class: center, middle, inverse, title-slide

# Getting the most…
## Out of other people’s R sessions
### Colin Gillespie (@csgillespie)

---

<!-- https://www.youtube.com/watch?v=opRMrEfAIiI -->

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: left, top, inverse

<div class="jr-header-inverse">
<img class="logo" src="assets/header-jr-white-logo.png"/>
<span class="social">
<table><tr>
<td> <img src="assets/header-twitter.gif"/> </td>
<td>@jumping_uk</td></tr>
</table>
</span>
</div>
<div class="jr-footer-inverse">
<span>© 2020 Jumping Rivers (jumpingrivers.com) </span>
<div> </div>
</div>

---

# Who: Colin Gillespie

* Lead consultant at [Jumping Rivers](https://www.jumpingrivers.com)
* Author of Efficient R Programming
* R package author: poweRlaw, rtypeform, benchmarkme, ...

<img src="graphics/book.png" width="180px" style="display: block; margin: auto 0 auto auto;" />

---

# Jumping Rivers

* Founded 2016 (3, 5, 8, now 11 FTE)
* Training & Consultancy
* Lots of R, Python, ...
* Moving into NICD June
* Preferred Microsoft AI training partners (1 of 30 worldwide)
* RStudio full service partners (1 of 9 worldwide)

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: center, middle, inverse

---

# R is secure

---

# The problem is us

---

layout: true
class: center, middle, inverse

---

<iframe width="970" height="545" src="https://drive.google.com/file/d/1IgxDjRD2xT2RDZD8lZvrEvH2LDy05CGN/preview" allowfullscreen></iframe>

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: center, middle, inverse

---

# For this talk I did some research

---

# What's a hacker
### via Troy Hunt

---

layout: true
background-image: url(graphics/google-image-hacker.png)
background-size: contain
class: left, top, inverse

---

---

### Hackers: wear hoodies

---

### Hackers: use green text

---

### Hackers are scary!
---

layout: true
background-image: url(graphics/hacker_and_mum.jpg)
background-size: contain
class: left, top, inverse

---

<!-- Ryan clark who hacked the CIA with his mum -->

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: right, middle, inverse

---

## My modest security goal

--

# Only get hacked by adults

---

layout: true
background-image: url(graphics/security_assets_greek.jpg)
background-size: contain
class: left, top, inverse

---

## What do you see?

---

layout: true
background-image: url(graphics/security_assets_greek_note.jpg)
background-size: contain
class: left, top, inverse

---

## What do you see?
--

### Former Minister (Greek Intelligence)

---

# username: minister
# password: 12345

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: right, middle, inverse

---

# RStudio

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: left, top, inverse

---

### RStudio in the Cloud

* We run RStudio in the cloud
  - rstudio.jumpingrivers.cloud

--

* Easy to set-up
  - Create a cloud account
  - Single click to launch

---

### RStudio in the cloud

* Someone has kindly made a Docker container
  - Just point & click

--

* Default username/password: rstudio/rstudio

--

* Now what?
---

layout: true
background-image: url(graphics/rstudio_world.png)
background-size: contain
class: left, top, inverse

---

### Let's find RStudio

---

layout: true
background-image: url(graphics/rstudio_log_on.png)
background-size: contain
class: left, top, inverse

---

### Username & password?

---

### Username: __rstudio__

--

### Password: __rstudio__

---

layout: true
class: left, top

---

### Bioconductor

* R repository for genomics data
* Contains over 1000 packages

--

* To install Bioconductor run

```r
source("https://bioconductor.org/biocLite.R")
```

---

### Bioconductor

```r
source("https://bioconductor.org/biocLite.R")
```

I made a few online purchases

--

* boconductor.org

--

* biconductor.org

--

* biocnductor.org

--

* biocoductor.org

--

* 13 in total

Total cost less than £100

---

layout: true
background-image: url(graphics/time.png)
background-size: contain
class: left, top, inverse

---

---

layout: true
class: left, top

---

# Hits

In the last few months, I've had hits from

* 8 out of top 10 Unis
* Governments
* Pharma companies

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: center, middle, inverse

---

# R-bloggers

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: left, top, inverse

---

### R-bloggers

Suppose someone

* scans a list of contributing blogs

--

* looks for blogs that return 404's

--

* purchases these domains ....

--

* creates a quick blog post on graphics

--

Would people run arbitrary code?
---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: center, middle, inverse

---

# YES

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: right, middle, inverse

---

# Let's go mining!

---

### Feb 2018
### Multiple sites around the world
### JavaScript Bitcoin miner

---

layout: true
background-image: url(graphics/gmc_hack.jpg)
background-size: contain
class: left, top, inverse

---

---

layout: true
background-image: url(graphics/student_loans.jpg)
background-size: contain
class: left, top, inverse

---

---

layout: true
background-image: url(graphics/nhs_hack.jpg)
background-size: contain
class: left, top, inverse

---

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: right, middle, inverse

---

## If you want to load a crypto miner on 1,000+ websites

--

## Don't attack 1,000+ websites

--

### Attack 1

---

# So....

---

# Step 1: Find a leading person in the R community

---

# Step 2: Hack their account

--

# Step 3: But that's hard...so

---

# https://haveibeenpwned.com/
# Credential stuffing

---

### We don't just trust developers' programming
### We need to trust their security practices!

---

### (Basic) good practice

---

# Jumping Rivers
### https://github.com/orgs/jumpingrivers/people

---

## Keep on top of infrastructure

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: right, middle, inverse

---

# What should we do to be safe?

---

## Who are the threat actors?
---

## Look at the person next to you

--

## You want better security than them

---

layout: true
background-image: url(assets/title-jr-white-logo.png)
background-size: contain
class: left, top, inverse

---

# Jumping Rivers

* RStudio Partners (one of only ten)
* We install, set-up & maintain R & RStudio

---

# Summary

* We spend __more__ time on set-up & security
  * than on machine learning
* Data scientists have little experience in web & security

--

* Interested in our set-up & management?
  - colin@jumpingrivers.com
* Credits on next slide

---

# Credits & Further Reading

* Listening & reading material by [Troy Hunt](https://www.troyhunt.com/) & [Scott Helme](https://scotthelme.co.uk/) provided lots of inspiration for this talk. In particular, the bit about "What is a hacker"
* I found (and recommend) their [Hack Yourself First](https://www.troyhunt.com/workshops/) course
* Also [Darknet Diaries](https://darknetdiaries.com/)
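
---

### Bioconductor: checking the host before `source()`

The typo domains listed on the Bioconductor slides differ from the real host by a single character, so one slip while typing the `source()` URL runs someone else's script. As an added example (not part of the original talk), this base-R wrapper checks the host against an allowlist and flags near-misses before anything is sourced; `trusted_hosts`, `url_host()`, `check_host()` and `safe_source()` are hypothetical names, and the allowlist contents are an assumption.

```r
# Added example, not from the talk. The allowlist is an assumption: edit it
# to match the hosts your team actually installs from.
trusted_hosts <- c("bioconductor.org", "cran.r-project.org")

# Return the lower-cased host of an https URL, or NA if the URL is not https
# or carries userinfo (e.g. "https://bioconductor.org:x@other.example/").
url_host <- function(url) {
  m <- regmatches(url, regexec("^https://([^/?#]+)", url, ignore.case = TRUE))[[1]]
  if (length(m) != 2 || grepl("@", m[2], fixed = TRUE)) return(NA_character_)
  tolower(sub(":[0-9]+$", "", m[2]))  # drop an explicit port
}

# Classify a URL: trusted, probable typo of a trusted host, or unknown host.
check_host <- function(url, trusted = trusted_hosts, max_dist = 2) {
  host <- url_host(url)
  if (is.na(host)) return("rejected: not a plain https URL")
  if (host %in% trusted) return("trusted")
  d <- drop(utils::adist(host, trusted))  # edit distance to each trusted host
  near <- trusted[d <= max_dist]
  if (length(near) > 0) {
    return(sprintf("rejected: '%s' looks like a typo of '%s'", host, near[1]))
  }
  "rejected: host not on allowlist"
}

# Drop-in replacement for source() that fails closed.
safe_source <- function(url, ...) {
  verdict <- check_host(url)
  if (verdict != "trusted") stop(verdict, call. = FALSE)
  source(url, ...)
}

# Constructed sample input: the real URL, the four typo hosts named on the
# slide, and a plain-http variant. Nothing is downloaded here.
urls <- c(
  "https://bioconductor.org/biocLite.R",
  "https://boconductor.org/biocLite.R",
  "https://biconductor.org/biocLite.R",
  "https://biocnductor.org/biocLite.R",
  "https://biocoductor.org/biocLite.R",
  "http://bioconductor.org/biocLite.R"
)
print(vapply(urls, check_host, character(1)))
```

The check covers only the hostname: it does nothing about the content of the script, so a compromised account on the real host still gets through.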