[R] Security issue
Barry Rowlingson
b.rowlingson at lancaster.ac.uk
Wed Apr 2 14:11:49 CEST 2008
Hanek Martin wrote:
> Hello,
>
> I am trying to convince our IT Manager that R is as safe as possible
> from IT security point of view - could you point me to something on
> the web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.
>
To add to Brian's note that rightly says 'R can only do what a user
can do anyway', I'll point out that R doesn't open any network ports so
doesn't expose the machine that way. Unless of course you run a network
server in R (is there a server package on CRAN?).
I can think of crazy ways where R might be involved in an exploit -
for example if the malicious party poisoned your DNS, then if you tried
to install a package from CRAN, a fake DNS entry for cran.r-project.org
would mean you instead got a package from a malicious party's web site,
and hence you'd be running the wrong code. It would take a lot of work
though - I suspect the intersection set of R programmers and black-hat
hackers is pretty small. And if the hacker can poison the DNS
effectively then there are plenty of easier exploits to do.
And anyway, it's probably easier to get malicious R code by just
announcing it on R-help. A message of "I've written this package to do
XXYYZ" and a non-CRAN URL might get some people to bite. But the same
applies to just about anything you download from the net - browser
extensions, screen savers, add-on applications and so forth.
R mitigates against this by having open source code for its core and
CRAN add-on packages. Perhaps your IT Manager should only sanction the
use of packages from CRAN? Although enforcing this wouldn't be easy.
So yes, R is as safe as possible, for most values of 'safe' and
'possible'.
Barry
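The two practical points in the message above, restrict R to CRAN and notice when a fetched package is not the one the repository advertises, can be put into a site profile and a small check. The following is an added example, not code from the original post or from R itself; the repository URL, the PACKAGES index contents and the tarball bytes are constructed so it runs offline. Pinning the repository to an https:// URL (supported by install.packages() in R 3.2.0 and later; in 2008 CRAN was reached over plain HTTP) is what actually defeats the DNS-poisoning scenario, because the TLS certificate, not the DNS answer, decides whether the host is cran.r-project.org.

```r
## Added example (not from the original post). Pins R to CRAN over HTTPS and
## checks a downloaded source tarball against the MD5sum that a CRAN-style
## repository publishes in its PACKAGES index, so a tarball served under the
## right name but with different contents is rejected before installation.
## Repository URL, index text and tarball bytes below are constructed.

## 1. Site-wide policy: a single repository, reached over HTTPS. Placing this
##    line in R_HOME/etc/Rprofile.site makes every session start with it, so
##    install.packages() never has to be told where to look.
options(repos = c(CRAN = "https://cran.r-project.org"))

## 2. A PACKAGES index in the DCF format CRAN serves (constructed). The
##    MD5sum is the digest of the bytes "hello world", which step 3 writes
##    as the stand-in tarball.
index_text <- paste(
  "Package: examplepkg",
  "Version: 1.0",
  "MD5sum: 5eb63bbbe01eeed093cb22bb8f5acdc3",
  sep = "\n")
index <- read.dcf(textConnection(index_text),
                  fields = c("Package", "Version", "MD5sum"))

## 3. Stand-in for examplepkg_1.0.tar.gz as download.packages() would save it.
tarball <- tempfile(fileext = ".tar.gz")
writeBin(charToRaw("hello world"), tarball)

## Compare the file's digest with the published one. Refuse on a mismatch,
## and also when the index carries no digest at all: "no entry" must not
## silently turn into "no check".
verify_tarball <- function(path, pkg, index) {
  row <- index[index[, "Package"] == pkg, , drop = FALSE]
  if (nrow(row) != 1L || is.na(row[, "MD5sum"]))
    stop("no MD5sum published for ", pkg, "; refusing to install")
  got <- unname(tools::md5sum(path))
  want <- row[, "MD5sum"]
  if (!identical(tolower(got), tolower(want)))
    stop(sprintf("%s: digest %s does not match published %s", pkg, got, want))
  invisible(TRUE)
}

## Genuine tarball: digest matches the index entry.
verify_tarball(tarball, "examplepkg", index)

## A tarball from a spoofed host, same file name but different bytes, fails.
writeBin(charToRaw("hello world, but not what CRAN serves"), tarball)
tryCatch(verify_tarball(tarball, "examplepkg", index),
         error = function(e) message("rejected: ", conditionMessage(e)))
```

The check only means something when the index and the tarball do not come from the same untrusted place: fetch the PACKAGES index over HTTPS from CRAN itself (or keep a recorded copy of the digests) and compare against a tarball that may have come from a mirror or a cache. If an attacker controls the host that serves both, they can simply publish a matching MD5sum, which is why the repository pin in step 1 does the heavy lifting and the digest comparison is the second line.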