I am totally ignorant on these matters, but ... R is open source statistical software written largely for (and used a lot by) academics for research. So I would not be surprised if it has "security vulnerabilities". As usual, the GPL explicitly exempts the R organization from any responsibility on these matters. "R comes with no guarantees."
That said, you'd have to check with R core about how they try to defend against errant code being deposited on CRAN and distributed. AFAICS, they do a damn good job. At least, I've never heard of complaints of problems.

-- Bert

On Tue, May 8, 2012 at 8:10 AM, Paul Martin <pamar...@alum.mit.edu> wrote:
>
> Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry "vulnerabilities" which are detailed in the attachment.
>
> I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.
>
> Thank you,
> Paul Martin
> Air Force Research Laboratory
> Kirtland Air Force Base
> Albuquerque, New Mexico
>
> -------- Original Message --------
>
> Subject: FW: R/RStudio Software
> Date: Fri, 4 May 2012 15:15:20 -0600
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF [1]<paul.mar...@kirtland.af.mil>
> To: [2]<pamar...@alum.mit.edu>
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 3:13 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> RStudio is an IDE for writing R code. I installed RStudio first, but it doesn't work without R, so I tested them together.
>
> When I test software, usually the registry analysis file is blank. But this one happened to have numerous registry vulnerabilities; see attached. Most of them, I don't even know whether they affect the software. "Collaboration P2P Host In TCP/Out TCP allowed" seemed troubling.
>
> Thanks,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:51 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Ms. Goel,
>
> Sorry to bother you again with this, but I have two more questions:
>
> 1. Were these vulnerabilities found in both R and RStudio?
>
> 2. Could you be more explicit about the registry vulnerabilities? This is the only item where I could potentially get some issues addressed. Even if I cannot get this software on the NIPRNET, I can pass along your discoveries and help the community improve their code.
>
> Thank you,
>
> Paul Martin
>
> -----Original Message-----
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:34 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Mr. Martin,
>
> Thank you for understanding. Here are some examples of vulnerabilities:
>
> Numerous forbidden file extensions.
> Numerous registry vulnerabilities.
> Network connections to a foreign IP address.
>
> Many vulnerabilities are related to firewall policies under restricted services.
>
> Once again, thank you.
>
> Respectfully,
> Suman
>
> -----Original Message-----
> From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Sent: Friday, May 04, 2012 2:12 PM
> To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Subject: RE: R/RStudio Software
>
> Suman,
>
> Thank you for your reply. If it is not too much trouble, could you enumerate the issues you found, so that I can forward the list to the team maintaining the R software? I have no idea what kind of response to expect, but these people should at least be aware of the issues.
>
> Thank you.
>
> Paul Martin
>
> From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
> Sent: Friday, May 04, 2012 2:07 PM
> To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
> Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P Civ USAF AFMC AFRL/RVIO
> Subject: R/RStudio Software
>
> Mr. Martin,
>
> After completing the vulnerability analysis, we decided to decline to approve the R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. The above-mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list. Here are some examples of the base-approved statistical software:
>
> SPSS v19.x
> LISREL v8.x
> JMP v8.x - soon to be certified: JMP v9 or 10
> Matlab v7.x
> Mathematica v8.x
> OriginPro v8.x
>
> If you like, we can add the following statistical software to the base list, which will be available on May 25th:
>
> Minitab v16.x
> SAS v9.x
> Maple v15.x
>
> In addition, please let us know if you have any other proprietary statistical software in mind. We can get those certified for the Base ATO.
>
> I apologize that this may cause an interruption in your project. Most proprietary software is safe for NIPRNet use, but this one caused some concerns. However, this can be continued for a standalone system. Please accept my humble apology.
>
> Thanks,
>
> Respectfully,
> Suman Goel
> 505-846-5357
> AFRL/RVIO
>
> References
>
> 1. mailto:paul.mar...@kirtland.af.mil
> 2. mailto:pamar...@alum.mit.edu
>
> ______________________________________________
> R-help@r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.
--
Bert Gunter
Genentech Nonclinical Biostatistics

Internal Contact Info:
Phone: 467-7374
Website: http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm