Re: [R] Security issue

From: Barry Rowlingson <b.rowlingson_at_lancaster.ac.uk>
Date: Wed, 02 Apr 2008 13:11:49 +0100

Hanek Martin wrote:
> Hello,
>
> I am trying to convince our IT Manager that R is as safe as possible
> from an IT security point of view - could you point me to something on
> the web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.
>

  To add to Brian's note that rightly says 'R can only do what a user can do anyway', I'll point out that R doesn't open any network ports, so it doesn't expose the machine that way. Unless of course you run a network server in R (is there a server package on CRAN?).

  I can think of crazy ways where R might be involved in an exploit - for example, if the malicious party poisoned your DNS, then when you tried to install a package from CRAN, a fake DNS entry for cran.r-project.org would mean you instead got a package from a malicious party's web site, and hence you'd be running the wrong code. It would take a lot of work though - I suspect the intersection set of R programmers and black-hat hackers is pretty small. And if the hacker can poison the DNS effectively then there are plenty of easier exploits to do.

  And anyway, it's probably easier to get malicious R code by just announcing it on R-help. A message of "I've written this package to do XXYYZ" and a non-CRAN URL might get some people to bite. But the same applies to just about anything you download from the net - browser extensions, screen savers, add-on applications and so forth.

  R mitigates against this by having open source code for its core and CRAN add-on packages. Perhaps your IT Manager should only sanction the use of packages from CRAN? Although enforcing this wouldn't be easy.

  So yes, R is as safe as possible, for most values of 'safe' and 'possible'.

Barry
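The 'only sanction packages from CRAN' policy mentioned above, as an added example in R that is not part of the original thread: an allowlist of HTTPS CRAN mirrors (the list is an assumption; adjust it to the mirrors your site actually sanctions) and a wrapper that refuses to install from anything else. HTTPS with certificate validation is also what closes the DNS-poisoning scenario, since a spoofed host cannot present a valid certificate for the mirror's name.

```r
# Added example, not from the original thread. The allowlist is an assumption.
allowed_repos <- c("https://cran.r-project.org",
                   "https://cloud.r-project.org")

# TRUE for a repository URL that uses HTTPS and whose host is on the allowlist.
# Certificate validation over HTTPS is what defeats a poisoned DNS entry for
# cran.r-project.org: the impostor cannot present a valid cert for that name.
repo_is_allowed <- function(url) {
  u <- sub("/+$", "", url)          # normalise a trailing slash
  grepl("^https://", u) && u %in% allowed_repos
}

# Audit the repositories this R session is configured to install from.
# Returns TRUE (invisibly) when every configured repo is sanctioned.
audit_repos <- function(repos = getOption("repos")) {
  repos <- repos[repos != "@CRAN@"]   # placeholder meaning "ask the user"
  ok <- vapply(repos, repo_is_allowed, logical(1))
  if (any(!ok)) {
    warning("Non-sanctioned repositories configured: ",
            paste(repos[!ok], collapse = ", "))
  }
  invisible(all(ok))
}

# Wrapper around install.packages() that only talks to allowlisted mirrors.
# repos = NULL is how a local tarball or an ad-hoc URL gets sideloaded, so
# that path is refused as well.
safe_install <- function(pkgs, repos = getOption("repos"), ...) {
  if (is.null(repos)) {
    stop("Installing from a local file or ad-hoc URL is not permitted.")
  }
  repos <- repos[repos != "@CRAN@"]
  if (length(repos) == 0) {
    stop("No repository configured; set options(repos = ...) to a sanctioned mirror.")
  }
  if (!all(vapply(repos, repo_is_allowed, logical(1)))) {
    stop("Refusing to install from a non-sanctioned repository.")
  }
  install.packages(pkgs, repos = repos, ...)
}

# Site-wide: put options(repos = c(CRAN = "https://cloud.r-project.org")) in
# Rprofile.site so every session starts on a sanctioned mirror, then run
# audit_repos() at startup to catch users who override it.
```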



R-help_at_r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.
Received on Wed 02 Apr 2008 - 12:09:17 GMT

Archive maintained by Robert King, hosted by the discipline of statistics at the University of Newcastle, Australia.
Archive generated by hypermail 2.2.0, at Wed 02 Apr 2008 - 12:30:26 GMT.
