Manually Configuring Some MacOS Apps

Just wanted to keep a list of manual configuration items for each macOS app, in case anyone also finds them useful as well.

Brave (FF UI is freezing when waking from sleep)

Firefox

  • about:config
    • gfx.webrender.all = true
    • gfx.direct2d.disabled = true
    • layers.acceleration.disabled = true

TextMate

  • command_line
    • defaults write com.macromates.TextMate disableTypingPairs -bool YES

macOS (Beware of the Monterey bugs ! :/ memory leaks :/ !)

Manually Configuring Some MacOS Apps

Apologies in advance!

There’s something about the ARC4 algorithm that still fascinates me to this day… it’s just fun to play with!

function rc4md(m) {
    var r = [], s = [], i = 0, j = 0, x, y, z;
    for (z = 0; z < 256; z++) {
        s[z] = z; r[z] = z;
    }
    var c, l = m.length, n = (l + (256*16));
    for (z = 0; z < n; z++) {
        if ((l > 0) && (z < l)) { c = m.charCodeAt(z); }
        else { c = s[j]; }
        i = ((i + 1) % 256);
        j = (((j << 1) ^ (s[i] + c)) % 256);
        x = s[i]; s[i] = s[j]; s[j] = x;
        x = ((s[i] + s[j] + s[c]) % 256);
    }
    for (y = 0; y < 32; ++y) {
        r[y] = (r[y] ^ s[x]);
        x = ((x + r[y]) % 256);
    }
    var o = "", h = "0123456789abcdef";
    for (y = 0; y < 32; y++) {
        o += (h.charAt(r[y]>>4) + h.charAt(r[y]&0xf));
    }
    return o;
}

var z = "", m = ["", "0", "a", "abc", "acb", "abcd", "abce", "the quick brown fox jumps over the lazy dog"];
for (var k in m) {
    z += (rc4md(m[k]) + " " + m[k] + "\n");
}
console.log(z);
c4f07823199b0dfd9418ab8415083f3d85d15ad5d4c229203e6ea763feb01da6  
c2c5ccdbe63e2261f7e53841beecab1242343ae8bb5991d19c97bc3b48b30b17 0
1a1a495a699dc2dcedc40001d601a87280e1290b5263db09c7cbfccf2b0b88b6 a
38a4d510dc954a41878e473f6f6921a38e928fb5774df9b0294049b1643f947a abc
5a0003fbf1c21edf325a6962ac15a6a5a808d9cc3d7c4fc2b631d51ed04b0c3c acb
d0e49d9b400f270e251d791585f8995e8fc2fc36e5358ead14738f2ba76cc562 abcd
a9a142efbd65b7b2670fc586f1baf6a3d2b7dc405e0d82a6bfc7b040e02b99c3 abce
630d3d40f42930bc3a7eb94ee6d1fdd4210dfaf542da4771e21f21d02f35f385 the quick brown fox jumps over the lazy dog

Apologies in advance!

Macbook-Pro M1-Max 14 [mega-thread-blog-post]

The beginning of the ARM laptop journey!


[Mon Oct 18 2021 – Pre-order-day]
[Custom build-to-order processing]
[Shipping from a place far far away — AI SHANGHAI, CN]

[UPS – Welp… I’m trying! :/]
[X-RAY Vision]

Well it finally came through! The size and thinness make it very portable at 14-inches, although it does feel a bit heavier in weight, similar to how my old Powerbook G4 felt. The liquid retina display is smoother, crisper, taller, and more vibrant at a 16:10 aspect ratio, in addition to the extra menubar space and smaller bezels. The keyboard key travel feels solid, firm, springy, and has a satisfyingly-mechanical “clickity-clackity” type of sound to it. Speakers are full and warm. Touchpad is responsive and accurate. The old-school ports are back including MagSafe, HDMI, and SD-Card, in addition to the amazing convenience of TouchID. This machine feels like the modern-retro car equivalent of a laptop computer, the way a proper computer should be, for pros!

