R's new exploit: how it works & other ways you're vulnerable

2,337 views

Josiah Parry

1 day ago

Comments: 21

@rising1underground 3 months ago
Thanks for the content. As an R user I don't usually think about this, but very informative context!
@josiahparry 3 months ago

@pizzaprosciuttofunghi 3 months ago
Very interesting!
@JasonMitchellofcompsci 3 months ago
I don't get how it is a huge vulnerability. When you download code from the internet it can run code. cmd() or similar is a common resource in nearly every programming language. There is nearly no scripted programming language where a downloaded module couldn't do that. I guess it might let them obfuscate better because it is calling it indirectly? In general you should assume all downloaded code can run anything within userland within the same user on the machine. Launching a calculator is just something code can do. Any module in any programming language could probably delete all your files or send them off to some server.
@josiahparry 3 months ago
I think the idea is that these are data formats and you might think you're loading data, but actually you're loading a promise to unexecuted code. Then that code is executed instead of being a piece of data already. It feels like a feature, not a bug, but alas, you shouldn't need to have a binary file to store unexecuted code.
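The point above, that an RDS file is a serialized object graph rather than inert data, is something you can check for yourself before R ever evaluates it. The script below is an added example, not code from the video, the thread, or the R project: it parses the RDS header (compression, format version, writer and minimum R version, native encoding) and the type of the top-level object, following the layout of R's serialize.c for the XDR ("X\n") format, and flags top-level types that carry code (a promise, closure, call, or bytecode) or a pointer into the process. The two sample files are constructed inline; the second is only a header with the promise type code, not a working payload. It inspects the first object only, so a promise nested inside a list would need a full walk of the object graph, and an "ASCII" or native-binary RDS is rejected rather than parsed.

```python
"""Triage an R .rds file before handing it to readRDS()/unserialize().

Added example (not from the video or the thread): it reads the serialization
header and the top-level object type so you can see what an "RDS data file"
actually contains before R evaluates any of it.  Layout follows R's
serialize.c (XDR format "X\n"); the sample files below are constructed here.
"""
import bz2
import gzip
import lzma
import struct

# SEXPTYPE codes from Rinternals.h, plus the pseudo-types serialize.c writes
# on the wire (ALTREP_SXP, GLOBALENV_SXP, NILVALUE_SXP, REFSXP).
SEXPTYPE = {
    0: "NILSXP", 1: "SYMSXP", 2: "LISTSXP", 3: "CLOSXP", 4: "ENVSXP",
    5: "PROMSXP", 6: "LANGSXP", 7: "SPECIALSXP", 8: "BUILTINSXP",
    9: "CHARSXP", 10: "LGLSXP", 13: "INTSXP", 14: "REALSXP", 15: "CPLXSXP",
    16: "STRSXP", 17: "DOTSXP", 19: "VECSXP", 20: "EXPRSXP", 21: "BCODESXP",
    22: "EXTPTRSXP", 23: "WEAKREFSXP", 24: "RAWSXP", 25: "S4SXP",
    238: "ALTREP_SXP", 253: "GLOBALENV_SXP", 254: "NILVALUE_SXP", 255: "REFSXP",
}

# Types that hold code (or a pointer into the process) rather than plain values.
# A promise at the top level is the shape the thread is talking about: the
# "data" is an unevaluated expression that runs when the value is touched.
CODE_BEARING = {"PROMSXP", "CLOSXP", "LANGSXP", "EXPRSXP", "BCODESXP", "EXTPTRSXP"}


def _decompress(data: bytes):
    """saveRDS() gzips by default; bzip2 and xz are the other options."""
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return "xz", lzma.decompress(data)
    return "none", data


def _r_version(packed: int) -> str:
    """R's R_Version(v, p, s) macro packs v*65536 + p*256 + s."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def inspect_rds(data: bytes) -> dict:
    """Parse the RDS header and the first object's flags; evaluates nothing."""
    compression, raw = _decompress(data)
    if raw[:2] != b"X\n":
        raise ValueError("only the XDR ('X\\n') RDS format is handled here")
    pos = 2

    def read_int() -> int:
        nonlocal pos
        if pos + 4 > len(raw):
            raise ValueError("truncated RDS header")
        (value,) = struct.unpack_from(">i", raw, pos)
        pos += 4
        return value

    fmt_version = read_int()
    writer = _r_version(read_int())
    minimum = _r_version(read_int())
    encoding = None
    if fmt_version >= 3:  # format 3 (R >= 3.5.0) adds the native encoding string
        length = read_int()
        encoding = raw[pos:pos + length].decode("ascii", "replace")
        pos += length

    # First object: flags int = type (low 8 bits) | object bit 8 | attr bit 9
    # | tag bit 10 | gp levels from bit 12.
    flags = read_int()
    type_code = flags & 0xFF
    type_name = SEXPTYPE.get(type_code, f"UNKNOWN({type_code})")
    return {
        "compression": compression,
        "format_version": fmt_version,
        "writer_r_version": writer,
        "min_r_version": minimum,
        "native_encoding": encoding,
        "top_type": type_name,
        "has_attributes": bool(flags & (1 << 9)),
        "is_object": bool(flags & (1 << 8)),
        "code_bearing": type_name in CODE_BEARING,
    }


def _header(writer: int = 0x040400, minimum: int = 0x030500) -> bytes:
    """Format-3 XDR header as R 4.4.0 would write it (constructed, not captured)."""
    return b"X\n" + struct.pack(">iiii", 3, writer, minimum, 5) + b"UTF-8"


# Constructed sample 1: the layout saveRDS(c(1L, 2L, 3L)) produces:
# INTSXP flags, length 3, three big-endian ints, gzip-wrapped.
BENIGN_RDS = gzip.compress(_header() + struct.pack(">iiiii", 13, 3, 1, 2, 3))

# Constructed sample 2: same header, but the top-level type code is 5 (PROMSXP).
# Only the flags word is present; this is a detector fixture, not a payload.
SUSPECT_RDS = _header() + struct.pack(">i", 5)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_RDS), ("suspect", SUSPECT_RDS)):
        info = inspect_rds(blob)
        verdict = "code-bearing, do not readRDS() blindly" if info["code_bearing"] else "plain value"
        print(f"{label}: {info['top_type']} written by R {info['writer_r_version']} -> {verdict}")
```

For the header fields alone, R itself has `infoRDS()` (since R 3.6.0), which reports format version, writer version, minimum version and encoding without unserializing the object. Neither that nor this script is a substitute for running a patched R: a "plain value" verdict on the top-level object says nothing about what is nested inside it.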
@superslash7254 3 months ago
What it boils down to is that R is at its core a fully featured programming language. To some degree it will always be inherently unsafe, as will any other programming language, simply because by nature they have to be in order to function. Much like a good quality knife is also able to cut you as well as your dinner. There are some shenanigans at play here, but it still pales in comparison to the likes of Java's Fractureiser hidden in Minecraft mods or malicious executables.
3 months ago
1:26 I can confirm that note LOL
@josiahparry 3 months ago
Can confirm. You smell good.
@manzyzuzajnr3508 3 months ago
Is there a chance to show us how to do species distribution modelling using the Biomod2 or SDM package?
@skeleton_craftGaming 3 months ago
What is R used for? Like, with syntax like that I understand why it is used [that might be the most beautiful code I've ever seen], but for what? Like, what are its practical applications?
@josiahparry 3 months ago
Biomedical research, econometrics, data engineering, machine learning, big geospatial analysis, interactive dashboards, NLP, web scraping... idk, whatever you want to do, you can do.
@superslash7254 3 months ago
R's biggest strength is data engineering. Cleaning, analyzing, and reporting tabular data can be done with a fraction of the code and a fraction of the runtime in R compared to pretty much any other language. data.table is several times faster than pandas, and collapse is even faster still. The nature of the interactive console also makes it incredibly easy to really get hands-on with the data step by step before cementing an optimized pipeline.
@skeleton_craftGaming 3 months ago
@superslash7254 hmm.. like I said, that is some beautiful syntax
@joshstat8114 3 months ago
I emailed Hadley and he said you don't have to update R to 4.4.0. Someone on Reddit said it is no use to update R if you use RDS/RDA files from unknown sources. Also, as a follow-up question, is it possible to combine C, FORTRAN, C++ and Rust code together in one package? I tried to combine C++ and Rust but failed to debug my R package, but I know there's a certain package that uses C and C++ together (EBImage as an example).
@josiahparry 3 months ago
You can use all of them together; it just requires extra work on your behalf to make sure they don't conflict with each other. These tools aren't designed to work out of the box with each other.
@joshstat8114 3 months ago
@josiahparry yeah, you're right. I tried both C and C++, and in order for it to work you need to call the C code from C++. And yes, it is such a pain.
@vlemvlemvlem3659 3 months ago
I'll be sure to never share this with my legal/sec department. They'd freak out at your blatant use of the R-word (whispers 'risk'). On the other hand, I've been able to take away their dread by filling out copious forms in the past, so should they be exposed to your scary talk I know what to do. After all, everyone knows killer bureaucracy is what truly keeps our corporate networks safe.
@josiahparry 3 months ago
LOL!! I love this so much. Yeah....I'm sure they're allowing far scarier things than **manually** inspected R packages from CRAN. And, as always, it's not the language that's dangerous...it's the developers. You can allow SQL injections using just about any language / tool out there. It is up to the developer to prevent them.
@davidbosak7503 3 months ago
This whole thing seems suspicious to me. A contract threat research company sets out to find a way to exploit R, and then, (Wa-La!) finds it! Then advertises it like crazy! And in the write-up they specifically reference the usage of R in the pharmaceutical industry, and even link to a talk by R/Pharma. This whole thing feels like a set-up. Was HiddenLayer contracted to do this? By whom? Very suspicious that a *potential* exploit got as much coverage as way more damaging *actual* exploits.
@superslash7254 3 months ago
Especially when the exploit basically boils down to blindly running completely unknown code. This is the coding version of downloading random executables from the internet and running them as administrator. Or, to use a physical metaphor, it's like saying household appliances are unsafe because someone told you to stick a fork in the socket and you did it. P.S. "Voila". Because the French were so rich they had to use extra letters just to show off.