Welcome to manual! Thank you for taking a look. May reading this page bring you enlightenment and sureness.

Manual

This is a message board where you can write things for others to read.

Features You May Recognize

These Features May Be Confusing At First

Known Issues aka Features

Terminology and Notation

item

An item is one "something" that has been added to the message board. Items are the most basic elements, on which everything else is built.

Everything that happens on the message board is an item. For example, a text that someone has posted is an item, and so is a user profile, a vote, a reply, etc.

Items are stored as plain text files (.txt), one of the most common and supported file formats, so that they can be easily inspected.

Items are identified with a 40-digit "hash", which looks like this: 6b50a8112fde3a6276cb0c5b9cd8c949bc1625d0. Sometimes you may see it shortened, like this: 6b50a811..

(more to come)

epoch time

Most timestamps are currently in epoch time. This is the number of seconds since the beginning of the Unix Epoch, and is (for the foreseeable future) a 10-digit number, beginning with 15. Example: 1557587720.

Clients/Browsers

An attempt is made to support every browser. If there is a problem, please report it.

The basic features of the website, including reading, posting, replying, and voting, have been tested in the following browsers:

Client-side JS signing works in modern browsers, tested in:

Stack

How to use GPG

Summary for Experts

Creating a profile: Generate a PGP key, post public key.

Posting stuff as your profile: sign with GPG, paste into textbox.

More descriptive version

You will need to generate a key and then sign your messages. Piece of cake.

Read This First

GnuPG
https://www.gnupg.org/

Read the GnuPG home page to familiarize yourself.

Android

OpenKeychain
https://www.openkeychain.org/about/

Apple iOS, iPhone, iPad

PGP Everywhere
http://pgpeverywhere.com/

Apple macOS

GPG Suite
https://gpgtools.org/

Microsoft Windows

Gpg4Win
https://www.gpg4win.org/

More Options

OpenPGP Software
https://www.openpgp.org/software/

Creating Your Profile, AKA Key Pair

You can post your messages anonymously. Anonymous posting is very easy. Why even bother creating a profile?

You will need to create a key pair. Look for this option in your software and use it. (More detailed guides to come.)

GPG is traditionally used for email, but you do not have to provide your address for this forum. In fact, we recommend that you either leave the field blank or add gibberish to it. Otherwise, your email address will be accessible by anyone, including spambots.

The key pair is stored on your device. If it is important to you, keep it safe, and back it up.

Tokens

Actions like replying, voting, configuring, etc. are done with text-based tokens.

Remember to include tokens in your signed message.

Replies

Example token: >>0123456789abcdef

On a line by itself, this references the message with that ID (git's "SHA-1").

Voting

Example: addvote/0123456789abcdef/legit/1550000000/2753939054945

This will add a vote of "legit" to the same item, with a timestamp of 15500... The last bit is the anti-CSRF checksum, which is currently ignored if the message is signed, but verified by the server (and signed) at the time of reading from access.log.

Configuration

Example: setconfig/key=value

Restricted to admin, unless config/anyone_can_config=1 and/or config/signed_can_config=1.

Settings under the admin/ tree are always restricted to admin.

Value is a string. If value looks like an item identifier (40-character-long lowercase hex string = [a-f0-9]{40}), a lookup will be attempted.

If lookup succeeds, the config will be set to that item's contents, after signature parsing. Otherwise, the value will be treated as a string.

Hashtags

#example

Translates to a tag-item vote being added.

Vouching

Example: addvouch/F82FCD75AAEF7CC8/20

Adds 20 vouch points to fingerprint F82FCD75AAEF7CC8.

Requires signing by admin user.

Timestamp and Client Fingerprint

Example: addedtime/759434a7a060aaa5d1c94783f1a80187c4020226/1553658911

Example: addedby/766053fcfb4e835c4dc2770e34fd8f644f276305/2d451ec533d4fd448b15443af729a1c6

Records item as having been added at that time and/or by that client ID.

Event

Schedules an event.

Example: addevent/1551234567/3600/csrf

Params: start time (epoch), duration (seconds)
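
The token formats and permission rules above, as an added Python sketch (not the project's own code): a strict, ASCII-only, length-bounded parser plus the admin checks for addvouch and setconfig. Assumptions: one token per line, the length limits, acceptance of shortened item IDs, the addvote field order taken from the example token, the reading of anyone_can_config and signed_can_config, and the names parse_tokens and authorized.

```python
import re

HEX = r"[a-f0-9]{8,40}"   # assumption: full 40-digit item id or a shortened prefix
TIME = r"[0-9]{10}"       # epoch seconds, 10 digits per the manual
# One strict pattern per token type; all length limits are assumptions.
PATTERNS = {
    "reply":     re.compile(rf">>({HEX})"),
    "addvote":   re.compile(rf"addvote/({HEX})/([a-z0-9_]{{1,32}})/({TIME})/([a-f0-9]{{1,40}})"),
    "setconfig": re.compile(r"setconfig/([a-z0-9_/]{1,64})=([\x20-\x7e]{0,256})"),
    "addvouch":  re.compile(r"addvouch/([A-F0-9]{16})/([0-9]{1,4})"),
    "addedtime": re.compile(rf"addedtime/([a-f0-9]{{40}})/({TIME})"),
    "addedby":   re.compile(r"addedby/([a-f0-9]{40})/([a-f0-9]{32})"),
    "addevent":  re.compile(rf"addevent/({TIME})/([0-9]{{1,8}})/([a-z0-9]{{1,32}})"),
    "hashtag":   re.compile(r"#([a-z0-9_]{1,32})"),
}

def parse_tokens(body):
    """Return (kind, fields) for each line that is exactly one token."""
    found = []
    for line in body.splitlines():
        line = line.strip()
        if not line.isascii():        # tokens are ASCII only
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.fullmatch(line)
            if match:
                found.append((kind, match.groups()))
                break
    return found

def authorized(kind, fields, signed, is_admin, config):
    """Apply the manual's permission rules to one parsed token."""
    admin = signed and is_admin       # admin identity is only known via a signature
    if kind == "addvouch":
        return admin
    if kind == "setconfig":
        if fields[0].split("/")[0] == "admin":
            return admin              # admin/ tree is always admin-only
        return (admin or config.get("anyone_can_config") == "1"
                or (signed and config.get("signed_can_config") == "1"))
    return True                       # no restriction stated in the manual

# Constructed message body reusing the manual's example tokens.
SAMPLE = """Nice post, agreed.
>>0123456789abcdef
addvote/0123456789abcdef/legit/1550000000/2753939054945
setconfig/admin/secret=hunter2
addvouch/F82FCD75AAEF7CC8/20
addvote/0123456789abcdef/legit/15500/1"""
```

Lines that do not match a pattern exactly, such as the last sample line with its 5-digit timestamp, are treated as ordinary text rather than partially interpreted.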

Writing As Yourself

To write something under your new profile, you will need to sign your text.

First, write the text that you want to post. Once you have finished writing it, save it to a .txt file.

Look for the command to "Sign" (not encrypt) your text in your GPG software.

Some software has no such option. In this case, you should use the "Encrypt" command, but ensure that the "To:" field is blank.

You should end up with a big block of text that begins with "-----BEGIN PGP SIGNED MESSAGE-----"

Copy this entire block of text, including the ----- part, and submit it via the Write page.

That's it!

Uploading Your Public Key

Look for the option to export your public key in your software.

You should end up with a block of text that starts with "-----BEGIN PGP PUBLIC KEY BLOCK-----".

Copy the whole thing, including the ----- part, and submit it via the Write page.

You have now aliased your name to your key fingerprint.

Commands

Introduction

Commands are in the form of simple tokens, length-constrained, ASCII only.

Adding a Vote

Voting is the process of applying a tag to an item.

item + tag [+ author] = vote

A voting token has the following parameters:

addvote/hash/time/tag/checksum

The checksum is generated on the server, using the following formula:

MD5( concat(file hash, ballot creation time, secret) )

The secret string is stored in config/admin/secret, and a random one is automatically generated if the config is empty.
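
The checksum formula above, computed and verified in Python as an added illustration (not the project's code), next to an HMAC-SHA256 alternative that the manual does not describe. Assumptions: plain string concatenation, hex digest output, the max_age freshness window, the constructed secret, and all function names.

```python
import hashlib
import hmac

def manual_checksum(file_hash, ballot_time, secret):
    """The manual's formula: MD5(concat(file hash, ballot creation time, secret)).
    Assumptions: plain string concatenation, lowercase hex digest."""
    data = f"{file_hash}{ballot_time}{secret}".encode("ascii")
    return hashlib.md5(data).hexdigest()

def hmac_checksum(file_hash, ballot_time, secret):
    """Alternative, not the project's code: HMAC-SHA256 over delimited fields,
    the standard keyed construction for this kind of check."""
    message = f"{file_hash}/{ballot_time}".encode("ascii")
    return hmac.new(secret.encode("ascii"), message, hashlib.sha256).hexdigest()

def verify_vote(file_hash, ballot_time, checksum, secret, now,
                max_age=86400, compute=manual_checksum):
    """True if the checksum matches and the ballot is recent.
    max_age is an assumption; the manual does not state an expiry."""
    if not (0 <= now - int(ballot_time) <= max_age):
        return False
    expected = compute(file_hash, ballot_time, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, checksum)

# Constructed values for illustration; ITEM is the manual's example item hash.
SECRET = "constructed-secret-not-a-real-one"
ITEM = "6b50a8112fde3a6276cb0c5b9cd8c949bc1625d0"
BALLOT_TIME = "1557587720"
```

Changing the item hash, the ballot time or the secret makes verification fail, which is what ties a vote token to a ballot the server actually issued.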

Example:


Profile Menu Link

The "Profile" item in the top menu is italicized when you are signed in through the Web UI.

This is done as a subtle signed-in status indicator that does not disclose the user's information to shoulder surfers.

Signing With Command-Line GPG

Check GPG Version

gpg --version

If you don't have GnuPG installed, go here: https://www.opengpg.org/

Generate Key Pair

gpg --gen-key

Export Public Key

gpg --armor --export

Sign Message in Text File

gpg --clearsign example.txt

Sign Message After Typing It

gpg --clearsign

Start typing your message. When you're finished, press Enter, then ^D (Ctrl+D).

Admin Stuff

Support for roles, multiple admins, etc. is planned for the near future.

That said, this software currently supports two roles: Admin, and Server. Both are optional.

Admin User

The Admin key is set by putting the admin's public key, ASCII-armored, into hike/admin.key.

This user currently holds the following special powers:

Vouch

The addvouch token can only be used by the admin.

Remove

The remove tag, when applied by the admin user, will cause an item to be removed at the nearest opportunity.

All of the tokens in the removed item are undone at the next rebuild.

SetConfig

The setconfig token can always be applied by the admin.

Settings under the config/admin/ directory can only be set by the admin user.

Server Key

The Server key is set by first generating or importing the whole key into the server's keychain.

The Server key is used for signing (and in the process also timestamping) various events that happen on the server.

This ensures that the items were not posted by some random person.

The following actions are currently server-signed:

Admin user changes. Server-signed notice is posted.

Version changed. Server-signed "changelog" is posted, which includes the comment from the current version's commit, as well as all the previous commits that came before it, up to the most recent commit included in a changelog.

Client fingerprint and timestamp for items that are posted where the user requests this.

Cloning

You can easily clone this message board.

There are no "secrets" stored here (e.g. passwords, private keys, password hashes), except the anti-CSRF salt.

Any signing accounts are controlled by the users' private keys.

An hourly zip of the entire site can be downloaded here: /hike.zip, including the git repo.

The scripts are on GitHub here: github.com/gulkily/hike.

Other Questions

Please ask them using the Write page.