I would love a world where I could put all my API keys in the TPM so malware couldn't gain persistent access to services after wiping my computer. This would be so easy if more providers used asymmetric keys, like through SSH or mTLS. Unfortunately, many don't, which means that stealing a single bearer token gives full access to services.

There's also the TPM speed issue. My computer takes ~500ms to sign with an ECC256 key with the TPM, which starts to become an issue when running scripts that use git operations in serial. This is a recurring problem that people tend to blame on export controls: https://stiankri.substack.com/p/tpm-performance

In some cases there is a work-around for bearer tokens. If they allow key/cert login to generate the token (either directly, or via oath), and the token can be generated with a short lifetime, you can build something pretty safe (certainly safer then having a not-expiring, or long TTL token in a wallet).

apologies for asking this question here instead of actually doing the research, but it always seemed to be that while putting keys in a secure environment would help against leakage of the private bits, there really isn't a great story around making sure than only authorized requests can be signed. is this a stupid concern?

Yubikey can require touch, and Secretive for Apple Secure enclave can require touch with fingerprint id. Some people disable these, it depends exactly on your use case.

You don’t need Secretive, there is actually Apple native way

I put my ssh keys into the Mac’s TPM and now it asks for a password/touch ID when I use it.

Unfortunately I forget what commands I used

yes, but what's to stop a malicious actor from intercepting a signature request and replacing its own contents in place of the legitimate one. yes you would find out when your push was rejected, but that would be a bit late.

It is not a stupid concern, butt there is architecture around making sure you can't just save a request for later and replay it

> The computer that you are trying to wake up also needs to be connect with an ethernet cable as it is not possible to send a magic packet over wifi.

While WiFi adapters may not support waking up the computer from a WiFi signal, you absolutely can send magic packets over WiFi as they're normally just UDP broadcast frames. Convenient for waking up a desktop from a laptop!

I use a prompt like this that asks for model name and version! It's been effective so far, especially since I have edit history.

Yep. While the Terminal is not an option from the 4 apps listed in the initial screen, it's available from Utilities → Terminal at the top. They even provide a convenient way to access the hard drive from another computer: https://support.apple.com/guide/mac-help/macos-recovery-a-ma...

> Terminal both require an admin password

Not in my testing.

They do, for Enterprise customers only: https://docs.github.com/en/enterprise-cloud@latest/organizat...

They've rolled their host key one time, so there's little reason for them to use it on the host side.

I’d love if they supported an SSH certificate CA for commit signing verification though.

Nice! There's also zstd's flush ability that I've used for streaming robotics data. You can write data and flush it over the network for realtime updates, but the compression stream stays open so it can still reference past messages. This means messages get smaller over time so you don't need to share a dictionary ahead of time. I'm not aware of other compression algorithms that have flushing capability like this.

> binary data to connected clients in tiny messages, each saying “field 5 on object X is now 123”

I wonder how Meta's newer, format-understanding OpenZL would do. I imagine its schemas could be auto-generated from protobuf.

Ah, I have not looked into that, zstd keeps giving.

They moved on to Courgette, then to Zucchini: https://chromium.googlesource.com/chromium/src/+/HEAD/compon...

These are optimized for compiled code though.

> zerobox --secret OPENAI_API_KEY=$OPENAI_API_KEY

Linux by default allows all users to read CLI arguments of running processes. While it looks like your bwrap invocation prevents the sandbox from looking at this process (--unshare-pid), any other process running on your system can read the secret.

That's true and the expected behaviour but I see your point. The example there is not great, I should've used `sk_s123...` to show that you are passing the env var to the sandbox as opposed to setting it on the host, then proxying it. I will update it.

all of GitHub is crashing right now, even though githubstatus.com only mentions pull requests being an issue.

> Interestingly, it was more choppy in Chromium.

Firefox's WebRender is truly a great creation. While Chrome is faster at most things especially involving JS, Firefox puts so much of its rendering on the GPU so moving elements around is incredibly fast.