class: center, middle, inverse, title-slide

# Security and R
## A gentle introduction
### Colin Gillespie (@csgillespie)

---

<!-- https://www.youtube.com/watch?v=opRMrEfAIiI -->

layout: true
background-image: url(assets/white_logo.png)
background-size: contain

<div class="jr-header-inverse"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer-inverse"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-whyr</div></div>

---

class: center, inverse, middle

# R is secure

---

class: center, inverse, middle

# The problem is us

---

layout: true

---

autosize: true
class: middle, center, inverse

<video controls>
  <source src="https://www.mas.ncl.ac.uk/~ncsg3/password.mp4" type="video/mp4">
</video>

---

layout: true

<div class="jr-header"> <img class="logo" src="assets/white_logo_full.png"/> <span class="social"><table><tr><td><img src="assets/twitter.gif"/></td><td> @jumping_uk</td></tr></table></span> </div>
<div class="jr-footer"><span>© 2019 Jumping Rivers (jumpingrivers.com)</span><div>jumpingrivers.com/t/2019-whyr</div></div>

---

class: middle, center

# As Donald said...

---

layout: true
background-image: url(assets/white_logo.png)
background-size: contain

---

class: center, inverse, middle

# For this talk I did some research

---

class: center, inverse, middle

# What's a hacker?

### Credit: Troy Hunt (see final slide)

---

layout: true
background-image: url(graphics/google-image-hacker.png)
background-size: contain

---

class: center

---

# Hacker: Someone with a hoody

---

# Hacker: Someone who uses green text

---

# Hackers are scary!

---

layout: true
background-image: url(graphics/hacker_and_mum.jpg)
background-size: contain

---

<!-- Ryan Clark who hacked the CIA with his mum -->

---

layout: true
background-image: url(assets/white_logo.png)
background-size: contain

---

class: center, inverse, middle

# My modest security goal

--

# Only get hacked by adults

---

layout: false
layout: true
background-image: url(assets/greek.jpg)
background-size: contain

---

class: center, inverse

# What do you see?

---

layout: false
layout: true
background-image: url(assets/greek_note.jpg)
background-size: contain

---

class: center, inverse

# What do you see?

---

class: center, inverse

# Former Minister (Greek Intelligence)

---

class: center, inverse

# username: minister
# password: 12345

---

layout: false
layout: true

---

# RStudio in the cloud

* We run RStudio in the cloud
    - rstudio.jumpingrivers.cloud
* Setting it up is easy
    - Create a cloud account
    - Click a single link to launch an instance

--

* Someone has kindly made a Docker container
    - Just point & click

--

* Default username/password: rstudio/rstudio
    - Guess what's coming?

---

layout: false
layout: true
background-image: url(graphics/rstudio_world.png)
background-size: contain

---

class: center

# Let's find RStudio

---

layout: false
layout: true
background-image: url(graphics/rstudio_log_on.png)
background-size: contain

---

class: bottom, center

# What username & password to try?

---

class: bottom, center

# username: __rstudio__

---

class: bottom, center

# username: __rstudio__
# password: __rstudio__

---

layout: false
layout: true

---

# Bioconductor

* R package repository for genomics and bioinformatics
* Contains over 1000 packages

--

* To install Bioconductor, run

```r
source("https://bioconductor.org/biocLite.R")
```

(This was the documented method at the time; since Bioconductor 3.8 the recommended route is `BiocManager::install()` from CRAN, which removes the remote `source()` step.)

---

# Bioconductor

```r
source("https://bioconductor.org/biocLite.R")
```

Last year I made a few online purchases

--

* boconductor.org

--

* biconductor.org

--

* biocnductor.org

--

* biocoductor.org

--

* 13 in total

Total cost less than £100

---

layout: false
layout: true
background-image: url(/tmp/time.png)
background-size: contain

---

# Hits over time

---

# Hits

In the last few months, I've had hits from

* 8 out of top 10 Unis
* Governments
* Pharma companies

--

Every hit to my fake sites

* allowed me to run an arbitrary R script
* and steal sensitive data

---

layout: true

---

# R-bloggers

* Syndicates "R blogs"
* Suppose someone scans a list of contributing blogs

---

# R-bloggers

* Suppose someone scans a list of contributing blogs

--

* Suppose someone looks for blogs that return 404s

--

* Suppose someone purchases these domains...

--

* Suppose someone creates a quick blog post on graphics

--

* Would people run arbitrary code?

--

    - The answer is yes

---

layout: true
background-image: url(assets/white_logo.png)
background-size: contain

---

class: center, inverse, middle

# That's __not__ all folks

---

layout: true

---

# Other topics

* User authentication
* SQL (and data frame!) injections
* http vs https
* Package trust
* Uploading malicious files

---

# Summary

Security is important

* Jumping Rivers spends __more__ time on set-up and security than on machine learning
* Data scientists typically don't have much formal programming experience
    - Even less in the web & security department
* __Beta testers:__ RStudio Server/Connect monitoring
    - http://bit.ly/user2019-security (not a trick link!)

---

# Credits & Further Reading

* Listening & reading material by [Troy Hunt](https://www.troyhunt.com/) & [Scott Helme](https://scotthelme.co.uk/) provided lots of inspiration for this talk.
    - In particular, the bit about "What is a hacker"
* I found (and recommend) their [Hack Yourself First](https://www.troyhunt.com/workshops/) course
    - Expensive, but amazingly well delivered and fun.
* Another excellent podcast is [Darknet Diaries](https://darknetdiaries.com/)
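
---

# Appendix: verify before you `source()`

The Bioconductor typosquats and the R-bloggers expired-domain scenario both come down to one line, `source("https://...")`, that runs whatever the other end chooses to serve. The guard below is an added example written for this version of the slides, not code from the talk, from Bioconductor or from R-bloggers. It assumes the `digest` package is installed; the trusted host list and the pinned SHA-256 are values you pick yourself (hash the script once on a machine you trust), not anything the projects publish.

```r
# Added example for this write-up, not code from the talk, Bioconductor or
# R-bloggers. Requires the 'digest' package (install.packages("digest")).
# The trusted host list and the pinned hash are values you choose; no project
# named here publishes them in this form.

trusted_hosts <- c("bioconductor.org", "cran.r-project.org")

# Minimal URL splitter: scheme, host (lower-cased, port dropped), path.
parse_url <- function(url) {
  re <- "^([A-Za-z]+)://([^/:?#]+)(?::[0-9]+)?(.*)$"
  m <- regmatches(url, regexec(re, url, perl = TRUE))[[1]]
  if (length(m) == 0) stop("not a URL: ", url)
  list(scheme = tolower(m[2]), host = tolower(m[3]), path = m[4])
}

# Exact-match allowlist plus look-alike detection. A substring or suffix test
# would let "bioconductor.org.evil.example" through, so only identity counts.
# utils::adist gives the edit distance; a host within two edits of a trusted
# name is reported as a probable typosquat rather than merely "unknown".
check_host <- function(host, trusted = trusted_hosts, max_dist = 2) {
  if (host %in% trusted) return(invisible(TRUE))
  d <- as.integer(adist(host, trusted))
  nearest <- trusted[which.min(d)]
  if (min(d) <= max_dist) {
    stop(sprintf("refusing '%s': looks like a typosquat of '%s' (edit distance %d)",
                 host, nearest, min(d)))
  }
  stop(sprintf("refusing '%s': not in the trusted host list", host))
}

# Drop-in for source(url): https only, trusted host only, and the bytes
# received must hash to the SHA-256 pinned in advance. A typosquatted host,
# a script silently changed on the server, or an expired-domain blog that now
# serves something else all fail before any code runs.
source_verified <- function(url, sha256, trusted = trusted_hosts, ...) {
  u <- parse_url(url)
  if (u$scheme != "https") stop("refusing non-https URL: ", url)
  check_host(u$host, trusted)
  tmp <- tempfile(fileext = ".R")
  on.exit(unlink(tmp))
  download.file(url, tmp, mode = "wb", quiet = TRUE)  # wb: hash the exact bytes
  got <- digest::digest(tmp, algo = "sha256", file = TRUE)
  if (!identical(tolower(got), tolower(sha256))) {
    stop(sprintf("hash mismatch for %s\n  expected %s\n  got      %s",
                 url, sha256, got))
  }
  source(tmp, ...)
}

# The look-alike domains from the talk, plus a suffix trick, are all refused
# before anything is downloaded:
for (h in c("boconductor.org", "biconductor.org", "biocnductor.org",
            "biocoductor.org", "bioconductor.org.evil.example")) {
  message(tryCatch(check_host(h), error = conditionMessage))
}

# Usage (the hash is a placeholder; substitute the value you computed):
# source_verified("https://bioconductor.org/biocLite.R",
#                 sha256 = "<pinned sha256 hex>")
```

Pinning a hash does not solve the first download (the hash has to come from somewhere you already trust), but it turns a quiet swap of the script into a hard failure, and the host check stops every domain bought for this talk before a byte is fetched. The same guard applies to any `source(url)` line copied from a blog post: if the blog's domain has lapsed, the host is no longer in your list and the hash no longer matches.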