| Subject: | Re: [Bf-committers] "Security" gets in the way | |
|---|---|---|
| From: | Benjamin Tolputt (btol...@internode.on.net) | |
| Date: | Apr 28, 2010 11:22:48 pm | |
| List: | org.blender.bf-committers | |
Harley Acheson wrote:
> I am a Blender noob, a long-time developer (25 years but very little with C), but I spend my days as a network administrator for a large-ish network (650 users, 700 computers). So you would naturally think that I would be in the “theoretical IT types” in favor of high security in Blender.
> ...
> At my very secure network my users cannot do anything (with python or anything else) that could wreck the computer they are using because they don’t run with the privileges necessary to do such damage. They are also unable to damage any files but their own, and if they manage that they can just restore them themselves from a snapshot from a few hours earlier. Or they can have me restore their files from a backup.

Actually, from that I would think you'd be one of those calling for Blender to have an option on installation to ignore security. After all, you are in a network situation where someone with knowledge of security has put time & effort into locking down machines & their capabilities. You've obviously got a decent backup system in place and would be knowledgeable in the risks / exploits you'd need to guard the network against.
In fact, aside from the fact I am a developer (HelpDesk & network admin was not my thing), you are very similar to myself in what I know & how I would go about securing my own computing resources. The environment you describe sounds like a well regulated production studio network too: highly networked, strict & frequent backups, and with user accounts designed to be as fool proof as the sys-admin guy can make them.
This is the PERFECT environment for allowing unfettered control over Python as damage will be restricted and the worst that can happen is files the user has access to will be sent out into the Internet to be picked up by whoever compromised their system.
Unfortunately, most people downloading and playing with Blender will NOT be in such an environment. They'll be users tinkering around with Blender in an unsecured network, without backups, with a file system fully accessible to a compromised Blender installation, and (most importantly) without the knowledge there might be a danger in opening a scene file they downloaded from the web.

> Yes, it is easy to make a python script that steals passwords or deletes your files, just as it is easy to do so in any programming language. The danger potentially lurking in an evil blend file is the same as in any program you could download from the internet.

While stealing your passwords and deleting your files is bad, the most common use of malware at the moment is in the creation of nodes in a bot-net. These are usually just outlets for spam and participants in DDOS attacks. You might also lose passwords and/or have your files deleted, but the commercial success of hacking machines for this purpose is limited.
Bot-nets on the other hand are profitable for the criminal organisations that "sponsor" such malware development. A bot-net can send out millions of emails from Nigerian Royalty, phallic herbal pharmacies, and banks seeking verification of your username & password. These ARE profitable enterprises, as is the use of bot-nets to blackmail gambling sites & the like with the threat of DDOS attacks (backed up by taking them offline for an hour or so first).
Also, in the minds of most end-users "opening" a document (or .blend) they got off the web is very different to "running" a program they downloaded. This is reinforced by the fact that one is asked whether they want to open a file or save it (in Chrome & Firefox) for documents and only given the choice of saving the file if it has a recognised application extension. And, for the most part, applications that allow opening files that might give unauthorised access to the user's computer tend to pop-up a warning of such ("This file has macros which may do X, Y, & Z. Do you wish to enable them when loading? Yes. No"). Leading me into...

> There isn’t any comparison to Word and Excel macro viruses or other types of threat. Blend files just don’t have the same audience, or the ability to quickly propagate. You either need fast self-replication or very fast and wide direct distributions in order to keep it from self-limiting and to isolate the writer of the threat from getting caught.
> Seriously… try to imagine a scenario where you could cause mischief in some way with an autoexecuting Blend that would be long-lasting and leaves you anonymous, and therefore out of jail. Blend files just aren’t traded and shared the way the Word files are.
> We’ve had the ability to run scripts on load for years and this threat has yet to surface.

Yes, Word & Excel documents are more popular. No debating that... but claiming that because someone hasn't exploited a security hole yet means it is not likely to happen is something I find VERY surprising coming from a network admin. Security holes can exist for years (when unpatched) before someone finds a way to use them in a leap-frog attack. This particular security hole allows for completely unhindered access to whatever the Blender application has access to, from the file system to the network. Python tells you what operating system you are on and it is relatively trivial to include a Base64 encoded application or three in text blocks of the blend file. One could easily leap-frog an attack based on knowing what OS is running, extracting the appropriate program, and running it. Or I could just look for important files on the machine and start uploading them to the distributed bot-net.
Can anyone from the Durian team honestly tell me they locked down the machine they tested the results of the recent sprint on? I mean, the rigs already had script in them - who is to say no-one changed that and added in some malicious code? These are developers and people intimately familiar with the problems that this might cause and hiding one's identity behind a hotmail/yahoo address is not difficult. And that is something thought up in the last five minutes. Someone with actual experience in compromising systems and a reason to spend some time thinking about it I am POSITIVE would find a way to use an unrestricted remote execution exploit.
> So for me this isn’t a “security hole”, but just what any program can potentially do. You have to weigh the risks and deal with all the possibilities. My users are much more likely to accidentally delete files themselves than have something else do it for them.

For you, it might be. For someone not in your well-protected set of users, there is more to consider. Most people do NOT expect opening a document or scene file to execute arbitrary code. While I know it is POSSIBLE, I would think such behaviour in any application other than one *dedicated* to running arbitrary scripts a bug that should be fixed.
We need to stop looking at what we, as educated & experienced developers, admins, and studio artists, are used to and start looking at what the average person downloading Blender off of the website would expect. I highly doubt a poll of said end-users would answer the question "Would you accept opening a downloaded file in Blender to open the contents of your computer to someone on the Internet?" in the positive.
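
An added example, not part of the original message or of Blender's code: a defender-side check for the scenario raised in the reply above, where a script text block carries a Base64-encoded program. It assumes the text blocks have already been extracted from the file into a name-to-source mapping; the function names and the sample blocks are hypothetical and constructed for illustration.

```python
import base64
import re
import textwrap

# Leading magic bytes of common native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
}

# 16+ groups of four base64 characters (64+ chars), possibly line-wrapped,
# followed by an optional padded tail.
B64_RUN = re.compile(
    r"(?:[A-Za-z0-9+/]{4}\s*){16,}(?:[A-Za-z0-9+/]{2,3}={1,2})?"
)


def find_embedded_executables(text_blocks):
    """Return (block name, format, decoded size) for each base64 run in the
    given {name: source} mapping that decodes to a native executable header."""
    findings = []
    for name, source in text_blocks.items():
        for match in B64_RUN.finditer(source):
            encoded = re.sub(r"\s+", "", match.group(0))
            try:
                decoded = base64.b64decode(encoded, validate=True)
            except ValueError:  # not valid base64 after all
                continue
            for magic, fmt in EXECUTABLE_MAGIC.items():
                if decoded.startswith(magic):
                    findings.append((name, fmt, len(decoded)))
    return findings


def sample_text_blocks():
    """Constructed sample: one ordinary script, one hiding a fake PE header."""
    fake_pe = b"MZ" + bytes(94)  # stand-in bytes, not a real program
    wrapped = "\n".join(textwrap.wrap(base64.b64encode(fake_pe).decode(), 64))
    return {
        "rig_ui.py": "import bpy\n\ndef register():\n    pass\n",
        "notes.py": f'BLOB = """\n{wrapped}\n"""\n',
    }


if __name__ == "__main__":
    for finding in find_embedded_executables(sample_text_blocks()):
        print(finding)
```

A hit is a reason to inspect the file before enabling its scripts; a clean result proves nothing, since a payload can be encoded in other ways.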