[Bf-committers] Please turn off Auto Run Python Scripts by default

Chad Fraleigh chadf at triularity.org
Fri Jun 7 23:57:22 CEST 2013


On Fri, Jun 7, 2013 at 2:48 AM, Thomas Dinges <blender at dingto.org> wrote:

> Hi,
> this is a bad idea (especially the first one).
> Adobe Reader also doesn't tell me on first start "Thanks for using Adobe
> Reader, be aware of evil .pdfs".
>
> I bet inexperienced people will get afraid reading that and come to the
> conclusion, that this blend format is very insecure and shouldn't be
> used at all.
> I am sure we can improve security, without frightening our user base. ;)
>

While the threat exists and is trivial to exploit, maybe users _should_ be
afraid. :\

Imagine if users had been more wary about opening emails from unknown
sources, that the "I Love You" virus wouldn't have run amok as badly (and
this doesn't even account for all the other attachments blindly opened by
users).

I'm not saying that blind fear (and not being able to tell the difference
of "what" to be afraid of) is any good.. but when the alternative is highly
vulnerable ignorance, which is worse? Sure.. users can turn it off in their
preferences (and load window?), but only if they know the threat exists to
begin with.

I have the feeling that most novice/intermediate users of blender think of
the .blend files no differently than a text or JPEG file. That it isn't a
"program" that can do just about anything it likes beyond the editor
(barring an "un"-intentional bug in the viewer/editor like a buffer overflow
vulnerability), but simply 3D modeling data.

I mean realistically, how hard would it be for someone with a little too
much [spare] time on their hands to write a python autorun script that
scans for other .blend files and infects them with copies of itself
(including a malicious payload presumably)?  <<-- Let's just hope NOBODY
takes that as a challenge. =|

Anyone that thinks turning users off because of blender being too nagging
is a problem, just wait until some mass infection spreads through the
community.. then you'll see users turned off _and_ pissed. Did we learn
nothing from Microsoft's "convenience over security" mistakes?


-Chad
