Protomaps; Stateful Counting; Hetty
We talked a bit about cartography last time, introducing Felt, a slick, collaborative cartography platform. But, what if you just need a map and don't want to rely on any third party, save your web hosting provider?
Back in March, Brandon Liu (@bdon) posted this article, "Rethinking the Free Tier for Maps", on the Protomaps[GH] blog. In it, Brandon raises some great points about tile servers, including costs, starting with some positive comments regarding consumption-model-pricing-based SaaS services:
"In theory, consumption pricing is good for both vendors and customers. It lets companies capture mindshare via a free tier: developers, more than anyone else, love free stuff, especially when learning new tools for personal side projects. It also lets them charge much, much more for use cases with high willingness to pay, such as heavily trafficked retail websites, popular social media applications, or enterprise deployments."
"Most developer services that come to mind fit the consumption pricing model perfectly - indie projects pay nothing, startup companies buy a medium-sized plan, and heavy usage is priced in after clicking the Contact Us button. However, a lot of mapping use cases do not fit the consumption pricing model."
Brandon posits that this SaaS model may not be right for most mapping use-cases:
"[M]any useful applications of maps, even those that are important infrastructure for society, have high traffic but low ability to pay [and] discover they can't afford a higher tier after launch."
"[T]he SaaS model means the vendor must track usage, which means applications must always connect to the public Internet. […] Mapping applications are always dependent on a third party."
"[V]endors rely on convincing customers that the service they provide is too difficult and complex to run themselves [and] creates strong disincentives for the creation of simple, modular software that can be adapted and re-used."
(Brandon said quite a bit more than those heavily excerpted bits, so you should definitely check out the entire article.)
So, what is Protomaps? Protomaps is a mapping system based on vector tiles that also provides a DIY set of map tile downloads and a free renderer, meaning you can host the map yourself, avoiding the Protomaps CDN and SaaS entirely.
Protomaps is far from the only self-hosted maps game in town, but I felt Brandon's forthright discussion points were worth a read by more folks than just myself.
One bit of commentary I'll close this section with is that every third-party resource/widget you use on a public website/app offers up your users to said third parties. Back in my day (perhaps, "back in the early days of the web") "DIY" literally meant "do it yourself". All bits were on web servers we controlled, so only we saw any traffic y'all might have made to us.
I'm not discounting the utility of SaaS, but the wanton use of embedded third-party resources has led us into a privacy and safety hole that I'm not sure we can dig ourselves out of any time soon.
I've been meaning to include Robert David Graham's (@erratarob) reimagining of the classic wc utility here for a while.
Rob built superior state machines for ASCII and UTF-8 encoded documents. And, by "superior", I mean both clever and wicked fast.
How did Rob do this? Well, he's an excellent communicator and submitted his work to an issue of PoC||GTFO [GH rendered PDF]. That link goes to a mirror of the individual article, as most folks do not want to download a 60MB PDF file.
Rob's great at getting folks to think about things in different ways (something you'll learn painfully well if you do hit the Twitter follow button). I can almost guarantee you'll find the article a fun and thoughtful read, even if you're not a programmer by hobby or trade.
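To make "state machine" concrete, here is an added example of the idea (my own code, written for this issue; it is not Rob's implementation and not taken from the PoC||GTFO article). It counts bytes, UTF-8 characters, words and lines in one pass with a single table lookup per input byte, and because the entire parser state is one small integer it can be fed input in arbitrary chunks, so a multi-byte character split across two read() buffers is still counted correctly. Assumptions: whitespace is ASCII-only (as in traditional wc), and UTF-8 is validated for sequence shape only (a lead byte followed by the right number of continuation bytes); the overlong, surrogate and above-U+10FFFF checks would need a few more states. The malformed-sequence counter is my own addition, not a wc feature.

```c
/* Added example: table-driven, resumable wc-style counter (not Rob Graham's code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { size_t bytes, chars, words, lines, invalid; } wc_counts;

/* Every one of the 256 input bytes collapses into one of these classes. */
enum { C_SPACE, C_NL, C_ASCII, C_CONT, C_LEAD2, C_LEAD3, C_LEAD4, C_BAD, N_CLASSES };
/* Machine states: between words; inside a word at a character boundary;
 * inside a word expecting 1, 2 or 3 more UTF-8 continuation bytes. */
enum { S_SPACE, S_WORD, S_CONT1, S_CONT2, S_CONT3, N_STATES };
/* Counter updates attached to a transition. */
enum { A_CHAR = 1, A_WORD = 2, A_LINE = 4, A_BAD = 8 };

typedef struct { uint8_t next, act; } step;

/* Next state and actions, indexed [state][byte class]. Column order matches the class enum. */
static const step table[N_STATES][N_CLASSES] = {
  /* S_SPACE */ {{S_SPACE,A_CHAR},{S_SPACE,A_CHAR|A_LINE},{S_WORD,A_CHAR|A_WORD},{S_SPACE,A_BAD},
                 {S_CONT1,A_WORD},{S_CONT2,A_WORD},{S_CONT3,A_WORD},{S_SPACE,A_BAD}},
  /* S_WORD  */ {{S_SPACE,A_CHAR},{S_SPACE,A_CHAR|A_LINE},{S_WORD,A_CHAR},{S_WORD,A_BAD},
                 {S_CONT1,0},{S_CONT2,0},{S_CONT3,0},{S_WORD,A_BAD}},
  /* S_CONTn: anything but a continuation byte means the pending sequence was truncated
   * (A_BAD); the offending byte is then handled exactly as it would be from S_WORD. */
  /* S_CONT1 */ {{S_SPACE,A_BAD|A_CHAR},{S_SPACE,A_BAD|A_CHAR|A_LINE},{S_WORD,A_BAD|A_CHAR},{S_WORD,A_CHAR},
                 {S_CONT1,A_BAD},{S_CONT2,A_BAD},{S_CONT3,A_BAD},{S_WORD,A_BAD}},
  /* S_CONT2 */ {{S_SPACE,A_BAD|A_CHAR},{S_SPACE,A_BAD|A_CHAR|A_LINE},{S_WORD,A_BAD|A_CHAR},{S_CONT1,0},
                 {S_CONT1,A_BAD},{S_CONT2,A_BAD},{S_CONT3,A_BAD},{S_WORD,A_BAD}},
  /* S_CONT3 */ {{S_SPACE,A_BAD|A_CHAR},{S_SPACE,A_BAD|A_CHAR|A_LINE},{S_WORD,A_BAD|A_CHAR},{S_CONT2,0},
                 {S_CONT1,A_BAD},{S_CONT2,A_BAD},{S_CONT3,A_BAD},{S_WORD,A_BAD}},
};

static uint8_t byte_class[256];

static void build_classes(void) {
    static int ready;
    if (ready) return;
    for (int b = 0; b < 256; b++) {
        uint8_t c;
        if (b == '\n')                                 c = C_NL;
        else if (b == ' ' || (b >= '\t' && b <= '\r')) c = C_SPACE; /* \t \v \f \r */
        else if (b < 0x80)                             c = C_ASCII;
        else if (b < 0xC0)                             c = C_CONT;  /* 10xxxxxx */
        else if (b < 0xC2)                             c = C_BAD;   /* C0/C1: always overlong */
        else if (b < 0xE0)                             c = C_LEAD2; /* 110xxxxx */
        else if (b < 0xF0)                             c = C_LEAD3; /* 1110xxxx */
        else if (b < 0xF5)                             c = C_LEAD4; /* 11110xxx, F0..F4 */
        else                                           c = C_BAD;   /* F5..FF never valid */
        byte_class[b] = c;
    }
    ready = 1;
}

typedef struct { wc_counts c; int state; } wc_ctx;

static void wc_init(wc_ctx *ctx) { build_classes(); memset(ctx, 0, sizeof *ctx); ctx->state = S_SPACE; }

/* Feed one chunk; call as often as needed, characters may straddle chunk boundaries. */
static void wc_feed(wc_ctx *ctx, const uint8_t *buf, size_t len) {
    int state = ctx->state;
    for (size_t i = 0; i < len; i++) {
        step s = table[state][byte_class[buf[i]]];   /* the one lookup per byte */
        ctx->c.chars   += (s.act & A_CHAR) != 0;
        ctx->c.words   += (s.act & A_WORD) != 0;
        ctx->c.lines   += (s.act & A_LINE) != 0;
        ctx->c.invalid += (s.act & A_BAD)  != 0;
        state = s.next;
    }
    ctx->c.bytes += len;
    ctx->state = state;
}

/* End of input: a sequence still waiting for continuation bytes is malformed. */
static wc_counts wc_finish(wc_ctx *ctx) {
    if (ctx->state >= S_CONT1) ctx->c.invalid++;
    ctx->state = S_SPACE;
    return ctx->c;
}

static wc_counts wc_count_bytes(const uint8_t *buf, size_t len) {
    wc_ctx ctx; wc_init(&ctx); wc_feed(&ctx, buf, len); return wc_finish(&ctx);
}

/* Same buffer delivered in two pieces split at 'cut', as it would arrive across read() calls. */
static wc_counts wc_count_split(const uint8_t *buf, size_t len, size_t cut) {
    wc_ctx ctx; wc_init(&ctx);
    wc_feed(&ctx, buf, cut); wc_feed(&ctx, buf + cut, len - cut);
    return wc_finish(&ctx);
}

int main(void) {
    uint8_t buf[4096]; size_t n; wc_ctx ctx; wc_init(&ctx);
    while ((n = fread(buf, 1, sizeof buf, stdin)) > 0) wc_feed(&ctx, buf, n);
    wc_counts c = wc_finish(&ctx);
    printf("%zu lines, %zu words, %zu chars, %zu bytes, %zu malformed UTF-8 sequences\n",
           c.lines, c.words, c.chars, c.bytes, c.invalid);
    return 0;
}
```

Compile with `cc -O2 -o wcsm wcsm.c` and pipe any file in; the interesting part is that there is no `if (isspace(...))` anywhere in the hot loop, only the transition table, and that adding a new rule (say, treating a stray continuation byte differently) is a table edit rather than new branching code.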
Hetty [GH] "is an HTTP toolkit for security research. It aims to become an open-source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty communities."
Essentially, Hetty is a "machine in the middle" (MITM) proxy server, organized around "projects", that helps security researchers find and report web application flaws. The authors name Burp Suite directly, but there are other contenders in this proxy space, including mitmproxy and proxify (to name just two). Where Hetty differs from those two is project organization: with mitmproxy and proxify you have to manage that yourself, whereas it is a core feature of Burp Suite and of Hetty.
Presently, Hetty's features include:
Machine-in-the-middle (MITM) HTTP proxy, with logs and advanced search
HTTP client for manually creating/editing requests, and replay proxied requests
Intercept requests and responses for manual review (edit, send/receive, cancel)
Scope support, to help keep work organized
Easy-to-use web-based admin interface
Project-based database storage, to help keep work organized
If you think these MITM proxies are just for cybersec folk, think again. I find them invaluable for preserving websites and for introspecting network connections. These days, more sites detect an open Developer Tools panel and fire JavaScript debugger statements on a timer to frustrate inspection, forcing one to apply workarounds; a proxy sees the traffic regardless of what the page's scripts do, which significantly eases that frustration.
I'm going to poke at Hetty a bit more, but its features are thin (they may be fine for bug bounty hunters), and I get plenty of mileage from free Burp Suite and the other tools I've mentioned.
Happy Monday! To any readers in the U.S. West/Southwest: try to keep cool! ☮