Hacker News: seansh's comments

Hi everyone! I've been working on CodeMic for the past year and put together a demo. I'd love to hear your feedback.

I built CodeMic to address a gap: books, blogs, and screencasts fall short when it comes to building projects from scratch or exploring large codebases.

With CodeMic, you can record, replay, and share coding sessions right in your IDE: every click, scroll, selection, and modification. Pause, explore, and experiment as the code evolves in real time. It's a more interactive way to learn, document, and share complex projects.


Hi everyone! I've been working on CodeMic for the past year and put together a demo. I'd love to hear your feedback.

I built CodeMic to address a gap: books, blogs, and screencasts fall short when it comes to building projects from scratch or exploring large codebases.

With CodeMic, you can replay coding sessions right in your IDE: every click, scroll, selection, and modification. Pause, explore, and experiment as the code evolves in real time. It's a more interactive way to learn, document, and share complex projects.


> Near the moon’s equator, temperatures reach a blistering average of 250 degrees Fahrenheit (121 degrees Celsius) in daylight and plummet to minus 208 F (-133 C) at nightfall, according to NASA. The harsh temperatures have even dipped below minus 410 F (-246 C), as recorded by the Lunar Reconnaissance Orbiter.

I was surprised by the range of temperature. I mean it makes sense but I guess I never thought about the temperature on the moon.


I've been a fan of handmade and seems like a new blog in the same spirit is born. I look forward to reading more of your writings.

I have recently started writing myself and paying more attention to what I read. I really liked your style and enjoyed reading it.

So please keep writing!


Thank you very much! Very much in line with the handmade ethos, and I'm hoping to get involved with more handmade (and handmade-like) things in the future. :)


Ahah, careful, that might actually turn them off :P


Thanks. Yeah I agree, outside of HN some terms in the intro should be explained better :)


Sorry, changing the password is not yet implemented. Besides that, there really isn't much of a profile. You only have a username and a password. There's no email or anything else.


No it's not CRDT. I opted for something far simpler:

if (a.modification_time > b.modification_time) ...

that's all. Like some other features I originally planned to implement CRDT but then realized I don't miss it. Since this is not a collaborative editor with multiple users editing the same note, CRDT is not that useful. I think the only situation in which you'd want CRDT for a private note taking app is if you're editing the same note from multiple devices while all are offline.


Ah I see, you are using the LWW (last write wins) strategy. That's useful for some scenarios although not all. How did you implement that portion as well?


Take a look at the Sync and Merge section of the readme [1]. I tried to explain it in detail.

[1] https://github.com/computing-den/unforget?tab=readme-ov-file...


I'd love to have a wysiwyg editor. It's just that in my initial tests I couldn't find one that worked well on all platforms. I'll try this one too. Thanks!


What problems did you encounter with something like https://ui.toast.com/tui-editor, which is much more featureful than simplemde?


I think it would make more sense to ask them if they tried that at all, before asking what problems they encountered.


Hi there. I'm happy to see people are looking at the code to verify the security. You are right about the notes being in plaintext on the client. Otherwise, you'd have to enter a password every time you open the app. The issue I was trying to solve wasn't really trusting my own system but trusting the server and the middlemen.

About the encryption, adding the username+salt prevents the use of rainbow tables by hackers, but a hashcat mask attack can be prevented by a strong password to make it infeasible. But yeah, if you pick an all-lowercase 8-letter password, it can be cracked pretty quickly.

Also please note that the server doesn't store the hash but hashes it again with yet another salt and stores the double hash. When logging in, the server issues a long token for the client so that the client doesn't have to store the password or its hash anywhere. Additionally, neither hash is used for encryption and decryption, and each note's encryption is salted differently.

edit: I'd love to hear suggestions on how to improve the situation even for shorter passwords.


Even with a strong password – my laptop today can do 1100 MH/s which makes it quite feasible. One of the potential attack vectors can look like this: a malicious actor takes this and reskins the UI, then hosts and does the marketing; his server stores the NGINX logs with /login requests for some time, preserving the password_hash and username params silently. Then after a while he spends a few weeks cracking the passwords for every account and syncs their notes, then parses them for passwords/sensitive info.

As for suggestions, this could be enforced by making use of a system-level keychain, but I don't know if it is possible within a sandboxed environment like PWA. Some stronger derivation method would help too, like the industry standard is pbkdf2 with at least 600000 iterations for SHA256. Lastly, end-to-end encryption usually implies some kind of protection against man-in-the-middle attack, like a certificate pinning mechanism.


Actually I'm using pbkdf2 with 100000 iterations of sha256 for the encryption, but not for hashing the pass. That will certainly add a few orders of magnitude to the infeasibility of cracking the password hash when the server itself is not to be trusted. I'll implement that and thanks for bringing it to my attention.

But I don't think a strong password can be cracked that quickly. Let's say you use a 12-character-long mix of lowercase, uppercase, digits and some special chars. That should give you at least 60^12 possibilities. At 1BH/s, that would take 70k years. Is my calculation wrong?


If it's local first, hash the username about 50000 times.

