![[RSS]](/cgi-bin/w3bl0g/feed.png)
You are in: Root/MBox Documentation. vURL: /mbox/faq.htm.
Introduction
This is the MBox F.A.Q., which aims to answer a few questions about my MBox software.
Table of Contents
m0rd3n1, m0rd3n2, m0rd3n3, and m0rd3n4
Cookies on My Computer?MBox Cookie? What Does It Contain?MBox Query Forms?MBox Variables?MBox Cookie?1.0: General Information [top]
Following is some general information about this document.
1.1: Status of this Document [top]
Here is this document's revision history. The most recent change is listed first.
2009-06-09: Started this document.
This document is maintained by 少佐. Questions and/or comments pertaining to either this document specifically, or MBox in general, should be mailed to mbox-dev@m0rd3n.me.uk∗. Alternatively, you can visit the prototypical MBox and ask for Major.
2.0: General Questions [top]
Following are answers to common general questions concerning MBox.
2.1: I Want the MBox Code! Where Do I Get It? [top]
You can find the live source code set here. MBox currently consists of 1 Perl source code file, 1 javascript file, about 15 Perl package files, a few GIFs and maybe PNG files, and a small raft of little CSS / HTML files. At present, only the code files themselves are available for your perusal; this is because I'm lazy.
MBox also generates a few data files during normal operation; none of these are
available for download from the source tree page (or even accessible over the
Web) because they are all specific to my personal instance of MBox and some of
the files (such as USERS) contain sensitive data.
I shall eventually provide a base MBox setup in a ZIP file, but the only documentation will be here at m0rd3n.me.uk and you'll have to do most of the legwork of setting up MBox yourself. As I said before, I'm lazy. :-)
2.2: Can I Copy / Use the MBox Code? [top]
Sure you can, provided that you abide by the terms of at least v2.0 of the GNU GPL. Here it is∗. If you want to reuse my code in your own projects, you must abide by the terms set out in the document to which I just linked you.
2.3: Why Are Usernames Different Colors? [top]
MBox natively supports four different groups of user. Each group has their username displayed in a different color so that it's easy to tell at a glance who belongs to what group. (N.B.: The Sysop may have disabled colored usernames, in which case you will only see black ones. This is because some Sysops live to make life suck for the rest of us.)
Owner
Administrator
Registered
Guest
The Guest user is a standard user. If you are a Guest, you're 'renting' your username. You can use your username until you close your browser window or navigate away from MBox, at which point someone else will be able to use it. A Guest username is available to everyone, although may only be used by one person at a time.
The Registered user has a username that's protected by a password only s/he knows. If you're a Registered user, then you effectively own your username (i.e. you have exclusive access to it and authority to use it, something which even the Sysop doesn't have). No-one else can use your username but you (unless you have told them your password like a dumbass).
The Administrator user has a password-protected username that has some extra privileges attached to it. If you're an Administrator user, then you have the ability to ban Guest / Registered users who are creating problems in chat. You can lift bans you have placed, but you can't lift a ban that was placed by a different Administrator. You will be able to see the IP addresses and rDNS names (if enabled) of all users except Owner-class users (this class includes the Sysop if s/he decides to join the chat).
The Owner user has a password-protected username that's like a horny Administrator username on crack. If you have an Owner-class username, then you have the ability to ban any Guest, Registered or Administrator user. You can also lift any ban that has been placed by any Administrator. What you can't do, is lift bans that were placed by other Owner-class users. There should be only one Owner-class username per instance of MBox in order to make spam / damage control easier.
I added the different types of username with specific goals in mind. The purpose of Owner names is to provide a way to resolve disputes between Administrator names, whose purpose is to resolve disputes between Registered and Guest names. There is a hierarchy here in terms of purpose, but that does not mean that one class of user is somehow "better" than any other class. Each of us is a human being, and everyone makes mistakes.
2.4: Why MBox? [top]
MBox is a nickname that was given to the program by user MikuJess fairly
early into the program's development. It used to be called Morden's Chat Box
(or That Fucking Chat Widget Thing to its friends).
