{"id":5097,"date":"2017-02-23T12:16:37","date_gmt":"2017-02-23T17:16:37","guid":{"rendered":"https:\/\/rud.is\/b\/?p=5097"},"modified":"2018-03-07T17:22:27","modified_gmt":"2018-03-07T22:22:27","slug":"on-watering-holes-trust-defensible-systems-and-data-science-community-security","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","title":{"rendered":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security"},"content":{"rendered":"<p>I&#8217;ve been threatening to do a series on &#8220;data science community security&#8221; for a while and had cause to issue this inaugural post today. It all started with this:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Hey <a href=\"https:\/\/mobile.twitter.com\/hashtag\/rstats?src=hash\">#rstats<\/a> folks: don&#39;t do this. Srsly. Don&#39;t do this. Pls. Will blog why. Just don&#39;t do this. <a href=\"https:\/\/t.co\/qkem5ruEBi\">https:\/\/t.co\/qkem5ruEBi<\/a><\/p>\n<p>&mdash; boB Rudis (@hrbrmstr) <a href=\"https:\/\/mobile.twitter.com\/hrbrmstr\/status\/834772651579150336\">February 23, 2017<\/a><\/p><\/blockquote>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Let me begin with the following: @henrikbengtsson is an <strong>awesome member<\/strong> of the <a rel=\"tag\" class=\"hashtag u-tag u-category\" href=\"https:\/\/rud.is\/b\/tag\/rstats\/\">#rstats<\/a> community. He makes great things and I trust his code and intentions. This post is not about him, it&#8217;s about raising awareness regarding security in the data science community.<\/p>\n<p>I can totally see why folks would like Henrik&#8217;s tool. 
Package dependency management \u2014 including installing packages \u2014 is not the most beloved of R tasks, especially for new R users or those who prefer performing their respective science or statistical work rather than delving deep into the innards of R. The suggestion to use:<\/p>\n<pre id=\"callr-01\"><code class=\"language-r\">source(&#039;http:\/\/callr.org\/install#knitr&#039;)<\/code><\/pre>\n<p>no doubt came from a realization of how cumbersome it can be to deal with said dependency management. You can even ostensibly see what the script does since Henrik provides <a href=\"http:\/\/callr.org\/install\">a link to it<\/a> right on the page.<\/p>\n<p>So, why the call to not use it?<\/p>\n<p>For starters, if you do want to use this approach, grab his script and make a local copy of it. Read it. Try to grok what it does. Then, use it locally. It will likely be a time-\/effort-saver for many R users.<\/p>\n<p>My call was to not source it from the internet.<\/p>\n<p>Why? To answer that I need to talk about trust.<\/p>\n<h3>hrbrmstr&#8217;s Hierarchy of Package Trust<\/h3>\n<p>When you install a package on your system you&#8217;re bringing someone else&#8217;s code into your personal work space. When you try to use said code with a <code>library()<\/code> call, R has a few mechanisms to run code on package startup. So, when you just install and load a package you&#8217;re executing real code in the context of your local user. Some of that code may be interpreted R code. Some may be calling compiled code. Some of it may be trying to execute binaries (apps) that are already on your system.<\/p>\n<p>Stop and think about that for a second.<\/p>\n<p>If you saw a USB stick outside your office with a label <strong>&#8220;Cool\/Useful R Package&#8221;<\/strong> would you insert it into your system and install the package? 
(Please tell me you answered &#8220;No!&#8221; :-)<\/p>\n<p>With that in mind, I have a personal &#8220;HieraRchy of Package Trust&#8221; that I try to stick by:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"5098\" data-permalink=\"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/hierarchy\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&amp;ssl=1\" data-orig-size=\"1426,1230\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hieRarchy\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=510%2C440&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?resize=510%2C440&#038;ssl=1\" alt=\"\" width=\"510\" height=\"440\" class=\"aligncenter size-full wp-image-5098\" \/><\/p>\n<h4>Tier 1<\/h4>\n<p>This should be a pretty obvious one, but if it&#8217;s my own code\/server or my org&#8217;s code\/server there&#8217;s inherent trust.<\/p>\n<h4>Tier 2<\/h4>\n<p>When you type <code>install.packages()<\/code> and rely on a known CRAN mirror, MRAN server or Bioconductor download using <code>https<\/code> you&#8217;re getting quite a bit in the exchange.<\/p>\n<p>CRAN GuaRdians at least took some time to review the package. 