Cons: One thing missing is the 802.11ac-3×3 radios (it only has a two-by-two)

Intel-free since pre-2023 ! 🙂

[Perfection]
[Darwin Kernel 21.1.0 root:xnu-8019.41.5 arm64]

[Extra Battery Savings made for the M1 Max SoC]
Macbook-Pro M1-Max 14 [mega-thread-blog-post]

Apple M1 Max – Finally Replacing My Last Intel Machine

So I’ve placed an order for my first ARM laptop to finally replace my five year old 2017 Macbook Air (the last Intel processor)(I’m going all-in on ARM) !

Machine Specs:

  • Macbook Pro: 14-inch Liquid Retina XDR Display
  • Apple M1 Max: 10-core CPU & 16-core Neural Engine
  • Systems on a Chip: 32-GB Unified RAM & 32-core Integrated GPU
  • IO: Three Thunderbolt 4 ports, SDXC card slot, HDMI, Full-Fn-Backlit Keyboard
  • 1TB SSD Storage
  • Touch ID & MagSafe!
  • The end of the x86 era!!

Apple M1 Max – Finally Replacing My Last Intel Machine

Having Fun With: DNS Records + Signed Certificates + Cryptographic Algorithms!

So I was experimenting and if you can get signed certs from let’s-encrypt and dns records from cloud-flare, then you could store your public signed certificate as a set of split txt entries which anyone could verify with a set of trusted root certificates. You can then use the private key to sign an encryption key (stored as another txt record) along with the encrypted message (also another txt record).

This would allow you to sign, store, and send short messages (in a single direction) with confidentiality, integrity, and authenticity all through a plain text protocol (as long as the root certs exist)!

Verification Chain:

  • The message data is hashed into -> The encryption key
  • The encryption key is signed with -> The private key
  • The private signature is decrypted with -> The public key
  • The public key is embedded into -> The signed certificate
  • The signed certificate is verified with -> The root certificates
  • The end verify -> The root certificates + The domain name + The expiry time
# ./dns_fun.sh fossjon.com d

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b3:64:ec:80:70:47:42:2a:8a:ef:b4:11:60:03:9d:23:78
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Oct  9 18:35:11 2021 GMT
            Not After : Jan  7 18:35:10 2022 GMT
        Subject: CN=*.fossjon.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:1c:f6:86:b7:b5:45:63:68:7b:e4:34:10:6e:
                    0c:51:da:73:5b:65:d4:f7:fd:c8:c7:2e:d8:8b:01:
                    2d:c5:67:a4:0e:7a:b6:57:bf:fe:2a:c9:52:4d:38:
                    51:56:a6:08:bb:5a:8f:85:32:88:c0:3c:9b:3e:ad:
                    f9:1a:aa:21:fb:b6:2f:d1:7c:bc:c1:6e:ae:d8:b4:
                    c9:87:a5:69:a4:c5:f9:1d:3a:1f:49:68:94:75:b9:
                    ab:f6:12:9f:56:4c:7f:26:f1:6e:85:9e:1e:66:be:
                    74:e0:01:91:6d:59:cb:0d:34:01:10:5c:b9:43:44:
                    52:07:6a:ca:3f:83:1e:41:6c:51:5a:a6:fa:20:8f:
                    33:40:76:90:ab:4d:04:6f:33:70:f0:09:c7:38:25:
                    26:15:70:d6:f9:f4:e6:b6:71:11:e0:7a:c6:04:86:
                    30:c9:56:f0:14:6e:9e:66:60:b3:7d:2b:42:a4:b9:
                    fb:6d:73:4f:26:2e:17:aa:a8:64:72:e2:f5:a8:b1:
                    17:8d:f4:db:a8:10:fc:70:ff:1b:cc:78:6f:04:84:
                    e0:fc:1d:15:72:de:41:bd:14:c5:26:72:3e:56:2a:
                    aa:1d:9f:1a:3c:17:40:91:21:7e:2a:b4:8a:c2:ab:
                    79:0f:dd:21:13:a1:2e:da:6a:a3:92:49:e7:f1:58:
                    36:bf
                Exponent: 65537 (0x10001)