I originally wrote MBox as an exercise in Perl/AJAX programming, because I wanted a chat on my site, and as an antidote to the multifarious bug-ridden pieces of chat software that litter The Intarwebs of today. It was also meant to be a respite for a community of which I used to be a part, but that community doesn't bother with it.
MBox has bugs, the same as any other piece of real-world software, but the bugs it has aren't deal-breakers. Double-posting - a problem that plagues almost every piece of chat software ever written - was eliminated a while ago, for instance, and the live portion of the message processing subsystem will not slow down appreciably even if millions of messages have been archived by the system. It also recovers gracefully from DNS and other network failures.
MBox doesn't need Flash for anything, and in fact requires nothing other than a suitable javascript-enabled Web browser or mobile device in order to work. This, again, is unlike just about everything else out there. It has a bunch of other features, like a simple bot and visual themes, but most people don't find those interesting so I've just listed the important ones here.
2.5: Why Is MBox Free? [top]
Because I don't believe in the concept of making money out of something I love doing. The second I made any money out of programming a pet project, my interest in the project would die. It has happened before, and I learned from the experience.
The code has been released to the world under the GNU GPL (refer to § #2.4) because I hate the idea of proprietary software but, more critically, it has been released to the public in the hope that someone, somewhere, might learn something from some of the code contained within its files.
The code has been released further as a form of 'self-auditing.' I believe that bugs in the code will be found more quickly if the code is openly viewable by all. Having the code openly perusable by people also allows me to show that my code does what it says on the tin and nothing else. Have I mentioned that I hate proprietary software?
Finally, I don't believe the quality of MBox's software is good enough to be professional software. Rest assured however that. even if MBox was professional grade, it would still be both open-source and free.
2.6: Are Messages Sent Using MBox Encrypted? [top]
No. I have no plans to add end-to-end encryption into MBox. It would be an awesome feature to have, but the logistics of actually adding such a thing to MBox would suck rat balls. Remember that MBox works over HTTP, and HTTP is inherently stateless. Maintaining information required for end-to-end encryption over the HTTP protocol would be highly dicey, and I doubt that the end result of such endeavors would end up being very secure anyway.
I did implement HMAC-MD5∗ login authentication∗ in order to protect users' passwords, but that alone was very difficult to do.
If I ever go insane and attempt to build in end-to-end encryption, it will probably be a system which uses the based on the Rijndael∗ block cipher, as I have some limited experience with that.
2.7: How Do I Report a Bug in MBox? [top]
Either Email me about it∗ or visit the prototypical MBox and tell me about it there (I can be found there either as Major or 0xDEADBEEF). Be sure to tell me the following information:
- Which operating system your computer uses;
- Which browser you're using and what version it is;
- The things you did, in the order you did them, at the time the bug appeared
- Possibly information from the test page;
- Any other information you think might assist me in finding the bug
The more information you can provide me with from the get-go, the faster I should be able to resolve the bug.
2.8: Is MBox Vulnerable to Spamming? [top]
Not really. Obviously, a human could spam MBox, but automated tools (which form the vast bulk of spam) appear to fail when it comes to spamming it. This is due to a number of accidental features I built into MBox:
- All chat URLs used by MBox are stored in a javascript file which is separate from the HTML chat page itself;
- All chat URLs used by MBox are assembled by javascript using at least one variable (and often also the result of at least one function call);
- The text entry boxes and buttons on the HTML page are dynamically loaded via javascript after the page has been loaded
Even if all of the above fail to stop a spambot (i.e. if the spambot is
running as a javascript-aware browser plugin), it is trivial to add the spammy
rDNS name to data/blacklist/WILDCARDS or to the relavent alphabetical
blacklist index file.
At the time of writing I haven't encountered a spambot that is capable of executing and understanding enough javascript to get at the kinds of dynamically-assembled chat URLs used by MBox.
3.0: Logging In, Logging Out, User Sessions [top]
Following are answers to common questions about logging in and logging out.
3.1: What Does 'Session ID Expired' Mean? [top]
When you log in, MBox provides you with a Session ID. This is a unique cryptographic hash which represents you for the duration of your login. Think of it as an access token. When the Session ID is generated, MBox records it along with your computer's IP address. When your browser receives your Session ID, it stores it in a cookie.
