[Bf-committers] "Security" gets in the way

Ruslan Merkulov r.merkulov at gmail.com
Thu Apr 29 09:10:39 CEST 2010


There are a couple of things that can be done to improve the situation:

1) Include a warning message in the splash screen in bold letters
about downloading and opening random .blends and scripts from the
Internet.
2) Create some sort of official content and scripts repository for
Blender with some sort of approving scheme. Maybe create an add-on for
Blender to download and install content approved by community and/or
developers.

So, it boils down to a) educating users about security awareness, b)
creating a network of trust and incidentally making finding and
installing safe content easier.

On Thu, Apr 29, 2010 at 10:23 AM, Benjamin Tolputt
<btolputt at internode.on.net> wrote:
> Harley Acheson wrote:
>> I am a Blender noob, a long-time developer (25 years but very little with C),
>> but I spend my days as a network administrator for a large-ish network (650
>> users, 700 computers). So you would naturally think that I would be in the
>> “theoretical IT types” in favor of high security in Blender.
>> ...
>> At my very secure network my users cannot do anything (with python or anything else)
>> that could wreck the computer they are using because they don’t run with the privileges
>> necessary to do such damage. They are also unable to damage any files but their own,
>> and if they manage that they can just restore them themselves from a snapshot from a few
>> hours earlier. Or they can have me restore their files from a backup.
>>
>
> Actually, from that I would think you'd be one of those calling for
> Blender to have an option on installation to ignore security. After all,
> you are in a network situation someone with knowledge of security has
> put time & effort into locking down machines & their capabilities.
> You've obviously got a decent backup system in place and would be
> knowledgeable in the risks / exploits you'd need to guard the network
> against.
>
> In fact, aside from the fact I am a developer (HelpDesk & network admin
> was not my thing), you are very similar to myself in what I know & how I
> would go about securing my own computing resources. The environment you
> describe sounds like a well regulated production studio network too:
> highly networked, strict & frequent backups, and with user accounts
> designed to be as fool proof as the sys-admin guy can make them.
>
> This is the PERFECT environment for allowing unfettered control over
> Python as damage will be restricted and the worst that can happen is
> files the user has access to will be sent out into the Internet to be
> picked up by whoever compromised their system.
>
> Unfortunately, most people downloading and playing with Blender will NOT
> be in such an environment. They'll be users tinkering around with Blender
> in an unsecured network, without backups, with a file system fully
> accessible to a compromised Blender installation, and (most importantly)
> without the knowledge there might be a danger in opening a scene file they
> downloaded from the web.
>
>> Yes, it is easy to make a python script that steals passwords or deletes your files, just
>> as it is easy to do so in any programming language. The danger potentially lurking in
>> an evil blend file is the same as in any program you could download from the internet.
>>
>
> While stealing your passwords and deleting your files is bad, the most
> common use of malware at the moment is in the creation of nodes in a
> bot-net. These are usually just outlets for spam and participants in
> DDOS attacks. You might also lose passwords and/or have your files
> deleted, but the commercial success of hacking machines for this purpose
> is limited.
>
> Bot-nets on the other hand are profitable for the criminal organisations
> that "sponsor" such malware development. A bot-net can send out millions
> of emails from Nigerian Royalty, phallic herbal pharmacies, and banks
> seeking verification of your username & password. These ARE profitable
> enterprises, as is the use of bot-nets to blackmail gambling sites &
> the like with the threat of DDOS attacks (backed up by taking them
> offline for an hour or so first).
>
> Also, in the minds of most end-users "opening" a document (or .blend)
> they got off the web is very different to "running" a program they
> downloaded. This is reinforced by the fact that one is asked whether
> they want to open a file or save it (in Chrome & FireFox) for documents
> and only given the choice of saving the file if it has a recognised
> application extension. And, for the most part, applications that allow
> opening files that might give unauthorised access to the users computer
> tend to pop-up a warning of such ("This file has macros which may do X,
> Y, & Z. Do you wish to enable them when loading? Yes. No"). Leading me
> into...
>
>> There isn’t any comparison to Word and Excel macro viruses or other types of threat.
>> Blend files just don’t have the same audience, or the ability to quickly propagate. You
>> either need fast self-replication or very fast and wide direct distributions in order to keep
>> it from self-limiting and to isolate the writer of the threat from getting caught.
>>
>> Seriously… try to imagine a scenario where you could cause mischief in some way with
>> an autoexecuting Blend that would be long-lasting and leaves you anonymous, and
>> therefore out of jail. Blend files just aren’t traded and shared the way the Word files are.
>> We’ve had the ability to run scripts on load for years and this threat has yet to surface.
>>
>
> Yes, Word & Excel documents are more popular. No debating that... but
> claiming that because someone hasn't exploited a security hole yet means
> it is not likely to happen is something I find VERY surprising coming
> from a network admin. Security holes can exist for years (when
> unpatched) before someone finds a way to use them in a leap-frog attack.
> This particular security hole allows for completely unhindered access to
> whatever the Blender application has access to, from the file system to
> the network. Python tells you what operating system you are on and it is
> relatively trivial to include a Base64 encoded application or three in
> text blocks of the blend file. One could easily leap-frog an attack
> based on knowing what OS is running, extracting the appropriate program,
> and running it. Or I could just look for important files on the machine
> and start uploading them to the distributed bot-net.
>
> Can anyone from the Durian team honestly tell me they locked down the
> machine they tested the results of the recent sprint on? I mean, the
> rigs already had script in them - who is to say no-one changed that and
> added in some malicious code? These are developers and people intimately
> familiar with the problems that this might cause and hiding one's
> identity behind a hotmail/yahoo address is not difficult. And that is
> something thought up in the last five minutes. Someone with actual
> experience in compromising systems and a reason to spend some time
> thinking about it I am POSITIVE would find a way to use an unrestricted
> remote execution exploit.
>
>> So for me this isn’t a “security hole”, but just what any program can potentially do. You
>> have to weigh the risks and deal with all the possibilities. My users are much more likely
>> to accidentally delete files themselves than have something else do it for them.
>>
>
> For you, it might be. For someone not in your well-protected set of
> users, there is more to consider. Most people do NOT expect opening a
> document or scene file to execute arbitrary code. While I know it is
> POSSIBLE, I would think such behaviour in any application other than one
> *dedicated* to running arbitrary scripts a bug that should be fixed.
>
> We need to stop looking at what we, as educated & experienced
> developers, admins, and studio artists, are used to and start looking at
> what the average person downloading Blender off of the website would
> expect. I highly doubt a poll of said end-users would answer the
> question "Would you accept opening a downloaded file in Blender to open
> the contents of your computer to someone on the Internet?" in the positive.
>
>
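
An added illustration of the approval scheme proposed in point 2 above, not code from Blender or from anyone in this thread: a loader-side check that enables embedded scripts only for files whose SHA-256 digest appears in an approved-content manifest with enough approvals, and otherwise falls back to a prompt or to disabling scripts with a warning. The manifest format, the `MIN_APPROVALS` threshold and the policy names are assumptions, the sample files are constructed, and the manifest is assumed to arrive over an authenticated channel.

```python
import hashlib
import json
import os
import tempfile

MIN_APPROVALS = 2  # assumed threshold for "approved by community and/or developers"

def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large scene files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def load_manifest(text):
    """Parse the hypothetical manifest: a JSON list of {sha256, approvals}."""
    manifest = {}
    for entry in json.loads(text):
        digest = str(entry["sha256"]).lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest in manifest")
        manifest[digest] = int(entry["approvals"])
    return manifest

def script_policy(path, manifest):
    """Decide by content digest, never by file name or download location."""
    approvals = manifest.get(sha256_file(path))
    if approvals is None:
        return "disable-and-warn"   # unknown or modified file
    if approvals < MIN_APPROVALS:
        return "prompt"             # listed, but not yet approved
    return "allow"

def demo():
    """Run the policy over three constructed sample files."""
    samples = {
        "rig.blend": b"constructed sample scene 1",
        "rig_tampered.blend": b"constructed sample scene 1 + extra text block",
        "prop.blend": b"constructed sample scene 2",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name) for name in samples}
        for name, data in samples.items():
            with open(paths[name], "wb") as f:
                f.write(data)
        manifest = load_manifest(json.dumps([
            {"sha256": sha256_file(paths["rig.blend"]), "approvals": 3},
            {"sha256": sha256_file(paths["prop.blend"]), "approvals": 1},
        ]))
        return {name: script_policy(paths[name], manifest) for name in samples}

if __name__ == "__main__":
    print(demo())
```
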