Secret_key_123-77cf362ab2442e3fa3062d06adb571f0ea92647f0ba137300a272767d6ea0834

this is just a test of the emergency broadcast system, this is not the real thing!
#!/bin/bash

d="$1" ; z="$2" ; m="$3" ; k="$4"
echo

if [ "$z" == "e" ] ; then
  h=$(echo "$m" | openssl dgst -sha256 -r | awk '{ print $1 }' | tr -d '\t\r\n')
  t="${k}-${h}"

  e=$(echo "$m" | openssl enc -aes-256-cbc -e -k "$t" -S 00 | base64 -b 255)
  echo "$e" ; echo

  s=$(echo -n "$t" | openssl rsautl -sign -inkey privkey.pem | base64 -b 255)
  echo "$s" ; echo

  p=$(cat crt.pem | grep -iv '^---' | base64 -d | base64 -b 255)
  echo "$p" ; echo
fi

if [ "$z" == "d" ] ; then
  c=$(dig "z.pubcrt.$d" txt +short | tr -d ' "\n' | base64 -d | base64 -b 64)
  ( echo '-----BEGIN CERTIFICATE-----' ; echo "$c" ; echo '-----END CERTIFICATE-----' ) > /tmp/crt.pem

  t=$(openssl x509 -text -noout -in /tmp/crt.pem | grep -i 'exponent' -B 64)
  echo "$t" ; echo

  v=$(dig "z.pubkey.$d" txt +short | tr -d ' "\n' | base64 -d | openssl rsautl -verify -certin -inkey /tmp/crt.pem)
  echo "$v" ; echo

  o=$(dig "z.pubmsg.$d" txt +short | tr -d ' "\n' | base64 -d | openssl enc -aes-256-cbc -d -k "$v")
  echo "$o" ; echo
fi

Having Fun With: DNS Records + Signed Certificates + Cryptographic Algorithms!

Using Cloudflare NS Records For Better Web Proxying & DNS Service

So I decided to switch the nameserver records on my fossjon.com domain over to Cloudflare’s service for two different reasons. One is that they offer more advanced https reverse proxying tech along with a better dns management interface as well! I still have the domain registered with Google Domains as they also offer pretty good mx record email forwarding via gmail.

Cloudflare won’t let you directly rewrite the HTTP HOST header field anymore, however, they will let you setup a more advanced HTTP JavaScript worker process. This process can handle the incoming web proxy requests along with the outgoing responses and perform some modifications on them. This is an extremely powerful framework and it behaves more like a proper reverse proxy server would!

/* worker */
addEventListener("fetch", event => {
  event.respondWith(handleRequest(event.request))
});

async function handleRequest(request) {
  /* request */
  var url = new URL(request.url);
  url.hostname = "fossjon.wordpress.com";
  //url.pathname = url.pathname.replace(/\/*$/mig, "") + "/";
  var repHost = new RegExp(url.hostname, "mig");
  var reqHost = request.headers.get("host");
  const response = await fetch(url, request);

  /* response */
  const newHead = new Response(response.body, response);
  for (var keyVal of newHead.headers.entries()) {
    if (keyVal[0].toLowerCase().includes("location")) {
      var newHost = keyVal[1].replace(repHost, reqHost);
      newHead.headers.set(keyVal[0], newHost);
    }
  }
  const resText = await response.text();
  const newBody = resText.replace(repHost, reqHost);

  /* return */
  return new Response(newBody, newHead);
}

Note: It seems like CF offers a better DNS API service, however, I couldn’t yet find a DNS backup button to help save all my records locally (hacky webarchive file but at least it’s sorted nicely).

