On 08/05/2012 11:10 AM, Paul Martin wrote:
    Kirtland Air Force Base has denied approval for the use of R on its
    Windows network. Some of their objections seem a bit strange, but some
    appear to be legitimate. In particular, they have detected registry
    "vulnerabilities" which are detailed in the attachment.

I suspect their test is wrong, but I can't say for sure, because they apparently tested R within RStudio. I know R didn't have anything to do with most of those registry entries that were listed, and I strongly suspect RStudio didn't either.

I'd suggest that if you want to use R, just ask them to test R. It's nice to have the RStudio front end, but you don't need it.

Once R is accepted, you could ask for an RStudio test if you want.

On the other hand, R is not safe to install, in the sense that it does give programs access to anything the user has access to. I am pretty sure that's also true of at least Matlab and Mathematica in the list of alternatives you were given.

Duncan Murdoch

    I know nothing about Windows registry vulnerabilities. If any of these
    issues are legitimate concerns, I would like to see them fixed for
    everyone's benefit. I would appreciate a referral to the appropriate
    forum for this information. I am willing to assist in getting questions
    answered and gathering additional information.
    Thank you,
    Paul Martin
    Air Force Research Laboratory
    Kirtland Air Force Base
    Albuquerque, New Mexico
    -------- Original Message --------

    Subject: FW: R/RStudio Software
    Date: Fri, 4 May 2012 15:15:20 -0600
    From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
    [1]<paul.mar...@kirtland.af.mil>
    To: [2]<pamar...@alum.mit.edu>

-----Original Message-----
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 3:13 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Subject: RE: R/RStudio Software

Mr. Martin,

RStudio is an IDE for writing R code. I installed RStudio first, but it
doesn't work without R, so I tested them together.

When I test software, the registry analysis file is usually blank. But this
one happens to have numerous registry vulnerabilities - see attached. For most
of them, I don't even know if they affect the software.
Collaboration P2P Host In TCP/Out TCP allowed seemed troubling.

Thanks,
Suman

-----Original Message-----
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:51 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Ms. Goel,

Sorry to bother you again with this, but I have two more questions:

1. Were these vulnerabilities found in both R and RStudio?

2. Could you be more explicit about the registry vulnerabilities? This is
the only item where I could potentially get some issues addressed. Even if
I cannot get this software on the NIPRNET, I can pass along your discoveries
and help the community improve their code.

Thank you,

Paul Martin

-----Original Message-----
From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:34 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Mr. Martin,

Thank you for understanding. Here are some examples of vulnerabilities.

Numerous forbidden file extensions.
Numerous registry vulnerabilities
Network connections to foreign IP address

Many vulnerabilities are firewall policies related under restricted
services.

Once again, thank you,

Respectfully,
Suman


-----Original Message-----
From: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Sent: Friday, May 04, 2012 2:12 PM
To: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Subject: RE: R/RStudio Software

Suman,

Thank you for your reply. If it is not too much trouble, could you enumerate
the issues you found, so that I can forward the list to the team maintaining
the R software? I have no idea what kind of response to expect, but these
people should at least be aware of the issues.

Thank you.

Paul Martin

From: Goel, Suman K Civ USAF AFMC AFRL/RVIO
Sent: Friday, May 04, 2012 2:07 PM
To: Martin, Paul A Civ USAF AFMC AFRL/RVSEF
Cc: Motes, Raymond A Civ USAF AFMC AFRL/RVSE; Serafico, Romeo G Civ USAF
AFMC AFRL/RVIO; Mickey, Dallas C Civ USAF AFMC AFRL/RVIO; Trujillo, Lloyd P
Civ USAF AFMC AFRL/RVIO
Subject: R/RStudio Software

Mr. Martin,

After completing the vulnerability analysis, we decided to decline to
approve R/RStudio software on the NIPRNet. We discovered many unmitigated
risks and numerous registry vulnerabilities. The above-mentioned open source
software poses high risks to the NIPRNet. We recommend using software from
the Kirtland Base approved list. Here are some examples of the base approved
statistical software:

SPSS v19.x
LISREL v8.x
JMP v8.x - Soon to be certified: JMP v9 or 10
Matlab v7.x
Mathematica v8.x
OriginPro v8.x

If you like, we can add the following statistical software to the base list,
which will be available on May 25th.

Minitab v16.x
SAS v9.x
Maple v15.x

In addition, please let us know if you have any other proprietary
statistical software in mind. We can get those certified for the Base ATO.

I apologize that this may cause an interruption in your project. Most
proprietary software is safe for NIPRNet use, but this one caused some
concerns. However, this can be continued for a standalone system. Please
accept my humble apology.

Thanks,

Respectfully,

Suman Goel
505-846-5357
AFRL/RVIO

References

    1. mailto:paul.mar...@kirtland.af.mil
    2. mailto:pamar...@alum.mit.edu


______________________________________________
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
