Re: [R] registry vulnerabilities in R
Update: The IT people agreed to test R separately. R is now approved and RStudio is not. The folks at RStudio are baffled as to why all those registry entries are being recorded. They directed me to the source code which details the known accesses to the registry during installation. I have not yet followed the link. I suspect the registry vulnerability software is flawed, or perhaps their procedures. (Are they installing into a clean image? No idea.) So, limited progress. I may just move my R work to Linux, where the rules are different.

Thank you, everyone.

Paul Martin

On 5/9/2012 12:57 PM, Richard M. Heiberger wrote:
One more item. Have you given a copy of the document "R: Regulatory Compliance and Validation Issues. A Guidance Document for the Use of R in Regulated Clinical Trial Environments" (http://www.r-project.org/doc/R-FDA.pdf) to your security office? It addresses overlapping, not identical, security issues.
Rich

On 5/9/12, Paul Martin pamar...@alum.mit.edu wrote:
I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed. We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: registry entries added and registry entries modified. There were no vulnerabilities found in the entries modified section. All of the vulnerabilities are listed under entries added.

I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.

Thank you all for your comments,
Paul Martin

On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
Someone said: "Once R is accepted, you could ask for an RStudio test if you want."

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R. Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry

__
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
Re: [R] registry vulnerabilities in R
How about just removing those network-related packages (including CRAN) from your copy of R? R can be used portably, as long as you have the packages you need installed already within your R.
Re: [R] registry vulnerabilities in R
What about using a Portable Apps style packaging of R? That might solve some of the issues.
Re: [R] registry vulnerabilities in R
On Tue, May 8, 2012 at 4:10 PM, Paul Martin pamar...@alum.mit.edu wrote:
Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment. I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.

My thoughts on this matter will be mitigated by my desire not to get on the no-fly list so I can attend UseR! this year...

Firstly we don't know what the NIPRNet is. The analyst does say "this [software? process?] can be continued for standalone systems", which seems to imply you can have it on your desktop, but not on NIPRNet. If NIPRNet is some kind of multi-user system running a variant of Windows then maybe the security testing is looking for the sort of problems that occur when you try and mash a single-user operating system into a multi-user environment. We've never had any problems running R on Windows Server OSes. It's always been proprietary software that has insisted on writing to C:\TMP\TEMP.DAT for every user, and with closed source programs we can't change that...

Secondly, we don't know what the security analysis tool did. I'm guessing it's essentially looking at the difference in the registry before and after installation or running of R/RStudio, or just monitoring registry access.

"Numerous forbidden file extensions. Numerous registry vulnerabilities. Network connections to foreign IP address."

The file extensions section of this 'security audit' relates to Adobe Acrobat Reader and a registry key with USAF_PKI_SPO in the name. Somehow I don't think R did this. It doesn't mention .r files, which should be one file extension that R uses. So at least that's not forbidden.

The long list of registry vulnerabilities is also equally odd. It looks like a standard set of registry keys plus a whole bunch of firewall configuration. Has R tried to modify these? Has R tried to read these? It almost certainly didn't write them. Googling for "Windows registry vulnerabilities" doesn't find anything specific. It doesn't seem to be a class of security problems.

"After completing the vulnerability analysis, we decided to decline to approve R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. Above mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list. Here are some examples of the base approved statistical software:"

Here's where we all face-palmed. High risk?

"I apologize this may cause interruption in your project. Most proprietary software are safe for NIPRNet use but this one caused some concerns. However, this can be continued for standalone system. Please accept my humble apology."

Maybe if you shell out for a proprietary version of R you'll get it approved.

So, given the large quantity of unknowns (both known unknowns and unknown unknowns) there's not much we can do. It seems that a security tool which I doubt the analyst understands and which I doubt we are allowed to know much about has just decided to block you.

The great irony being of course that open source software is more secure than any closed-source proprietary system.

Barry
Re: [R] registry vulnerabilities in R
On 08/05/2012 11:10 AM, Paul Martin wrote:
Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment.

I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either. I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it. Once R is accepted, you could ask for an RStudio test if you want.

On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.

Duncan Murdoch

I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.

Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico

Original Message
Subject: FW: R/RStudio Software
Date: Fri, 4 May 2012 15:15:20 -0600
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF [1]paul.mar...@kirtland.af.mil
To: [2]pamar...@alum.mit.edu

-Original Message-
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 3:13 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Subject: RE: R/RStudio Software

Mr. Martin,
RStudio is an IDE for writing R code. I installed RStudio first but it doesn't work without R so I tested them together. When I test software, usually the registry analysis file is blank. But this one happens to have numerous registry vulnerabilities - see attached. Most of them, I don't even know if they affect the software. "Collaboration P2P Host In TCP/Out TCP allowed" seemed troubling.
Thanks,
Suman

-Original Message-
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:51 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Ms. Goel,
Sorry to bother you again with this, but I have two more questions:
1. Were these vulnerabilities found in both R and RStudio?
2. Could you be more explicit about the registry vulnerabilities? This is the only item where I could potentially get some issues addressed. Even if I cannot get this software on the NIPRNET, I can pass along your discoveries and help the community improve their code.
Thank you,
Paul Martin

-Original Message-
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:34 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Mr. Martin,
Thank you for understanding. Here are some examples of vulnerabilities.
Numerous forbidden file extensions.
Numerous registry vulnerabilities.
Network connections to foreign IP address.
Many vulnerabilities are firewall policies related under restricted services.
Once again Thank you,
Respectfully,
Suman

-Original Message-
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:12 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Suman,
Thank you for your reply. If it is not too much trouble, could you enumerate the issues you found, so that I can forward the list to the team maintaining the R software? I have no idea what kind of response to expect, but these people should at least be aware of the issues.
Thank you.
Paul Martin

From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:07 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P Civ USAF AFMC AFRL/RVIO
Subject: R/RStudio Software

Mr. Martin,
After completing the vulnerability analysis, we decided to decline to approve R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. Above mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list. Here are some examples of the base approved statistical software:
SPSS v19.x
LISREL v8.x
JMP v8.x - Soon to be certified JMP v9 or 10
Matlab v7.x
Mathematica v8.x
OriginPro v8.x
If you like, we can add the following statistical software on the base list, which will be available on May 25th.
Re: [R] registry vulnerabilities in R
Not sure if it helps, but Tinn-R could be used as a replacement for RStudio if the main things you were after were the syntax highlighting and R integration.

Cheers,
Gavin.

-Original Message-
From: r-help-boun...@r-project.org [mailto:r-help-boun...@r-project.org] On Behalf Of Duncan Murdoch
Sent: 09 May 2012 15:57
To: pamar...@alum.mit.edu
Cc: r-help@r-project.org
Subject: Re: [R] registry vulnerabilities in R

On 08/05/2012 11:10 AM, Paul Martin wrote:
Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment.

I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either. I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it. Once R is accepted, you could ask for an RStudio test if you want.

On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.

Duncan Murdoch

I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.
Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico
Re: [R] registry vulnerabilities in R
On May 9, 2012, at 9:57 AM, Duncan Murdoch wrote:
On 08/05/2012 11:10 AM, Paul Martin wrote:
Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment.

I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either. I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it. Once R is accepted, you could ask for an RStudio test if you want.

On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.

Duncan Murdoch

Just as an FYI, in response to Barry's post on this thread, NIPRNet is the US Dept of Defense (DOD) private network that supports the transmission of sensitive, but unclassified, information. It is hosted by DOD private routers, primarily for internal use, while providing external access as well. Some may know it by its former name MILNet, and it has a classified private network counterpart, known as SIPRNet. As a consequence, the level of security oversight is higher and more restrictive than what one might find on typical commercial or academic networks.

Regards,
Marc Schwartz
Re: [R] registry vulnerabilities in R
Someone said: "Once R is accepted, you could ask for an RStudio test if you want."

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R. Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry
Re: [R] registry vulnerabilities in R
On May 9, 2012, at 11:00 AM, Barry Rowlingson wrote:
Someone said: "Once R is accepted, you could ask for an RStudio test if you want."

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R. Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry

That will depend upon their internal procedures/policies. Presuming that the initial hurdle for R itself is overcome, for third party packages, whether from CRAN or elsewhere, Paul might see if the folks involved in the review process would allow him to install these to a local private folder tree, where it may be possible that security related concerns may be more mitigated and provide more flexibility than if for a system-wide install. In other words, see if there is some way to, in effect, sandbox the additional components, that would be acceptable.

A quick review of the lengthy output that Paul provided in the original post seems to suggest that the majority, if not all, of the registry related issues are specific to RStudio itself and not to R.

Third party packages, of course, may have additional code that can perform a variety of activities (access/modify local system resources, access external IPs, etc.), so it would not be a surprise to me that there may need to be a package by package review and approval process.

Of course, the mere process of downloading and installing CRAN or other packages means that access to external IPs would be required, which appear to be part of the restrictions. It would be interesting to find out how updates over the net are handled for the approved applications. Are these allowed or are they controlled by a central authority? So an internal discussion would be required to understand how R would fit within the policy and procedure constraints in place.

It is clear that despite the subject heading for this thread, registry related issues are only a part of the underlying problem.

It would also be of value to know how other folks, operating in similar 'restricted' environments, either inside or outside the U.S., have overcome these issues, so that Paul may learn from their experience. We do, for example, get posts here now and then from folks with U.S. .mil domain e-mail addresses. So there appear to be folks using R in such environments, unless they are using R, but not on DOD owned systems.

Regards,
Marc
Re: [R] registry vulnerabilities in R
I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed. We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: registry entries added and registry entries modified. There were no vulnerabilities found in the entries modified section. All of the vulnerabilities are listed under entries added.

I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.

Thank you all for your comments,
Paul Martin

On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
Someone said: "Once R is accepted, you could ask for an RStudio test if you want."

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R. Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry
Re: [R] registry vulnerabilities in R
On Wed, May 9, 2012 at 12:46 PM, Paul Martin pamar...@alum.mit.edu wrote:
I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed. We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: registry entries added and registry entries modified. There were no vulnerabilities found in the entries modified section. All of the vulnerabilities are listed under entries added.

During the installation process it's only the installer that sets any registry values, not R itself. Using the standard installer that comes with R it asks you whether you want to save version numbers in the registry and whether you want to create an association for RData files. If you uncheck those then the installation does not set any registry values.

--
Statistics Software Consulting
GKX Group, GKX Associates Inc.
tel: 1-877-GKX-GROUP
email: ggrothendieck at gmail.com
Re: [R] registry vulnerabilities in R
I spoke to someone in the military who did some investigation. This is his response:

1. I'm sorry that I don't have anything good to report. The military is cautious with its networks and I'm no longer able to use R at work. I don't know anything about this registry issue but the show stopper for me even trying to get R on the military network is CRAN. All that r-project checks on contributed applications is if they load (or compile as necessary) cross-platform. I could make an argument for the security of the Core functionality of R but not for the contributed packages.

On 5/8/12, Paul Martin pamar...@alum.mit.edu wrote:
Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment. I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.

Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico
Re: [R] registry vulnerabilities in R
On 09/05/2012 2:04 PM, Gabor Grothendieck wrote:
On Wed, May 9, 2012 at 12:46 PM, Paul Martin pamar...@alum.mit.edu wrote:
I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed. We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: registry entries added and registry entries modified. There were no vulnerabilities found in the entries modified section. All of the vulnerabilities are listed under entries added.

During the installation process it's only the installer that sets any registry values, not R itself. Using the standard installer that comes with R it asks you whether you want to save version numbers in the registry and whether you want to create an association for RData files. If you uncheck those then the installation does not set any registry values.

That's correct. And with a small change to the installer script, even that can be suppressed. (For anyone interested: you need Uninstallable=no near the top of the Inno Setup script; if using the regular build, that's in the file RHOME/src/gnuwin32/installer/header1.iss.)

Duncan Murdoch
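Barry's guess earlier in the thread is that the Air Force tool diffs the registry before and after installation, Paul says its report is split into "entries added" and "entries modified", and Gabor and Duncan explain that the only registry writes come from the installer's two optional settings. The script below is an added example, not code from this thread, from the R project or from the Air Force tool: it reproduces that before/after classification over two regedit exports and then lists the additions the R installer cannot account for, which is exactly the list to take back to the reviewer. The two exports are constructed for illustration; the R-core key layout reflects what the installer writes with its registry options left on, the "RWorkspace" ProgID for .RData is assumed, and the firewall-rule value that appears only in the "after" export is made up and simply stands in for whatever the real scan attributed to R.

```python
"""Diff two Windows registry exports into "entries added / modified / removed",
the layout Paul describes for the Air Force report. Added example, not code
from this thread or from the R project. The exports are constructed inline;
on a real test image you would run `reg export HKLM\\SOFTWARE before.reg`,
install R, export again, and feed both files to diff_snapshots()."""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]   # key path -> {value name: raw data}

# What the R for Windows installer writes when its optional registry boxes stay
# ticked: version/path bookkeeping under R-core and the .RData file association
# (the "RWorkspace" ProgID used in the sample below is assumed).
EXPECTED_KEY_PREFIXES = (r"HKEY_LOCAL_MACHINE\SOFTWARE\R-core",
                         r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.RData")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data or @=data


def parse_reg_export(text: str) -> Snapshot:
    """Parse regedit / `reg export` text; data stays raw, the diff only compares it."""
    logical, pending = [], ""
    for raw in text.splitlines():          # rejoin hex: values regedit wraps with '\'
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    snap, current = {}, None
    for line in logical:
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            snap.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            snap[current]["@" if m.group(2) else m.group(1)] = m.group(3)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[Tuple]]:
    """Classify every (key, value) pair as added, modified or removed."""
    report = {"added": [], "modified": [], "removed": []}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        names = sorted(set(a) | set(b))
        if not names:                      # key with no values: only its presence can change
            if key not in before:
                report["added"].append((key, None, None, None))
            elif key not in after:
                report["removed"].append((key, None, None, None))
            continue
        for name in names:
            if name not in b:
                report["added"].append((key, name, None, a[name]))
            elif name not in a:
                report["removed"].append((key, name, b[name], None))
            elif a[name] != b[name]:
                report["modified"].append((key, name, b[name], a[name]))
    return report


def unexpected_additions(report: Dict[str, List[Tuple]]) -> List[Tuple]:
    """Additions the installer cannot account for: the list to take back to
    whoever ran the scan and ask what else touched the test image."""
    prefixes = tuple(p.lower() for p in EXPECTED_KEY_PREFIXES)
    return [c for c in report["added"] if not c[0].lower().startswith(prefixes)]


# Constructed sample exports. The firewall rule that appears only in AFTER_REG is
# made up; it stands in for any entry that cannot be attributed to R.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R]
"InstallPath"="C:\\Program Files\\R\\R-2.14.2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"CoreNet-Sample-In"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Name=Sample|"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R]
"InstallPath"="C:\\Program Files\\R\\R-2.15.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R\2.15.0]
"InstallPath"="C:\\Program Files\\R\\R-2.15.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.RData]
@="RWorkspace"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"CoreNet-Sample-In"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Name=Sample|"
"{constructed-rule}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\\collab\\p2phost.exe|Name=Collaboration P2P Host|"
"""


def run_example() -> Tuple[Dict[str, List[Tuple]], List[Tuple]]:
    report = diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))
    return report, unexpected_additions(report)
```

To run it against real exports, read before.reg and after.reg with the UTF-16 encoding regedit uses and pass their text to parse_reg_export(); on the constructed sample, run_example() reports three additions and one modification, and the one addition left over after the installer's own keys are discounted is the firewall rule. Every entry on that leftover list was either written by something else that ran on the test image or is evidence that the tool is not measuring what it claims, and either way it is a question for the reviewer rather than a defect in R.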
Re: [R] registry vulnerabilities in R
Thanks Rich and Paul: This gets back to my original comment in this thread. I believe that CRAN repositories simply rely on whatever security software (malware checking, etc.) that the hosts provide; R/CRAN do nothing, as you said. This results in a whole new and almost certainly wholly impracticable level of security protection to validate, so it is doubtful that anything can be done to address the concerns. Again, as you said. As always, authoritative (dis?) confirmation by R Core experts required to validate by statement. -- Bert On Wed, May 9, 2012 at 11:10 AM, Richard M. Heiberger r...@temple.edu wrote: I spoke to someone in the military who did some investigation. This is his response 1. I'm sorry that I don't have anything good to report. The military is cautious with it's networks and I'm no longer able to use R at work. I don't know anything about this registry issue but the show stopper for me even trying to get R on the military network is CRAN. All that r-project checks on contributed applications is if they load (or compile as necessary) cross-platform. I could make an argument for the security of the Core functionality of R but not for the contributed packages. On 5/8/12, Paul Martin pamar...@alum.mit.edu wrote: Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment. I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information. 
Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico

--
Bert Gunter
Genentech Nonclinical Biostatistics
Internal Contact Info:
Phone: 467-7374
Website: http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm
Re: [R] registry vulnerabilities in R
One more item. Have you given a copy of the document

R: Regulatory Compliance and Validation Issues
A Guidance Document for the Use of R in Regulated Clinical Trial Environments
http://www.r-project.org/doc/R-FDA.pdf

to your security office? It addresses overlapping, not identical, security issues.

Rich

On 5/9/12, Paul Martin pamar...@alum.mit.edu wrote:

I don't have much new to add, but I want to make some clarifying comments:

First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed. We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the entries modified section. All of the vulnerabilities are listed under entries added.

I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.

Thank you all for your comments,
Paul Martin

On 5/9/2012 10:00 AM, Barry Rowlingson wrote:

Someone said: Once R is accepted, you could ask for an RStudio test if you want.

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great.
You run R. Then you think, Oh, I need ggplot2 (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry
Re: [R] registry vulnerabilities in R
I am totally ignorant on these matters, but .. R is open source statistical software written largely for (and used a lot by) academics for research. So I would not be surprised if it has security vulnerabilities. As usual, the GPL explicitly exempts the R organization from any responsibility on these matters. R comes with no guarantees.

That said, you'd have to check with R core about how they try to defend against errant code being deposited on CRAN and distributed. AFAICS, they do a damn good job. At least, I've never heard of complaints of problems.

-- Bert

On Tue, May 8, 2012 at 8:10 AM, Paul Martin pamar...@alum.mit.edu wrote:

Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry vulnerabilities which are detailed in the attachment. I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.

Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico

Original Message
Subject: FW: R/RStudio Software
Date: Fri, 4 May 2012 15:15:20 -0600
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF paul.mar...@kirtland.af.mil
To: pamar...@alum.mit.edu

-Original Message-
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 3:13 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Subject: RE: R/RStudio Software

Mr. Martin,

RStudio is an IDE for writing R code. I installed RStudio first but it doesn't work without R so I tested them together. When I test a software usually the registry analysis file is blank. But this one happened to have numerous registry vulnerabilities - see attached.
Most of them, I don't even know if they affect the software. Collaboration P2P Host In TCP/Out TCP allowed seemed troubling.

Thanks,
Suman

-Original Message-
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:51 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Ms. Goel,

Sorry to bother you again with this, but I have two more questions:

1. Were these vulnerabilities found in both R and RStudio?
2. Could you be more explicit about the registry vulnerabilities? This is the only item where I could potentially get some issues addressed. Even if I cannot get this software on the NIPRNET, I can pass along your discoveries and help the community improve their code.

Thank you,
Paul Martin

-Original Message-
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:34 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Mr. Martin,

Thank you for understanding. Here are some examples of vulnerabilities.

Numerous forbidden file extensions.
Numerous registry vulnerabilities.
Network connections to foreign IP address.
Many vulnerabilities are firewall policies related under restricted services.

Once again, thank you,
Respectfully,
Suman

-Original Message-
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:12 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Suman,

Thank you for your reply. If it is not too much trouble, could you enumerate the issues you found, so that I can forward the list to the team maintaining the R software? I have no idea what kind of response to expect, but these people should at least be aware of the issues.

Thank you.
Paul Martin

From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:07 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P Civ USAF AFMC AFRL/RVIO
Subject: R/RStudio Software

Mr. Martin,

After completing the vulnerability analysis, we decided to decline to approve R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. The above mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list. Here are some examples of the base approved statistical software:

SPSS v19.x
LISREL v8.x
JMP v8.x - Soon to be certified JMP v9 or 10
Matlab v7.x
Mathematica v8.x
OriginPro v8.x

If you like, we can add the following statistical software on the base list, which will be available on May 25th.

Minitab v16.x
SAS v9.x
Maple v15.x

In addition,