GNU Licenses, Hacking of open source software

Hello Blender Artists and Community,

I have been enjoying watching Blender develop off and on over the past 10 years, and would like to openly post these comments and questions.

I just upgraded some hardware and am considering making a $100 donation to Blender Foundation, once I can be sure Blender will be a good choice for my intended uses. I know that is not a ton of money, but I would like to contribute financially. In addition, I have been considering a personal contribution that would be a basic guide to Blender’s modeling functionality for users coming from a Sketchup background. It took me a while to uncover some of Blender’s modeling capabilities that match the simple workflow of Sketchup, which I know are not really that tricky to master but were a bit of a mystery for me for a while.

There are a few reasons I mention this, and I’m hoping that by asking the following questions I might shed some light on some security and intellectual property questions I have.

First:
As per Blender’s GNU license, is Blender software considered a gift, as per typical legal definitions of a gift in US law? Are there any strings attached to the use of Blender that forgo the rights of private property, personal intellectual property and copyright by the users of Blender?

Second:
Due to the inherent nature of Open Source software, is there greater potential for unscrupulous individuals to insert hacking mechanisms into Blender or other open source code? Could malicious code be inserted into .blend files that would allow for some bastard suffering from sociopathy that would open it and a user’s computer up to hacking and theft? I’d like to stress here that I would really enjoy adding certain items to a Blender Open Cloud, but I don’t want to allow a sociopath to sabotage or steal models, etc. because they think that will score a “win,” for them.

Third:
I know this may sound a little out there, but unfortunately my experience has been that just after installing the 3 programs Blender, GIMP and Inkscape as test deployments I have suffered what seems to be hacking and hijacking of my Windows 10 OS platform. It may be coincidence, and it almost seems as though there is an intended effort to make open source applications appear prone to attack in the eyes of my peers. Pretty rotten outcome.

Fourth:
I am aware that someone who has been engaged in some stalking behavior may have obtained Windows “backdoor” hacking methods typically available only to law enforcement. In light of all of this I’d like to offer a

$$$$$ -------- REWARD -------- $$$$$
For any persons who can provide evidence of hacking that leads to a civil court judgment in my favor for hacking or unlawful tampering or sabotage with respect to my system. Are there any white hat hackers out there also enthusiasts of Blender who would like to see if they can obtain some form of evidence? Let me know. I will make a sizeable portion of any civil judgment I can obtain to persons who can obtain evidence leading to a judgment. It’s about self determination and the principle, not the money for me. Anyone interested please let me know.

Thanks for any answers and input!

Unless you downloaded some Blender build from an unknown person on an unknown website, you should be safe from the idea of Blender as a platform to hijack your system (as nothing can formally get into Master without permission from the core team).

To minimize the chance of builds containing malicious code, always stick to the Blender buildbot page or graphicall.org.

Technically, there could be some safety issues with Python scripts embedded in a .blend file you download from an unknown source. Blender does have Python scripts auto-disabled for this very reason, and I have never actually heard of any cases where that has happened. But the Python access to system resources is deep, and it wouldn’t be difficult to insert some code.

But Blender itself should be perfectly secure.

Join the Blender Cloud for a year instead of just donating 100 bucks.

I don’t know what a gift is according to the US legal system, so I am going to answer the second part of your question. Due to its license, Blender is everyone’s software. Therefore it is partly your software, as in your property. What you do with it (i.e. the models you create) belongs to you and you alone, as in: it is your intellectual property and you have every right to it; no one can take that away from you (not even the Blender Foundation).

People already mentioned it, you have to get the software from trusted source(s). Plus if Windows got hacked, my principal suspect would be Micro$oft.

3 programs Blender, GIMP and Inkscape as test deployments I have suffered what seems to be hacking and hijacking of my Windows 10 OS platform

if you grabbed them from the software websites

https://inkscape.org/en/download/windows/

then it is SAFE

if however you got it from some random site???
or cnet or softpedia ???
then there might ALSO be installed other CRAPWARE

but that likelihood is VERY VERY VERY SLIM

a BETTER source for your issues would be Windows 10 itself and all the CRAPWARE and BLOATWARE that the OEM PRE INSTALLED!!

Could malicious code be inserted into .blend files that would allow for some bastard suffering from sociopathy that would open it and a user’s computer up to hacking and theft?

I resemble that remark !!
we are NOT all BAD all the time , just a bit of a gray hat

https://blenderartists.org/forum/showthread.php?376618-Add-on-Extrude-and-Reshape check this thread for an addon which works like pushpull tool of sketchup.

Could malicious code be inserted into .blend files that would allow for some bastard suffering from sociopathy that would open it and a user’s computer up to hacking and theft?

The following goes for pretty much every program written in an unsafe language like C/C++:

Chances are the program contains programming errors that, with sufficient effort, would allow somebody to execute arbitrary code when a maliciously prepared piece of data is processed. This is the reason you have to update your browser almost every week: those errors are found and exploited on a regular basis, through malicious websites or advertising.

On top of that, all the file format parsing for .blend files is home-grown and certainly not written with security in mind. What really saves us all from an epidemic of maliciously prepared .blend files is that nobody really gives a shit about hacking Blender users in particular. The .blend file format is extremely obscure and its users aren’t particularly interesting. Economically, it wouldn’t make a lot of sense to make the effort to find the exploit and spread the malicious files. The situation is entirely different for popular formats like PDF: programs like Adobe Reader are often vulnerable to malicious files, often spread by e-mail.

Anyhow, if you want to be perfectly safe, don’t process data of any kind using a computer.

Downloading software from its original web site doesn’t guarantee safety. All it takes is that someone manipulates the web site and uploads a modified binary*, or a man-in-the-middle attack, the latter being very easy if your computer is compromised to begin with.

*Which has happened with open source software before, see http://transmissionbt.com/keydnap_qa/

let’s just stop using software!

There’s a big difference between joining the Blender Cloud and donating to the Development Fund. Spending money on the Cloud means it gets put into the Blender Institute/Blender Animation Studios projects, only a part of it will be spent on Blender development. Donating to the Dev Fund on the other hand means 100% of it will be put into Blender development.
It’s up to you to decide if you only want to put your money into development or into the BI projects too (and all the Cloud content). Joining the Cloud is a great investment, however it is still super important that we keep the Dev Fund alive and wealthy.

Yes this is of course possible, but this point can be made for every program available through the WWW. As BeerBaron said, “if you want to be perfectly safe, don’t process data of any kind using a computer”. You can’t even trust your toaster nowadays.
The point is, compared to other security risks the world of computers has for us, downloading popular (open source) software from trusted sources (like the manufacturer website) is safe. It is far more dangerous to use Microsoft products than it is to use Blender builds from blender.org servers.

Please read the FAQ for Artists on Blender.org. This should clear up most of your questions.

Open source software is generally regarded as more secure by virtue of the fact that the source code is available (and therefore auditable) by anyone. That said, Blender is not specifically developed with computer security in mind. It would not be difficult at all to insert malicious code in a .blend file. Granted, some of that is mitigated a bit by the “trusted file” feature (by default all .blend files are initially loaded as “untrusted” to prevent this sort of thing). That said, despite Blender’s general popularity within its niche, it’s still a pretty small niche relative to the overall size of the computing world. The likelihood of anyone using Blender as an attack vector is very small.
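Added example, not code from this thread or from the Blender project: a small Python triage script that walks the block list of a .blend file and reports whether it carries Text datablocks (the datablocks in which embedded Python scripts live), so a file from an unknown source can be inspected before it is opened with scripts enabled. The block layout (12-byte header, then per-block header of code, size, old address, SDNA index and count) is from my knowledge of the format, not from this thread; the sample file is constructed.

```python
import struct

# Assumed layout (not stated in the thread): 12-byte file header "BLENDER",
# then a pointer-size char ('-' = 64-bit, '_' = 32-bit), an endianness char
# ('v' = little, 'V' = big) and a 3-char version, followed by file blocks.
TEXT_CODE = b"TX\x00\x00"   # ID code of a Text datablock (script container)
END_CODE = b"ENDB"          # terminating block

def parse_header(data):
    """Return (pointer_size, little_endian, version); reject non-.blend input."""
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file (missing BLENDER magic)")
    ptr_size = 8 if data[7:8] == b"-" else 4
    little = data[8:9] == b"v"
    return ptr_size, little, data[9:12].decode("ascii")

def list_blocks(data):
    """Walk the block headers without trusting sizes past the buffer end."""
    ptr_size, little, _ = parse_header(data)
    fmt = ("<" if little else ">") + "4si" + ("Q" if ptr_size == 8 else "I") + "ii"
    hdr_len = struct.calcsize(fmt)
    blocks, pos = [], 12
    while pos + hdr_len <= len(data):
        code, size, _old_addr, _sdna, count = struct.unpack_from(fmt, data, pos)
        blocks.append((code, size, count))
        if code == END_CODE or size < 0:   # stop at ENDB or a corrupt size
            break
        pos += hdr_len + size
    return blocks

def count_text_blocks(data):
    """Triage signal only: a TX block means the file ships a script container.
    The script body itself sits in following DATA blocks, and Text datablocks
    also occur in perfectly legitimate files."""
    return sum(1 for code, _, _ in list_blocks(data) if code == TEXT_CODE)

def pack_block(code, payload, count=1):
    """Build one 64-bit little-endian block for the constructed sample."""
    return struct.pack("<4siQii", code, len(payload), 0, 0, count) + payload

def build_sample(with_text=True):
    """Constructed minimal .blend-shaped file, not a real Blender save."""
    body = pack_block(b"GLOB", b"\x00" * 8)
    if with_text:
        body += pack_block(TEXT_CODE, b"import os\n".ljust(16, b"\x00"))
    return b"BLENDER-v279" + body + pack_block(END_CODE, b"")

if __name__ == "__main__":
    print("text datablocks in sample:", count_text_blocks(build_sample()))
```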

I assume that you’re downloading these packages from their respective official websites. If that’s the case, then barring a man-in-the-middle attack that specifically spoofs those sites for you or those sites being hijacked themselves, it’s pretty unlikely that those are the sources of any bad behavior on your computer. That said, even if there’s a man-in-the-middle attack (unlikely, but still more likely than the official sites being compromised), most of those sites, I believe, offer an MD5 checksum that can help validate the authenticity of your download.

Good luck with that.

All in all, you got the answers,
so I’ll just add

  • Windows is protecting you against possible attacks and suspicious software (unsigned software is blocked)
  • About exploitation and forces dealing with the Cyberworld, explore or experience the DEFCON Conference