But why would you do that? You’re exposed to virtually everything: fire/natural disaster, burglary, hardware failure, malware/network attacks—anything would be devastating in your situation. If a blend file is potentially a catastrophic point of failure to your financial security, it should be a wake up call. You need to change your habits so you’re not so vulnerable.
I actually think it is very reasonable to worry about security in this case. I can definitely see how downloading a .blend file that requires you to enable ‘Auto Run Python Scripts’ to function properly is a huge risk of security. If enabled Python scripts run from a file automatically can do pretty much anything to the machine the way I understand. While it is true that you are a very unlikely target of an attack like that if you were, the attack would very likely be successful and would take the attacker disturbingly little effort to carry out. It does however seem logical to me to manage your digital assets on a separate machine that you would not use for ANYTHING else instead of using another PC to run Blender. Managing digital assets will probably not require much in terms of hardware and computing power, that Blender and other software might need so it can probably be a cheep netbook. Plus it would avoid risks from other potential sources that occur in a PC dedicated for regular use. Thinking that one operating system is more secure than another is really dangerous as well in my opinion.
To me this sounds like a really good advice. Plus why would someone post this on a public forum to inform everyone of the terribly insecure situation?..
This habit is a huge time gain for me, I can save much time by doing this.
I always have an encrypted copy of my data on external drive, I even consider to store them on the cloud as soon as I am sure the encryption is unbreakable.
Note: The data is always encrypted. If my computer is stolen, one still needs the (very long and difficult) master password to open the safe.
Note 2: I change that password regularly.
just a tip if you want a tiny bit of “security”;
stay away from products of Adobe, Autodesk, Apple, Microsoft, Dropbox and many many others.
Every subscription model is security wise terrible, since they are all
“phoning home” worst you can do is using a cloud, its literally saving your files on someone else’s hard drive.
closed source is terrible since you have no way of seeing the code nor security what they have actually implemented.
A couple years ago, there was an uproar here on this forum
because the US military/defence industry/Navy is using Blender for
the development of items within the military or so.
To make it short; once a military contractor or sector is using a program, you can be sure that the programs
they use got a deep look into the code to secure the defence of a country.
the strengths of open source is basically;
you can if you are that much concerned, deep dive into the code and check if it fits your purposes, change and adapt it to your own needs.
Open source can be a security risk as well. Just because it is open source does not mean that people with good intentions are going to check it. You may as well argue that open source makes it easier for attackers to find weaknesses.
AES 128 or 256 bit encryption is currently still definitely unbreakable. That helps, but I believe that would not save you from a key-logger that can be executed from .blend file.
That can easily be prevented though by making sure you’re not downloading and installing addons from random and otherwise unfamiliar websites.
You can practically be sure that addons from Blender.org, the Blender Market, and other main portals will be (largely) free of malicious instructions, but less so if you’re downloading from some relatively obscure blog site by a person who is never seen in the community.
I am talking about scripts in .blend files. If I understand it correctly, there are no security limitations about what a Python script can do (please correct me if I am wrong) and it seems reasonable to me that there should not be because it would seriously get in the way of working in a lot of cases. A text block with python code can be saved with .blend file, if it’s name ends in .py it can be set to ‘Register’ that means it will be executed on loading the file if Auto Run Python Scripts is enabled which is pretty convenient if you work a lot with rigging for example. In that scenario Blender would be a huge security risk if that is forgotten. Somebody may ask you for some help for example to have a look at their blend file…
I am talking about scripts in .blend files. If I understand it correctly, there are no security limitations about what a Python script can do (please correct me if I am wrong) and it seems reasonable to me that there should not be because it would seriously get in the way of working in a lot of cases.
That is true and it is a big risk.
A text block with python code can be saved with .blend file, if it’s name ends in .py it can be set to ‘Register’ that means it will be executed on loading the file if Auto Run Python Scripts is enabled which is pretty convenient if you work a lot with rigging for example.
You can (and should) at least exclude paths to not execute scripts from (e.g. “Downloads”).
nevermind…
This is paranoia on an almost laughable level. If you’re not downloading shady .blends and python scripts left and right and running them with no protections enabled, then Blender is just as secure as any other piece of software for an average computer user. As someone whose day job is TS-level and above cybersecurity tool development, trust me when I say that unless you’re engaging in some very stupid activities as an end user, simply connecting to BlenderArtists (and paypal, and your bank’s online portal, and the internet in general) has put you at a million times more risk than using Blender even semi-intelligently ever will.
That seems to be the problem. It is not secure like most software we use, but it’s mostly because how we use it. As someone who’s day job includes design, trust me, we as end users do engage in some very stupid activities. One does not need to be stupid to do that. It happens because of selective attention in our brain. We cannot dedicate 100% of attention to everything, it gets divided. So if you are using a PC and doing some other stuff, maybe thinking of some personal problems, talking to someone, checking Facebook on your phone and it happens that you do all of it at the same time, how much attention is there left to dedicate to cyber security? I can definitely understand how myself or even the smartest people can engage in some very stupid activities without being stupid in general. I believe we all do regularly. It makes sense to try and minimize the risk by the design of the environment we are in. For example choosing to use a dedicated more secure PC for sensitive stuff.
Please use facts first before creating false statements.
Blender and Nvidia prop. drivers are the only softwares that I use which have no (or nontransparent) security standards.
We are talking about minimum security checks before any release of a software.
What has PayPal to do with security risks?
What has a bank account to do with security risks?
I don’t see any further risks in these, you always need (at least) one party to provide the services for online trading.
In this case, if he fear a file could be infected ( who is virtually the case for any file )… he just dont download or run files outside is own one.
Are you using Blender as root? (you should not of course). One more step for security would be to save sensitive data without giving write permissions to the user. And do not mount by default the partition where you save the sensitive data. As I say, one more step. I am not saying that this can not remain vulnerable.
Anyway you should encrypt and backup your data in various different storage media. I have lost more data due to broken storage media and user mistakes, than due to any virus/malware.
I think SSDs (esp. Samsungs) are doing a very good job in this regard, old hard drives are more likely to cause problems.
For now I am using only one copy but additionally I will consider cloud storage as soon as I am sure about the encryption.
What do you consider minimum security checks?
In other words, it’s not secure at all and the only thing protecting you is the obscurity of whatever file formats and programs you are using, relative to the effort of finding an exploit. Applications are not sandboxed by default, user-level access is all that is needed to run ransomware, for instance.
What’s a “shady” .blend file or script anyway? Is anybody really auditing the stuff they download before they run it? People are trained to not open email attachments, but they willingly download and open files from blendswap by the dozens.
As someone whose day job is TS-level and above cybersecurity tool development, trust me when I say that unless you’re engaging in some very stupid activities as an end user, simply connecting to BlenderArtists (and paypal, and your bank’s online portal, and the internet in general) has put you at a million times more risk than using Blender even semi-intelligently ever will.
So what? That doesn’t mean you should disregard one over the other. A targeted attack against the Blender userbase would almost certainly be successful. It’s just that so far, nobody bothered.
- Checking for vulnerabilities of code changes. AFAIK, Canonical uses tools to check these.
- Having a team for instant updates/reaction on known cases. Ubuntu is very quick at this.
- Ubuntu contains a lot of Debian codes https://www.debian.org/security/