MBox cross-checks your IP address against your Session ID whenever you do something in chat (such as post a message) as a security precaution. If your current IP address is different from the one you had when you logged in, you'll get the 'Session ID Expired' error.
If you receive this error, all you need to do is log in again.
3.2: How Do I Reset My Password? [top]
At present there is no way of doing this. The original MBox would allow users to change their password while logged in, but the rebuilt MBox currently lacks that feature.
3.3: How Do I Log In? [top]
Type your registered username into the small text box that's at the far left of your browser window, and (optionally) type your avatar URL into the box that's just to the right of the first box. Click the "Log In" button. The boxes will go away and be replaced by a single small text box and two buttons. Enter your password into the text box, then click the "Log In" button. N.B.: If you want to cancel your login attempt at this stage, click the the "Cancel" button.
You should now be logged in. If you receive an error message, you probably entered the wrong password. Check that your [CAPS LOCK] wasn't engaged and that you typed the right password in.
3.4: How Do I Log Out? [top]
Simply click the "Log Out" button!
3.5: How Do I Find Out Who's Online? [top]
Just above the text area's buttons, near the bottom of the screen, you'll see a bar that has some links, a flashing disk icon, and some numbers on it. The part of this bar with numbers on is your Online Presence bar. You'll see that there are four categories shown here: Admin(s), User(s), Guest(s), and Lurker(s).
Simply hover your mouse point over each category, and the current list of online usernames within that category will pop up on your screen. Just click anywhere on the chat window to dismiss the pop-up (it will go away on its own eventually).
4.0: Posting Messages [top]
Following are answers to common questions about posting messages.
4.1: How Do I Post a Message? [top]
If you don't have a registered username: type the name you want to use into the small text box that's at the far left of your browser window; type the URL of your avatar into the next box along (this is optional); type your message into the big box below the two buttons, then either press [ENTER] or click the "Post!" button.
If you have a registered username and are logged in: type the URL of your avatar into the next box along (this is optional); type your message into the big box below the two buttons, then either press [ENTER] or click the "Post!" button.
4.2: What Is an Avatar? [top]
An Avatar is simply an image that gets displayed along with your messages.
All of the standard MBox visual themes support these, although two of the
themes (Terminal and Y!Chat) don't display them.
4.3: How Do I Set an Avatar? [top]
First of all, you need an image. You can use any image that's already on the 'Net, or you can upload your own to some Webspace or a site such as http://tinypic.com/∗.
Once you have your image online, type its URL into the text box that's to the left of your "Post!" button, and your image will appear alongside the next message you post. MBox will remember your avatar URL for you unless you clear your browser's cookies or log out.
4.4: I Tried to Post But Received a 'server slow' Error? [top]
This error is usually caused by network congestion. Wait a couple minutes, then try posting your message again. MBox only forgets your message if it successfully posts, so you shouldn't have to type it in twice if you receive this error.
4.5: I See Smileys! How Do I Type Them? [top]
Here is the current list of smileys that are usable within MBox. You can save
an extra character by typing their SHORT codes (if applicable). Otherwise,
you can just use the LONG codes.
LONG SHORT NUMBER MEANING :-)) :)) 00 Laughing :-) :) 01 Happy :-(( :(( 02 Crying :-( :( 03 Sad :-> :> 04 Conspirational :-p :p 05 Facetious :-d :d 06 Cheesy Grin :-o :o 07 Surprise /:-) /:) 08 Curious :-| :| 09 Deadpan >:-d< >:d< 10 Sympathetic ;;-) ;;) 11 Flirtatious :-b :b 12 Nerdy :-* :* 13 Kiss **== 14 American Flag! :-l :l 15 Irritated :"-> :"> 16 Embarrassed ;-) ;) 17 Winking :-/ 18 Puzzled :-\ 18 Puzzled >:-) >:) 19 Devilish >:-f >:f 20 Fingerfuck Sign >:-b >:b 21 Birdie Flip
Note that smiley 18 (Puzzled) is listed twice above. This is because it has
two different LONG codes. Also note that this one has no SHORT codes;
this is because the smiley formatter would end up breaking hyperlinks.
