security using R at work

Laurence Clark
Hello all,

I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.

My question is:

If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security. Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

Thank you

Laurence


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Laurence Clark
Business Data Analyst
Account Management
Health Management Ltd

Mobile: 07584 556498
Switchboard: 0845 504 1000
Email: [hidden email]
Web: www.healthmanagement.co.uk

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole use of the intended recipients and may contain confidential and privileged information or otherwise be protected by law. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender, and destroy all copies and the original message.

MAXIMUS People Services Limited is registered in England and Wales (registered number: 03752300); registered office: 202 - 206 Union Street, London, SE1 0LX, United Kingdom. The Centre for Health and Disability Assessments Ltd (registered number: 9072343) and Health Management Ltd (registered number: 4369949) are registered in England and Wales. The registered office for each is Ash House, The Broyle, Ringmer, East Sussex, BN8 5NN, United Kingdom. Remploy Limited is registered in England and Wales (registered number: 09457025); registered office: 18c Meridian East, Meridian Business Park, Leicester, Leicestershire, LE19 1WZ, United Kingdom.
______________________________________________
[hidden email] mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.

Re: security using R at work

barry rowlingson
On Wed, Aug 8, 2018 at 4:09 PM, Laurence Clark
<[hidden email]> wrote:
> Hello all,
>
> I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.
>
> My question is:
>
> If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise its security.

> Is there any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

You are talking mostly to statisticians here, and if p>0 then there's
"a chance". I'd say yes, there's a chance, but it's pretty small, and
would only occur through stupidity, accident or malice.

 In the ordinary course of things your data will be on your hard disk,
or on your corporate network drives, and only exist between your
corporate network server and your PC's memory. R will load the data
into that memory, do stuff with it in that memory, and write results
back to hard disk. Nothing leaves the network this way.

However... R has facilities for talking to the internet. You can save
data to google docs spreadsheets, for example, but you'd have to be
signed in to google, and have to type something like:

 > writeGoogleDoc(my_data, "secretdata.xls")

that covers "stupid". You should know that google docs are on google's
servers, and google's servers aren't on your network, and your secret
data shouldn't go on google's servers.

Accidents happen. You might be working on non-secret data which you
want to save to google docs, and accidentally save "data1" which is
secret instead of "data2" which is okay to be public. Oops. You sent
it to google. Accidents happen.

"malice" would be if someone had put code into R or an add-on package
that you use that sends your data over the network without you
knowing. For example maybe every time you fit a linear model with:

 lm(age~beauty, data=people)

R could be transmitting the data to hackers. But the chance of this is
very small, and I don't think any malicious code has ever been
discovered in R or the 12000 add-on packages downloadable from CRAN.
Doesn't mean it hasn't been discovered yet or won't be in the future.

It used to be said that the only machine safe from hackers was one
unplugged from the network. But now hackers can get to your machine
via malicious USB sticks, keyboard loggers, and various other nasties.
The only machine safe from hackers is one with the power off. But take
the power plug out because a wake-on-lan packet could switch your
machine on remotely....

Barry

Re: security using R at work

Rich Shepard
In reply to this post by Laurence Clark
On Wed, 8 Aug 2018, Laurence Clark wrote:

> I want to download R and use it for work purposes. I hope to use it to
> analyse very sensitive data from our clients.

Laurence,

   Good choice.

> My question is:
>
> If I install R on my work network computer, will the data ever leave our
> network? I need to know if the data goes anywhere other than our network,
> because this could compromise its security. Is there any chance the
> data could go to a server owned by 'R' or anything else that's not
> immediately obvious, but constitutes the data leaving our network?

   Your sensitive data are no more, and no less, secure than any other data
on your desktop computer or the company's network. Assuming company
personnel and payroll data are on your local network, and proposals written
with Microsoft's tools are happily created by employees, then your client
data are equally secure (or at risk) regardless of the application used on
them. This is a network security issue, not an R issue.

Rich


Re: security using R at work

rsherry8
In reply to this post by Laurence Clark
I consider R to be secure. It is possible, but very unlikely, that there
are some back door traps in R where somebody could access your data.
There is no software that is 100% secure and R is not 100% secure.

Bob


Re: security using R at work

Rainer Krug-3
This can likely be answered for R itself, but R itself (without additional packages) is very limited. As soon as you install packages, it all depends on the package you install and if you trust the authors of these packages.

As far as I know, there is no code checking for security on CRAN (please correct me if I am wrong!).

The advantage of R and open source: you can always look into the source code and see for yourself.

And as this can be done, and R is not written by a single person or company, the likelihood of a backdoor in R is very very low (lower than in many commercial products I would say).

Cheers,

Rainer


--
Rainer M. Krug, PhD (Conservation Ecology, SUN), MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)

University of Zürich

Cell:       +41 (0)78 630 66 57
email:      [hidden email]
Skype:      RMkrug

PGP: 0x0F52F982





Re: security using R at work

Rainer Krug-3
In reply to this post by barry rowlingson
I can not agree more, Barry. Very nicely put.

Rainer



Re: security using R at work

Jan van der LAan-2
You can also inadvertently transmit data to the internet using a package
without being obviously 'stupid', e.g. by using a package that uses an
external service for data processing. For example, some javascript
visualisation libs can do that (not sure if those wrapped in R-packages
do), or, for example, a geocoding service.

Not having an (outgoing) internet connection at least helps against
mistakes like this (and probably against many untargeted attacks). If it
is allowed to have the sensitive data on that computer, using R on that
computer is probably not going to make it less safe.

Jan
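
An added example, not part of any poster's message: a static check that follows up on the points above about reading package source and about packages that call external services. It parses an unpacked package source directory without loading or running it and reports network-capable calls, HTTP client dependencies and hard-coded URLs. The function names, the watch lists, the `examplepkg` package and the `geocoder.example` URL are all constructed for this illustration.

```r
# Triage an unpacked R package source tree for code that can talk to the
# network. Nothing in the package is loaded or executed: files are only
# parsed, so the check is safe to run on code you do not yet trust.
# Not covered: compiled code under src/, code built at run time with
# eval(parse()), and the dependencies of the dependencies.

# Base/utils functions that open network connections, and common HTTP client
# packages. Both lists are starting points chosen for this example.
net_calls <- c("download.file", "url", "socketConnection", "make.socket",
               "curlGetHeaders")
net_pkgs  <- c("curl", "httr", "httr2", "RCurl", "crul")

# Report tokens of interest in one R source file, using the parser's own
# token table so that a variable merely named `url` is not flagged.
scan_r_file <- function(path) {
  pd <- utils::getParseData(parse(file = path, keep.source = TRUE))
  if (is.null(pd)) return(NULL)                 # empty file
  hit <- (pd$token == "SYMBOL_FUNCTION_CALL" & pd$text %in% net_calls) |
         (pd$token == "SYMBOL_PACKAGE"       & pd$text %in% net_pkgs)  |
         (pd$token == "STR_CONST" & grepl("(https?|ftp)://", pd$text))
  if (!any(hit)) return(NULL)
  data.frame(file = basename(path), line = pd$line1[hit],
             token = pd$token[hit], text = pd$text[hit],
             stringsAsFactors = FALSE)
}

audit_package_source <- function(pkg_dir) {
  # Declared dependencies, with version constraints stripped.
  desc <- read.dcf(file.path(pkg_dir, "DESCRIPTION"),
                   fields = c("Depends", "Imports", "LinkingTo", "Suggests"))
  deps <- unlist(strsplit(desc[1, !is.na(desc[1, ])], ","))
  deps <- trimws(sub("\\(.*", "", deps))

  r_files <- list.files(file.path(pkg_dir, "R"), pattern = "\\.[Rr]$",
                        full.names = TRUE)
  list(network_deps = intersect(deps, net_pkgs),
       code_hits    = do.call(rbind, lapply(r_files, scan_r_file)))
}

# --- Constructed sample package (written to a temp dir, never executed) ---
pkg <- file.path(tempdir(), "examplepkg")
dir.create(file.path(pkg, "R"), recursive = TRUE, showWarnings = FALSE)
writeLines(c("Package: examplepkg",
             "Version: 0.1",
             "Imports: stats, httr (>= 1.4)"),
           file.path(pkg, "DESCRIPTION"))
# A helper that hands its input to an external geocoding service.
writeLines(c("geocode <- function(addresses) {",
             "  httr::GET('https://geocoder.example/api',",
             "            query = list(q = addresses))",
             "}"),
           file.path(pkg, "R", "geocode.R"))
# Purely local computation: produces no findings.
writeLines("fit <- function(d) stats::lm(age ~ beauty, data = d)",
           file.path(pkg, "R", "model.R"))

result <- audit_package_source(pkg)
print(result$network_deps)   # HTTP client packages the package declares
print(result$code_hits)      # file/line of each network-capable token
```

A clean report is not proof that a package never sends data out; the hits show a reviewer where to start reading, and blocking outgoing connections remains the stronger control.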



Re: security using R at work

R help mailing list-2
In reply to this post by Laurence Clark
Hiya,
I work in a very security conscious organisation and we happily use R. The average user can only use R via RStudio Server, with a limited number of packages available, so that adds an additional level of control.
That said, are you sure that the sentence 'a few people on a mailing list said it would be alright' is going to convince your IT department of the harmlessness of R?
Cheers,
Katharina.

--

Dr Katharina Fritsch B.Sc. M.Sc. MRSC
Chemical Modeller, Chemical and Process Modelling


E. [hidden email]
T. +44 (0)1925 289387
@uknnl

National Nuclear Laboratory Limited, 5th Floor, Chadwick House,
Birchwood Park, Warrington, WA3 6AE, UK

www.nnl.co.uk


-----Original Message-----
From: R-help [mailto:[hidden email]] On Behalf Of Laurence Clark
Sent: 08 August 2018 16:10
To: '[hidden email]'
Subject: [R] security using R at work

Hello all,

I want to download R and use it for work purposes. I hope to use it to analyse very sensitive data from our clients.

My question is:

If I install R on my work network computer, will the data ever leave our network? I need to know if the data goes anywhere other than our network, because this could compromise it's security. Is there is any chance the data could go to a server owned by 'R' or anything else that's not immediately obvious, but constitutes the data leaving our network?

Thank you

Laurence




This e-mail is from National Nuclear Laboratory Limited ("NNL"). This e-mail and any attachments are intended for the addressee and may also be legally privileged. If you are not the intended recipient please do not print, re-transmit, store or act in reliance on it or any attachments. Instead, please e-mail it back to the sender and then immediately permanently delete it.

National Nuclear Laboratory Limited (Company number 3857752) Registered in England and Wales. Registered office: Chadwick House, Warrington Road, Birchwood Park, Warrington, WA3 6AE.


Re: security using R at work

barry rowlingson
In reply to this post by Rainer Krug-3
On Thu, Aug 9, 2018 at 9:14 AM, Jan van der Laan <[hidden email]> wrote:
> You can also inadvertently transmit data to the internet using a package
> without being obviously 'stupid', e.g. by using a package that uses an
> external service for data processing. For example, some javascript
> visualisation libs can do that (not sure if those wrapped in R-packages
> do), or, for example, a geocoding service.

Ooh yes, that's probably a whole new category.  Maybe "Unwittingly"
describes this - it could be the user's fault for not reading or
understanding the documentation or the package author's fault for not
documenting the network activity properly. Leave that one to the
lawyers to decide.

Barry


Re: security using R at work

R help mailing list-2
In reply to this post by Laurence Clark
Hello Laurence.
Taking a pragmatic approach.

If the data is so valuable and secret but also needs some analysis in R,
here are suggested steps to minimise security risks.

1. Plan the analysis up front: exactly what you want and the outcomes.
2. Take a laptop with Internet, install R and all packages needed for the
planned analysis.
3. Unplug ethernet and turn off Bluetooth and wifi. So no internet access
at all.
4. Bring your secret data via USB or CD.
5. Perform the R analysis and export reports and figures etc. to a safe place.
6. Delete R, the data and all packages from the laptop before using it online
again.

A bit extreme and there may still be some risk, but it's minimal as the analysis
was done offline, and you removed R etc. after. But you now have a set of R
results.

Just an idea.

John.


On 8 Aug 2018 16:53, "Laurence Clark" <[hidden email]>
wrote:

> Hello all,
>
> I want to download R and use it for work purposes. I hope to use it to
> analyse very sensitive data from our clients.
>
> My question is:
>
> If I install R on my work network computer, will the data ever leave our
> network? I need to know if the data goes anywhere other than our network,
> because this could compromise it's security. Is there is any chance the
> data could go to a server owned by 'R' or anything else that's not
> immediately obvious, but constitutes the data leaving our network?
>
> Thank you
>
> Laurence

Re: security using R at work

R help mailing list-2
In reply to this post by R help mailing list-2
Hi Katharina.
Good point you make. What makes your IT department happy with the use of
RStudio Server? What are the safe packages?

Can I trust your answer? :)
John.



On 9 Aug 2018 10:38, "Fritsch, Katharina (NNL) via R-help" <
[hidden email]> wrote:

> Hiya,
> I work in a very security conscious organisation and we happily use R. The
> average user can only use R via RStudio Server, with a limited number of
> packages available, so that adds an additional level of control.
> That said, are you sure that the sentence 'a few people on a mailing list
> said it would be alright' is going to convince your IT department of the
> harmlessness of R?
> Cheers,
> Katharina.

Re: security using R at work

S Ellison-2
In reply to this post by Laurence Clark
> If I install R on my work network computer, will the data ever leave our
> network?
As far as I know, if you run R locally (and not, say, on an Amazon EC2 instance) your data - indeed anything about you or your machine - will only leave your desktop if you download and run an R package that transfers data intentionally. I don't know of _any_, but there are 10000 or so out there and I've probably used less than a hundred of them over the last decade.
Other than malice, I can't imagine why an R package would upload data to anywhere else, but I suppose it's conceivable that someone has a server farm out there for doing parallel MCMC and has written a package to access it, and that might be a use-case for data upload. Again, I don't know of one.

But here are three things that don't depend on a mailing list opinion.
a) If you are genuinely concerned, airgap. Only run sensitive data on machines that are not connected to the outside world. Install any necessary packages from local .zip on USB drives or something.

b) Install something like Wireshark and test for unexpected outgoing traffic on a dummy data set before applying the package to anything sensitive.

c) Have your IT department mark R as an unauthorised package (in your machine's firewall/security package) for TCP/IP transport so that R cannot talk to the internet.*

*That is a pain as the ability to download packages on demand is really helpful. However, it does mean that you can restrict _just_ R and does not require an airgap.




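A static pre-screen that complements the Wireshark test in (b) and the offline installs in (a), added here as an example and not part of the thread: it reads R source packages (.tar.gz) before they are carried to the offline machine and lists declared dependencies on network client packages plus calls that open connections. The package list, the call patterns and the sample package `geocodr` are assumptions constructed for illustration; compiled code under src/ is not scanned, so a clean report does not replace the traffic test.

```python
import io
import re
import tarfile

# Assumed, non-exhaustive list of HTTP/socket client packages; extend per site.
NET_PACKAGES = {"curl", "httr", "httr2", "RCurl", "crul", "websocket"}
NET_CALLS = re.compile(
    r"(?<![\w.])((?:%s)::\w+|download\.file|socketConnection|make\.socket|url)\s*\("
    % "|".join(sorted(NET_PACKAGES)))

def parse_dcf(text):
    """Parse a DESCRIPTION file (DCF: 'Key: value', indented continuation lines)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            fields[key] = value
    return fields

def declared_deps(fields):
    """Package names in Depends/Imports/LinkingTo, version constraints removed."""
    deps = set()
    for name in ("Depends", "Imports", "LinkingTo"):
        for item in fields.get(name, "").split(","):
            pkg = re.sub(r"\(.*?\)", "", item).strip()
            if pkg and pkg != "R":
                deps.add(pkg)
    return deps

def screen_package(tar_bytes):
    """Report network deps and call sites under R/ ('#' comments stripped naively)."""
    report = {"package": None, "net_deps": [], "net_calls": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            is_desc = len(parts) == 2 and parts[1] == "DESCRIPTION"
            is_code = len(parts) > 2 and parts[1] == "R" and parts[-1].lower().endswith(".r")
            if not member.isfile() or not (is_desc or is_code):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if is_desc:
                fields = parse_dcf(text)
                report["package"] = fields.get("Package")
                report["net_deps"] = sorted(declared_deps(fields) & NET_PACKAGES)
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                match = NET_CALLS.search(line.split("#", 1)[0])
                if match:
                    report["net_calls"].append((member.name, lineno, match.group(1)))
    return report

def make_tarball(files):
    """Build an in-memory .tar.gz from {path: text}; only used for the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: a hypothetical package that posts its input to a remote service.
SAMPLE = {
    "geocodr/DESCRIPTION": "Package: geocodr\nDepends: R (>= 3.5.0)\n"
                           "Imports: httr (>= 1.4.0),\n    jsonlite\n",
    "geocodr/R/geocode.R": "# look up coordinates\ngeocode <- function(addr) {\n"
                           "  r <- httr::POST('https://geocoder.example/api', body = addr)\n"
                           "  utils::download.file(r$url, 'tiles.zip')\n}\n",
}
if __name__ == "__main__":
    print(screen_package(make_tarball(SAMPLE)))
```

Any package with a non-empty `net_deps` or `net_calls` is a candidate for the dummy-data traffic test before it goes near sensitive data.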
Re: security using R at work

Bjørn-Helge Mevik-3
In reply to this post by Laurence Clark
The section I'm working in runs a facility for sensitive research data
(https://www.uio.no/english/services/it/research/sensitive-data/).  Our
users use R (along with other analysis software).  We don't consider R
safe or unsafe, but have designed the services so that it should not be
possible (or at least very difficult) for sensitive information to leak
out of the network.

I would say that your best bet is to expect all analysis software to
have security holes or be compromised, and design your setup/network
around that assumption.

--
Regards,
Bjørn-Helge Mevik
