Show HN: Socrates.io - clean and shareable markdown - ianstormtaylor
http://socrates.io/

======
saurik
As this project is using Firebase, despite it using randomized keys (which
makes it seem like something vaguely "secure", in that other people probably
would be unable to guess the key of your document and start messing with you
or reading what you wrote), it is trivial to iterate and find all of the other
documents people are editing by dumping the database.

To demonstrate, open up a JavaScript Console (such as the Chrome inspector or
something; I assume this won't be problematic in other browsers, but it does
involve a callback to an anonymous function typed into the console, and I
don't do much JavaScript to know if that will cause some weird protected scope
error in some browsers) and plug in the following:

    new Firebase(Socrates.firebaseUrl).once('value', function(snapshot) {
        var val = snapshot.val();
        for (var i in val.documents) {
            var doc = val.documents[i];
            console.log(doc.id + ': ' + doc.title + '\n' + doc.body);
        }
    });

The output will be the identifiers, titles, and contents of every document in
the database (including one which seems to be the developers of Socrates.io
trying to come up with a way to charge for people using the beta, including
examinations of which payment processor to use, etc.; I'm now quite curious if
they realized that was public... it's not bad or anything).

~~~
ivolo
hey, one of the authors here. We did realize this. This is a weekend hackathon
project to allow the hacker news community to write nice clean markdown.

Firebase offers security, but we just didn't get around to using it yet.

You shouldn't choose to use it for sensitive information, but for Github
readmes and other already public content, it's a great tool.

~~~
saurik
Ok, when I was last talking to them[1], they did not have anything at all for
security but a vague idea that it was important and a possible "would
something like this work?" that was more about securing the API than the data
;P. Their FAQ still states they are working on it, but maybe they have
something more in-depth now for the beta users (such as yourselves)?

[1] <https://twitter.com/Firebase/status/190954896764305408>

The pretty sane and "simple" (easy to implement on the server, but difficult
for developers to use correctly) way of doing it is something like StackMob or
Parse's ACL feature (but even that tends to be misused, and as soon as data
can be shared between users is almost impossible to get right without using
custom server-side logic, which these kinds of companies are now supporting).

(FTR, I try to hit on these things pretty hard, as I'm highly concerned that
these online middleware companies are short-changing the importance of
security in the cloud, if not often in their implementations then almost
always in their documentation and tutorials. I gave a talk at 360|iDev this
year discussing solutions like StackMob and Parse, doing live demos of ripping
keys out of apps and dumping their databases.)

(One of the apps I ran into--which I did not demo dumping data from during
that talk ;P, although I did show a totally anonymized snippet of the kind of
data it was storing--was an online dating matchup app that was storing all of
its offline Facebook full-access auth tokens trivially accessible in StackMob,
along with all of the "private" messages sent between the users... all of this
despite the app supporting nicknames for "anonymity" and listing "security" as
one of its defining features :(.)

(Firebase, to their extreme credit, is very honest about the fact that your
data is all public: it is the very first question in their FAQ, and they state
the situation 100% clearly and entirely outright. "However, it’s not ready for
widespread use yet, so _right now all data in Firebase is publicly
accessible_. Please keep this in mind when building apps!" <- emphasis is
thankfully theirs, not mine ;P)

~~~
jamest
(Firebase Founder here)

Saurik - We're glad that there are people like you searching for holes in
services like Firebase. Hopefully it'll keep making all of us better. Please
keep doing it.

As ivolo noted, we do have a security feature set we're testing. It has taken
a little while to build something that is both functional and usable. We're
pretty confident we've got something that our users will love.

Excited to show you soon!

------
infogulch
Oh my god. That website has javascript that adds and removes a pipe "|" to the
end of the page title, and it looks like a blinking caret for text input.

My OCD is going insane.

~~~
JasonFruit
The effect would be a lot nicer if it stopped when the tab lost focus. I would
prefer not doing it at all, but my tastes are not everyone's.

~~~
ianstormtaylor
Just fixed it to use the page visibility API to do just that. Thanks for the
idea!

~~~
benjoffe
Looks like it only alternates between the two states (flashing and not
flashing), so if the page is opened as a new tab (i.e. not focused to begin
with) then the flashing occurs when the tab is not focused.

~~~
ianstormtaylor
Yup, good call: the first call to the interval shouldn't assume focus.

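As an added example, not the Socrates.io source, here is a title "caret" blinker written the way the exchange above ends up suggesting: it reads `document.hidden` at start-up instead of assuming the tab is focused, so a tab opened in the background never starts flashing, and it starts or stops on every `visibilitychange` event. The `doc` parameter, the `simulate` helper and the sample tick sequence are constructed here so the logic can be exercised outside a browser.

```javascript
// Added example, not the Socrates.io source. Uses the Page Visibility API
// (document.hidden + the visibilitychange event) to blink a "|" in the title
// only while the tab is actually visible.
const CARET = '|';

// Pure helper: the title for one tick. A hidden tab always gets the plain title.
function titleFor(baseTitle, hidden, caretVisible) {
  return !hidden && caretVisible ? baseTitle + CARET : baseTitle;
}

// Offline simulation of a run of ticks given the tab's hidden state at each
// tick; the caret phase resets while hidden so the blink restarts cleanly.
function simulate(baseTitle, hiddenPerTick) {
  const titles = [];
  let caretVisible = false;
  for (const hidden of hiddenPerTick) {
    caretVisible = hidden ? false : !caretVisible;
    titles.push(titleFor(baseTitle, hidden, caretVisible));
  }
  return titles;
}

// Wire the blinker to a document-like object: the real `document` in a
// browser, or (constructed for testing) any object with `hidden`, `title`,
// addEventListener and removeEventListener.
function startBlinker(doc, baseTitle, intervalMs = 500) {
  let caretVisible = false;
  let timer = null;
  const tick = () => {
    caretVisible = !caretVisible;
    doc.title = titleFor(baseTitle, false, caretVisible);
  };
  const stop = () => {
    if (timer !== null) { clearInterval(timer); timer = null; }
    caretVisible = false;
    doc.title = baseTitle;
  };
  const start = () => { if (timer === null) timer = setInterval(tick, intervalMs); };
  // Decide from the real visibility state, both right now and on every change,
  // rather than assuming the page starts out focused.
  const sync = () => (doc.hidden ? stop() : start());
  doc.addEventListener('visibilitychange', sync);
  sync();
  return {
    running: () => timer !== null,
    dispose: () => { doc.removeEventListener('visibilitychange', sync); stop(); },
  };
}

// In a browser, attach to the real document; under Node there is none.
if (typeof document !== 'undefined') startBlinker(document, document.title);
```

The initial `sync()` call is what fixes the "opened as a new tab" case: instead of toggling between two states from an assumed starting point, the blinker asks the document whether it is hidden and only then decides whether to start the interval.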
------
drhayes9
Also check out Dillinger.io: <http://dillinger.io/>

Dillinger can link and upload to Dropbox and Github as well. It's also open
source: <https://github.com/joemccann/dillinger>

------
gkoberger
Nicely done!

To stop it from breaking the back button in Firefox, try using:

    // replaceState(state, title, url) swaps out the current history entry
    // instead of adding one, so the back button keeps working.
    // newUrl: the document URL you would otherwise have pushed.
    history.replaceState(null, '', newUrl);

<https://developer.mozilla.org/en-US/docs/DOM/Manipulating_the_browser_history#The_replaceState%28%29.C2.A0method>

------
charleshaanel
Congrats on your taking action. It puts you ahead of 90% of the people who
read and don't execute.

A few questions....

* Is your project for fun or for profit?

If the latter, what pain does it alleviate, whom is it targeted towards and
before you created it, was there any indication they wanted a solution strong
enough to pay someone for the answer

(to elucidate, skip to 1:03 in
<http://www.youtube.com/watch?v=K9m9vPAlb_0&feature=related>)

~~~
gbog
> for fun or for profit?

It occurred to me that not only there are many other reasons to write code,
but also that the two reasons you mention are of the weakest sort.

~~~
charleshaanel
That's because you're not an entrepreneur - fair enough. A person who wants to
build a sustainable business however, has to solve urgent problems and
generate profits for stakeholders (not relevant if you're a socialist).

Did you watch the PG vid?

~~~
cubicle67
Poe's Law is strong with your two comments here.

------
Tiktaalik
A nice feature would be to be able to swap the planes so that you have the
option to write on the right and have the formatted output on the left.

Mou, the great markdown editor on OS X, is also set up as this web app, with
the formatted output on the right and the input area on the left, without an
option to switch it.

Am I weird for wanting to type on the right? Is this some odd "handedness"
issue? (I'm right handed)

------
CWIZO
Looks awesome, great job! One thing though: if you have a YT video embedded
(like in the example) and you edit some text or whatever, the video keeps
flashing. I'm guessing you are refreshing the whole right pane. It's rather
annoying and creates needless requests to YT (not that they'd notice, but
still).

~~~
ianstormtaylor
Yeah we debounced the Youtube rendering by 1 second for that reason, but it
still flashes if you aren't typing continuously =\

------
saurik
Apparently, was attempting to (ab)use GitHub for a hosting provider, and so is
now offline for being over quota.

~~~
mayop100
Works for me...

~~~
saurik
In the interim (between my and your comments) they stopped doing that (the
URLs are now relative to socrates.io, as opposed to being absolute off of
raw.github.com).

------
laacz
It would be really nice, if Socrates had syntax highlighting for Markdown. I'd
suggest using Ace, if it was not too much for that simple task. Maybe write
your own? Also, I'd love if somebody made a simple Wordpress plugin for this
type of writing. Relaxing and easy.

------
groby_b
Nice! Small nit: If you're referencing an URL - i.e. [My text][1] and that URL
happens to be a YouTube video, it removes the text and embeds the video.
Probably not the desired effect.

(Or maybe it is. I'm not an embedder ;)

------
endlessvoid94
A friend and I built Tou (a web clone of Mou) a few months ago. It supports
dropbox and HTML5 local storage :-)

<http://tou.whiskeydrivendevelopment.com>

~~~
pyrotechnick
It appears in need of a little maintenance (broken tables) but I like this.
Nice work.

~~~
endlessvoid94
ah yes, it's been awhile and it looks like some of the JS is broken.

thanks

------
andrew_k
Going back to "Edit" mode in Safari seems to be broken
<http://dl.dropbox.com/u/1229269/Screenshots/58.png>

~~~
ianstormtaylor
Darn, my guess is it's flexbox weirdness, since Safari only supports the old
spec. I tried to fallback to the old spec when possible, but that could be
something that was never fixed since the old spec was abandoned... sorry about
that!

------
johtso
There's some strange behavior going on with the back navigation. Seems to
endlessly cycle through different posts.

------
ceejayoz
Breaks when your content gets lengthy, as your position in the editor and the
preview don't match up.

------
fredsters_s
awesome as always ian

------
allenlsy
It seems that we cannot type source code directly into it. `<pre><code>` has
no effect

------
twodayslate
I am not a fan how every single youtube link is automatically embedded on the
page.

~~~
pyrotechnick
fork

------
jameswyse
Are there any open source markdown editors like these I can use on my own
sites?

~~~
jonpaul
Yes. Dillinger [<http://dillinger.io> -
<https://github.com/joemccann/dillinger>] and Escrito
[<http://escrito.herokuapp.com/> - <https://github.com/dmfrancisco/escrito>]

------
khetarpal
Nice and clean! Keep it up guys!

------
lightyrs
I like it. Good work!

------
robertwalsh0
Can one make tables?

------
BuzzKilla1960
api?

~~~
webbruce
Really great UI design, I love it.
