[OGRUG] Security considerations for R

Daniel Buijs dbuijs at gmail.com
Wed Aug 10 13:12:55 CEST 2016


Abdool,

I would be very happy to chat a bit more about some of the security
considerations we went through in getting set up directly if you are
interested in discussing further.

With respect to the government context, we followed and are following all
relevant policies and procedures and feel that the risk is manageable, as
does the US FDA: https://www.r-project.org/doc/R-FDA.pdf
https://channel9.msdn.com/Events/useR-international-R-User-conference/useR2016/Using-R-in-a-regulatory-environment-FDA-experiences

Daniel Buijs

On Aug 10, 2016 6:01 AM, <r-ug-ottawa-request at r-project.org> wrote:


Today's Topics:

   1. Re: " departments are concerned about security" [Forked from:
      "Centres of ExpeRtise within GOC"] (Abdool Yasseen)
   2. Re: " departments are concerned about security" [Forked from:
      "Centres of ExpeRtise within GOC"] (Joseph Potvin)
   3. Re: " departments are concerned about security" (Tyler Smith)


----------------------------------------------------------------------

Message: 1
Date: Tue, 9 Aug 2016 16:28:42 -0400
From: Abdool Yasseen <abdool.yasseen at gmail.com>
To: Joseph Potvin <jpotvin at xalgorithms.org>
Cc: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
        [Forked from: "Centres of ExpeRtise within GOC"]
Message-ID:
        <CAB0Xbde=BOHx-VHP7jx30o76eyE6V7t+Wd-OAFtwEwS39PngOw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Good to know, and glad others have looked into this further, and developed
documentation.
Still, I can imagine how this issue may make a few directors nervous.


Abdool

On 9 August 2016 at 16:19, Joseph Potvin <jpotvin at xalgorithms.org> wrote:

> Abdool,
>
> See: http://c2.com/cgi/wiki?OpenSourceSecurityStrategy
>
> (Co-authors of that summary are listed at the bottom of the entry.)
>
> Joseph Potvin
> Executive Director, Xalgorithms Foundation
> Mobile: 819-593-5983
> jpotvin at xalgorithms.org
> https://www.xalgorithms.org
>
> On Tue, Aug 9, 2016 at 3:43 PM, Abdool Yasseen <abdool.yasseen at gmail.com>
> wrote:
>
>> Hey Alex,
>>
>> Re: the use of R in government.
>>
>> I know some departments are concerned about security, and are hesitant to
>> make the shift. Also, the current knowledge base for R varies from place to
>> place, like Tyler said. This will definitely be changing in the future,
>> because R is the dominant paradigm in most analytic based university shops,
>> of which their alumni will be future government employees.
>>
>> The only analogy I can think about is at the Institute for Clinical
>> Evaluative Sciences (ICES) which didn't have R available, up till a few
>> years back. They were really concerned about data access and only support
>> an internally contained html-version of R (importing packages and the like
>> need to be monitored). In light of the ever increasing need for web based
>> security, I think the use of R in the government should follow suit.
>>
>> Just a point to note when thinking about applying freeware in institution
>> settings,
>>
>> Abdool
>>
>>
>>
>> On 9 August 2016 at 11:27, jianmin duan <jim201105 at gmail.com> wrote:
>>
>> > Dear Alex:
>> >
>> > At Duan Pharmaceutical Consulting Inc., we use R for biostatistical
>> > analysis, PK/PD data analysis and power tests etc.
>> >
>> > Best regards,
>> >
>> > Jianmin
>> >
>> > On Mon, Aug 8, 2016 at 2:05 PM, Alex Demarsh <alexdemarsh at gmail.com>
>> > wrote:
>> >
>> > > Hey folks -
>> > >
>> > > Not sure if this is on-topic for this list, but I've become curious about
>> > > the prevalence of R use in the Government of Canada (GOC) - particularly
>> > > how many analytic teams are using R as their primary language.
>> > >
>> > > So, if you're a member of (or just know of) such an "R Shop", could you let
>> > > me know? Any information on specific tasks or level of expertise would be a
>> > > helpful addition.
>> > >
>> > > Many thanks in advance,
>> > >
>> > > Alex Demarsh
>> > > Epidemiologist/Biostatistician, Public Health Agency of Canada
>> > >
>> > > _______________________________________________
>> > > R-UG-Ottawa mailing list
>> > > R-UG-Ottawa at r-project.org
>> > > https://stat.ethz.ch/mailman/listinfo/r-ug-ottawa
>> > >
>> >
>>
>>
>>
>> --
>> *Abdool S. Yasseen III PhD(c)*
>> Dalla Lana School of Public Health, University of Toronto
>> __________________________________________________________________
>> "A powerful will can cure, where doubt will end in failure" : Franz Anton Mesmer
>> "It's tough to make predictions, especially about the future" : Yogi Berra
>>
>
>


