Marque opened this issue on Feb 01, 2001 · 19 posts
Marque posted Thu, 01 February 2001 at 6:02 PM
Anyone run the minime script yet? lol Marque
Fox-Mulder posted Thu, 01 February 2001 at 11:10 PM
The PP Guidebook sure devotes a huge amount of space to Python. Obviously they think it is an important new feature, which it is, BUT- It also raised a question, as JeffH has also mentioned, that something this powerful could be mis-used to cause all kinds of havoc on someone's computer. We have firewalls and anti-virus software- but what checks sneaky snake-scripts done by sinister snake-heads? No one has yet answered that one...
jbrugion posted Fri, 02 February 2001 at 1:30 PM
First piece of advice would be don't accept or use a script from an untrusted source that you don't have the *.py file for. That way you can look at the source. If there's a *.pyc included then delete that and make python recompile it (which it will do automatically) AFTER you take a visual check on the source script.
CharlieBrown posted Fri, 02 February 2001 at 2:01 PM
Wow, where did this forum sneak in from? This is one of the reasons I am considering getting the PPP... If the price doesn't go up before the 17th, I will. :-)
Fox-Mulder posted Fri, 02 February 2001 at 2:54 PM
I don't know about you Snake-heads but I know almost nothing about Python scripts and I am certain most average Poser users out there don't either. A sneaky script could easily slip past most of us Non-Py Bozos... What I think is needed SOON is a Poser Community written (and therefore TRUSTED) Py-Check Utility which would alert people that "this script contains potentially destructive elements" or whatever. Like Anti-Virus software or Firewall software... One last thing- It is my understanding that Py-Scripts load AUTOMATICALLY when PP starts up. I really don't know what exactly this means yet- but what about the Macros that can be buried in MS-Word documents- or even graphic elements- I think I would like the OPTION of being able to DISABLE Py-Scripts until I feel more comfortable with them...
CharlieBrown posted Fri, 02 February 2001 at 3:11 PM
Sounds like you want something like the Certificate thing that Internet Explorer uses. "This is certified as trustworthy," "This is uncertified," or "The author of this is known to be untrustworthy" kind of thing.
Fox-Mulder posted Fri, 02 February 2001 at 4:18 PM
Actually I would like to see something more like a basic Firewall. A Firewall can tell you that something is trying to access the internet (but then many Poser users probably don't even have a really good firewall installed)- but, more importantly-
- How about DOS file deletion and re-formatting commands?
- How about checking for personal information on computers? (The I LUV U Trojan played HAVOC with a SIMPLE VB script)
- How about a Python script that simply just Over-Maxed your computer- crashing everything- maybe corrupting all your PP files?
Sure- we all take some risks with Poser downloads, but it sounds to me that Python is really POWERFUL and can do many POWERFUL things. That is something to carefully think about...
Jackmon posted Fri, 02 February 2001 at 5:22 PM
It should be fairly simple to write something that would scan through a script in question and look for key-words that are potentially dangerous... i.e. commands that create, modify, or delete files, etc. Such a scanner could be written in Python itself.
jbrugion posted Fri, 02 February 2001 at 5:42 PM
I agree with Jackmon in that the Python command vocabulary is finite and any words that could be used for evil purposes could be spotted by a scanning script. The rest would be not using *.pyc files, or extension binary libs or dlls from untrusted/unknown sources. Anybody want to chip in on writing the script? Need a simple text sweeper, a dictionary of words of concern and some kind of notification gui.
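Added example, not part of any post in this thread: a sketch of the scanner discussed above, with a "dictionary of words of concern" and a per-line report. It goes one step beyond a plain text sweep by parsing the script with Python's `ast` module, so words inside comments and strings are not flagged; it assumes Python 3 syntax, the word lists are illustrative rather than complete, and names assembled at run time are only caught indirectly through the `__import__`/`getattr` entries.

```python
import ast

# Assumed "dictionary of words of concern" (constructed for this example).
RISKY_MODULES = {"os", "shutil", "subprocess", "socket", "urllib", "ctypes"}
RISKY_CALLS = {"open", "exec", "eval", "compile", "__import__", "getattr"}
RISKY_ATTRS = {"remove", "unlink", "rmdir", "rmtree", "rename", "system", "popen"}

def scan_source(source, filename="<script>"):
    """Return sorted (line, reason) findings for one script's source text."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as err:
        # A script that cannot be parsed cannot be cleared automatically.
        return [(err.lineno or 0, "does not parse: review by hand")]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.add((node.lineno, "imports " + name))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in RISKY_CALLS:
                findings.add((node.lineno, "calls " + func.id + "()"))
            elif isinstance(func, ast.Attribute) and func.attr in RISKY_ATTRS:
                findings.add((node.lineno, "calls ." + func.attr + "()"))
    return sorted(findings)

# Constructed sample script; it is only parsed, never executed.
SAMPLE = '''\
import poser
import os, socket
scene = poser.Scene()
# os.remove in a comment is not code and is not flagged
log = open("notes.txt", "w")
os.remove("C:/Poser/Runtime/backup.cr2")
mod = __import__("shu" + "til")
'''

def report(source):
    """Format findings as the notification text a front end would show."""
    return ["line %d: %s" % finding for finding in scan_source(source)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no findings")
```

A clean result only means none of the listed names appear in the source; it does not cover compiled `.pyc` files or binary extension libraries, which the scanner never sees.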
Jackmon posted Fri, 02 February 2001 at 6:09 PM
Attached Link: http://python.org/doc/howto/rexec/rexec.html
Also looking into using Python's restricted execution mode to test scripts... Not sure quite how this works.. Anyone used it.
Mason posted Fri, 02 February 2001 at 9:35 PM
Well you also have to ask yourself if it's worth sticking a virus or something else in a script that goes to a bunch of Poser users. I mean this is a rather small selection of people. Python is used in industry and any attack would be through that area, not some script here. As was stated above, if you get a script that you don't trust, don't use it. For example, I posted Morph Manager but no one to date has asked whether it contains a virus. Also, once someone gets clobbered I'm sure they will quickly post a notification that either the script didn't work or destroyed data. When I used publicly posted scripts in the past I'd either wait for a settle down period of about a week or two or I'd run RExec on it or just peruse the source script. Never accept a compiled script file if it's not from a trusted source. As for the RExec, Python gives the user file IO capabilities as well as other links into the host machine. RExec basically accepts calls to these file io functions but won't act on them and logs actions instead. It provides a false front to the script. You can customize how restrictive the execution environment can be. Again, Python has been used in industry for years. Using scripts can be dangerous but using common sense will avoid a lot of headaches.
Fox-Mulder posted Fri, 02 February 2001 at 10:39 PM
But keep in mind Mason that once Python scripts get posted in large amounts the odds are some angry Anti-Renderosity type person could do a lot of damage fast upon a generally non-Python literate user base. I rely upon Norton or McAfee to post warnings about viruses, which otherwise I would never even have any idea existed. ZoneAlarm, etc. allow you to check your Firewall defenses. What STOPS some weasels slipping in some evil code to Non-Py types? It WILL HAPPEN. The Poser Community is ideal because most people are artist types, not programmers... I think a Poser Community Clearinghouse for TESTED and TRUSTED Python scripts would be a GREAT THING. I can tell you that I for one would ONLY use scripts that had some type of clearance like that. There is too much to lose in the way of models, software and time if there is a sudden round of venomous snake-bites... Remember Pearl Harbor- it was on a quiet Sunday- when everyone was half asleep. When the bullets fly- it's too late...
bushi posted Sat, 03 February 2001 at 1:39 AM
Hmmm ... just one small point here. From what I've seen so far, PoserPython doesn't create .pyc files. I'll have to tinker with it some more but so far this hasn't been the case.
Mason posted Sat, 03 February 2001 at 3:16 PM
True Fox. Unlike textures or CR2 files a script can do a lot more damage. We may have to divide the upload area into a post area and safe area. That way people can post into the upload area but a script only makes it into the safe area after being checked over. How that process is determined is still up in the air. I'm going to contact Curious Labs and find out what they have crippled in their parser or what safeguards they have put in place. For example, I can't imagine they would support the socket functions from python. That and the file IO stuff are the two most dangerous.
Fox-Mulder posted Sat, 03 February 2001 at 6:24 PM
I am really glad to hear this Mason, and congratulations on becoming the Forum moderator. I think this Forum will be in great hands now as it really needs someone who knows what is going on... Python is likely the most important and powerful feature Poser has ever had, but unfortunately, there will always be some out there who only want to cause pain and misery... It is interesting that the "serpent" plays a huge role in our mystical beliefs. It is of course the serpent that offered Adam the Apple of Knowledge- forever casting Mankind out of "the Garden". (think about that symbology). And it is the serpent that forms the basis for Medical symbols and beliefs. It is the serpent that represents the "spirit" in Hindu religion and in South American Indian rites... Particularly interesting- Is it just a co-incidence that Prop-Pack, with its most important new Python Serpent feature, was launched exactly on the new Chinese New Year- the (You Guessed It) "Year Of The Snake..."
Mason posted Sun, 04 February 2001 at 12:01 AM
Damn you Fox! You have uncovered the master plan... bwahahahahaha!
CharlieBrown posted Mon, 05 February 2001 at 7:54 AM
{What STOPS some weasels slipping in some evil code to Non-Py types? } There's also the potential for some of the "smarter" virus types to possibly infect scripts of ANY type. I think. I'm not that big on writing virii, so I don't know for certain. {It is interesting that the "serpent" plays a huge role in our mystical beliefs. It is of course the serpent that offered Adam the Apple of Knowledge- forever casting Mankind out of "the Garden". } There is a school of thought that the "Serpent" in the Bible is "really" a dragon. The words for the two concepts are very similar in many languages of that area, and both can be synonymous with "devil" as well.
Tribe posted Wed, 07 February 2001 at 4:13 PM
Hiya All, May I contribute to this interesting thread. I think the biggest danger is not from peeps with malevolent intentions. But from the script writers with good intentions, but lacking the skills/knowledge in what they are creating, that may inadvertently cause major damage, and post the scripts before they have fully tested them for side effects! Even CuriousLabs adds a cautionary note to the use of this tool! I agree with the idea of screening scripts before they are made available on this site! Just in case:)! Worth doing for the peace of mind factor:) Otherwise, I think this is a brilliant addition to Poser. Hope we see some easy step by step tutorial soon! Very soon!! Tribe.
CharlieBrown posted Thu, 08 February 2001 at 10:45 AM
Tribe has a great point - something like four out of five viruses begin their lives as "accidents" created by poor or rushed programmers. Many of them are later "edited" to do more damage or be more "contagious" by malicious programmers, but the majority are (or, at least at one time WERE) created by accident.