" href="#a-quick-poke-around-the-implementation---accessible%2C-but-a-bit-rough"></a></h4>
<p>SSH with OnlyKey really is almost too convenient. I assumed this did some pure bash funky subshell stuff, overriding some magical <code>SSH_*</code> env vars I wasn't aware of to set a default identity. Poking through the source for <code>onlykey-agent</code> though, I was wrong. It's basically all Python, and implements <a href="https://github.com/romanz/trezor-agent/blob/e4d16a361aaeb15ff3f7bc5d9d0b891eb87b2dbe/libagent/ssh/protocol.py">its own SSH client</a>, with each supported hardware device defining <a href="https://github.com/romanz/trezor-agent/blob/e4d16a361aaeb15ff3f7bc5d9d0b891eb87b2dbe/libagent/device/onlykey.py">its own interface to its cryptographic functions</a> for that SSH client to use.</p>
<p>When you invoke <code>onlykey-agent</code>, it <a href="https://github.com/romanz/trezor-agent/blob/e4d16a361aaeb15ff3f7bc5d9d0b891eb87b2dbe/libagent/ssh/__init__.py">grabs all your parameters</a>. Based on those, it then gathers everything else required. It then creates the SSH client connection using the implementation above. When using it with single commands, any parameters after <code>--</code> are passed to the SSH client to run. If creating an interactive shell with <code>-s</code>, <a href="https://github.com/romanz/trezor-agent/blob/e4d16a361aaeb15ff3f7bc5d9d0b891eb87b2dbe/libagent/ssh/__init__.py">it grabs <code>SHELL</code> env var and uses that as the command to run your standard terminal experience.</a></p>
<p>It's not the most beautiful or cared for Python code in the world, but it gets the job done. <a href="https://dev.to/mpixel/deconstructing-onlykey-agent-401l">Someone who seems far smarter and did a far more thorough analysis of this agrees</a>.</p>
<h2 id="other-useful-onlykey-features" tabindex="-1">Other useful OnlyKey features <a class="header-anchor" href="#other-useful-onlykey-features"></a></h2>
<h3 id="onlykey-challenge-codes---necessary-evil." tabindex="-1">OnlyKey challenge codes - necessary evil. <a class="header-anchor" href="#onlykey-challenge-codes---necessary-evil."></a></h3>
<p>Some OnlyKey functions have a challenge code. This means you will be prompted to enter some digits on the OnlyKey itself when you use onlykey-agent. You can turn this off, but I leave it on. The purpose is to ensure functions can't be done without physically having access to the key. If this is disabled, anyone who has compromised the computer over the internet could use the key, meaning the unique physical factor to the authentication is lost.</p>
<p>The challenge code is implemented <a href="https://github.com/romanz/trezor-agent/blob/e4d16a361aaeb15ff3f7bc5d9d0b891eb87b2dbe/libagent/device/onlykey.py">largely in the OnlyKey specifics part of libagent</a> and I haven't really experienced the same TTY issues I had with GPG agent pin entry setup for the YubiKey. The YubiKey issue was exacerbated by also needing to provide input to the TTY, but with OnlyKey, the input is done via the buttons on the key itself.</p>
<p>It can be a little inconvenient having to enter a bunch of codes for each private dependency on larger projects still, but it can be disabled in the onlykey-app.</p>
<h3 id="backing-up-a-security-key-isn't-always-possible-or-a-great-idea" tabindex="-1">Backing up a security key isn't always possible or a great idea <a class="header-anchor" href="#backing-up-a-security-key-isn't-always-possible-or-a-great-idea"></a></h3>
<p>Creating backups for security keys can be an awkward topic. A truly secure hardware key will have some unique special configuration that exists only on that device's hardware and cannot be extracted. Even if your computer is riddled with malware, OTP and signatures from a secure USB security key should still be relatively safe as the malware can't get to the secrets in the hardware device. But if you <em>can</em> back up that unique special configuration, and someone can get to that backup remotely, they could load that backup onto a blank key and all of a sudden you're compromised.</p>
<p>Even if they can't get to the backup, if they can remotely access your machine with the key connected, and initiate a backup of the key from the computer, you're going to have an equally bad time.</p>
<h4 id="but-onlykey-does-it-in-quite-a-cool-way" tabindex="-1">But OnlyKey does it in quite a cool way <a class="header-anchor" href="#but-onlykey-does-it-in-quite-a-cool-way"></a></h4>
<p>With OnlyKey, unlock the key with a profile pin, and then hold down the 1 key for 5+ seconds, and it will type out its own backup of that profile:</p>
<pre><code>-----BEGIN ONLYKEY BACKUP-----
CbE3xf0RXmX5eajdD1LSqlZ1c1gn2JqMO8Psqy2/eT15T+kmhR1pmqHW/7jnW//Um1+K0j4Y/4jZ
...7 lines removed for brevity & paranoia...
s1z9dz+z2swrJs4tyk+i8SkV3mkOAV5HEEijrUkfRCR247vGIYLvcqWde5um/49NregP+pQ7w1H0
PfQIveqIyqPnI/szmjqVx97XmfESCJTlf4JLRDNl
--FXsW/gSy55Gneb+Soau0PoF1Eu5Q6M/shRxCiZJeIiw=
-----END ONLYKEY BACKUP-----
</code></pre>
<p>Restoring can be done by setting an OnlyKey with the same backup pin, and then using the onlykey-app. Backups are per profile.</p>
<p>If you want a super-safe setup, you shouldn't really be able to even take a backup of a security key, but then if you lose the key, you're equally up the creek. <a href="https://www.yubico.com/blog/backup-recovery-plan/">Yubico's answer to backups is also vague on specifics</a>.</p>
<p>For my own personal use though, I assess the risk and convenience of this type of backup mechanism and approach to be significantly more appealing than the risk and convenience of not being able to backup a key, and having to have 2 actively setup keys in existence.</p>
<h3 id="hold-2-for-a-reminder-of-button-functions" tabindex="-1">Hold 2 for a reminder of button functions <a class="header-anchor" href="#hold-2-for-a-reminder-of-button-functions"></a></h3>
<p>When configuring the OnlyKey, you can label each slot. Unlocking the key and then holding down the 2 key will type out all the slots and labels as a reminder of how the profile is configured. This works even without the app. E.g. the output for the key layout suggestions above would be:</p>
<pre><code>1a passmanager OTP
2a idp OTP
3a someother OTP
4a
5a
6a email
1b passmanager pass
2b idp pass
3b someother pass
4b
5b
6b
For OnlyKey on-the-go visit https://apps.crp.to
</code></pre>
<p>One thing I did notice when putting this together though, is that you have to hold the 2 key for 5 seconds to get this output. On a couple of occasions, I didn't hold for long enough and dumped <code>idp pass</code> password.</p>
<p>I haven't really used this functionality, but I still think it's cool it exists and can be used without any setup using keyboard input.</p>
<h2 id="is-onlykey-a-good-idea%3F" tabindex="-1">Is OnlyKey a good idea? <a class="header-anchor" href="#is-onlykey-a-good-idea%3F"></a></h2>
<p>On the whole, I think so, yes - but it's not perfect.</p>
<h3 id="not-a-full-replacement-for-a-password-manager" tabindex="-1">Not a full replacement for a password manager <a class="header-anchor" href="#not-a-full-replacement-for-a-password-manager"></a></h3>
<p>There are not enough slots for lots of passwords, but a desktop password manager also is more convenient in most cases. Most of my computer usage is at my home desk, with my OnlyKey within arms reach plugged into my dock. Accessing the OnlyKey is convenient but still requires me to relinquish control of a mouse or keyboard. Password managers can have an awareness of what's being logged into, so can find and instantly populate all of those fields automagically. OnlyKey requires you to press a button to tell it what it should do.</p>
<p>So for convenience and scale, I aim to have my most commonly used or not-password-manager-managed passwords configured on some of the OnlyKey long press actions, and the remaining ~75% in KeepassXC.</p>
<h3 id="less-popular-and-less-oversight-than-yubikey" tabindex="-1">Less popular and less oversight than YubiKey <a class="header-anchor" href="#less-popular-and-less-oversight-than-yubikey"></a></h3>
<p>Very few people I speak to are aware of the OnlyKey. Lots of people who have worked in tech have heard of YubiKey. Yubico, who do the YubiKey, are also a relatively large company with a large enterprise customer base. This should bring tighter controls, more stringent processes, more sets of eyes etc. It can also lead to diffusion of responsibility and other scale related quality and security issues.</p>
<p>The OnlyKey is by CryptoTrust:</p>
<blockquote>
<p>CryptoTrust is an innovative provider of specialized secure solutions for businesses and individuals. As an independent security-consulting firm, CryptoTrust’s consultants have years of industry experience in Cybersecurity and internationally recognized security credentials. The specialized experience of CryptoTrust in the DoD and financial services industries enables development of customized security products and services that meet high assurance security standards.</p>
</blockquote>
<p><a href="https://crp.to/t/">CryptoTrust Team page</a></p>
<p>The OnlyKey app, website, docs and generally everything else associated with them makes them out to feel like a significantly smaller operation. This isn't necessarily bad, but it means the OnlyKey probably isn't as battle-tested as YubiKey.</p>
<h3 id="rough%2C-but-opensource-and-actively-developed-code" tabindex="-1">Rough, but opensource and actively developed code <a class="header-anchor" href="#rough%2C-but-opensource-and-actively-developed-code"></a></h3>
<p>My own personal assessment is that some of the OnlyKey python code is not the best. But I also think it feels like it's written by security nerds, rather than software engineering nerds. I don't think there's anything wrong with this and it would probably be my preference. However, it does mean software engineering nerds will and do have meltdowns about how it looks.</p>
<p>The OnlyKey is fully open source. You can even get the <a href="https://github.com/trustcrypto/OnlyKey-Firmware">device firmware</a>. Even if the code is a little bit messy, at least that's possible to see, acknowledge and fix, which wouldn't be the case with closed source alternatives. The developer(s?) of OnlyKey actively respond to reviews and posts of their code too.</p>
<p>YubiKey firmware is largely closed source. They have <a href="https://www.yubico.com/blog/secure-hardware-vs-open-source/">a blog post on it</a> which is basically a very long way of them saying <em>"it was too much money, time and/or effort with too much risk"</em>. I see why they took that decision, that's their tradeoff for their target market. Whether the OnlyKey is a good idea probably comes down to the intended use and market.</p>
<h3 id="is-it-secure%3F-relatively%2C-for-the-right-people%2C-like-me%2C-i-think" tabindex="-1">Is it secure? Relatively, for the right people, like me, I think <a class="header-anchor" href="#is-it-secure%3F-relatively%2C-for-the-right-people%2C-like-me%2C-i-think"></a></h3>
<p>Indeed, some people will scoff at the OnlyKey:</p>
<blockquote>
<p>the marginally lower levels of entropy in the hardware random number generator might introduce predictability into key generation leading to blah blah blah</p>
</blockquote>
<p>or</p>
<blockquote>
<p>that chip is potentially susceptible to hardware decapsulation and probing for physical malicious fault injection blah blah blah</p>
</blockquote>
<p>But security often comes down to behavioral economics. Could someone hack this OnlyKey? Like most things: probably somehow. However, nothing I have access to is worth the incredible amounts of time and focus that would be required to successfully coordinate and execute these attacks.</p>
<p>Nothing is 100% secure. If you are the sort of person who is likely to be targeted by people capable of successfully identifying, intercepting and tampering specifically with your security hardware, then maybe these high effort attacks become a concern. Rather than state sponsored attackers though, for most individuals, the biggest threats are probably script-kiddie automated attacks, keylogging malware and password leaks/reuse. Based on this, I think the OnlyKey would be an appropriate and legitimate improvement for the security of most.</p>
<h2 id="what-do-others-think-of-the-onlykey%3F" tabindex="-1">What do others think of the OnlyKey? <a class="header-anchor" href="#what-do-others-think-of-the-onlykey%3F"></a></h2>
<p>I found a few interesting other discussions on the internet. Internet security nerds are capable of incredible analyses and brutal conclusions. Here are a couple of notable things I found:</p>
<h3 id="the-onlykey-implementation-is-definitely-messy-and-controversial" tabindex="-1">The OnlyKey implementation is <em>definitely</em> messy and controversial <a class="header-anchor" href="#the-onlykey-implementation-is-definitely-messy-and-controversial"></a></h3>
<p>If you're of a technical persuasion, then I think these 2 links are the best resources for an independent assessment of the OnlyKey implementation:</p>
<ul>
<li><a href="https://news.ycombinator.com/item?id=21884184">Hackernews post with a bunch of nerds tearing into it</a></li>
<li><a href="https://dev.to/mpixel/deconstructing-onlykey-agent-401l">dev.to/mpixel with a less critical but thorough analysis of the SSH key derivation, including the challenges of following it - very well done.</a></li>
</ul>
<p>They demonstrate extensively that the code is controversial. It's probably not written by a large mature development team, but more likely by 1 or 2 individuals. The code is hard to follow at times, including for people far far more capable than me, and there are a fair few little quality issues.</p>
<h3 id="the-creators-aren't-perfect%2C-but-clearly-know-some-stuff" tabindex="-1">The creators aren't perfect, but clearly know some stuff <a class="header-anchor" href="#the-creators-aren't-perfect%2C-but-clearly-know-some-stuff"></a></h3>
<p>The discussion in those 2 links gets quite hard and overly critical in places I think, particularly the HN post. However, the authors continue to respond, pointing out a lot of misconceptions in places, and actively accepting and pushing fixes for legitimate issues raised.</p>
<p>I don't think software without issues is possible, so all we can really aspire for is software with active, enthusiastic and capable maintainers.</p>
<h3 id="as-much-as-i-like-the-user-experience%2C-others-don't" tabindex="-1">As much as I like the user experience, others don't <a class="header-anchor" href="#as-much-as-i-like-the-user-experience%2C-others-don't"></a></h3>
<p>These 2 reviews are less technical and more about usage and experience:</p>
<ul>
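<li><a href="https://www.scrye.com/wordpress/nirik/2020/04/03/onlykey-review/">https://www.scrye.com/wordpress/nirik/2020/04/03/onlykey-review/</a></li>
<li><a href="https://jekko.com/2018/11/19/onlykey-color-review-best-u2f-security/">https://jekko.com/2018/11/19/onlykey-color-review-best-u2f-security/</a></li>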
</ul>
<p>Neither recommends the OnlyKey, but for less technical reasons such as an ugly engineer's UI, or security concerns about entering the physical PIN in a coffee shop, or criticisms about the durability of the keychain or branding. These don't really impact me but support the argument that these things aren't for everyone.</p>
<h2 id="conclusion" tabindex="-1">Conclusion <a class="header-anchor" href="#conclusion"></a></h2>
<p>What is "secure enough" is relative, and depends on your threat model which will be informed by your own risk appetite based on your circumstances. For the vast majority of people, if you're looking for another factor for an MFA setup, OnlyKey is definitely more secure than nothing, and more versatile than most.</p>
<p>OnlyKey is a newer and less popular security key than others, and as a result, it's still a little bit rough around the edges. This might make it inappropriate for those who might be the target of APTs or state-sponsored attackers, but if you're one of those people, you probably know that. However, the creators do know their stuff, and are actively improving OnlyKey.</p>
<p>And finally, the OnlyKey is a fun little device to nerd around with, far more so than a YubiKey. 🤓</p>
]]>
</content>
</entry>
<entry>
<title>I should write short unstructured posts, or longer structured ones</title>
<link href="1dom.io/posts/2022-05-writing-reflection/"/>
<updated>2022-05-28T00:00:00+00:00</updated>
<id>1dom.io/posts/2022-05-writing-reflection/</id>
<content type="html">
<![CDATA[
<p>I'd like to share more thoughts by posting more on here. I go through phases of motivation to write - these phases often stop I think because I try to haphazardly write more than I'm capable of these days.</p>
<p>For example, I started writing the <a href="/posts/2022-02-onlykey/">OnlyKey post</a> back in February. It was intended to be a quick reminder to myself of how I set up and use the OnlyKey and some things I like about it. This seemed like something I could do in a couple of paragraphs over an hour or so. I have a similar style - unfinished - post but about the Oculus Quest. In both cases, I feel I hugely underestimated <em>something</em>.</p>
<p>I think because I start out intending to write a short post, I don't come up with any structure in advance, and I quickly start writing. So after some overthinking, a few paragraphs in and I'd realise I haven't even made a dent in what I wanted to communicate, but I had already written more than I'd intended.</p>
<p>I then try to just carry on, but eventually have to stop. I don't want to come back and do any more writing, because I failed to succeed with a quick post, and it wasn't much fun where I left it, without a plan.</p>
<p>As soon as I'm a few paragraphs in, and I feel I haven't made a dent, and I don't really have a plan, I should stop and recognise I have 2 potential options to avoid disappointment:</p>
<ul>
<li>Accept it's going to be a long post, probably not finished today, and try to get excited about breaking it down, and taking a slower, more structured approach to writing it.</li>
<li>Stop. Write a few more words to wrap up, and post it.</li>
</ul>
<p>Here are a few more words to myself: don't overthink <em>everything</em>. Sometimes less is more. Some skills, for me, take practice and upkeep. It looks like writing is one of those skills, and I've neglected it since leaving academia. One of the many reasons to keep trying to write and post more things!</p>
]]>
</content>
</entry>
<entry>
<title>Free Google Domain Apps NOT going away, this time.</title>
<link href="1dom.io/posts/2022-05-google-domain-apps-returning/"/>
<updated>2022-05-29T00:00:00+00:00</updated>
<id>1dom.io/posts/2022-05-google-domain-apps-returning/</id>
<content type="html">
<![CDATA[
<p>Google changed their mind: <em>"...we’ve added an offer for those using G Suite legacy free edition for non-commercial use, such as individuals and families, to opt out of the transition."</em></p>
<h2 id="i-received-an-e-mail-saying-non-commercial-use-can-continue" tabindex="-1">I received an e-mail saying non-commercial use can continue <a class="header-anchor" href="#i-received-an-e-mail-saying-non-commercial-use-can-continue"></a></h2>
<p>I received an e-mail titled <em>"[Action Required] Upgrade your G Suite legacy free edition subscriptions to Google Workspace by June 27, 2022"</em> on 24/05/2022 saying:</p>
<blockquote>
<p>Dear Administrator,</p>
<p>We previously notified you that you’ll need to upgrade from the G Suite legacy free edition to Google Workspace by June 1, 2022, or your account would be automatically upgraded. However, we've recently updated our timeline for the transition and you now have until June 27, 2022 to take action.</p>
<p>Along with this change, we’ve added an offer for those using G Suite legacy free edition for non-commercial use, such as individuals and families, to opt out of the transition.</p>
</blockquote>
<h2 id="how%3F-login-to-control-panel-and-go-through-legacy-transition-process." tabindex="-1">How? Login to control panel and go through legacy transition process. <a class="header-anchor" href="#how%3F-login-to-control-panel-and-go-through-legacy-transition-process."></a></h2>
<p>From this support page: <a href="https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F2855120%3Fhl%3Den&product_context=2855120&product_name=UnuFlow&trigger_context=a">https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F2855120%3Fhl%3Den&product_context=2855120&product_name=UnuFlow&trigger_context=a</a></p>
<blockquote>
<p>For individuals and families using your account for non-commercial purposes, you can continue using the G Suite legacy free edition and opt out of the transition to Google Workspace by clicking <a href="https://admin.google.com/?action_id=SE_SELF_TRANSITION&utm_source=helpcenter">here</a> (requires a super administrator account) or in the Google Admin console.</p>
</blockquote>
<p>Clicking <a href="https://admin.google.com/?action_id=SE_SELF_TRANSITION&utm_source=helpcenter">there</a> and starting the transition process eventually gives an option to declare it's non-commercial and keep the account.</p>
<h2 id="so...-good%3F-but-this-just-is-another-reason-to-try-selfhost-and-degoogle-more." tabindex="-1">So... Good? But this just is another reason to try selfhost and degoogle more. <a class="header-anchor" href="#so...-good%3F-but-this-just-is-another-reason-to-try-selfhost-and-degoogle-more."></a></h2>
<p>I wrote a <a href="/posts/2022-02-google-domain-apps-going/">post bemoaning Google's original decision to discontinue free legacy domain apps</a> a few months back. Whilst I appreciate being able to keep the account, the spirit of my original post still stands.</p>
<p>At any moment, Google could change their mind again, so I should still try to make some progress on degoogling.</p>
]]>
</content>
</entry>
</feed>