javascript:(function(){
var t = document.getElementsByTagName("table")[0];
var s = t.getElementsByTagName("tr");
var m = {}, l = [], z = 1;
for (var i=0; i<s.length; ++i) {
  var d = s[i].getElementsByTagName("td");
  if (d.length > 4) {
    var k = d[2].innerText.trim();
    if (k.endsWith(".com")) { k = "@"; }
    if (!(k in m)) { m[k] = {"r":[]}; l.push(k); }
    var r = d[1].innerText.trim();
    if (!(r in m[k])) { m[k][r] = []; m[k]["r"].push(r); }
    m[k][r].push([d[3].innerText.trim(), d[4].innerText.trim()]);
  }
}
var b = "style='border: 1px solid black;padding: 4px;white-space: nowrap;'";
var o = "<table style='padding: 8px;'><tr><th "+b+">No.</th><th "+b+">Time</th><th "+b+">Record</th><th "+b+">Type</th><th "+b+">Value</th></tr>";
l.sort();
for (var i in l) {
  var k = l[i];
  m[k]["r"].sort();
  for (var j in m[k]["r"]) {
    var r = m[k]["r"][j];
    m[k][r].sort();
    for (var d in m[k][r]) {
      o += ("<tr><td "+b+">"+z+"</td><td "+b+">"+m[k][r][d][1]+"</td><td "+b+">"+k+"</td><td "+b+">"+r+"</td><td "+b+">"+m[k][r][d][0]+"</td></tr>"); ++z;
    }
  }
}
o += "</table>";
document.head.innerHTML = document.head.innerHTML.replace(/script/ig, "xscript");
document.body.innerHTML = o;
})();
Using Cloudflare NS Records For Better Web Proxying & DNS Service

Star Cert via Let’s Encrypt via DNS TXT via Docker Container (manual process)

Source Code: https://github.com/stoops/dockerssl

If you want to get a wild-card certificate with let’s-encrypt then you’ll have to use the DNS verification method. I made an example Docker file and script that can quickly and easily spin up a Debian container to install and run the certbot application. You can then connect to the container via a local URL (http://127.0.0.1:8080/) and interact with the process to setup the TXT record and then verify the DNS entry and then download the signed cert chain + key pem files!

Note: I do wish Google had API access to their Domains service which would allow for automated TXT records!

$ c=fullchain.pem ; k=privkey.pem ; openssl x509 -noout -modulus -in $c | md5 ; openssl rsa -noout -modulus -in $k | md5

ca7e9eba4cde42a000038aa7dae8680b
ca7e9eba4cde42a000038aa7dae8680b
$ openssl x509 -text -noout -in fullchain.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b3:64:ec:80:70:47:42:2a:8a:ef:b4:11:60:03:9d:23:78
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Oct  9 18:35:11 2021 GMT
            Not After : Jan  7 18:35:10 2022 GMT
        Subject: CN=*.fossjon.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:1c:f6:86:b7:b5:45:63:68:7b:e4:34:10:6e:
                    .....
                    79:0f:dd:21:13:a1:2e:da:6a:a3:92:49:e7:f1:58:
                    36:bf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                34:94:9E:5B:B9:3C:11:0C:F3:33:3E:A1:C4:41:DA:61:64:ED:1D:97
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.fossjon.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
    Signature Algorithm: sha256WithRSAEncryption
         48:aa:26:6c:2e:fe:ed:a8:14:3e:80:12:c3:0b:c5:f5:95:5c:
         .....
         f2:0f:4c:9d:4e:d5:df:18:4a:cd:b3:a2:be:3e:57:2f:fc:d0:
         8e:c2:03:3e
$ openssl s_client -connect lo.fossjon.com:8443

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=*.fossjon.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=*.fossjon.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4628 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A9CA7F699D780CFD9FAFBC197FDBA14FC4307F225CE6C90E55CE0658E3055F8
    Session-ID-ctx:
    Master-Key: C84D32162158587663310FB67F482AE63CA9F964158B74C1E40806D8915E1B25AFB3DC2F22E15D58450F7CFCA0FAA8B4
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 48 82 2b be 43 84 b1 13-11 7a e5 bf 39 97 89 55   H.+.C....z..9..U
    0010 - 43 41 ce 61 42 f8 16 e7-89 28 67 af 8d 73 6d 5c   CA.aB....(g..sm\
    0020 - 60 c0 13 20 cc e9 77 0d-5a 34 73 50 85 23 57 b0   `.. ..w.Z4sP.#W.
    0030 - 10 fd 8e c7 6b d4 37 8b-59 4e f4 30 b3 46 b4 d7   ....k.7.YN.0.F..
    0040 - aa c6 79 ff c0 f9 50 c2-54 f0 8e ca 64 3e 49 15   ..y...P.T...d>I.
    0050 - f5 42 fa 29 12 73 a6 f2-92 b0 a8 e0 9f 13 fa 89   .B.).s..........
    0060 - d1 8c c0 93 19 bf ea 81-32 0c 86 e7 37 42 f8 20   ........2...7B.
    0070 - f6 9d 94 d3 38 d8 c9 38-07 9f b6 99 79 b5 43 6a   ....8..8....y.Cj
    0080 - c5 11 fd a1 30 3a d6 e0-74 d3 ba b6 6f 35 47 f4   ....0:..t...o5G.
    0090 - eb c9 af c3 0f 69 95 9f-d1 4c f2 21 80 cc b5 db   .....i...L.!....
    Start Time: 1633812734
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C
Star Cert via Let’s Encrypt via DNS TXT via Docker Container (manual process)