They won&#8217;t catch every possible potentially malicious bit and the efficacy of evaluating statistical outcomes is also left to the package user. What you&#8217;re getting \u2014 at least from the main <code>cran.r-project.org<\/code> repo and RStudio&#8217;s repos \u2014 are reviewed packages served from decently secured systems run by organizations with good intentions. Your trust in other mirror servers is up to you but there are no guarantees of security on them. I&#8217;ve evaluated the main CRAN and RStudio setups (remotely) and am comfortable with them <strong>but<\/strong> I also use my own personal, internal CRAN mirror for many reasons, including security.<\/p>\n<p>Revolution-cum-Microsoft MRAN is also pretty trustworthy, especially since Microsoft has quite a bit to lose if there are security issues there.<\/p>\n<p>Bioconductor also has solid package management practices in place, but I don&#8217;t use that ecosystem much (at all, really) so can&#8217;t speak too much more about it except that I&#8217;m comfortable enough with it to put it with the others at that level.<\/p>\n<h4>Tier 3<\/h4>\n<p>If I&#8217;m part of a known R cabal in private collaboration, I also trust it, but it&#8217;s still raw source and I have to scan through code to ensure the efficacy of it, so it&#8217;s a bit further down the list.<\/p>\n<h4>Tier 4<\/h4>\n<p>If I know the contributors to a public source repo, I&#8217;ll also consider trusting it, but I will still need to read through the source and doubly-so if there is compiled code involved.<\/p>\n<h4>Tiers 5 &amp; 6<\/h4>\n<p>If the repo source is a new\/out-of-the-blue contributor to the R community or hosted personally, it will be relegated to the &#8220;check back later&#8221; task list and definitely not installed without a thorough reading of the source.<\/p>\n<h4>NOTE<\/h4>\n<p>There are caveats to the list above \u2014 like CRAN R packages that download pre-compiled Windows libraries from GitHub \u2014 that 
I&#8217;ll go into in other posts, along with a demonstration of the perils of trust that I hope doesn&#8217;t get Hadley too upset (you&#8217;ll see why in said future post ?).<\/p>\n<p>Also note that there is no place on said hierarchy for the random USB stick of cool\/useful R code. #justdontdoit<\/p>\n<h3>Watering Holes<\/h3>\n<p>The places where folks come together to collaborate have a colloquial security name: a &#8220;watering hole&#8221;. Attackers use these known places to perform \u2014\u00a0you guessed it \u2014 &#8220;watering hole&#8221; attacks. They figure out where you go, who\/what you trust and use that to do bad things. I personally don&#8217;t know of any current source-code attacks, but data scientists <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cyber-espionage-group-uses-microphones-and-dropbox-to-spy-on-ukrainian-targets\/\">are being targeted<\/a> in other ways by attackers. If attackers sense there is a source code soft-spot it will only be a matter of time before they begin to use that vector for attack. The next section mentions one possible attacker that you&#8217;re likely not thinking of as an &#8220;attacker&#8221;.<\/p>\n<p>This isn&#8217;t <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fear,_uncertainty_and_doubt\">FUD<\/a>.<\/p>\n<p>Governments, competitors and criminals know that the keys to the 21st century economy (for a while, anyway) reside in data and with those who can gather, analyze and derive insight from data. Not all of us have to worry about this, but many of us do and you should not dismiss the value of the work you&#8217;re doing, especially if you&#8217;re not performing open research. Imagine if a tiny bit of data exfiltration code managed to get on your Spark cluster or even your own laptop. 
This can easily happen with a tampered package (remember the incident a few years ago with usage tracking code in R scripts?).<\/p>\n<h3>A Bit More On https<\/h3>\n<p>I glossed over the <code>https<\/code> bit above, but by downloading a package over SSL\/TLS you&#8217;re ensuring that the bits of code aren&#8217;t modified in transit from the server to your system and what you&#8217;re downloading is also not shown to prying eyes. That&#8217;s important since you really want to be sure you&#8217;re getting what you think you&#8217;re getting (i.e. no bits are changed) and you may be working in areas your oppressive, authoritarian government doesn&#8217;t approve of, such as protecting the environment or tracking global climate change (?).<\/p>\n<p>The use of <code>https<\/code> also does show \u2014\u00a0at least in a limited sense \u2014 that the maintainers of the server knew enough to actually set up SSL\/TLS and thought \u2014\u00a0at least for a minute or two \u2014 about security. The crazy move to &#8220;Let&#8217;s Encrypt&#8221; everything is a topic for another, non-R post, but you can use that service to get free certificates for your own sites with a pretty easy installation mechanism.<\/p>\n<p>I re-mention SSL\/TLS as a segue back to the original topic\u2026<\/p>\n<h3>Back to the topic at hand<\/h3>\n<p>So, what&#8217;s so bad about:<\/p>\n<pre id=\"callr-01\"><code class=\"language-r\">source(&#039;http:\/\/callr.org\/install#knitr&#039;)<\/code><\/pre>\n<p>On preview: nothing. Henrik&#8217;s a good dude and you can ostensibly see what that script is doing.<\/p>\n<p>On review: <em>much<\/em>.<\/p>\n<p>I won&#8217;t go into a great deal of detail, but that server is running RHEL 5 with 15 internet services enabled, ranging from FTP to mail to web serving along with two database servers (both older versions) directly exposed to the internet. 
