WME Safe Scripts?

Discussion for the unofficial, community-developed addons, extensions and scripts built for the Waze Map Editor.

The official index of these tools is the Community Plugins, Extensions and Tools wiki page.

Moderators: Unholy, bextein, JustinS83, Glodenox

Forum rules
Discussion for the unofficial, community-developed addons, extensions and scripts built for the Waze Map Editor.

DO NOT START a new thread unless it is about a new idea. Keep discussion of existing tools within the main thread for that tool.

The official index of these tools is the Community Plugins, Extensions and Tools wiki page.

Re: WME Safe Scripts?

Postby berestovskyy » Mon Jul 01, 2019 7:34 am

Hey DrivingWithBill,
Sorry, it's a bit long read.

Are WME scrips safe?
I have a bad news. Not only there are some obfuscated scripts, but on top of that some scripts download their parts from internet runtime. Basically, it means that you never know what you are running: you check the source code now, there is no guarantee you run the same code a minute later.

This runtime download property of a script also renders useless any validations or approvals, as the script might be changed anytime.

JavaScript is safe by default?
Nowadays, Spectre and Meltdown vulnerabilities are in the wild. Have a look at the original Spectre paper for an example attack implementation in JavaScript: https://spectreattack.com/spectre.pdf

It's just a few lines of code.

Virtual Machine to the rescue?
Another bad news. The Spectre attack technique might be used across host/guest boundaries. It's harder, but there is a possibility.

What do you do?
Use open source scripts, which never download their parts from the internet. If you are able to run a specific version of the script locally, the script is quite safe. You can review this specific version or ask someone to review it.

The WME Validator and some other scripts are like this: open source, no internet dependencies.

Scripts to avoid?
The last bad news for today. We had a precedence with an obfuscated script having some "extra" functionality. I can't go into details, as the author of that script still have moderator privileges on this forum...

So just be careful ;)
berestovskyy
 
Posts: 896
Joined: Fri Jul 15, 2011 1:50 pm
Has thanked: 324 times
Been thanked: 816 times

WME Safe Scripts?

Postby DrivingWithBill » Wed Jun 19, 2019 4:39 pm

Greetings,
To start I know that my tinfoil hat is on too tight, and I also want to THANK ALL of the script writers out there, without them editing would be so much more difficult. As I get to be more accustom to using scripts I have noticed the hundreds and hundreds that exists and there appears to be little information out there about safety of these scripts. We are in essence adding a powerful unknown set of code onto our computer without fully knowing what it may do. I get that there are reasons why sometimes the code is hidden, and I recognize event if it was fully visible many would not know what it is actually doing.

However I think there is also value in verification of these scripts. I dont think this would be difficult, it looks like many are already developed by a team of editors who would quickly and easily be able to vouch for things, however as one off scripts come online maybe it would be wise for a senior editor to give their stamp of approval. Maybe it is enough for a script to make it to the WME Script List, who knows. I dont think there are bad actors out there per-se but in the age of internet security we should be at least aware of the possibility of abuse and take steps to protect the editors in the community.

I appreciate the countless hours spent by script writers and dont want to discourage them with this post. I also feel it is important to at least raise these topics, or provide guidance to the editing community on best ways to protect oneself.
-Drivingwithbill

this space intentionally left blank
DrivingWithBill
Area Manager
Area Manager
 
Posts: 215
Joined: Tue Jun 19, 2018 4:09 am
Location: Long Island Native, Visit CT often
Has thanked: 31 times
Been thanked: 12 times

Re: WME Safe Scripts?

Postby DrivingWithBill » Thu Jun 20, 2019 1:11 am

Thank you for your thoughtful insight and suggestions.
-Drivingwithbill

this space intentionally left blank
DrivingWithBill
Area Manager
Area Manager
 
Posts: 215
Joined: Tue Jun 19, 2018 4:09 am
Location: Long Island Native, Visit CT often
Has thanked: 31 times
Been thanked: 12 times

Re: WME Safe Scripts?

Postby DrivingWithBill » Mon Jul 01, 2019 6:39 pm

This is disappointing to hear. Also problematic if an unscrupulous character did do something and that they are STILL a trusted member of the community and therefore unable to disclose what hacking activity they did.
-Drivingwithbill

this space intentionally left blank
DrivingWithBill
Area Manager
Area Manager
 
Posts: 215
Joined: Tue Jun 19, 2018 4:09 am
Location: Long Island Native, Visit CT often
Has thanked: 31 times
Been thanked: 12 times

Re: WME Safe Scripts?

Postby dude495 » Sun Jul 21, 2019 2:13 pm

Is it possible, absolutely. Is it probable from an WME Script Author, absolutely not. The scripting team in WME are trusted editors within the community. We aren't out to get you or anyone else for that matter, we all share the same goals to better Waze. If you have questions regarding a specific script, feel free to ask any other community member and they'll tell you whether thats a legit script or not as most scripts used are used by many and red flags would get around fairly quickly.

