Show HN: Socrates.io - clean and shareable markdown (socrates.io)
116 points by ianstormtaylor on Nov 13, 2012 | 44 comments



As this project is using Firebase, despite it using randomized keys (which makes it seem like something vaguely "secure", in that other people probably would be unable to guess the key of your document and start messing with you or reading what you wrote), it is trivial to iterate and find all of the other documents people are editing by dumping the database.

To demonstrate, open up a JavaScript Console (such as the Chrome inspector or something; I assume this won't be problematic in other browsers, but it does involve a callback to an anonymous function typed into the console, and I don't do much JavaScript to know if that will cause some weird protected scope error in some browsers) and plug in the following:

    // Read the whole database once, using the app's own public Firebase URL
    new Firebase(Socrates.firebaseUrl).once('value', function(snapshot) {
        var val = snapshot.val();
        // Walk every entry under /documents, not just the one whose key you were given
        for (var i in val.documents) {
            var doc = val.documents[i];
            console.log(doc.id + ': ' + doc.title + '\n' + doc.body);
        }
    });
The output will be the identifiers, titles, and contents of every document in the database (including one which seems to be the developers of Socrates.io trying to come up with a way to charge for people using the beta, including examinations of which payment processor to use, etc.; I'm now quite curious if they realized that was public... it's not bad or anything).


Hey, one of the authors here. We did realize this. This is a weekend hackathon project to allow the Hacker News community to write nice clean markdown.

Firebase offers security, but we just didn't get around to using it yet.

You shouldn't choose to use it for sensitive information, but for Github readmes and other already public content, it's a great tool.


Ok, when I was last talking to them[1], they did not have anything at all for security but a vague idea that it was important and a possible "would something like this work?" that was more about securing the API than the data ;P. Their FAQ still states they are working on it, but maybe they have something more in-depth now for the beta users (such as yourselves)?

[1] https://twitter.com/Firebase/status/190954896764305408

The pretty sane and "simple" (easy to implement on the server, but difficult for developers to use correctly) way of doing it is something like StackMob or Parse's ACL feature (but even that tends to be misused, and as soon as data can be shared between users is almost impossible to get right without using custom server-side logic, which these kinds of companies are now supporting).

(FTR, I try to hit on these things pretty hard, as I'm highly concerned that these online middleware companies are short-changing the importance of security in the cloud, if not often in their implementations then almost always in their documentation and tutorials. I gave a talk at 360|iDev this year discussing solutions like StackMob and Parse, doing live demos of ripping keys out of apps and dumping their databases.)

(One of the apps I ran into--which I did not demo dumping data from during that talk ;P, although I did show a totally anonymized snippet of the kind of data it was storing--was an online dating matchup app that was storing all of its offline Facebook full-access auth tokens trivially accessible in StackMob, along with all of the "private" messages sent between the users... all of this despite the app supporting nicknames for "anonymity" and listing "security" as one of its defining features :(.)

(Firebase, to their extreme credit, is very honest about the fact that your data is all public: it is the very first question in their FAQ, and they state the situation 100% clearly and entirely outright. "However, it’s not ready for widespread use yet, so right now all data in Firebase is publicly accessible. Please keep this in mind when building apps!" <- emphasis is thankfully theirs, not mine ;P)
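Added here as an illustration of the per-document ACL saurik describes above, not something from the thread or from Socrates.io: a Firebase Realtime Database rules file in the syntax Firebase later documented (the `documents` path and the `owner` and `acl` fields are assumed names, and the `//` comments are what the Firebase rules editor accepts) that denies listing the whole collection and lets only a document's owner, or a signed-in user listed in its acl, read it.

```json
{
  "rules": {
    "documents": {
      // Nobody may read /documents as a whole, so a once('value') on the root is denied
      ".read": false,
      "$docId": {
        // A single document is readable by its owner or by any uid listed under its acl
        ".read": "auth != null && (data.child('owner').val() == auth.uid || data.child('acl').child(auth.uid).val() == true)",
        // Only the owner may change it; a new document must record its creator as owner
        ".write": "auth != null && (data.child('owner').val() == auth.uid || (!data.exists() && newData.child('owner').val() == auth.uid))"
      }
    }
  }
}
```

Because rules cascade downward, denying reads at `/documents` makes a bulk dump impossible while still allowing the per-document grant below it, so a random key is no longer the only thing standing between a document and the public.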


(Firebase Founder here)

Saurik - We're glad that there are people like you searching for holes in services like Firebase. Hopefully it'll keep making all of us better. Please keep doing it.

As ivolo noted, we do have a security feature set we're testing. It has taken a little while to build something that is both functional and usable. We're pretty confident we've got something that our users will love.

Excited to show you soon!


Oh my god. That website has javascript that adds and removes a pipe "|" to the end of the page title, and it looks like a blinking caret for text input.

My OCD is going insane.


The effect would be a lot nicer if it stopped when the tab lost focus. I would prefer not doing it at all, but my tastes are not everyone's.


Just fixed it to use the page visibility API to do just that. Thanks for the idea!


Looks like it only alternates between the two states (flashing and not flashing), so if the page is opened as a new tab (i.e. not focused to begin with) then the flashing occurs when the tab is not focused.


Yup, good call, the first call to the interval shouldn't assume focus.


If I place it as an application tab in Firefox (16), it will highlight the tab because it assumes the content has changed... it doesn't always happen, though.


Also check out Dillinger.io: http://dillinger.io/

Dillinger can link and upload to Dropbox and Github as well. It's also open source: https://github.com/joemccann/dillinger


Nicely done!

To stop it from breaking the back button in Firefox, try using:

  // replaceState needs a state object, a title and the new URL; unlike pushState it
  // swaps the current history entry instead of adding one, so Back still leaves the page
  history.replaceState(null, '', newUrl);

https://developer.mozilla.org/en-US/docs/DOM/Manipulating_th...


Congrats on your taking action. It puts you ahead of 90% of the people who read and don't execute.

A few questions....

Is your project for fun or for profit?

If the latter, what pain does it alleviate, whom is it targeted towards, and before you created it, was there any indication they wanted a solution strongly enough to pay someone for the answer?

(to elucidate, skip to 1:03 http://www.youtube.com/watch?v=K9m9vPAlb_0&feature=relat... )


> for fun or for profit?

It occurred to me that not only are there many other reasons to write code, but also that the two reasons you mention are of the weakest sort.


That's because you're not an entrepreneur - fair enough. A person who wants to build a sustainable business however, has to solve urgent problems and generate profits for stakeholders (not relevant if you're a socialist).

Did you watch the PG vid?


Poe's Law is strong with your two comments here.


sigh


A nice feature would be to be able to swap the panes so that you have the option to write on the right and have the formatted output on the left.

Mou, the great markdown editor on OS X, is also set up as this web app, with the formatted output on the right and the input area on the left, without an option to switch it.

Am I weird for wanting to type on the right? Is this some odd "handedness" issue? (I'm right handed)


Looks awesome, great job! One thing though: if you have a YT video embedded (like in the example) and you edit some text or whatever, the video keeps flashing. I'm guessing you are refreshing the whole right pane. It's rather annoying and creates needless requests to YT (not that they'd notice, but still).


Yeah we debounced the Youtube rendering by 1 second for that reason, but it still flashes if you aren't typing continuously =\


Apparently, was attempting to (ab)use GitHub for a hosting provider, and so is now offline for being over quota.


Works for me...


In the interim (between my and your comments) they stopped doing that (the URLs are now relative to socrates.io, as opposed to being absolute off of raw.github.com).



It would be really nice if Socrates had syntax highlighting for Markdown. I'd suggest using Ace, if it was not too much for that simple task. Maybe write your own? Also, I'd love it if somebody made a simple Wordpress plugin for this type of writing. Relaxing and easy.


Nice! Small nit: If you're referencing an URL - i.e. [My text][1] and that URL happens to be a YouTube video, it removes the text and embeds the video. Probably not the desired effect.

(Or maybe it is. I'm not an embedder ;)


A friend and I built Tou (a web clone of Mou) a few months ago. It supports dropbox and HTML5 local storage :-)

http://tou.whiskeydrivendevelopment.com


It appears in need of a little maintenance (broken tables) but I like this. Nice work.


Ah yes, it's been a while and it looks like some of the JS is broken.

thanks


Going back to "Edit" mode in Safari seems to be broken http://dl.dropbox.com/u/1229269/Screenshots/58.png


Darn, my guess is it's flexbox weirdness, since Safari only supports the old spec. I tried to fallback to the old spec when possible, but that could be something that was never fixed since the old spec was abandoned... sorry about that!


There's some strange behavior going on with the back navigation. Seems to endlessly cycle through different posts.


Breaks when your content gets lengthy, as your position in the editor and the preview don't match up.


awesome as always ian


It seems that we cannot type source code directly into it. <pre><code> has no effect.


I am not a fan how every single youtube link is automatically embedded on the page.


fork


Are there any open source markdown editors like these I can use on my own sites?



Nice and clean! Keep it up guys!


I like it. Good work!


Can one make tables?


api?


Really great UI design, I love it.



