Hello all,

I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.

My question is:

If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security. Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

Thank you

Laurence

--
Laurence Clark
Business Data Analyst
Account Management
Health Management Ltd
On Wed, 8 Aug 2018, Laurence Clark wrote:

> I want to download R and use it for work purposes. I hope to use it to
> analyse very sensitive data from our clients.

Laurence,

Good choice.

> My question is:
>
> If I install R on my work network computer, will the data ever leave our
> network? I need to know if the data goes anywhere other than our network,
> because this could compromise its security. Is there any chance the
> data could go to a server owned by 'R' or anything else that's not
> immediately obvious, but constitutes the data leaving our network?

Your sensitive data are no more, and no less, secure than any other data on your desktop computer or the company's network. Assuming company personnel and payroll data are on your local network, and proposals written with Microsoft's tools are happily created by employees, then your client data are equally secure (or at risk) regardless of the application used on them.

This is a network security issue, not an R issue.

Rich
I consider R to be secure. It is possible, but very unlikely, that there are some back door traps in R where somebody could access your data. There is no software that is 100% secure and R is not 100% secure.

Bob

On 8/8/2018 11:09 AM, Laurence Clark wrote:

> Hello all,
>
> I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.
>
> My question is:
>
> If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security. Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?
>
> Thank you
>
> Laurence
>
> ______________________________________________
> R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
This can likely be answered for R itself, but R itself (without additional packages) is very limited. As soon as you install packages, it all depends on the package you install and if you trust the authors of these packages. As far as I know, there is no code checking for security on CRAN (please correct me if I am wrong!).

The advantage of R and open source: you can always look into the source code and see yourself. And as this can be done, and R is not written by a single person or company, the likelihood of a backdoor in R is very very low (lower than in many commercial products I would say).

Cheers,

Rainer

> On 8 Aug 2018, at 18:40, rsherry8 <rsherry8 at comcast.net> wrote:
>
> I consider R to be secure. It is possible, but very unlikely, that there are some back door traps in R where somebody could access your data. There is no software that is 100% secure and R is not 100% secure.
>
> Bob

--
Rainer M. Krug, PhD (Conservation Ecology, SUN), MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)
University of Zürich
Hiya,

I work in a very security conscious organisation and we happily use R. The average user can only use R via RStudio Server, with a limited number of packages available, so that adds an additional level of control.

That said, are you sure that the sentence 'a few people on a mailing list said it would be alright' is going to convince your IT department of the harmlessness of R?

Cheers,
Katharina.

--
Dr Katharina Fritsch B.Sc. M.Sc. MRSC
Chemical Modeller, Chemical and Process Modelling
National Nuclear Laboratory Limited

-----Original Message-----
From: R-help [mailto:r-help-bounces at r-project.org] On Behalf Of Laurence Clark
Sent: 08 August 2018 16:10
To: 'r-help at r-project.org'
Subject: [R] security using R at work

Hello all,

I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.

My question is:

If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security. Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

Thank you

Laurence
Hello Laurence.

Taking a pragmatic approach. If the data is so valuable and secret but also needs some analysis in R, here are suggested steps to minimise security risks.

1. Plan the analysis up front, exactly what you want and the outcomes.
2. Take a laptop with Internet, install R and all packages needed for the planned analysis.
3. Unplug ethernet and turn off Bluetooth and Wi-Fi. So no internet access at all.
4. Bring your secret data via USB or CD.
5. Perform the R analysis and export reports and figures etc to safe place.
6. Delete R, the data and all packages from laptop before using online again.

A bit extreme and may still be some risk but it's minimal as the analysis was done offline, and you removed R etc after. But now have a set of R results.

Just an idea.

John.

On 8 Aug 2018 16:53, "Laurence Clark" <Laurence.Clark at healthmanltd.com> wrote:

> Hello all,
>
> I want to download R and use it for work purposes. I hope to use it to
> analyse very sensitive data from our clients.
>
> My question is:
>
> If I install R on my work network computer, will the data ever leave our
> network? I need to know if the data goes anywhere other than our network,
> because this could compromise its security. Is there any chance the
> data could go to a server owned by 'R' or anything else that's not
> immediately obvious, but constitutes the data leaving our network?
>
> Thank you
>
> Laurence
Hi Katharina.

Good point you make. What makes your IT department happy with the use of RStudio Server? What are the safe packages? Can I trust your answer? :)

John.

On 9 Aug 2018 10:38, "Fritsch, Katharina (NNL) via R-help" <r-help at r-project.org> wrote:

> Hiya,
> I work in a very security conscious organisation and we happily use R. The
> average user can only use R via RStudio Server, with a limited number of
> packages available, so that adds an additional level of control.
> That said, are you sure that the sentence 'a few people on a mailing list
> said it would be alright' is going to convince your IT department of the
> harmlessness of R?
> Cheers,
> Katharina.
> If I install R on my work network computer, will the data ever leave our
> network?

As far as I know, if you run R locally (and not, say, on an Amazon EC2 instance) your data - indeed anything about you or your machine - will only leave your desktop if you download and run an R package that transfers data intentionally. I don't know of _any_, but there are 10000 or so out there and I've probably used less than a hundred of them over the last decade.

Other than malice, I can't imagine why an R package would upload data to anywhere else, but I suppose it's conceivable that someone has a server farm out there for doing parallel MCMC and has written a package to access it, and that might be a use-case for data upload. Again, I don't know of one.

But here are three things that don't depend on a mailing list opinion.

a) If you are genuinely concerned, airgap. Only run sensitive data on machines that are not connected to the outside world. Install any necessary packages from local .zip on USB drives or something.

b) Install something like Wireshark and test for unexpected outgoing traffic on a dummy data set before applying the package to anything sensitive.

c) Have your IT department mark R as an unauthorised package (in your machine's firewall/security package) for TCP/IP transport so that R cannot talk to the internet.*

*That is a pain as the ability to download packages on demand is really helpful. However, it does mean that you can restrict _just_ R and does not require an airgap.
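An added example, not part of the post above or of anyone's message in this thread: one way to carry out the dummy-data traffic test from suggestion (b), here using a Linux `ss -tnp` socket listing instead of a Wireshark capture because it names the owning process. The process names, the internal address ranges and the sample listing are assumptions constructed for illustration.

```python
"""Flag outbound connections made by R processes during a dummy-data test run."""
import ipaddress
import re

# Assumptions for this example: the names R runs under and the networks
# treated as "inside" are site-specific and must be adjusted.
R_PROCESS_NAMES = {"R", "Rscript", "rsession"}
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "127.0.0.0/8", "::1/128")
]

# Constructed sample of `ss -tnp` output, as it might look while an analysis
# runs on a dummy data set (addresses are documentation ranges).
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB    0      0      10.20.1.15:50112    10.20.0.8:5432     users:(("R",pid=4242,fd=7))
ESTAB    0      0      10.20.1.15:50344    203.0.113.25:443   users:(("R",pid=4242,fd=9))
ESTAB    0      0      10.20.1.15:50990    198.51.100.7:443   users:(("firefox",pid=3001,fd=88))
SYN-SENT 0      1      10.20.1.15:51002    [2001:db8::5]:80   users:(("Rscript",pid=4310,fd=4))
ESTAB    0      0      127.0.0.1:8787      127.0.0.1:40122    users:(("rsession",pid=4400,fd=12))
"""

# Matches each ("name",pid=N entry inside the users:((...)) column.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_peer(field):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (ip, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and any scope id
    return ipaddress.ip_address(host), int(port)


def unexpected_r_connections(ss_text, allowed=ALLOWED_NETWORKS,
                             names=R_PROCESS_NAMES):
    """Return (process, pid, peer_ip, peer_port) for every socket owned by an
    R process whose peer lies outside all allowed networks."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "State":
            continue  # header line, or a socket with no process information
        try:
            addr, port = parse_peer(fields[4])
        except ValueError:
            continue  # wildcard or otherwise unparseable peer
        if any(addr in net for net in allowed):
            continue
        for name, pid in _PROC_RE.findall(fields[5]):
            if name in names:
                findings.append((name, int(pid), str(addr), port))
    return findings


if __name__ == "__main__":
    for name, pid, ip, port in unexpected_r_connections(SAMPLE_SS_OUTPUT):
        print(f"{name} (pid {pid}) connected to {ip}:{port}")
```

`ss` shows only the sockets open at the moment it runs, so short-lived connections can be missed; sample it repeatedly during the test run, or keep a packet capture alongside it. Run it as the user who owns the R process, or as root, so that the Process column is populated.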
The section I'm working in runs a facility for sensitive research data (https://www.uio.no/english/services/it/research/sensitive-data/). Our users use R (along with other analysis software). We don't consider R safe or unsafe, but have designed the services so that it should not be possible (or at least very difficult) for sensitive information to leak out of the network.

I would say that your best bet is to expect all analysis software to have security holes or be compromised, and design your setup/network around that assumption.

--
Regards,
Bjørn-Helge Mevik