If you fear the extremely rare chances of something bad happening, then use your own discretion on whether or not to install it.
Dan B - New York SM - Pakistan CM
Waze New York & NYC Social Media
New York Partnerships Coordinator
iOS & WME ßeta Tester
Waze USA & Pakistan Mentor


[ img ]
dude495
PartnerCoordinator
PartnerCoordinator
 
Posts: 432
Joined: Sun Feb 23, 2014 2:05 am
Location: Texas
Has thanked: 130 times
Been thanked: 301 times

Re: WME Safe Scripts?

Postby dude495 » Tue Jul 23, 2019 1:40 pm

Mvan231 wrote:I never really had much thought about devious activity with the scripts, but there are certainly some concerns with running scripts of any type from any source unless you understand what is going on inside of them


Just like downloading software from the internet, don't install it unless you know its from a trusted source.
Dan B - New York SM - Pakistan CM
Waze New York & NYC Social Media
New York Partnerships Coordinator
iOS & WME ßeta Tester
Waze USA & Pakistan Mentor


[ img ]
dude495
PartnerCoordinator
PartnerCoordinator
 
Posts: 432
Joined: Sun Feb 23, 2014 2:05 am
Location: Texas
Has thanked: 130 times
Been thanked: 301 times

Re: WME Safe Scripts?

Postby iainhouse » Wed Jun 19, 2019 6:40 pm

As Justin said, the vast majority of scripts aren't hidden in any way. The source code is out there in the open, available for anyone to see. And it's a damned good thing that it is - I like, many other script authors, got started by looking at the existing scripts to see how they worked. I could never have got as far as I have without liberally "borrowing" from my colleagues. "Standing on the shoulders of giants". :mrgreen:

Apart from that, the most popular scripts are being produced by long-standing members of the Waze community. They have topics here on the forum where they publish details, discuss issues and answer questions. Even if you only know the script-writers Waze username, you still know it's someone who has a history and a reputation to lose if they try something dodgy - and doing so without it being spotted would be tough.

I don't think you will get much take-up for any sort of semi-official verification process. After all, the senior script writers already have enough to do maintaining their own scripts, and may not want to make themselves responsible for saying that another script is safe.

But this is a community - and it can work like that. For a start, you could look at the code yourself, or ask someone who knows a bit of programming to do so. From there it can work up the chain: if you can't work out what it's doing, there may be a topic on the forum for the script where you can ask. If there isn't such a topic, there's no reason why you can't create one and ask about a particular script.

At the end of the day, you're right - scripts can potentially do harmful things. You have to rely on the community. Do your fellow editors use it? Is there an active forum topic for it? Is the author a long-time Waze member, with plenty of activity on the forum?
[ img ][ img ][ img ]
UK AdminsUK WikiWaze FAQWMEFU Script :ugeek:
I want to go to a commune in Vermont and deal with no unit of time shorter than a season
iainhouse
Country Manager
Country Manager
 
Posts: 10316
Joined: Mon Jul 23, 2012 5:16 pm
Location: on the road from London to insanity, with Waze HQ in the driving seat
Has thanked: 2748 times
Been thanked: 8509 times

Re: WME Safe Scripts?

Postby JustinS83 » Wed Jun 19, 2019 4:45 pm

DrivingWithBill wrote:... and there appears to be little information out there about safety of these scripts. We are in essence adding a powerful unknown set of code onto our computer without fully knowing what it may do. I get that there are reasons why sometimes the code is hidden, and I recognize event if it was fully visible many would not know what it is actually doing.


There are only 3-4 scripts that are obfuscated that I know of. All the rest you can open the Tampermonkey dashboard and read the code for them in your leisure time.
Script Writing Community Coordinator
[ img ][ img ][ img ][ img ][ img ]
JustinS83
Waze Global Champs
Waze Global Champs
 
Posts: 1350
Joined: Wed Dec 03, 2014 4:33 am
Location: Franklin, OH
Has thanked: 341 times
Been thanked: 2398 times

Re: WME Safe Scripts?

Postby Mvan231 » Tue Jul 23, 2019 1:39 pm

I never really had much thought about devious activity with the scripts, but there are certainly some concerns with running scripts of any type from any source unless you understand what is going on inside of them
- Mark
Mvan231 (3) MI AM
GLR | Michigan Editor
Wazeopedia :lol: | Engineer :geek: | iOS user :)

[ img ] [ img ]
Mvan231
 
Posts: 833
Joined: Tue Feb 11, 2014 3:05 pm
Location: Great Lakes Region / Michigan
Has thanked: 715 times
Been thanked: 106 times

Re: WME Safe Scripts?

Postby Mythdraug » Mon Jun 24, 2019 10:20 am

I agree with what iainhouse says above, but will acknowledge that I had similar concerns as DrivingWithBill when I was introduced to the scripts. That concern was one of the reasons why I pushed all my editing into a virtual machine that I only use for editing related activities.
Mythdraug
 
Posts: 16
Joined: Thu May 04, 2017 11:26 am
Location: Chicago-land
Has thanked: 15 times
Been thanked: 7 times


Return to Addons, Extensions, and Scripts

Who is online

Users browsing this forum: jm6087, Mythdraug