Thanks for the content. As an R user I don't usually think about this, but very informative context!
@josiahparry · 3 months ago
@pizzaprosciuttofunghi · 3 months ago
Very interesting!
@JasonMitchellofcompsci · 3 months ago
I don't get how it is a huge vulnerability. When you download code from the internet it can run code. cmd() or similar is a common resource in nearly every programming language. There is nearly no scripted programming language where a downloaded module couldn't do that. I guess it might let them obfuscate better because it is calling it indirectly? In general you should assume all downloaded code can run anything within userland within the same user on the machine. Launching a calculator is just something code can do. Any module in any programming language could probably delete all your files or send them off to some server.
@josiahparry · 3 months ago
I think the idea is that these are data formats and you might think you're loading data but actually you're loading a promise to unexecuted code. Then that code is executed instead of being a piece of data already. It feels like a feature not a bug but alas, you shouldn't need to have a binary file to store unexecuted code.
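The point in the reply above is that an RDS file is expected to hold data, yet the serialization format can carry a promise, i.e. code that runs the first time the loaded object is touched. Below is an added example, not code from the video, from anyone in this thread or from the R project, of the pre-load check a practitioner would want on R versions older than the 4.4.0 update mentioned later in the thread: decompress the file, parse the serialization header, and report the SEXPTYPE of the top-level object, so that a file whose root is a PROMSXP, CLOSXP, LANGSXP or ENVSXP can be refused before readRDS() ever sees it. The function name inspect_rds and the set of "executable" types are this example's choices, and the sample byte strings are constructed here to exercise the parser rather than taken from real files.

```python
"""Triage an RDS/serialize() stream before handing it to readRDS().

Reads only the stream header and the flag word of the top-level object and
reports the SEXPTYPE found there. A data file should start with a vector type
(INTSXP, REALSXP, STRSXP, VECSXP, ...); a PROMSXP, CLOSXP, LANGSXP or ENVSXP
at the root means the file carries code, not data.
"""
import bz2
import gzip
import lzma
import struct

# SEXPTYPE codes from Rinternals.h; 238-255 are serialization pseudo-types.
SEXPTYPE_NAMES = {
    0: "NILSXP", 1: "SYMSXP", 2: "LISTSXP", 3: "CLOSXP", 4: "ENVSXP",
    5: "PROMSXP", 6: "LANGSXP", 7: "SPECIALSXP", 8: "BUILTINSXP",
    9: "CHARSXP", 10: "LGLSXP", 13: "INTSXP", 14: "REALSXP", 15: "CPLXSXP",
    16: "STRSXP", 17: "DOTSXP", 19: "VECSXP", 20: "EXPRSXP", 21: "BCODESXP",
    22: "EXTPTRSXP", 23: "WEAKREFSXP", 24: "RAWSXP", 25: "S4SXP",
    238: "ALTREP_SXP", 253: "GLOBALENV_SXP", 254: "NILVALUE_SXP", 255: "REFSXP",
}
# This example's choice: types that carry code or an evaluation context.
EXECUTABLE_TYPES = {3, 4, 5, 6, 7, 8, 20, 21}

IS_OBJECT_BIT = 1 << 8   # flag word layout used by R's serialize.c
HAS_ATTR_BIT = 1 << 9
HAS_TAG_BIT = 1 << 10


def _decompress(blob: bytes) -> bytes:
    """saveRDS() gzips by default; bzip2 and xz are the other two options."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:3] == b"BZh":
        return bz2.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(blob)
    return blob


def _r_version(v: int) -> str:
    """R packs versions as (major << 16) | (minor << 8) | patch."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def inspect_rds(blob: bytes) -> dict:
    """Return header facts and the type of the root object without deserializing."""
    data = _decompress(blob)
    magic = data[:2]
    if magic == b"X\n":
        endian = ">"          # XDR: big-endian, the format saveRDS() writes
    elif magic == b"B\n":
        endian = "<"          # native binary; assumes a little-endian writer
    elif magic == b"A\n":
        raise ValueError("ASCII serialization format is not handled here")
    else:
        raise ValueError("not an R serialization stream")
    offset = 2

    def read_int() -> int:
        nonlocal offset
        (value,) = struct.unpack_from(endian + "i", data, offset)
        offset += 4
        return value

    fmt_version, writer_version, min_reader_version = read_int(), read_int(), read_int()
    if fmt_version == 3:
        nelen = read_int()    # format 3 adds the writer's native encoding name
        encoding = data[offset:offset + nelen].decode("ascii")
        offset += nelen
    elif fmt_version == 2:
        encoding = None
    else:
        raise ValueError(f"unsupported serialization format version {fmt_version}")

    flags = read_int()        # first word of the top-level object
    sexptype = flags & 0xFF
    return {
        "format_version": fmt_version,
        "writer_version": _r_version(writer_version),
        "min_reader_version": _r_version(min_reader_version),
        "encoding": encoding,
        "top_type": sexptype,
        "top_type_name": SEXPTYPE_NAMES.get(sexptype, f"unknown({sexptype})"),
        "is_object": bool(flags & IS_OBJECT_BIT),
        "has_attributes": bool(flags & HAS_ATTR_BIT),
        "has_tag": bool(flags & HAS_TAG_BIT),
        "executable": sexptype in EXECUTABLE_TYPES,
    }


def _xdr_header(top_flags: int) -> bytes:
    """Constructed: format 3, written by R 4.3.0, min reader 3.5.0, UTF-8."""
    return (b"X\n" + struct.pack(">iiii", 3, 0x040300, 0x030500, 5)
            + b"UTF-8" + struct.pack(">i", top_flags))


# Constructed sample with the shape saveRDS(c(1L, 2L)) produces: INTSXP, length 2.
SAMPLE_INT_VECTOR = gzip.compress(_xdr_header(13) + struct.pack(">iii", 2, 1, 2))
# Constructed sample whose root object is a promise (PROMSXP). Only the header
# and the flag word are built, because the triage never reads past them.
SAMPLE_PROMISE = gzip.compress(_xdr_header(5))

if __name__ == "__main__":
    for name, blob in (("int vector", SAMPLE_INT_VECTOR), ("promise", SAMPLE_PROMISE)):
        info = inspect_rds(blob)
        verdict = "REFUSE: root carries code" if info["executable"] else "ok: data type"
        print(f"{name}: {info['top_type_name']} -> {verdict}")
```

This is triage, not a fix: it looks only at the root object, so a promise buried inside a list element or an attribute is not caught, and the ASCII serialization format is rejected rather than parsed. A non-data root type is a reason not to load the file at all; the durable fix remains the R 4.4.0 update discussed further down the thread.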
@superslash7254 · 3 months ago
What it boils down to is that R is at its core a fully featured programming language. To some degree it will always be inherently unsafe, as will any other programming language, simply because by nature they have to be in order to function. Much like a good quality knife is also able to cut you as well as your dinner. There are some shenanigans at play here, but it still pales in comparison to the likes of Java's Fracturiser hidden in minecraft mods or malicious executables.
3 months ago
1:26 I can confirm that note LOL
@josiahparry · 3 months ago
Can confirm. You smell good.
@manzyzuzajnr3508 · 3 months ago
Is there a chance to show us how to do species distribution modelling using the biomod2 or sdm package?
@skeleton_craftGaming · 3 months ago
What is R used for? Like, with syntax like that I understand why it is used [that might be the most beautiful code I've ever seen]. But for what? Like, what are its practical applications?
@josiahparry · 3 months ago
Biomedical research, econometrics, data engineering, machine learning, big geospatial analysis, interactive dashboards, NLP, web scraping, idk, whatever you want to do you can do.
@superslash7254 · 3 months ago
R's biggest strength is data engineering. Cleaning, analyzing, and reporting tabular data can be done with a fraction of the code and a fraction of the runtime in R compared to pretty much any other language. data.table is several times faster than pandas, and collapse is even faster still. The nature of the interactive console also makes it incredibly easy to really get hands-on with the data step by step before cementing an optimized pipeline.
@skeleton_craftGaming · 3 months ago
@superslash7254 hmm... like I said, that is some beautiful syntax.
@joshstat8114 · 3 months ago
I emailed Hadley and he said you don't have to update R to 4.4.0. Someone on Reddit said it is no use updating R if you use RDS/RDA files from an unknown source. Also, as a follow-up question, is it possible to combine C, Fortran, C++ and Rust code together in one package? I tried to combine C++ and Rust but failed to debug my R package, but I know there's a certain package that uses C and C++ together (EBImage, as an example).
@josiahparry · 3 months ago
You can use all of them together; it just requires extra work on your behalf to make sure they don't conflict with each other. These tools aren't designed to work out of the box with each other.
@joshstat8114 · 3 months ago
@josiahparry yeah, you're right. I tried both C and C++, and in order for it to work, you need to call the C code from C++. And yes, it is such a pain.
@vlemvlemvlem3659 · 3 months ago
I'll be sure to never share this with my legal/sec department. They'd freak out at your blatant use of the R-word (whispers 'risk'). On the other hand, I've been able to take away their dread by filling out copious forms in the past, so should they be exposed to your scary talk I know what to do. After all, everyone knows killer bureaucracy is what truly keeps our corporate networks safe.
@josiahparry · 3 months ago
LOL!! I love this so much. Yeah... I'm sure they're allowing far scarier things than **manually** inspected R packages from CRAN. And, as always, it's not the language that's dangerous... it's the developers. You can allow SQL injections using just about any language / tool out there. It is up to the developer to prevent them.
@davidbosak7503 · 3 months ago
This whole thing seems suspicious to me. A contract threat research company sets out to find a way to exploit R, and then, (Wa-La!) finds it! Then advertises it like crazy! And in the write-up they specifically reference the usage of R in the Pharmaceutical industry, and even links to a talk by R/Pharma. This whole thing feels like a set up. Was HiddenLayer contracted to do this? By who? Very suspicious that a *potential* exploit got as much coverage as way more damaging *actual* exploits.
@superslash7254 · 3 months ago
Especially when the exploit basically boils down to blindly running completely unknown code. This is the coding version of downloading random executables from the internet and running them as administrator. Or, to use a physical metaphor, it's like saying household appliances are unsafe because someone told you to stick a fork in the socket and you did it. P.S. "Voila". Because the French were so rich they had to use extra letters just to show off.