GH Security Topic

Hello

I'm new here, so I'm trying to write a pro-tips question-with-answers post. Hope it helps. Hope it opens your eyes to safety.

I couldn't find any subject on security in this forum or GH related, so, deeming it a business risk, I thought this subject should be part of the forum - but it's nice to see an unaffected field. Also it would be nice to share any incidents - it might avoid any of us repeating the same mistake! We adapt and hopefully work smarter, faster and longer with this in mind - I do so professionally.

Also, I don't want to scare anyone, but it's a serious risk if you download and open a GH file. Not sure your AV will smell it or see it coming - if there's some obfuscated Python code that deletes or encodes any files available to the user!

Beware of parametric Greek Horses (I made an animal pun on GH!) as they say.

How?

I'm admin of my PC (could be Linux or Mac - don't know) so I give the right to download and open a GH file in Rhino. I can do almost anything on my PC with possibly catastrophic results (not if but when, since I download “code” from the net) which might cost you an IT tech budget you'll regret (assuming you didn't lose the disk encryption key too - saved on the locked-out computer!).

These things really happen!

My experience
I have worked in a highly secure IT environment for 20 years (no Rhino/CAD anywhere kind of company, but equally complex and data rich). My home PC runs Rhino for hobbies.

Trade-offs between perf and restricting stupid users doing stupid things (at work).

So the message here is:
I'm worried about downloading a Grasshopper script that could do bad things on my PC.

What are basic and advanced protection against this?

I would like to share basics of security to avoid disasters:

  • Use a non-admin user to run Rhino
  • Run Rhino on a VM or via RDP (yuk for perf)
  • Restricted file access and local security lock-in (on windoze/nix for example)
  • Restrict per project directory (read on all projects but only write on current project directory)
  • Backup and serialize changes instead of overwriting the same file - trust me on this.
  • AV/FW/phishing user education.

Threats:

  • scripts
  • save file as path… allowed…
  • I haven't explored the rest yet (like pen testing). But it's a concern. Yet, I can't help wondering at the wonderful and amazing examples all over this forum and other videos.

But I was wondering what less intrusive ways exist? (GPOs on Windows, cloud VM sessions (yuk))…

Any user methods/rules/discipline to follow you find productive or safer?

What other key factors help avoid disaster in your shop or company (and keep perf to a maximum)?

Obviously any security measure is a recurrent pain and a fact of life. Not trying to scare anyone. Just saying it's happened before in other programs with macros enabled…

Design and prosper
Xavier

1 Like
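A defender-side triage check of the kind the post is asking for, as an added example that is not from the original thread: it parses a Grasshopper XML definition (.ghx) and flags every string item whose text calls file-deleting, process-spawning or network APIs, so a downloaded definition can be looked at before it is ever opened in Rhino. The Archive/chunks/items layout, the gh_string type name and the CodeInput item name are assumptions from inspecting saved definitions, not an official spec, and the sample archive below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# API names a script hidden in a definition would need in order to delete or
# encrypt files, spawn processes or talk to the network. Heuristic only.
SUSPICIOUS = {
    "python-fs": re.compile(r"\b(os\.remove|os\.unlink|shutil\.rmtree|os\.system|subprocess\.)"),
    "python-net": re.compile(r"\b(urllib|requests|socket)\b"),
    "dotnet-fs": re.compile(r"\b(System\.IO\.(File|Directory)\.Delete|Process\.Start)\b"),
    "dotnet-crypto": re.compile(r"\bSystem\.Security\.Cryptography\b"),
}

# Constructed sample .ghx archive containing one GhPython component.
# Tag names and the "CodeInput" item name are assumptions about the format.
SAMPLE_GHX = """<Archive name="Root">
  <chunks>
    <chunk name="Definition">
      <items>
        <item name="Name" type_name="gh_string" type_code="10">Panel</item>
      </items>
      <chunk name="Object">
        <items>
          <item name="Name" type_name="gh_string" type_code="10">Python Script</item>
          <item name="CodeInput" type_name="gh_string" type_code="10">import os, shutil
shutil.rmtree(os.path.expanduser("~/Documents"))
a = 1</item>
        </items>
      </chunk>
    </chunk>
  </chunks>
</Archive>
"""


def scan_ghx(xml_text):
    """Return [(item_name, category, matched_text)] for every gh_string item
    whose text matches a suspicious pattern. Every string item is scanned,
    not just known script components, so a renamed component is still caught."""
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.iter("item"):
        if item.get("type_name") != "gh_string" or not item.text:
            continue
        for category, pattern in SUSPICIOUS.items():
            for match in pattern.finditer(item.text):
                hits.append((item.get("name"), category, match.group(0)))
    return hits


if __name__ == "__main__":
    for name, category, text in scan_ghx(SAMPLE_GHX):
        print(f"{name}: {category} -> {text}")
```

Obfuscated code, the case the post worries about, will not match these patterns, so an empty result is not clearance; a hit is simply a reason to read the code or open the file in a throwaway VM first. This only works on the XML .ghx format, not the binary .gh archive.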

One thing you could do to lock things down a bit is to delete the python plugin and the ScriptingComponents gha — this would prevent any C#, VB.NET, or Python scripts from executing on your machine. This would limit you (you couldn't use any scripting components or borrow scripts from others), but it would probably enhance security somewhat. Each new plugin/gha you download might conceivably hide a threat — but you could limit yourself to installing plugins you trust (open source, for example). Not ironclad by any means, but it would limit risk considerably. Beyond that, I actually think a remote virtual machine is a good option. I myself use Paperspace frequently for this purpose (more for convenience than for security!).

And frequent write-once-only incremental backups. You should do that anyway if you have important data. You could even use a service like github to frequently back up your important data with a full history record.

Or get a journaling file system with tiered storage + cloud replication - though that could get costly.

Didn’t think of Git that way… Thanks!

First testing the downloads in a safe VM/PC to check that they're safe would be worth the effort.

Wouldn’t this also be true of any Rhino plugins/scripts?

Just because there are no incidents doesn't mean they haven't already happened. It's always a great risk downloading executable code. I just think that the awareness is simply missing.