class: center, middle, inverse, title-slide

# Security and R
## It’s secure - we’re the problem
### Colin Gillespie (@csgillespie)

---
<!-- https://www.youtube.com/watch?v=opRMrEfAIiI -->
layout: true

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
autosize: true
class: middle, center, inverse

<video controls>
<source src="https://www.mas.ncl.ac.uk/~ncsg3/password.mp4" type="video/mp4">
</video>

---
layout: true

<div class="jr-header"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
layout: true
background-image: url(assets/white_logo.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center, inverse, middle

# For this talk I did some research

---
class: center, inverse, middle

# What's a hacker?
### Credit: Troy Hunt

---
layout: true
background-image: url(graphics/google-image-hacker.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center

---
# Hacker: Someone with a hoody

---
# Hacker: Someone who uses green text

---
# Hackers are scary!

---
layout: true
background-image: url(graphics/hacker_and_mum.jpg)
background-size: contain

---
<!-- Ryan clark who hacked the CIA with his mum -->

---
layout: true
background-image: url(assets/white_logo.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center, inverse, middle

# My modest security goal

--

# Only get hacked by adults

---
layout: false
layout: true
background-image: url(assets/greek.jpg)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center, inverse

# What do you see?
---
layout: false
layout: true
background-image: url(assets/greek_note.jpg)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center, inverse

# What do you see?

---
class: center, inverse

# Former Minister (Greek Intelligence)

---
class: center, inverse

# username: minister
# password: 12345

---
layout: false
layout: true

<div class="jr-header"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
# RStudio in the cloud

* Someone has kindly made a container
  - Just point & click

--

* Default username/password: rstudio/rstudio
  - Guess what's coming?
  - (Default changed 12 months ago)

---
layout: false
layout: true
background-image: url(graphics/rstudio_world.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: center

# Let's find RStudio

---
layout: false
layout: true
background-image: url(graphics/rstudio_log_on.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
class: bottom, center

# What username & password to try?
---
class: bottom, center

# username: __rstudio__

---
class: bottom, center

# username: __rstudio__
# password: __rstudio__

---
layout: true

<div class="jr-header"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
# Bioconductor

* R repository for genomics data
* Contains over 1000 packages

--

* To install Bioconductor run

```r
source("https://bioconductor.org/biocLite.R")
```

---
# Bioconductor

```r
source("https://bioconductor.org/biocLite.R")
```

Last year I made a few online purchases

--

* boconductor.org
--
* biconductor.org
--
* biocnductor.org
--
* biocoductor.org
--
* 13 in total

Total cost less than £100

---
layout: false
layout: true
background-image: url(/tmp/time.png)
background-size: contain

<div class="jr-header"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-user-security</div></div>

---
# Hits over time

![](graphics/time.png)

---
# Hits

In the last few months, I've had hits from

* 8 out of top 10 Unis
* Governments
* Pharma companies

--

Every hit to my fake sites would

* allow me to run an arbitrary R script
* __all__ user data belongs to me (insert evil laugh)

---
# R-bloggers

--

* Suppose someone scans a list of contributing blogs
--
* Suppose someone looks for blogs that return 404's
--
* Suppose someone purchases these domains ....
--
* Suppose someone creates a quick blog post on graphics
--
* Would people run arbitrary code?
--
  - The answer is yes

---
# Summary

Security is important (I've a few more examples!)
* Jumping Rivers spends just as much time on set-up and security
* Data scientists typically don't have much formal programming experience
  - Even less in the web & security department

--

* __Beta testers:__ RStudio server/connect monitoring
  - http://bit.ly/user2019-security

---
# Credits & Further Reading

* Listening & reading material by [Troy Hunt](https://www.troyhunt.com/) & [Scott Helme](https://scotthelme.co.uk/) provided lots of inspiration for this talk. In particular, the bit about "What is a hacker"
* I found (and recommend) their [Hack Yourself First](https://www.troyhunt.com/workshops/) course
  * Expensive, but amazingly well delivered and fun.
* Another excellent podcast is [Darknet Diaries](https://darknetdiaries.com/)
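
---
# Appendix: checking before you `source()`

The Bioconductor typo-domains and the R-bloggers scenario both come down to `source()`-ing whatever a URL returns. This slide is an added example (mine, not code from the talk or from Bioconductor): a wrapper that refuses to run a remote script unless the URL is https, the host exactly matches an allowlist and, optionally, the downloaded file has a SHA-256 you recorded earlier. It assumes the `digest` package for hashing; the allowlist and the expected hash are placeholders you set yourself.

```r
# Added example: guard a remote script before source()-ing it.
# Assumes the 'digest' package is installed (for SHA-256).

# Parse out scheme and host with a crude regex; anything that fails to
# parse is returned unchanged and so fails the checks below.
url_parts <- function(url) {
  u <- tolower(trimws(url))
  list(
    scheme = sub("^([a-z]+)://.*$", "\\1", u),
    host   = sub("^[a-z]+://([^/:]+).*$", "\\1", u)
  )
}

# Returns TRUE or stops. Exact host match only: a typo such as
# 'boconductor.org' must not pass, nor must 'bioconductor.org.evil.example'.
check_source_url <- function(url, allowed_hosts = c("bioconductor.org")) {
  p <- url_parts(url)
  if (p$scheme != "https") {
    stop("refusing to source over '", p$scheme, "': use https")
  }
  if (!p$host %in% allowed_hosts) {
    stop("host '", p$host, "' is not on the allowlist")
  }
  TRUE
}

# Download to a temp file, optionally verify a pinned SHA-256, then source.
safe_source <- function(url, allowed_hosts = c("bioconductor.org"),
                        expected_sha256 = NULL) {
  check_source_url(url, allowed_hosts)
  tmp <- tempfile(fileext = ".R")
  on.exit(unlink(tmp))
  download.file(url, tmp, quiet = TRUE, mode = "wb")
  if (!is.null(expected_sha256)) {
    got <- digest::digest(file = tmp, algo = "sha256")
    if (!identical(got, tolower(expected_sha256))) {
      stop("checksum mismatch for ", url, ": got ", got)
    }
  }
  source(tmp)
}

# These checks run offline: the typo-squatted and non-https URLs are rejected
# before any download; the genuine host passes the URL check.
check_source_url("https://bioconductor.org/biocLite.R")        # TRUE
try(check_source_url("https://boconductor.org/biocLite.R"))    # Error: host not on allowlist
try(check_source_url("http://bioconductor.org/biocLite.R"))    # Error: not https
```

Pin `expected_sha256` to the value you computed the first time you inspected the script; a changed upstream file then fails closed instead of running silently.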