Reddit Refresher Javascript Bookmark

Note: This is only compatible with the good old.reddit.com website!

javascript:(function(){
function w() {
  document.title = (document.title+" . [*]");
  var y = Math.random(), x = new XMLHttpRequest();
  x.onload = function() {
    var c = 0, d = document.createElement("div");
    d.innerHTML = this.responseText;
    var l = d.getElementsByClassName("thing");
    for (var i=(l.length-1); i>=0; --i) {
      var p = (l[i].getAttribute("data-permalink") + "");
      if (!p.startsWith("/r/")) { continue; }
      var f = 0, z = [null, null]; c = 0;
      var m = document.getElementsByClassName("thing");
      for (var j=0; j<m.length; ++j) {
        var q = (m[j].getAttribute("data-permalink") + "");
        if (!q.startsWith("/r/")) { continue; }
        if (q == p) { f = 1; }
        if (!z[0]) { z[0] = m[j]; }
        c += 1; z[1] = m[j];
      }
      if (c > (36-(parseInt(y*5)+1))) {
        z[1].parentNode.removeChild(z[1]);
      }
      if (f == 0) {
        console.log(p);
        z[0].parentNode.insertBefore(l[i], z[0]);
      }
    }
    var a = (new Date() + "").replace(/[ ]*[^ ]*-.*$/, "");
    var h = ("<b><font color='red'>" + a + "</font></b> &nbsp; &nbsp; pop in: ");
    document.getElementsByClassName("menuarea")[0].getElementsByTagName("span")[0].innerHTML = h;
    document.title = ("("+c+") . reddit");
  };
  var s="?", r=location.href;
  if (r.includes("?")) { s="&"; }
  x.open("GET", r+s+"r="+y);
  x.send();
}
w(); setInterval(w, ((9 * 60) + 1) * 1000);
})();
Reddit Refresher Javascript Bookmark

Decided to purchase a domain for 2021

So I thought I’d try something new/different these days and buy a domain again! I’ve purchased some in the past but never made much use of them personally speaking…

Domain Example: fossjon.com/2021/10/06/…a-domain-for-2021/

I chose Google Domains because they offered some extra valuable & useful features:

  • easy record management
    • whois info privacy
    • backup yaml file
  • email forwarding inbound
    • including mx-records
    • including star-matching
  • web redirection proxying
    • including sub-domains
    • including preserve-paths
    • including https-certificates
  • outbound email records (spf+dmarc)

The only thing I can’t do is send email outbound with a domain address via gmail itself (without an extra smtp server setup) because Google removed the ability to modify the FROM field in the message headers directly with an alias email (it now requires a persistent external smtp auth login)!

Edit: If you can find a third-party smtp mail provider that allows you to add & verify email aliases more easily, you can instruct gmail to connect to that external smtp server with your other account and then you’ll be able to send email from an alias address via gmail directly!

Got a score of 85 which is not-too-bad for a super-simple domain-name email address!
 

$ dig fossjon.com txt | grep -i spf

fossjon.com.		550	IN	TXT	
"v=spf1 include:_spf.google.com include:_spf.mail.yahoo.com ~all"

# dig fossjon.com txt +short | grep '!' | tr -d '"' | base64 -d
Decided to purchase a domain for 2021