Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry "vulnerabilities" which are detailed in the attachment.

I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.

Thank you,
Paul Martin
Air Force Research Laboratory
Kirtland Air Force Base
Albuquerque, New Mexico

-------- Original Message --------
Subject: FW: R/RStudio Software
Date: Fri, 4 May 2012 15:15:20 -0600
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF [1]<[hidden email]>
To: [2]<[hidden email]>

-----Original Message-----
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 3:13 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Subject: RE: R/RStudio Software

Mr. Martin,

Rstudio is an IDE for writing R code. I installed Rstudio first but it doesn't work without R so I tested them together.

When I test software, usually the registry analysis file is blank. But this one happened to have numerous registry vulnerabilities - see attached. Most of them I don't even know if they affect the software. Collaboration P2P Host In TCP/Out TCP allowed seemed troubling.

Thanks,
Suman

-----Original Message-----
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:51 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Ms. Goel,

Sorry to bother you again with this, but I have two more questions:

1. Were these vulnerabilities found in both R and RStudio?

2. Could you be more explicit about the registry vulnerabilities? This is the only item where I could potentially get some issues addressed. Even if I cannot get this software on the NIPRNET, I can pass along your discoveries and help the community improve their code.

Thank you,

Paul Martin

-----Original Message-----
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:34 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Mr. Martin,

Thank you for understanding. Here are some examples of vulnerabilities.

Numerous forbidden file extensions.
Numerous registry vulnerabilities
Network connections to foreign IP address

Many vulnerabilities are firewall policies related under restricted services.

Once again Thank you,

Respectfully,
Suman

-----Original Message-----
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:12 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Suman,

Thank you for your reply. If it is not too much trouble, could you enumerate the issues you found, so that I can forward the list to the team maintaining the R software? I have no idea what kind of response to expect, but these people should at least be aware of the issues.

Thank you.

Paul Martin

From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:07 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P Civ USAF AFMC AFRL/RVIO
Subject: R/RStudio Software

Mr. Martin,

After completing the vulnerability analysis, we decided to decline to approve R/RStudio software on the NIPRNet. We discovered many unmitigated risks and numerous registry vulnerabilities. The above mentioned open source software poses high risks to the NIPRNet. We recommend using software from the Kirtland Base approved list. Here are some examples of the base approved statistical software:

SPSS v19.x
LISREL v8.x
JMP v8.x - Soon to certify JMP v9 or 10
Matlab v7.x
Mathematica v8.x
OriginPro v8.x

If you like, we can add the following statistical software to the base list, which will be available on May 25th.

Minitab v16.x
SAS v9.x
Maple v15.x

In addition, please let us know if you have any other proprietary statistical software in mind. We can get those certified for the Base ATO.

I apologize that this may cause an interruption in your project. Most proprietary software is safe for NIPRNet use but this one caused some concerns. However, this can be continued for a standalone system. Please accept my humble apology.

Thanks,

Respectfully,
Suman Goel
505-846-5357
AFRL/RVIO

References
1. mailto:[hidden email]
2. mailto:[hidden email]

______________________________________________
[hidden email] mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
I am totally ignorant on these matters, but ...

R is open source statistical software written largely for (and used a lot by) academics for research. So I would not be surprised if it has "security vulnerabilities". As usual, the GPL explicitly exempts the R organization from any responsibility on these matters. "R comes with no guarantees."

That said, you'd have to check with R core about how they try to defend against errant code being deposited on CRAN and distributed. AFAICS, they do a damn good job. At least, I've never heard of complaints of problems.

-- Bert

On Tue, May 8, 2012 at 8:10 AM, Paul Martin <[hidden email]> wrote:
> Kirtland Air Force Base has denied approval for the use of R on its
> Windows network. Some of their objections seem a bit strange, but some
> appear to be legitimate. In particular, they have detected registry
> "vulnerabilities" which are detailed in the attachment.
> I know nothing about Windows registry vulnerabilities. If any of these
> issues are legitimate concerns, I would like to see them fixed for
> everyone's benefit. I would appreciate a referral to the appropriate
> forum for this information. I am willing to assist in getting questions
> answered and gathering additional information.
> Thank you,
> Paul Martin
> Air Force Research Laboratory
> Kirtland Air Force Base
> Albuquerque, New Mexico

--
Bert Gunter
Genentech Nonclinical Biostatistics

Internal Contact Info:
Phone: 467-7374
Website: http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm
On Tue, May 8, 2012 at 4:10 PM, Paul Martin <[hidden email]> wrote:
> Kirtland Air Force Base has denied approval for the use of R on its
> Windows network. Some of their objections seem a bit strange, but some
> appear to be legitimate. In particular, they have detected registry
> "vulnerabilities" which are detailed in the attachment.
> I know nothing about Windows registry vulnerabilities. If any of these
> issues are legitimate concerns, I would like to see them fixed for
> everyone's benefit. I would appreciate a referral to the appropriate
> forum for this information. I am willing to assist in getting questions
> answered and gathering additional information.

My thoughts on this matter will be mitigated by my desire not to get on the no-fly list so I can attend UseR! this year...

Firstly, we don't know what the NIPRNet is. The analyst does say "this [software? process?] can be continued for standalone systems", which seems to imply you can have it on your desktop, but not on NIPRNet. If NIPRNet is some kind of multi-user system running a variant of Windows then maybe the security testing is looking for the sort of problems that occur when you try and mash a single-user operating system into a multi-user environment. We've never had any problems running R on Windows Server OSes. It's always been proprietary software that has insisted on writing to C:\TMP\TEMP.DAT for every user, and with closed source programs we can't change that...

Secondly, we don't know what the security analysis tool did. I'm guessing it's essentially looking at the difference in the registry before and after installation or running of R/RStudio, or just monitoring registry access.

> Numerous forbidden file extensions.
> Numerous registry vulnerabilities
> Network connections to foreign IP address

The file extensions section of this 'security audit' relates to Adobe Acrobat Reader and a registry key with USAF_PKI_SPO in the name. Somehow I don't think R did this. It doesn't mention .r files, which should be one file extension that R uses. So at least that's not forbidden.

The long list of "registry vulnerabilities" is equally odd. It looks like a standard set of registry keys plus a whole bunch of firewall configuration. Has R tried to modify these? Has R tried to read these? It almost certainly didn't write them.

Googling for "Windows registry vulnerabilities" doesn't find anything specific. It doesn't seem to be a class of security problems.

> After completing the vulnerability analysis, we decided to decline to
> approve R/RStudio software on the NIPRNet. We discovered many unmitigated
> risks and numerous registry vulnerabilities. Above mentioned open source
> software poses high risks to the NIPRNet. We recommend using software from
> the Kirtland Base approved list. Here are some examples of the base approved
> statistical software:

Here's where we all face-palmed. High risk?

> I apologize this may cause interruption in your project. Most proprietary
> software are safe for NIPRNet use but this one caused some concerns.
> However, this can be continued for standalone system. Please accept my
> humble apology.

Maybe if you shell out for a proprietary version of R you'll get it approved.

So, given the large quantity of unknowns (both known unknowns and unknown unknowns) there's not much we can do. It seems that a security tool which I doubt the analyst understands and which I doubt we are allowed to know much about has just decided to block you. The great irony being of course that open source software is more secure than any closed-source proprietary system.

Barry
On 08/05/2012 11:10 AM, Paul Martin wrote:
> Kirtland Air Force Base has denied approval for the use of R on its
> Windows network. Some of their objections seem a bit strange, but some
> appear to be legitimate. In particular, they have detected registry
> "vulnerabilities" which are detailed in the attachment.

I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either.

I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it.

Once R is accepted, you could ask for an RStudio test if you want.

On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.

Duncan Murdoch
Not sure if it helps, but Tinn-R could be used as a replacement for RStudio if the main things you were after were the syntax highlighting and R integration.
Cheers,
Gavin.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Duncan Murdoch
Sent: 09 May 2012 15:57
To: [hidden email]
Cc: [hidden email]
Subject: Re: [R] registry vulnerabilities in R

I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it.

Once R is accepted, you could ask for an RStudio test if you want.

Duncan Murdoch
On May 9, 2012, at 9:57 AM, Duncan Murdoch wrote:
> I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either.
>
> I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it.
>
> Once R is accepted, you could ask for an RStudio test if you want.
>
> On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.
>
> Duncan Murdoch

Just as an FYI, in response to Barry's post on this thread, NIPRNet is the US Dept of Defense (DOD) private network that supports the transmission of sensitive, but unclassified, information. It is hosted by DOD private routers, primarily for internal use, while providing external access as well. Some may know it by its former name MILNet and it has a classified private network counterpart, known as SIPRNet.

As a consequence, the level of security oversight is higher and more restrictive than what one might find on typical commercial or academic networks.

Regards,

Marc Schwartz
>> Someone said:
>> Once R is accepted, you could ask for an RStudio test if you want.

I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R.

Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?

Barry
On May 9, 2012, at 11:00 AM, Barry Rowlingson wrote:
>>> Someone said:
>>> Once R is accepted, you could ask for an RStudio test if you want.
>
> I had another thought shortly after my initial email. Suppose yes, R
> is accepted. Great. You run R.
>
> Then you think, "Oh, I need ggplot2" (yes you do). Do you then have
> to get security clearance for every package you want to download from
> CRAN?
>
> Barry

That will depend upon their internal procedures/policies.

Presuming that the initial hurdle for R itself is overcome, for third party packages, whether from CRAN or elsewhere, Paul might see if the folks involved in the review process would allow him to install these to a local private folder tree, where it may be possible that security related concerns may be more mitigated and provide more flexibility than if for a system-wide install. In other words, see if there is some way to, in effect, sandbox the additional components, that would be acceptable.

A quick review of the lengthy output that Paul provided in the original post seems to suggest that the majority, if not all, of the registry related issues are specific to R-Studio itself and not to R.

Third party packages, of course, may have additional code that can perform a variety of activities (access/modify local system resources, access external IPs, etc.), so it would not be a surprise to me that there may need to be a package by package review and approval process.

Of course, the mere process of downloading and installing CRAN or other packages means that access to external IPs would be required, which appears to be part of the restrictions. It would be interesting to find out how updates "over the net" are handled for the approved applications. Are these allowed or are they controlled by a central authority?

So an internal discussion would be required to understand how R would fit within the policy and procedure constraints in place. It is clear that despite the subject heading for this thread, registry related issues are only a part of the underlying "problem".

It would also be of value to know how other folks, operating in similar 'restricted' environments, either inside or outside the U.S., have overcome these issues, so that Paul may learn from their experience. We do, for example, get posts here now and then from folks with U.S. ".mil" domain e-mail addresses. So there appear to be folks using R in such environments, unless they are using R, but not on DOD owned systems.

Regards,

Marc
|
In reply to this post by Barry Rowlingson
I don't have much new to add, but I want to make some clarifying comments:
First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.

The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.

The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed.

We will get separate tests on R without RStudio.

The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the "entries modified" section. All of the vulnerabilities are listed under "entries added".

I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.

Thank you all for your comments,

Paul Martin

On 5/9/2012 10:00 AM, Barry Rowlingson wrote:

>>> Someone said:
>>> Once R is accepted, you could ask for an RStudio test if you want.
>
> I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R.
>
> Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?
>
> Barry
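Paul's report splits its findings into "registry entries added" and "registry entries modified", and he notes the test itself cannot be duplicated. As an added example, not code from the thread or from the R project, the following Python rebuilds those two sections by diffing two `reg export` snapshots (one taken before an install, one after); the registry paths and values embedded below are constructed sample data, and the hex continuation syntax is the one `reg export` emits.

```python
# Added example (not from the r-help thread or the R project): rebuild the two
# sections of the base's registry report, "entries added" and "entries modified",
# by diffing a `reg export` snapshot taken before an install against one taken after.
import re

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=data or "name"=data


def parse_reg_export(text):
    """.reg text -> {key_path: {value_name: raw_data}}. Keys with no values are
    kept so that creating an empty key still shows up as an added entry."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):  # hex data continued on the next line
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def diff_snapshots(before_text, after_text):
    """Return (added, modified): added is {key: {value: data}} for keys or values
    absent before the install; modified is {"key\\value": (old, new)}."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    added, modified = {}, {}
    for key, values in after.items():
        if key not in before:
            added[key] = dict(values)
            continue
        for name, data in values.items():
            if name not in before[key]:
                added.setdefault(key, {})[name] = data
            elif before[key][name] != data:
                modified[f"{key}\\{name}"] = (before[key][name], data)
    return added, modified


# Constructed snapshots (sample values, not captured from a real machine): an older
# R is already registered, then a newer R is installed with the installer's "save
# version numbers in the registry" and ".RData association" options left on.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R]
"Current Version"="2.14.2"
"""

AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R]
"Current Version"="2.15.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\R-core\R\2.15.0]
"InstallPath"="C:\\Program Files\\R\\R-2.15.0"
[HKEY_CLASSES_ROOT\.RData]
@="RWorkspace"
"EditFlags"=hex:01,00,\
  00,00
"""
```

Running `diff_snapshots(BEFORE, AFTER)` yields the version subkey and the `.RData` association under "added" and the changed `Current Version` under "modified", which is the shape of report Paul describes; the same two snapshots taken with the installer's two registry options unchecked would show both sections empty.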
On Wed, May 9, 2012 at 12:46 PM, Paul Martin <[hidden email]> wrote:
> I don't have much new to add, but I want to make some clarifying comments:
>
> First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.
>
> The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.
>
> The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed.
>
> We will get separate tests on R without RStudio.
>
> The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the "entries modified" section. All of the vulnerabilities are listed under "entries added".

During the installation process it's only the installer that sets any registry values, not R itself.

Using the standard installer that comes with R it asks you whether you want to save version numbers in the registry and whether you want to create an association for RData files. If you uncheck those then the installation does not set any registry values.

--
Statistics & Software Consulting
GKX Group, GKX Associates Inc.
tel: 1-877-GKX-GROUP
email: ggrothendieck at gmail.com
In reply to this post by Paul Martin
I spoke to someone in the military who did some investigation.
This is his response:

>> 1. I'm sorry that I don't have anything good to report. The military is cautious with its networks and I'm no longer able to use R at work. I don't know anything about this registry issue but the show stopper for me even trying to get R on the military network is CRAN. All that r-project checks on contributed applications is if they load (or compile as necessary) cross-platform. I could make an argument for the security of the Core functionality of R but not for the contributed packages.

On 5/8/12, Paul Martin <[hidden email]> wrote:

> Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry "vulnerabilities" which are detailed in the attachment.
> I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.
> Thank you,
> Paul Martin
> Air Force Research Laboratory
> Kirtland Air Force Base
> Albuquerque, New Mexico
In reply to this post by Gabor Grothendieck
On 09/05/2012 2:04 PM, Gabor Grothendieck wrote:
> On Wed, May 9, 2012 at 12:46 PM, Paul Martin<[hidden email]> wrote:
> > I don't have much new to add, but I want to make some clarifying comments:
> >
> > First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.
> >
> > The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.
> >
> > The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed.
> >
> > We will get separate tests on R without RStudio.
> >
> > The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the "entries modified" section. All of the vulnerabilities are listed under "entries added".
>
> During the installation process it's only the installer that sets any registry values, not R itself.
>
> Using the standard installer that comes with R it asks you whether you want to save version numbers in the registry and whether you want to create an association for RData files. If you uncheck those then the installation does not set any registry values.

That's correct. And with a small change to the installer script, even that can be suppressed.

(For anyone interested: you need "Uninstallable=no" near the top of the Inno Setup script; if using the regular build, that's in the file RHOME/src/gnuwin32/installer/header1.iss.)

Duncan Murdoch
In reply to this post by Richard M. Heiberger
Thanks Rich and Paul:
This gets back to my original comment in this thread. I believe that CRAN repositories simply rely on whatever security software (malware checking, etc.) that the hosts provide; R/CRAN do nothing, as you said. This results in a whole new and almost certainly wholly impracticable level of security protection to validate, so it is doubtful that anything can be done to address the concerns. Again, as you said.

As always, authoritative (dis?) confirmation by R Core experts required to validate by statement.

-- Bert

On Wed, May 9, 2012 at 11:10 AM, Richard M. Heiberger <[hidden email]> wrote:

> I spoke to someone in the military who did some investigation.
> This is his response:
>
>>> 1. I'm sorry that I don't have anything good to report. The military is cautious with its networks and I'm no longer able to use R at work. I don't know anything about this registry issue but the show stopper for me even trying to get R on the military network is CRAN. All that r-project checks on contributed applications is if they load (or compile as necessary) cross-platform. I could make an argument for the security of the Core functionality of R but not for the contributed packages.
>
> On 5/8/12, Paul Martin <[hidden email]> wrote:
>
>> Kirtland Air Force Base has denied approval for the use of R on its Windows network. Some of their objections seem a bit strange, but some appear to be legitimate. In particular, they have detected registry "vulnerabilities" which are detailed in the attachment.
>> I know nothing about Windows registry vulnerabilities. If any of these issues are legitimate concerns, I would like to see them fixed for everyone's benefit. I would appreciate a referral to the appropriate forum for this information. I am willing to assist in getting questions answered and gathering additional information.
>> Thank you,
>> Paul Martin
>> Air Force Research Laboratory
>> Kirtland Air Force Base
>> Albuquerque, New Mexico

--
Bert Gunter
Genentech Nonclinical Biostatistics
Internal Contact Info:
Phone: 467-7374
Website: http://pharmadevelopment.roche.com/index/pdb/pdb-functional-groups/pdb-biostatistics/pdb-ncb-home.htm
In reply to this post by Paul Martin
One more item. Have you given a copy of the document
R: Regulatory Compliance and Validation Issues
A Guidance Document for the Use of R in Regulated Clinical Trial Environments
http://www.r-project.org/doc/R-FDA.pdf

to your security office?

It addresses overlapping, not identical, security issues.

Rich

On 5/9/12, Paul Martin <[hidden email]> wrote:

> I don't have much new to add, but I want to make some clarifying comments:
>
> First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.
>
> The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.
>
> The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed.
>
> We will get separate tests on R without RStudio.
>
> The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the "entries modified" section. All of the vulnerabilities are listed under "entries added".
>
> I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.
>
> Thank you all for your comments,
>
> Paul Martin
>
> On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
>>>> Someone said:
>>>> Once R is accepted, you could ask for an RStudio test if you want.
>> I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R.
>>
>> Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?
>>
>> Barry
In reply to this post by Gabor Grothendieck
What about using a Portable Apps style packaging of R? That might solve some of the issues.
How about just removing those network related packages (including CRAN) from your copy of R?

R can be used portably, as long as you have the packages you need installed already within your R.
In reply to this post by Richard M. Heiberger
Update:
The IT people agreed to test R separately. R is now approved and RStudio is not.

The folks at RStudio are baffled as to why all those registry entries are being recorded. They directed me to the source code which details the known accesses to the registry during installation. I have not yet followed the link.

I suspect the registry vulnerability software is flawed, or perhaps their procedures. (Are they installing into a clean image? No idea.)

So, limited progress. I may just move my R work to Linux, where the rules are different.

Thank you, everyone.

Paul Martin

On 5/9/2012 12:57 PM, Richard M. Heiberger wrote:

> One more item. Have you given a copy of the document
> R: Regulatory Compliance and Validation Issues A Guidance Document for the Use of R in Regulated Clinical Trial Environments
> http://www.r-project.org/doc/R-FDA.pdf
> to your security office?
>
> It addresses overlapping, not identical, security issues.
>
> Rich
>
> On 5/9/12, Paul Martin<[hidden email]> wrote:
>> I don't have much new to add, but I want to make some clarifying comments:
>>
>> First, there are clearly workarounds available. I am using one now. R is installed on a personal laptop which I bring to work every day. I take extreme care with the nature of the files I move back and forth, and none of this is classified. This is common practice here. Yes, it would be nice if I could get R onto my desktop machine at work. It would save me burning CDs to move plots back and forth. But it's not the end of the world. My ability to get work done is not the issue here.
>>
>> The issue is the following: Is there anything here which is of concern to the R community? I suspect the answer is no, but cannot say anything for sure at this point.
>>
>> The registry analysis tool looks like it is custom software developed by the Air Force. I can't get any specific information beyond that. That is unfortunate, since it would be nice if the tests could be duplicated and confirmed.
>>
>> We will get separate tests on R without RStudio.
>>
>> The registry analysis reports results in two sections: Registry entries added and registry entries modified. There were no vulnerabilities found in the "entries modified" section. All of the vulnerabilities are listed under "entries added".
>>
>> I will let you know if I find out anything else. Certainly the isolated test of the R software without RStudio will be of interest.
>>
>> Thank you all for your comments,
>>
>> Paul Martin
>>
>> On 5/9/2012 10:00 AM, Barry Rowlingson wrote:
>>>>> Someone said:
>>>>> Once R is accepted, you could ask for an RStudio test if you want.
>>> I had another thought shortly after my initial email. Suppose yes, R is accepted. Great. You run R.
>>>
>>> Then you think, "Oh, I need ggplot2" (yes you do). Do you then have to get security clearance for every package you want to download from CRAN?
>>>
>>> Barry