4.6: Why Is There No Graphical Smiley Menu in MBox? [top]
Lolwut?
Are you serious? Smileys are ubiquitous nowadays. The smiley codes used by MBox are the same ones used by the average cellphone. You do send messages to other people using your cellphone sometimes, right? This is no different from that.
Lazy.
4.7: How Do I Insert Blank Lines / New Lines Into My Messages? [top]
As you may or may not already know, pressing [ENTER] in the message entry box posts your message. To insert blank lines or newlines into your message, hold down [SHIFT] and press [ENTER]. [SHIFT] indicates that you don't want to post your message just yet.
When done entering your message, simply press [ENTER] alone as normal to post your message.
5.0: Cookie Stuff [top]
5.1: What Are the m0rd3n1, m0rd3n2, m0rd3n3, and m0rd3n4
Cookies on My Computer? [top]
Those are cookies from the old version of MBox. The only cookie MBox uses
nowadays is a single cookie called MBox which contains everything that was
contained in the old m0rd3n1-m0rd3n4 cookies.
You can just delete the m0rd3n1-m0rd3n4 cookies. They won't come back.
5.2: What Is the MBox Cookie? What Does It Contain? [top]
The MBox cookie is where MBox keeps your current settings - your username
(if guest), avatar URL (if present), Session ID (if logged in), and selected
visual theme. Here's the contents of my MBox cookie (I'm logged in as
Major here) so that you can see what one looks like.
[start]|m0rd3n.me.uk/img/avatars/major.png|99c72f91100c46d41eabae468971cdb0|gray[end]
If you opt to delete the MBox cookie, then all your custom settings will
be forgotten until next time you either log in or post a Guest message.
6.0: Techie Stuff [top]
Following are answers to common general questions concerning MBox.
6.1: What Are the MBox Query Forms? [top]
Here's the current list of implemented queries. There are 22 of these.
mbox.cgi mbox.cgi?q=null mbox.cgi?q=code mbox.cgi?q=cli&m=[URL-encoded command string] mbox.cgi?q=update&last=[most recently seen message id] mbox.cgi?q=form mbox.cgi?q=online mbox.cgi?q=arch&p=[page number] mbox.cgi?q=plink&last=[message id] mbox.cgi?q=arcdmp&p=[page number]&last=[most recently seen message id] mbox.cgi?q=test&p=[test page identifier] mbox.cgi?q=post&m=[URL-encoded message] mbox.cgi?q=login1&u=[URL-encoded username] mbox.cgi?q=login2&u=[URL-encoded username]&r=[hashed challenge response] mbox.cgi?q=login3 mbox.cgi?q=regsta&u=[URL-encoded username] mbox.cgi?q=regcom&u=[URL-encoded username]&p=[hashed password string] mbox.cgi?q=regdecl&u=[URL-encoded username] mbox.cgi?q=chgcps&n=[URL-encoded username with new capping] mbox.cgi?q=ban&n=[URL-encoded username]&r=[URL-encoded reason] mbox.cgi?q=unban&n=[URL-encoded username] mbox.cgi?q=search[&n=user|text][&t=uname|snippet][&d=YYYY-MM-DD|YYYY-MM|YYYY]
As you may be able to gather, all of MBox's core functionality is accessible
by calling mbox.cgi.
6.2: How Was My Session ID Generated? [top]
A chunk of randomness was generated, consisting of maybe 12 characters. Some more random stuff was generated, with your IP address tacked onto the end of it. The first chunk of random stuff was hashed against the second chunk to give an intermediate ID, then the intermediate ID was hashed against the Provisional Session ID that your browser returned after doing some math using your password when you logged in. This is how your Session ID was generated.
If the ID wasn't unique when it was generated - meaning, if it was already
present in the SESSIONS database - then MBox would have repeated all of the
preceding steps until it was unique.
6.3: What Are the MBox Variables? [top]
Here is a list of all the current MBox variables. There are currently 36
variables. The list is divided up according to who can change values using
/set.
ADMINISTRATORS+ o topiclock - Prevent Guest users from changing the topic o topic - Holds the current topic OWNER(S) o -autoxmas - Makes the special Xmas script active each year o -colorednames - Shows usernames in access-dependant colors o -emotes - Enable ":" (Y!) and "/me" (IRC) emotes o -motd - Holds Message of The Day o -sysop - Holds sysop's name o -sysopemail - Holds sysop's email address o -presencetimeout - Presence sensing timeout o -debuglock - Protects debug tools o -varlock - Protects variable manipulation tools o -admintools - Protects admin tools o -botname - The username of the bot o -w00tnames - Enable cool usernames (currently broken, do not enable) o -dupcheck - Enable duplicate-use protection for Guest usernames o -rdns - Enable reverse DNS lookups o -guestscanpost - Enable Guest message posting o -archive - Enable access to the Message Archive o -blockspam - Enable anti-spam blacklist o -logins - Enable logins o -presence - Enable online presence sensing o -registration - Enable username registration o -avatars - Enable avatars o -bbcode - Enable BBCode o -turkeycode - Enable TurkeyCode o -smileys - Enable smileys o -permalinks - Enable plinks o -autolinks - Enable wiki-style autolinking o -shorturls - Enable URL shortening o -showurldomain - Enable Slashdot-style domains after URLs (if shortened) o -nofollow - Enable linkspam limiting NO-ONE o -active - Whether system is enabled o -botactive - Whether bot is enabled o -readonly - Whether databases are write-protected o -server - Server's hostname / port# o -url - Direct chat URL
7.0: Bot Stuff [top]
Following are answers to common general questions concerning MBox's built-in
bot (named "MBot-tan" in the prototypical MBox).
7.1: Why Is There a Bot In Chat? [top]
The bot is mainly there as a 'hook' into the message-processing pipeline, and
to keep track of MBox's various internal system variables. The bot responds
to command words prefixed with the "/" character, which allows a user to
trigger the bot's built-in functions (if the user's access level is sufficient
for the function in question to be triggered).
7.2: What Does the Bot Do? [top]
Right now, not much. The bot has a Magic 8-ball emulator built in ("/ask"),
and an option chooser function ("/choose"). The value of system variables
(of which there are many) may be queried using "/get" and changed by using
"/set". A list of all system variables can be obtained by using "/vars",
and online help for all commands is available using "/help".
Finally, the bot provides access to MBox's username ban system (via "/ban",
"/unban", and "/isban"). Note that the username ban facility is only
accessible to administrators and to the chat owner.
7.3: Is the Bot Necessary? [top]
Yes and no. The necessary functions of the bot, such as variable state
management, happen silently and transparently. Optional functions which may
generate visible bot responses may be deactivated in one of two ways: by an
admin placing a ban on the bot's username, or by the owner setting the
'-botactive' variable to 'no'.
When the bot is deactivated, its name disappears from the Online Users Bar, and it will no longer generate any response to user input.
8.0: Your Privacy [top]
Following are answers to common general questions concerning users' privacy.
8.1: What Information Does MBox Store, Why, and For How Long? [top]
MBox is frugal in the information it stores about its users, and careful with how that information is used.
Every message posted will have the poster's username, IP address, current rDNS, and avatar URL stored along with the message and the time the message was posted. The IP, username and rDNS may be required by an administrator in order to issue an anti-spam ban, the avatar URL is used to display your avatar picture next to your message, and the time is used to display the timestamp on your message. These pieces of information persist for as long as the Message Archive persists (i.e. theoretically forever or until that particular message is deleted by a user or admin). Note that the IP and rDNS that are stored with your message are only guaranteed to be accurate at the time you posted your message.
When you registered your user account MBox saved your username, a cryptographic
hash representing your password, some flags, and a 0 (your post count at the
time). At no point is your password ever transmitted across the Internet.
The cryptographic hash representing your password cannot be used to log into
your account because of the way MBox authenticates each user during their
login. Only your actual password can log you into your own account, so it's
important that you never forget your password. Your username, flags,
cryptographic hash, and post count are stored by MBox until such time as your
account is manually removed by the chat owner.
