
[OGRUG] Security considerations for R

Abdool,

I would be very happy to chat a bit more about some of the security
considerations we went through in getting set up directly if you are
interested in discussing further.

With respect to the government context, we followed and are following all
relevant policies and procedures and feel that the risk is manageable, as
does the US FDA: https://www.r-project.org/doc/R-FDA.pdf
https://channel9.msdn.com/Events/useR-international-R-User-conference/useR2016/Using-R-in-a-regulatory-environment-FDA-experiences

Daniel Buijs
On Aug 10, 2016 6:01 AM, <r-ug-ottawa-request at r-project.org> wrote:

Today's Topics:

   1. Re: " departments are concerned about security" [Forked from:
      "Centres of ExpeRtise within GOC"] (Abdool Yasseen)
   2. Re: " departments are concerned about security" [Forked from:
      "Centres of ExpeRtise within GOC"] (Joseph Potvin)
   3. Re: " departments are concerned about security" (Tyler Smith)


----------------------------------------------------------------------

Message: 1
Date: Tue, 9 Aug 2016 16:28:42 -0400
From: Abdool Yasseen <abdool.yasseen at gmail.com>
To: Joseph Potvin <jpotvin at xalgorithms.org>
Cc: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
        [Forked from: "Centres of ExpeRtise within GOC"]
Message-ID:
        <CAB0Xbde=BOHx-VHP7jx30o76eyE6V7t+Wd-OAFtwEwS39PngOw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Good to know, and glad others have looked into this further, and developed
documentation.
Still, I can imagine how this issue may make a few directors nervous.


Abdool
On 9 August 2016 at 16:19, Joseph Potvin <jpotvin at xalgorithms.org> wrote:

            
--
*Abdool S. Yasseen III PhD(c)*
Dalla Lana School of Public Health, University of Toronto
__________________________________________________________________
"A powerful will can cure, where doubt will end in failure" :  Franz Anton
Mesmer
"It's tough to make predictions, especially about the future" : Yogi Berra




------------------------------

Message: 2
Date: Tue, 9 Aug 2016 16:45:54 -0400
From: Joseph Potvin <jpotvin at xalgorithms.org>
To: Abdool Yasseen <abdool.yasseen at gmail.com>
Cc: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
        [Forked from: "Centres of ExpeRtise within GOC"]
Message-ID:
        <CAAuWHCJUT==NvHrJbpS83OJhYxLJdTwnjh1ZD391cK--dtQdcQ at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

RE: "this issue may make a few directors nervous"

Yup. And they should be much more nervous when they are not allowed to
independently validate the integrity of software that GC and Canadians
depend upon. (Unfortunately, many rely on supplier marketing materials,
confident proposal text, and f2f meetings with suppliers.)

Here's another "oldie" (from 1999): this one is an explanation for a
Washington State Dept of Transportation office about why bridge engineering
software ought to be free/libre/open:
http://www.wsdot.wa.gov/eesc/bridge/alternateroute/about.htm


Joseph Potvin
Executive Director, Xalgorithms Foundation
Mobile: 819-593-5983
jpotvin at xalgorithms.org
https://www.xalgorithms.org

On Tue, Aug 9, 2016 at 4:28 PM, Abdool Yasseen <abdool.yasseen at gmail.com>
wrote:
------------------------------

Message: 3
Date: Tue, 09 Aug 2016 17:08:02 -0400
From: Tyler Smith <tyler at plantarum.ca>
To: r-ug-ottawa at r-project.org
Subject: Re: [OGRUG] " departments are concerned about security"
Message-ID:
        <1470776882.1198746.690699377.12CD4E4D at webmail.messagingengine.com>
Content-Type: text/plain

On Tue, Aug 9, 2016, Abdool Yasseen wrote:

They may be nervous, but this is due in large part to conflating the
concepts of freeware and Free Software.

Freeware is typically a binary executable of unknown provenance, and
frequently contains malware. The developers are unknown, and there is
little risk to them if their program does bad things to the users'
computers.

Free Software is software for which the source code is available, and
typically is developed in an open and transparent way. In many cases
(including R), the developers are well-known and respected domain
experts. While it's unlikely an average R user has the time or expertise
to validate the security of the code they use, there are many expert
users that do. Furthermore, the domain experts behind it would risk
their reputations and careers should they engage in anything nefarious.

It would be possible to use R as an infection vector, but the effort
required to entice a naive user into running malicious R code would be
far greater, and the target group far smaller, than a standard phishing
email scam. On the other hand, there are many serious benefits to using
Free Software, some of which are detailed in the links Joseph provided.

Best,

Tyler



------------------------------


End of R-UG-Ottawa Digest, Vol 40, Issue 3
******************************************