Hello,
I am trying to convince our IT Manager that R is as safe as possible from an IT
security point of view - could you point me to something on the web / some
reasons for why this is true? I do not think he has a specific concern, but he does
not know the software and would like to understand the security implications.
Thanks in advance
Best Regards
Martin Hanek
Actuarial Analyst
Glacier Reinsurance AG
Churerstr. 78
CH-8808 Pfäffikon SZ
T +41 55 417 3431
F +41 55 417 3434
martin.hanek@glacierre.com
www.glacierre.com
Well, of course it isn't true -- no piece of software is 'as safe as possible'. I think some IT managers would prefer not to run any OSes on their machines -- now, that is pretty safe (especially if they are then switched off to save energy). You haven't told us your OS -- and that usually means it is Windows (or Mac OS). A reasonable question then is 'is R as safe as Windows'. However, when you start R it says R is free software and comes with ABSOLUTELY NO WARRANTY, so you are not going to get any warranty about this.

But it seems faintly ludicrous to ask if R is safe if you run an unsafe OS -- R is as safe as the system calls it uses (and any others you manage to run via exploits, although I am unaware of known exploits -- the few reports have been on at-the-time obsolete versions of R). So just don't actually run R in an administrator account.

On Wed, 2 Apr 2008, Hanek Martin wrote:

> Hello,
>
> I am trying to convince our IT Manager that R is as safe as possible
> from IT security point of view - could you point me to something on the
> web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.

But surely that is his job! Our Computing Manager certainly has it in his job description -- and he does allow R on our systems (owned by non-administrator accounts).

> Thanks in advance
>
> Best Regards
> Martin Hanek
> Actuarial Analyst
> Glacier Reinsurance AG

--
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595
Hanek Martin wrote:

> Hello,
>
> I am trying to convince our IT Manager that R is as safe as possible
> from IT security point of view - could you point me to something on
> the web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.

To add to Brian's note that rightly says 'R can only do what a user can do anyway', I'll point out that R doesn't open any network ports so doesn't expose the machine that way. Unless of course you run a network server in R (is there a server package on CRAN?).

I can think of crazy ways where R might be involved in an exploit - for example if the malicious party poisoned your DNS, then if you tried to install a package from CRAN, a fake DNS entry for cran.r-project.org would mean you instead got a package from a malicious party's web site, and hence you'd be running the wrong code. It would take a lot of work though - I suspect the intersection set of R programmers and black-hat hackers is pretty small. And if the hacker can poison the DNS effectively then there's plenty of easier exploits to do.

And anyway, it's probably easier to get malicious R code by just announcing it on R-help. A message of "I've written this package to do XXYYZ" and a non-CRAN URL might get some people to bite. But the same applies to just about anything you download from the net - browser extensions, screen savers, add-on applications and so forth. R mitigates against this by having open source code for its core and CRAN add-on packages. Perhaps your IT Manager should only sanction the use of packages from CRAN? Although enforcing this wouldn't be easy.

So yes, R is as safe as possible, for most values of 'safe' and 'possible'.

Barry
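Barry's "only sanction packages from CRAN" policy is hard to enforce up front, but it can be audited after the fact. What follows is an added example, not code from this thread or from the R project. It lists the packages in a library whose DESCRIPTION does not carry "Repository: CRAN" (CRAN adds that field when it builds a package; relying on it is an assumption of this check, not a guarantee, since a package author can write anything into their own DESCRIPTION), flags packages whose "RemoteType" field shows they were installed straight from a remote such as GitHub by the remotes/devtools installers, and reports whether each configured repository URL uses HTTPS, which is what closes the DNS-poisoning route Barry describes (CRAN was served over plain HTTP when this thread was written; current mirrors offer HTTPS). The function names audit_library and check_repos are the example's own.

```r
# Added example (not from the R-help thread): audit an R library for packages
# that cannot be traced to CRAN, and check that the configured repositories
# are reached over HTTPS.
#
# Assumptions (see lead-in): CRAN-built packages carry "Repository: CRAN" in
# DESCRIPTION; packages installed by remotes/devtools carry a "RemoteType"
# field naming the remote (e.g. "github"). Base and recommended packages ship
# with R itself and have no Repository field, so they are excluded.

audit_library <- function(lib = .libPaths()[1]) {
  # installed.packages() reads every DESCRIPTION in the library; 'fields'
  # pulls in the extra columns we want to inspect.
  pkgs <- installed.packages(lib.loc = lib,
                             fields  = c("Repository", "RemoteType"))
  df <- as.data.frame(pkgs, stringsAsFactors = FALSE)

  # Drop the packages that are part of the R distribution itself.
  df <- df[is.na(df$Priority) | !(df$Priority %in% c("base", "recommended")), ]

  df$from_cran <- !is.na(df$Repository) & df$Repository == "CRAN"
  df$remote    <- !is.na(df$RemoteType)

  # Anything not reporting CRAN, or installed from a remote, is worth a look.
  df[!df$from_cran | df$remote,
     c("Package", "Version", "Repository", "RemoteType")]
}

check_repos <- function(repos = getOption("repos")) {
  # "@CRAN@" is R's placeholder meaning "prompt for a mirror"; it is not a
  # URL, so it shows up here as https = FALSE until a mirror is chosen.
  nm <- if (is.null(names(repos))) rep(NA_character_, length(repos)) else names(repos)
  data.frame(name  = nm,
             url   = unname(repos),
             https = grepl("^https://", repos),
             stringsAsFactors = FALSE)
}

# Usage: run in an ordinary (non-administrator) user session.
suspicious <- audit_library()
if (nrow(suspicious) == 0) {
  cat("All non-base packages in", .libPaths()[1], "report Repository: CRAN\n")
} else {
  cat("Packages not traceable to CRAN in", .libPaths()[1], ":\n")
  print(suspicious, row.names = FALSE)
}
cat("\nConfigured repositories:\n")
print(check_repos(), row.names = FALSE)
```

A package listed by audit_library() is not proof of tampering, only something whose provenance the IT manager should look at; because a package controls its own DESCRIPTION, this is a policy check, not a security boundary. Pairing it with an HTTPS mirror in options(repos) is what actually removes the "wrong server answers for cran.r-project.org" scenario above.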
Hello Martin,
I can tell you from my experience that quite a few insurance companies in the
London Market use R.
If this is not enough, the following document might help you to find some good
arguments:
http://www.actuaries.org.uk/files/pdf/proceedings/giro2006/Maynard.pdf
Best regards,
Markus
Markus Gesmann | Associate Director | Libero Ventures Ltd, One Broadgate, London
EC2M 2QS
tel: +44 (0)207 826 9080 | dir: +44 (0)207 826 9085 | fax: +44 (0)207 826 9090
www.libero.uk.com
A Lehman Brothers Company
AUTHORISED AND REGULATED BY THE FINANCIAL SERVICES AUTHORITY
Markus Gesmann <Markus.Gesmann at libero.uk.com> wrote in news:5B78F43018FC3D488411E5F4903362E318EEE9E197 at OBG-EXC-01.OBG:

> If this is not enough, the following document might help you to find
> some good arguments:
> http://www.actuaries.org.uk/files/pdf/proceedings/giro2006/Maynard.pdf

That link is dead, ... perhaps one of:

http://www.actuaries.org.uk/__data/assets/pdf_file/0013/30136/Maynard.pdf
http://www.actuaries.org.uk/__data/assets/powerpoint_doc/0006/22578/Maynard.ppt

--
David Winsemius