--
*Abdool S. Yasseen III PhD(c)*
Dalla Lana School of Public Health, University of Toronto
__________________________________________________________________
"A powerful will can cure, where doubt will end in failure" : Franz Anton Mesmer
"It's tough to make predictions, especially about the future" : Yogi Berra




------------------------------

Message: 2
Date: Tue, 9 Aug 2016 16:45:54 -0400
From: Joseph Potvin <jpotvin at xalgorithms.org>
To: Abdool Yasseen <abdool.yasseen at gmail.com>
Cc: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
        [Forked from: "Centres of ExpeRtise within GOC"]
Message-ID:
        <CAAuWHCJUT==NvHrJbpS83OJhYxLJdTwnjh1ZD391cK--dtQdcQ at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

RE: "this issue may make a few directors nervous"

Yup. And they should be much more nervous when they are not allowed to
independently validate the integrity of software that GC and Canadians
depend upon. (Unfortunately, many rely on supplier marketing materials,
confident proposal text, and f2f meetings with suppliers.)

Here's another "oldie" (from 1999): this one is an explanation for a
Washington State Dept of Transportation office about why bridge engineering
software ought to be free/libre/open:
http://www.wsdot.wa.gov/eesc/bridge/alternateroute/about.htm


Joseph Potvin
Executive Director, Xalgorithms Foundation
Mobile: 819-593-5983
jpotvin at xalgorithms.org
https://www.xalgorithms.org




------------------------------

Message: 3
Date: Tue, 09 Aug 2016 17:08:02 -0400
From: Tyler Smith <tyler at plantarum.ca>
To: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
Message-ID:
        <1470776882.1198746.690699377.12CD4E4D at webmail.messagingengine.com>
Content-Type: text/plain

On Tue, Aug 9, 2016, Abdool Yasseen wrote:
> >> Just a point to note when thinking about applying freeware in institution
> >> settings,
>
> Still, I can imagine how this issue may make a few directors nervous.

They may be nervous, but this is due in large part to conflating the
concepts of freeware and Free Software.

Freeware is typically a binary executable of unknown provenance, and
frequently contains malware. The developers are unknown, and there is
little risk to them if their program does bad things to the users'
computers.

Free Software is software for which the source code is available, and
typically is developed in an open and transparent way. In many cases
(including R), the developers are well-known and respected domain
experts. While it's unlikely an average R user has the time or expertise
to validate the security of the code they use, there are many expert
users that do. Furthermore, the domain experts behind it would risk
their reputations and careers should they engage in anything nefarious.

It would be possible to use R as an infection vector, but the effort
required to entice a naive user into running malicious R code would be
far greater, and the target group far smaller, than a standard phishing
email scam. On the other hand, there are many serious benefits to using
Free Software, some of which are detailed in the links Joseph provided.

Best,

Tyler



------------------------------


End of R-UG-Ottawa Digest, Vol 40, Issue 3
******************************************
