[Bf-committers] Blender security paranoia

Benjamin Tolputt btolputt at internode.on.net
Tue Mar 23 23:38:13 CET 2010


While I can understand your viewpoint and, to a large extent, share it -
it is not paranoia if people are out to get you. As soon as Blender
becomes a large enough target, malware writers will target the users for
use in their botnets and/or phishing schemes. It is not an "if"; it is a
"when". For the larger applications, they simply add their malware to
the plethora of key-gens & cracks on the web (working or otherwise); but
this is not a vector for Blender being free to begin with. Python
scripts (be they through custom UIs, .blend files, or add-ons) are a
perfect method in which to do this - because hiding the malware is
damned easy.

Right now, much as I would like to say otherwise, Blender is too small a
target. The number of people that would download and install the malware
through a .blend file or a keymap script numbers in perhaps the dozens
(at most) before the issue is detected - not enough to make it worth the
time to put together. As Blender gets more popular though, the value of
getting malware to the users increases. Python's design allows for easy
malware development/insertion and, due to Blender being so integrated
with it, it will always be the biggest security flaw of the application.
You can ignore the issue and (for now) that's probably OK. But as
Blender gets bigger - the risk factor increases. Sooner or later it WILL
need to be dealt with.

-- 
Regards,

Benjamin Tolputt
Analyst Programmer


