DON'T GET HACKED Using Stable Diffusion Models! DO This NOW! 

Aitrepreneur (153K subscribers)
104K views

We recently got a cool trend in the Stable Diffusion community where basically every day we get plenty of super cool models trained with Dreambooth by the community, but is this completely safe? Can downloading these models actually get your computer hacked? A .ckpt checkpoint is a pickled Python object, and unpickling it can call arbitrary Python functions, which is how loading a model file can run code on your machine. So in this prevention/tutorial video, I will explain what a pickle is and what unpickling is, how to be safe when downloading these models, and also I will show you how to download and install 2 pickle security scanners so that you can scan every model you download for malicious code. Be safe, people!
Have you ever downloaded from a shady website? Let me know in the comments!
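Below is an added example of the kind of check the two scanners linked in this description perform. It is not code from the video or from either scanner project: it disassembles the pickle opcode stream with `pickletools.genops`, which executes nothing, and lists every GLOBAL / STACK_GLOBAL import the pickle would perform when loaded. The module blocklist is an assumption for this example (not either tool's list), and like any blocklist it only knows the modules it is told about. It also goes slightly beyond a single file: a torch-style zip checkpoint is scanned member by member, and both the protocol 2 (GLOBAL) and protocol 4 (STACK_GLOBAL) encodings of the same payload are handled. All sample inputs are constructed inline and are never passed to `pickle.loads`.

```python
"""Static scan of a pickle for the imports it would perform, without loading it.

Added example, not code from the video or from the picklescan / pickle malware
scanner projects it links. pickletools.genops disassembles the opcode stream
without executing anything, so GLOBAL / STACK_GLOBAL imports can be listed
safely. The module blocklist is an assumption for this example, not either
tool's list, and like any blocklist it only catches modules it knows about.
"""
import collections
import io
import pickle
import pickletools
import struct
import zipfile

# Assumption for this example: modules whose callables let a pickle run
# commands, spawn processes, touch the filesystem or load code on unpickling.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "__builtin__",
    "socket", "shutil", "importlib", "runpy", "webbrowser", "pty", "ctypes",
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle imports; ('?', '?') if unresolved.

    GLOBAL (protocol <= 3) carries 'module name' in its argument. STACK_GLOBAL
    (protocol >= 4) takes module and name from the two most recent string
    pushes, which may come from the memo (BINGET) rather than inline, so memo
    stores are tracked. An unresolvable import is reported, never skipped.
    """
    found, recent, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) >= 2 and all(isinstance(s, str) for s in recent[-2:]):
                found.append((recent[-2], recent[-1]))
            else:
                found.append(("?", "?"))
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = recent[-1] if recent else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = recent[-1] if recent else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
    return found


def scan(data: bytes) -> dict:
    """Scan raw pickle bytes or a torch-style zip checkpoint (every *.pkl member)."""
    if data[:2] == b"PK":
        imports = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    imports += extract_globals(zf.read(member))
    else:
        imports = extract_globals(data)
    flagged = sorted({f"{m}.{n}" for m, n in imports
                      if m == "?" or m.split(".")[0] in DANGEROUS_MODULES})
    return {"imports": [f"{m}.{n}" for m, n in imports],
            "flagged": flagged, "dangerous": bool(flagged)}


# --- constructed samples; none of these is ever passed to pickle.loads ---

def sample_malicious_proto2() -> bytes:
    """Hand-assembled protocol-2 stream: GLOBAL os.system, a string, TUPLE1, REDUCE.
    Loading it would call os.system('echo pwned'); scanning only reads bytes."""
    cmd = b"echo pwned"
    return (b"\x80\x02" + b"cos\nsystem\n"
            + b"X" + struct.pack("<I", len(cmd)) + cmd + b"\x85R.")


def sample_malicious_proto4() -> bytes:
    """Same payload in protocol 4: SHORT_BINUNICODE + MEMOIZE for 'os' and
    'system', then STACK_GLOBAL. Grepping for b'cos\\nsystem' would miss this."""
    def s(text: bytes) -> bytes:
        return b"\x8c" + bytes([len(text)]) + text  # SHORT_BINUNICODE
    return (b"\x80\x04" + s(b"os") + b"\x94" + s(b"system") + b"\x94" + b"\x93"
            + s(b"echo pwned") + b"\x85R.")


def sample_benign_checkpoint_zip() -> bytes:
    """Constructed torch-like archive: archive/data.pkl holds an OrderedDict,
    whose GLOBAL collections.OrderedDict is legitimate: listed, not flagged."""
    state = collections.OrderedDict(weight=[0.1, 0.2])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(state, protocol=2))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("proto2", sample_malicious_proto2()),
                        ("proto4", sample_malicious_proto4()),
                        ("checkpoint.zip", sample_benign_checkpoint_zip())]:
        print(label, scan(blob))
```

The `imports` list is as important as the `flagged` list: a real checkpoint legitimately imports things like `collections.OrderedDict` and torch's tensor rebuild helpers, so a reviewer should read the full list rather than trust an empty `flagged` result, since a callable from a module outside the blocklist is still executed by `pickle.loads`.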
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
SOCIAL MEDIA LINKS!
✨ Support my work on Patreon: / aitrepreneur
⚔️ Join the Discord server: bit.ly/aitdiscord
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Runpod: bit.ly/runpodAi
%pip install gdown
!gdown drive.google.c...
Stable Diffusion Pickle Scanner:
github.com/zxi...
pastebin.com/Q...
picklescan --huggingface
Python Pickle Malware Scanner:
github.com/mma...
pastebin.com/K...
To read if you want to know more:
splint.gitbook...
huggingface.co...
Special thanks to Royal Emperor:
- DanO..
Thank you so much for your support on Patreon! You are truly a glory to behold! Your generosity is immense, and it means the world to me. Thank you for helping me keep the lights on and the content flowing. Thank you very much!
#stablediffusion #dreambooth #stablediffusiontutorial #cybersecurity
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
WATCH MY MOST POPULAR VIDEOS:
RECOMMENDED WATCHING - My "Stable Diffusion" Playlist:
►► bit.ly/stabled...
RECOMMENDED WATCHING - My "Tutorial" Playlist:
►► bit.ly/TuTPlay...
Disclosure: Bear in mind that some of the links in this post are affiliate links and if you go through them to make a purchase I will earn a commission. Keep in mind that I link these companies and their products because of their quality and not because of the commission I receive from your purchases. The decision is yours, and whether or not you decide to buy something is completely up to you.

Published: 12 Sep 2024
Comments: 330
@Aitrepreneur 1 year ago
HELLO HUMANS! Thank you for watching & do NOT forget to LIKE and SUBSCRIBE For More Ai Updates. Thx
@MacGuffin1 1 year ago
Has this happened in the wild? Can't we just hash the model and check against people who can (professionally) scan 5 gig pickles?
@Tampsey 1 year ago
Humans? where?
@Spanu96 1 year ago
LOL LOL LOL, very hard to not say it when you say not to.
@IntiArtDesigns 1 year ago
Finally, someone addresses the security concerns. THANK YOU.
@Aitrepreneur 1 year ago
Better to prevent than cure :)
@IntiArtDesigns 1 year ago
@Aitrepreneur Absolutely.
@devnull_ 1 year ago
Took quite a while...
@JonathonBarton 1 year ago
@Aitrepreneur I looked into this a couple weeks ago, and I think you covered it really well - the only thing that I think you left out was that pickle has MANY more legitimate uses for python programmers, but it's *possible* to use it for malicious purposes - and that the rules that you (should be) using for your daily internet activities (have an AV program, have a Malware program, only download from trusted sources, etc.) are going to be sufficient for _most_ people's use. i.e. If you're a less-technical user and are only getting models from Huggingface (or especially if you're getting NO additional models besides 1.4), then _there's no need to panic and go through all these extra hoops_
@axelanderson2030 1 year ago
Lmao, I was aware of pickle vulnerabilities before SD, and the first thing I thought was, "fuck me I have to write a pickle verifier don't I". Thank god someone did it already
@Firespark81 1 year ago
Known about this for a little over a week now. This is a big deal and I have not seen anyone else make a video about it. Thanks for bringing awareness. Be safe everyone, it's a jungle out there.
@foxdog9332 1 year ago
It's been talked about for months now, look up pickling python
@asterpw 1 year ago
I'll just wait for other people in the community to verify a new checkpoint is safe before downloading it. There's no way popular checkpoints won't be scrutinized
@gamedev251 1 year ago
so are like the big ones like the basic stablediffusion and dreamshaper ok?
@bizentino 1 year ago
@gamedev251 if you find them on an official page and from the proper creators, you are good to go. Just read the comments just in case.
@mjdevlog 1 year ago
Thank you K! Finally someone explains the pickle scanner thing to the average consumer because the GitHub pages for all of them are just confusing.
@SPINNINGMYWHEELS777 1 year ago
it's incredible. life changing. I just wonder when all y'all gonna find employment.
@Saimsboy 1 year ago
And the final and most important layer... 1.-Never run untrusted software out of a virtual machine, or... 2.-Never run untrusted software on your personal PC. If you abide by these rules, you'll be safe.
@Aitrepreneur 1 year ago
I mean there are even viruses that can recognize that you are using a virtual machine and still infect your main machine...it's scary
@ianjohnson3546 1 year ago
So where is a good guide on installing local SD in a VM with a Windows host? I've tried a few times to find a good tutorial but unsuccessful so far. Most of the guides seem to focus on Linux hosts or on just using WSL in Windows rather than a proper VM.
@junehanabi1756 1 year ago
@dieselbaby It depends on how sandboxed is the problem, for example, if you install vmware/virtualbox tools into that environment then you are by definition creating a deeper bridge between the host and client, even though this bridge is still largely sandboxed, it opens up many possible vulnerabilities that can be exploited (Filesystem or driver exploits, etc...) If your virtual machine has access to the internet then you have network vulnerabilities it can use. But even not installing tools and not giving internet access, code within the virtual machine always has some way to access some level of detail about the host software and host machine, this is how it's detectable that you're in a VM, there could be exploits in this basic access to gain deeper access to the host machine. Another problem that's probably more common in vmware is certain configurations can open up access to other virtual machines and by extension the host machine. If I remember right, some virtualization engines will have additional security options you can enable to further isolate the instance. This is why updating tools, updating your computer, updating your software, and updating your drivers is so important because if anything gets old exploits can become known and used. Virtual Machines are not a perfect world.
@axelanderson2030 1 year ago
git gut -> learn to identify malware -> profit it's only taken me like years and years of experience.
@ppehrson 1 year ago
No. This video is just about that. An AI model is hardly software you run. It is data. But it has the ability to execute code without your knowledge, that still doesn't make it software. I mean, since the models require software to handle them, I claim the models in themselves are not software, but data files.
@swannschilling474 1 year ago
Thanks for teaching us about pickles!! 😁 It's really good info that Huggingface has the option to check the models and scans them beforehand... did not know about it before!! Thanks for the info!! 😇
@Aitrepreneur 1 year ago
Glad it was helpful!
@st.michaelthearchangel7774 1 year ago
Really sad that people will live as scumbag scammers, trying to steal from and lie to people. Thanks for making this video.
@Eirikur_ 1 year ago
Unsafe pickles are why I have been too paranoid to actually download any new models
@GamingDaveUK 1 year ago
Had no idea the models could even be dangerous! Thank you for the ways to check them
@Aitrepreneur 1 year ago
You bet!
@jenerub 1 year ago
Damn man, I hadn't even thought about that. Thanks for teaching us about this
@djzigoh 1 year ago
Thanks for the video, as far as I know this is why the safetensors format was put into place. From their GitHub: "This repository implements a new simple format for storing tensors safely (as opposed to pickle) and that is still fast".
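To make concrete why the format quoted above is safe to load, here is an added example (not code from the safetensors project, nor from the video) that writes and parses the format by hand. It relies only on the documented layout: an 8-byte little-endian header length, a UTF-8 JSON header mapping tensor names to `dtype`, `shape` and `data_offsets` (plus an optional `__metadata__` string map), then the raw tensor bytes. Reading that is JSON parsing plus bounds arithmetic, so a hostile file can at worst be rejected or waste memory, never run code. The header size cap, the contiguity check and the hostile samples are this example's own constructions.

```python
"""Parse a .safetensors blob with bounds checking and no code deserialisation.

Added example, not code from the safetensors project. Layout (documented):
8-byte little-endian header length, UTF-8 JSON header, raw tensor bytes.
The header cap and the strict contiguity check are this example's choices.
"""
import json
import math
import struct

DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2, "I16": 2,
              "F32": 4, "I32": 4, "F64": 8, "I64": 8}
MAX_HEADER_BYTES = 100_000_000  # refuse absurd headers before json.loads sees them


def write_safetensors(tensors: dict, metadata=None) -> bytes:
    """tensors: name -> (dtype, shape, raw little-endian bytes), laid out back to back."""
    header, chunks, offset = {}, [], 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [offset, offset + len(raw)]}
        chunks.append(raw)
        offset += len(raw)
    if metadata:
        header["__metadata__"] = metadata
    hjson = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hjson)) + hjson + b"".join(chunks)


def parse_safetensors(blob: bytes) -> dict:
    """Return {"metadata": ..., "tensors": name -> {dtype, shape, data}} or raise ValueError."""
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES or 8 + n > len(blob):
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    data = blob[8 + n:]
    tensors, spans = {}, []
    for name, info in header.items():
        if name == "__metadata__":
            if not (isinstance(info, dict) and all(
                    isinstance(k, str) and isinstance(v, str) for k, v in info.items())):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        if not isinstance(info, dict) or not {"dtype", "shape", "data_offsets"} <= info.keys():
            raise ValueError(f"{name}: malformed tensor entry")
        dtype, shape, (begin, end) = info["dtype"], info["shape"], info["data_offsets"]
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unknown dtype {dtype!r}")
        if not all(isinstance(d, int) and d >= 0 for d in shape):
            raise ValueError(f"{name}: invalid shape")
        if not (isinstance(begin, int) and isinstance(end, int)
                and 0 <= begin <= end <= len(data)):
            raise ValueError(f"{name}: data_offsets outside the tensor buffer")
        if end - begin != math.prod(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: byte length does not match shape and dtype")
        spans.append((begin, end, name))
        tensors[name] = {"dtype": dtype, "shape": list(shape), "data": data[begin:end]}
    spans.sort()
    for (_, end1, n1), (begin2, _, n2) in zip(spans, spans[1:]):
        if begin2 != end1:  # overlap or gap between consecutive tensors
            raise ValueError(f"tensors {n1} and {n2} are not contiguous")
    if spans and (spans[0][0] != 0 or spans[-1][1] != len(data)):
        raise ValueError("tensor buffer has leading gap or trailing bytes")
    return {"metadata": header.get("__metadata__", {}), "tensors": tensors}


def rejects(blob: bytes) -> bool:
    """True if the parser refuses the blob; hostile inputs must fail closed."""
    try:
        parse_safetensors(blob)
        return False
    except (ValueError, TypeError):
        return True


# --- constructed samples ---

def sample_good() -> bytes:
    """A 2x2 F32 tensor with one metadata entry."""
    return write_safetensors({"w": ("F32", [2, 2], struct.pack("<4f", 1, 2, 3, 4))},
                             {"format": "pt"})


def sample_hostile_offsets() -> bytes:
    """Plausible header whose data_offsets point a terabyte past the file end."""
    hdr = json.dumps({"w": {"dtype": "F32", "shape": [2, 2],
                            "data_offsets": [0, 1 << 40]}}).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + b"\x00" * 16


def sample_hostile_header_len() -> bytes:
    """Header length field far larger than the file itself."""
    return struct.pack("<Q", 1 << 62) + b"{}"


if __name__ == "__main__":
    print(parse_safetensors(sample_good())["tensors"]["w"]["shape"])
    print(rejects(sample_hostile_offsets()), rejects(sample_hostile_header_len()))
```

The contrast with a pickle-based checkpoint is the whole point: every branch in `parse_safetensors` is a length or type check on data, and the worst outcome of a malformed header is an exception. Converting a `.ckpt` to `.safetensors`, on the other hand, still requires unpickling the source file once, so that conversion step is where the pickle risk lives.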
@DjSligs 1 year ago
This might be the most important video yet, thank you so much
@Aitrepreneur 1 year ago
Glad it was helpful!
@festro1000 1 year ago
It was inevitable, with how ground breaking this technology is it would make sense (from a cyber criminal's PoV) to target open source AI. Years ago when I was volunteering at a computer repair shop (mid 2000s) we used to recommend people use Apple products (heresy I know), as few enough people were using it that it didn't make sense for criminals to write malware for it rather than the widespread windows market, however as more people started adopting Apple products the very obscurity that obscured them for the longest time was no longer applicable, that and how expensive they are started making them a target as they had not only the numbers but also the demographic cyber criminals were after. Basically we have the (largely) same thing here, an insanely popular field of software that everyone is installing makes a great vector to infiltrate people hopping in to the AI craze, and the open nature of open-source makes it as easy to proliferate as it is to patch.
@bunnybal 1 year ago
Thanks for all your helpful videos 🥰
@Aitrepreneur 1 year ago
Thanks so much for the tip ;)
@temanor 1 year ago
@Aitrepreneur lol
@Comm0ut 1 year ago
Part of basic computer security is not using one PC for every task, or at minimum not using one OS installation or instance for every task. If nothing important lives on one's toy machine (or virtual machine) that OS install is safely expendable. Hardware is cheap at a level useful for shopping and communication and one can remote into those boxes while using their gaming/toy PC for toy uses.
@iamYork_ 1 year ago
You read my mind... I was just looking into pickles myself... Now I am hungry...
@Aitrepreneur 1 year ago
It's best on a burger ;)
@iamYork_ 1 year ago
@Aitrepreneur hHAHAHAH truth
@iamYork_ 1 year ago
@Aitrepreneur but tried a new model I found on hugging face today and suddenly automatic1111 stopped working... I need a pickle for more than one reason...
@Aitrepreneur 1 year ago
Which one?
@iamYork_ 1 year ago
@Aitrepreneur so not a hack... was able to decipher it... it was the dreambooth extension causing the errors... either way looking forward to some pickles...
@sergentboucherie 1 year ago
5:09 another possibility is to use someone else's computer and see if it gets hacked. If the computer is fine after a while then install it on your computer, if it is not fine then congratulations, your computer is safe.
@Alex52YT 1 year ago
Rip grandmas laptop
@purposefully.verbose 1 year ago
if this is something you'd do purposefully, then you need to replace that B in your name with a D. ;)
@zvit 1 year ago
You tell us you'll get mad if we use LOL, and then you joke about pickles...
@hitlab 1 year ago
Does anyone know if we should be concerned about embeddings downloaded from Hugging?
@TheCheng101 1 year ago
Thanks so much, it's like you see all, I was wondering about this issue and even tried for myself, glad I was at least moving in the right direction
@Aitrepreneur 1 year ago
Glad it helped
@bobburger8927 1 year ago
Should I be worried if all I have is the original "model .ckpt" file from your Super SD 2 video, and have "git pull" enabled for updates to the web UI in the "webui-user .bat" file?
@KrakenCMT 1 year ago
Peter Piper picked a peck of Python Pickles.... Haha, Sorry... :)
@ennnafnlaus2904 1 year ago
Okay, I was managing to take this seriously through most of the video, with all of the references to pickle scanners, but as soon as you brought up pickle inspectors, I could no longer restrain the laughter ;)
@Aitrepreneur 1 year ago
Sorry :D
@Because_Reasons 1 year ago
Automatic's automatically unpickles them I believe.
@camclare 1 year ago
we need to be making our own models on our own machines, no cloud, headless linux os on USB for those with 6GB cards asap
@ujjvalw2684 1 year ago
making your own model is very exhausting and resource heavy task tho.. no?
@matTmin45fr 1 year ago
Thank you for making things easier for everyone ! Awesome job !
@Aitrepreneur 1 year ago
No problem 👍
@hackclaces 1 year ago
You and your vids are a great contribution to the community thanks a lot man!
@CL-sw7qv 1 year ago
Thank you - new subscriber here! The thought occurred to me, but you really helped bring to light these security concerns! I hope others will see this video, and become aware of the potential dangers.
@g.kirilov1352 1 year ago
These are valid concerns, but the scanners only catch obvious malicious code. You can write malicious code in many ways that will not get detected. Saying that the scanner will help is alas misleading. It will not. Best advice is to just use reputable stable diffusion models like runway and compvis and just do your own dreambooth.
@ChaosTheory666 1 year ago
Was looking for this comment before making a similar one.
@Alex52YT 1 year ago
0:34 what Model is it?
@MemesnShet 11 months ago
Dayum this video is great because I installed a bunch of those custom models recently
@singebkdrft 1 year ago
You can also run stable diffusion inside of a docker or podman container on your own computer.
@Santriell 1 year ago
Hey ! Pickles are not cucumbers ! They're a totally different genus ^^
@Melodias102 1 year ago
Can your main antivirus software detect these .ckpt viruses as well? Or do you need the pickle scanner no matter what?
@ravnf6039 1 year ago
That particular model could be "Anything v3"? I saw people on Reddit speculating about the origin of the model. Also great video man, I did run some tests on my models but it's not common practice for everyone, so glad to see someone addressing this
@xarc2672 1 year ago
I really wanted to try that model, it looks awesome, but now I'm too scared 😆 even if the pickle scan says that it is fine
@ravnf6039 1 year ago
@xarc2672 You could try it with a colab notebook that doesn't require Drive, there are notebooks out there that use automatic1111, if I remember correctly you could find one searching for "automatic1111 colab Voldemort" or something like that
@ravnf6039 1 year ago
@Avenger222 the one by delaadams or the one by delos?
@ravnf6039 1 year ago
@Avenger222 Probably the one that made the torrent was the bad actor, I used both (Delcos and Deltaadams) and everything was fine. I took the risk with the anything model but if the only option is a torrent I'm not downloading that shit, unless it seems interesting, but in that case I use a VM to execute it and see what happens
@civi41588 1 year ago
Sometimes trying to explain something complex that is easy to you results in confusion. Many of us didn't understand 3/4 of the video and just wanted to know how to safely install models :/
@texx8205 1 year ago
This is all nice and all, but to open a pickle those scanner scripts import the pickle module, which could theoretically be used by some malicious code later on. So by running a completely harmless scanner now you are potentially opening the door for the attack later on. Not really sure what to think about this...
@kamransayah 1 year ago
Thanks for keeping us safe! I checked your channel again right now and I think you need to show some love to your home page and customize it! Even if you don't want to make a trailer video for your home page, it's not a bad idea to let the last video load up for new people! Anyway, I just noticed that and I thought it was worth mentioning! Have a great day OVERLORD!
@Aitrepreneur 1 year ago
Good point! I will
@Roughneck7712 1 year ago
What’s funny is that there will be people who jump through hoops like this to protect themselves while using SD but won’t bat an eye when they download a video off P07nHvb five minutes later
@ianjohnson3546 1 year ago
Tells us no LOLs allowed, moments later @1:35 tells a joke.
@asriel7823 1 year ago
Very useful guide. But what if you converted the ckpt into safetensor locally using a converter extension for SD Automatic1111? Does that still contain the malicious code if ever it has some in it after the conversion? But I'm afraid loading the ckpt file in the converter might also run the code in the background just by doing so...
@DeusExRequiem 1 year ago
Wonder how long before the pickle scanner gets added by default to SD UI
@adriansozio 1 year ago
Just add them to the bat file yourself, before running SD
@ujjvalw2684 1 year ago
@adriansozio genius
@canvapikltd6305 1 year ago
Thank you for your video, it's always good learning from aliens! Cheers from planet Heart
@dreamzdziner8484 1 year ago
You are AI overlord for a reason❤🔥🙏🏽
@middleman-theory 1 year ago
The Stable Diffusion Pickle Scanner operation doesn't work. I click on the .bat file, and all I get is a blank scan_output.txt file. UPDATE: Nevermind, I rewatched your video and followed the instructions EXACTLY AS YOU SAID THEM and now it works correctly.
@DarkFoxes 1 year ago
**Me who's just been using websites like playground ai and Novel ai :** Alright I'll be off then
@DoctorKusanagi 10 months ago
Stable Diffusion seems to ignore negative prompts now. You put anything regarding NSFW or nudity and it just does the opposite, no matter what you write in negative prompts.
@alexsanders8881 1 year ago
Friend, first of all congratulations for the video. By the way, is it possible to train a model and during that training pause to continue on another day? Thanks
@erickbarsa5433 1 year ago
Hey Aitrepreneur! I'm trying to execute the SD Pickle Scanner method but the bat file is just showing me the first text line you had on screen, The name of the first model but no scanning results. Is there something I'm missing? / any solution?
@zaidabouzeid4463 1 year ago
did you figure this out?
@erickbarsa5433 1 year ago
@zaidabouzeid4463 Nope, seems like no one has an answer to this
@rychei5393 1 year ago
OMG, this is SO confusing!
@peekD_ 1 year ago
Where do people even find such models to try from the community? I am trying to make a model to change my photos of me into cool artistic / anime style etc by training a model (To get Lensa like results) But I'm wondering if maybe theres already a model out there
@FluorescentApe 1 year ago
Does anyone know how legit the website civitai is?
@borisvokladski5844 1 year ago
Thanks for showing the security concerns + the guide to run SD on Runpod. Now I'm more secure than before + I save money by running SD in Runpod because of the insane price of electricity in my country + I can generate more images per time on a RTX A5000 card in Runpod than on my gamer PC with a GTX 1070 card. It is a triple win.
@dasso7547 1 year ago
Bravo ! Excellent video and happy new year :)
@SeththeMasterGamer 1 year ago
This is why I only tested them on huggingface in a web window. Thought the same thing…
@ewaburda2965 1 year ago
And how about the basic Automatic's local SD? Not gonna lie, I'm worried every time I launch this thing.
@cotes42 1 year ago
yes but what defines "malicious" code inside the pickle file? is there a team of people working on a database of definitions?
@henriquegonfer7750 1 year ago
Very important video. There are a lot of torrents for models on the web that do not have a link on huggingface or other trusted sites
@ShimizuIzumi 1 year ago
AUTOMATIC1111's WebUI has a scanner built in, I tried loading a model and it blocked it and printed to the console that it has potential malicious code in it.
@Antares2 1 year ago
What about safetensors files? Are they safe from this? I see that picklescan doesn't scan them.
@Adam-kx9gi 1 year ago
all i got was an empty scan output txt file
@Plagueheart 1 year ago
I am more worried about whether it checks encrypted strings, because at the moment it looks like it checks imports and blacklisted API calls. The only way to check encrypted strings is to execute the code and let it unravel itself. Best way to check this is inside a VM environment
@sarpsomer 1 year ago
Super helpful super informative. THANKS !!!!
@xdeathknight72x 1 year ago
Great video. I saw people on reddit mention a model that was 300gb that was some giant Anything model from China and I was like "who the fuck is gonna download and trust that!?"
@Aitrepreneur 1 year ago
I don't remember seeing a model like that but yes there is a Chinese model right now that everyone is afraid of, I'll show it off tomorrow
@user-gm1se3rn1f 1 year ago
how do i upload my model to google drive?
@eonfluxparadox 1 year ago
Does this also apply to safetensor files? Or is that 100% safe?
@nawnie8615 1 year ago
I'd be careful using possibly unsafe .ckpt on your personal Google account. RunPod, Paperspace, or Vast store a lot less information about you than Google does. My worry is a model that injects malicious code into the images themselves.
@Heico321 1 year ago
I hope you protected your SD webUI with a password (GRADIO_AUTH). Otherwise, by default anyone could access your RunPod, which also doesn't seem very secure.
@sampsmusik 1 year ago
This was good and hopefully a lot of people see this before trying to get all those sweet ckpts
@AnimeCoffeeShow 1 year ago
good research is always the best prevention
@alinerdelav 1 year ago
So which pages are the best for downloading models, Hugging Face and the one where the best model you ever downloaded from your last video?
@Lindsey_Lockwood 1 year ago
Can you setup a sandbox environment to run the models in on your PC locally?
@GarethOwenFilmGOwen 1 year ago
So basically don't do or download any stuff that you don't need to, and have Malwarebytes on your PC
@myhearn 1 year ago
Could you do a tutorial on using .safetensors
@hatuey6326 1 year ago
thanks so much for the information. I used only Hugging Face for the models but I've installed the pickle scan thanks to you !!
@Aitrepreneur 1 year ago
Glad I could help!
@Snafu2346 1 year ago
is this just for checkpoints that are possibly infected or does it concern textual inversion files?
@justanotherhuman3668 1 year ago
Is stable diffusion and automatic1111 safe to begin with? I want to train my own models but I’m worried about the safety of downloading these files
@ProfessorDJ-px3mc 1 year ago
Of course, nothing is 100% but if you run SD in google colab and 'copy to drive' the shared google colab file, would you be safe from backdoor pickle google drive attacks? (Since you are saving it to your own drive). I'm guessing there is a very low probability when running the code in colab of infecting local disk files (since it is cloud based), the only major danger would be to your google account. Just curious if 'saving a copy' would counteract that since it's not shared with anybody. Thanks!
@unknownuser3000 1 year ago
I have 130 models but I created most so I know they're safe lol... just checked, it's 264! I save every 1000 steps so 20 files is one model concept at different steps, so it's probably actually about 50 or 50 models. It's too many, my model folder is over 500 GB :(
@unknownuser3000 1 year ago
Still gonna use this to scan before posting since I can't post my models to huggingface. Thanks for the information!
@poponium 1 year ago
Again, many thanks Aitrepreneur !
@Aitrepreneur 1 year ago
My pleasure!
@Al-Musalmiin 1 year ago
what if i use .safetensors files only? do i still have to worry about the pickles?
@Cola-42 1 year ago
Why are we talking about pickles!? Now I'm hungry.
@devnull_ 1 year ago
Pickling = serialization, unpickling = deserialization.
@pavilionlakebooks8479 1 year ago
I'll stick to online SD version
@nikoleifalkon 1 year ago
Please if you can do a video about Pytorch and the infamous Cuda error memory, nobody in RU-vid has a solution and the only video available for that is a clickbait using Windows Page Memory as the solution.
@IllD. 1 year ago
picklescan command isn't recognized after install wtf.
@MrArrmageddon 1 year ago
Has anyone heard if the leaked NovelAI Model was infected or not? I have not heard anything. And just for the record I would "not" recommend using that model because it's morally wrong. And we would never do that. But if someone were to use it. Has anyone heard of any problems so far?
@Bleachhitmanhollow 1 year ago
i get this when i try for the second one 'pip' is not recognized as an internal or external command, operable program or batch file.
@serenditymuse 1 year ago
You need to say more so that those of us who actually are quite tech savvy can evaluate the risk and how to detect and block it efficiently. A pickle in python pickles object data NOT code normally. And if you want to do something extra like pickle code somehow you need a cooperative unpickler. I would be surprised if both ends were that uncontrolled. In particular you cannot pickle code in python. In 15 years of python work I have never seen it done. There seems to be a lot of confusion in that saying you can pickle an "object" implies to someone you can pickle its methods. It is not so. But then I see lambda layers thrown in which are not a pickle at all but a different thing like a zip file of code equivalent. Different beast I wish people would not call a "pickle". Looking into the Keras lambdas a bit more, which are NOT to be confused with general code outside a models processing flow like AWS lambdas and such or lambda functions in python itself or more powerful lambdas in other languages. As I understand it these are strictly to do additional changes of inputs to outputs in a model. So they are not general code able to access all kinds of stuff on your computer like some random exploit. I will read deeper but so far I think this is overblown. Prove you can get a virus on your computer from this or point to the proof please.
@francisquebachmann7375 1 year ago
At this point I would suggest buying a dedicated PC just for AI generative tools, you can run anything you want without risk to very important stuff. Malware ruins everything.
@captainpumpkinhead1512 1 year ago
"No laughs this time!" Tells a joke 1 minute later...
@neuto 1 year ago
4:45 Is there a way to easily determine the "completely fine" types of pickles?
@purposefully.verbose 1 year ago
thanks, mate... it's a brave new world out there. appreciate the heads up for these unexpected problems.
@Aitrepreneur 1 year ago
No worries
@ilahazs 1 year ago
It isn't dangerous if you don't install SD locally, like running it from Colab.
@rne1223 1 year ago
I don't know about running unknown/malicious files on RunPod. If you don't know any better, it is possible that your instance can be overtaken to mine crypto and then you are left with a huge bill.
@roryviner263 1 year ago
Did you forget to link the Google Colab you used at 5:45 min?
@IronDruids 1 year ago
Does your video work with the normal stable diffusion install? Not sure what the super stable diffusion thing was about. I just have the automatic1111 and let a git pull keep everything updated after the install. Nothing is labeled "super stable" in my files. Does this matter for the pickle scanner? This gave me a scare btw. I ignored the advice to only download from hugging face this morning because it looked exciting and it was one of the first things I saw in the morning. That's the danger of catching up on new alerts right after waking up I guess lol. But I downloaded and scanned the model on my computer and everything seems to have passed your video's scan method.
@Aitrepreneur 1 year ago
Super stable diffusion is my own naming scheme for the automatic1111 and it confused a lot of people, I try my best not to use that name anymore so people don't get confused
@shalak001 1 year ago
Isn't the answer "use only safetensors models"? 🤔
@popixel 1 year ago
Is there a way to just turn off the downloads?