When you are logged into MBox under a registered username, MBox maintains live information about you - your registered username, your IP address, the time at which you logged in, your rDNS, and the randomized Session ID which represents your login to MBox. This information is used to maintain your login across browser instances, to validate that you are in fact the person entitled to be logged in under your registered username, and to maintain your online presence. These pieces of information persist until you log out of your registered username, at which point the live information is erased.
At no point are things such as an email address ever required to use MBox, and neither the chat owner nor any admins will ever ask you for your password. You are never asked for an email address or any form of personally identifiable information (such as a real name) in order to protect your privacy. :-)
8.2: What's In the MBox Cookie? [top]
There are currently two types of MBox cookie - the one that Guest users
have, and the one that registered users have. Both types share the same data
format, which is plain ASCII. Here's the format of the MBox cookie, along
with samples of both types:
FORMAT [start]<username>|<avatar url>|<session id>|<visual theme>[end] GUEST [start]someusername|http://a.b.c/avatar.gif||gray[end] REGISTERED USER [start]|http://a.b.c/avatar.gif|3d89f98012089177f0726b8f94b1a9f8|gray[end]
The MBox cookie is used by MBox to keep your chat session working. If you
disable cookies, chat will break, as MBox will have no way of knowing
either your username or Session ID. You will probably be able to post one
message, but after that everything will reset to its default values. The cookie
is not used to "track" you, or to "slurp your browsing history", or whatever
else the paranoid may think non-executable plain text files are capable of. All
the MBox cookie does is provide MBox with the info it needs to provide you
with chat.
MBox used to require four cookies, one cookie per piece of information, until I decided that four was overkill. It would require none, except that there's no other sane way of implementing persistent HTTP-based logins!
8.3: What Information Does MBox Log, Why, and For How Long? [top]
MBox sometimes logs certain information while the site admin and/or the chat owner are performing system maintenance. Usually, this form of logging is not done. The logged data is fairly standard, and is of the form that's available to any Web server whenever you visit any page anywhere on the 'Net: IP address, browser User-Agent, rDNS name (if any), requested URL, referring DNS name. These log files survive for a maximum of 48 hours, at which point they are deleted.
9.0: Having Trouble? [top]
9.1: MBox Displays, But Hangs With Disk Icons Everywhere. [top]
If this happens it can be caused by a couple of things. If your browser has javascript disabled, this will cause it to happen. MBox requires javascript enabled in order to run. If you are using a script blocker such as NoScript on Firefox, check that it isn't blocking the MBox scripts.
MBox was designed to run on many things, including the iPhone and most recent Web browsers. Some platforms show problems (for instance, scrolling on the iPhone only occasionally works, although everything else does), but you should at the very least be able to use MBox even if it doesn't work quite right on your platform.
9.2: MBox Is White and There Is No Scrollbar! [top]
If everything looks white, and there's no scrollbar, then you're having a theme problem. It happens if your Session ID or cookie is incompatible with the rebuilt version of MBox. The steps to resolve this are as follows:
- Log out if you're logged in, then refresh the page.
- Go to the top of the page and click the 'Default' link that's there.
- Refresh the page a second time.
9.3: Error: "Your browser does not support XMLHTTP!" [top]
You will receive this error on the PSP games console, and on anything that doesn't support the cross-browser XMLHTTP javascript object. XMLHTTP allows MBox to refresh portions of itself with new data without having to refresh its whole display area. If you receive this error, then your Web browser does not meet the minimum requirement for MBox to run.
9.4: What Are the Minimum Requirements for MBox to Run? [top]
The minimum requirements that your Web browser must meet or exceed in order to run MBox are as follows:
- Your Web browser must have javascript enabled;
- Your Web browser must allow first-party cookies to be stored for the Website that hosts MBox;
- Your Web browser must support the standard XMLHTTP object.
- Your Web browser must be a fairly recent one.
Known Web browsers which work (either mostly or fully) with MBox are as follows:
- Google Chrome (all major OSs)
- Konqueror (Linux)
- Mozilla Firefox (all major OSs)
- Opera (all major OSs)
- Internet Exploder (Windows)
- Safari (all major OSs)