Hanek Martin wrote:
> Hello,
>
> I am trying to convince our IT Manager that R is as safe as possible
> from IT security point of view - could you point me to something on
> the web / some reasons for why this is true? I do not think he has a
> specific concern but does not know the software and would like to
> understand the security implications.
>
To add to Brian's note that rightly says 'R can only do what a user can do anyway', I'll point out that R doesn't open any network ports so doesn't expose the machine that way. Unless of course you run a network server in R (is there a server package on CRAN?).

I can think of crazy ways where R might be involved in an exploit - for example if the malicious party poisoned your DNS, then if you tried to install a package from CRAN, a fake DNS entry for cran.r-project.org would mean you instead got a package from a malicious party's web site, and hence you'd be running the wrong code. It would take a lot of work though - I suspect the intersection set of R programmers and black-hat hackers is pretty small. And if the hacker can poison the DNS effectively then there are plenty of easier exploits to do.

And anyway, it's probably easier to get malicious R code by just announcing it on R-help. A message of "I've written this package to do XXYYZ" and a non-CRAN URL might get some people to bite. But the same applies to just about anything you download from the net - browser extensions, screen savers, add-on applications and so forth. R mitigates against this by having open source code for its core and CRAN add-on packages. Perhaps your IT Manager should only sanction the use of packages from CRAN? Although enforcing this wouldn't be easy.

So yes, R is as safe as possible, for most values of 'safe' and 'possible'.

Barry

______________________________________________
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
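As an added illustration of the two practical points in Barry's reply (the DNS/mirror concern and the "only sanction CRAN packages" suggestion), here is an R script that is not part of the original thread. It assumes a current R with HTTPS support; the mirror URL is one chosen for the example, and the function names audit_installed and install_checked are invented here.

```r
# Added example, not from the R-help thread above.
# Assumes a modern R (>= 3.3) that can fetch over HTTPS.

# 1. Pin package installation to a single HTTPS CRAN mirror.
#    With HTTPS, a forged DNS answer for the mirror name fails TLS
#    certificate validation instead of quietly serving a different
#    tarball, which is the scenario Barry describes for plain HTTP.
options(repos = c(CRAN = "https://cloud.r-project.org"))  # mirror chosen for this example

# 2. Inventory what is installed and where it came from.
#    Packages built by CRAN carry "Repository: CRAN" in their DESCRIPTION;
#    packages installed from a local tarball, a git checkout or an
#    arbitrary web site lack that field or carry another value.
#    Packages shipped with R itself (priority "base"/"recommended")
#    are treated as sanctioned regardless of the field.
audit_installed <- function(lib = .libPaths()) {
  pkgs     <- unname(installed.packages(lib.loc = lib)[, "Package"])
  bundled  <- rownames(installed.packages(lib.loc = lib, priority = "high"))
  repo <- vapply(pkgs, function(p) {
    r <- packageDescription(p, lib.loc = lib)$Repository
    if (is.null(r)) NA_character_ else r
  }, character(1))
  data.frame(
    package    = pkgs,
    repository = unname(repo),
    sanctioned = (repo %in% "CRAN") | (pkgs %in% bundled),
    stringsAsFactors = FALSE
  )
}

# 3. Download a package, compare the tarball's MD5 with the checksum the
#    repository index advertises, and only then install it.
#    This detects a corrupted or truncated download. It does NOT protect
#    against a mirror that is itself hostile, because the checksum comes
#    from the same server; the HTTPS pin in step 1 is what covers that case.
install_checked <- function(pkg, destdir = tempdir()) {
  idx <- available.packages()            # includes an "MD5sum" column
  if (!pkg %in% rownames(idx))
    stop(sprintf("'%s' is not in the configured CRAN index", pkg))
  expected <- idx[pkg, "MD5sum"]

  dl   <- download.packages(pkg, destdir = destdir, type = "source")
  path <- dl[1, 2]                        # column 2 holds the local file path
  actual <- unname(tools::md5sum(path))

  if (!identical(actual, expected)) {
    unlink(path)
    stop(sprintf("MD5 mismatch for %s: index says %s, file has %s",
                 pkg, expected, actual))
  }
  install.packages(path, repos = NULL, type = "source")
  invisible(path)
}

# Usage:
#   audit <- audit_installed()
#   audit[!audit$sanctioned, ]            # packages an IT manager may want to review
#   install_checked("jsonlite")           # checksum-verified install from the pinned mirror
```

The audit function gives a manager a concrete list to act on rather than an unenforceable policy statement; running it from a site-wide Rprofile or a scheduled job turns "only CRAN packages" into something that can at least be checked.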