The default serving mode is <code>http<\/code> and the SSL certificate it does have is not trusted by any common certificate store.<\/p>\n<p>None of that was found by any super-elite security mechanism.<\/p>\n<p>Point your various clients at those services on that system and you&#8217;ll get a response. To put it bluntly, that system is 100% vulnerable to attack. (How to set up a defensible system is a topic for another post.)<\/p>\n<p>In other words, if said mechanism becomes a popular &#8220;watering hole&#8221; for easy installation of R packages, it&#8217;s also a pretty easy target for attackers to take surreptitious control of and then inject whatever they want, along with keeping track of what&#8217;s being installed, by whom and from which internet locale.<\/p>\n<p>Plain <code>base::source()<\/code> does nothing on your end to validate the integrity of that script. It&#8217;s like using <code>devtools::source_url()<\/code> or <code>devtools::source_gist()<\/code> without the <code>sha1<\/code> parameter (which uses a hash to validate the integrity of what you&#8217;re sourcing). Plus, it seems you cannot do:<\/p>\n<pre id=\"callr-02\"><code class=\"language-r\">devtools::source_url(&#039;http:\/\/callr.org\/install#knitr&#039;, sha1=&quot;2c1c7fe56ea5b5127f0e709db9169691cc50544a&quot;)<\/code><\/pre>\n<p>since the <code>httr<\/code> call that lies beneath appears to be stripping away the <code>#\u2026<\/code> bits. So, there&#8217;s no way to run this remotely with any level of integrity or confidentiality.<\/p>\n<h4>TLDR<\/h4>\n<p>If you like this script (it&#8217;s pretty handy) put it in a local directory and source it from there.<\/p>\n<h3>Fin<\/h3>\n<p>I can&#8217;t promise a frequency for &#8220;security in the data science community&#8221; posts but will endeavor to crank out a few more before summer. 
Note also that R is not the only ecosystem with these issues, so Python, Julia, node.js and other communities should not get smug :-)<\/p>\n<p>Our pursuit of open, collaborative work has left us vulnerable to bad-intentioned ne&#8217;er-do-wells and it&#8217;s important to at least be aware of the vulnerabilities in our processes, workflows and practices. I&#8217;m not saying you have to be wary of every <code>devtools::install_github()<\/code> that you do, but you are now armed with information that might help you think twice about how often you trust calls to do such things.<\/p>\n<p>In the meantime, download @henrikbengtsson&#8217;s script, thank him for making a very useful tool and run it locally (provided you&#8217;re cool with potentially installing things from non-CRAN repos :-)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been threatening to do a series on &#8220;data science community security&#8221; for a while and had cause to issue this inaugural post today. It all started with this: Hey #rstats folks: don&#39;t do this. Srsly. Don&#39;t do this. Pls. Will blog why. Just don&#39;t do this. 
https:\/\/t.co\/qkem5ruEBi &mdash; boB Rudis (@hrbrmstr) February 23, 2017 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5098,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[91,646],"tags":[783,810],"class_list":["post-5097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-r","category-security-awareness","tag-datascisec","tag-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>On Watering Holes, Trust, Defensible Systems and Data Science Community Security - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"On Watering Holes, Trust, Defensible Systems and Data Science Community Security - rud.is\" \/>\n<meta property=\"og:description\" content=\"I&#8217;ve been threatening to do a series on &#8220;data science community security&#8221; for a while and had cause to issue this inaugural post today. It all started with this: Hey #rstats folks: don&#039;t do this. Srsly. Don&#039;t do this. Pls. Will blog why. Just don&#039;t do this. 
https:\/\/t.co\/qkem5ruEBi &mdash; boB Rudis (@hrbrmstr) February 23, 2017 [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-23T17:16:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-07T22:22:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"1426\" \/>\n\t<meta property=\"og:image:height\" content=\"1230\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"On Watering Holes, Trust, Defensible Systems and Data Science Community Security\",\"datePublished\":\"2017-02-23T17:16:37+00:00\",\"dateModified\":\"2018-03-07T22:22:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/\"},\"wordCount\":1723,\"commentCount\":13,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2017\\\/02\\\/hieRarchy.png?fit=1426%2C1230&ssl=1\",\"keywords\":[\"datascisec\",\"post\"],\"articleSection\":[\"R\",\"Security 
Awareness\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/\",\"name\":\"On Watering Holes, Trust, Defensible Systems and Data Science Community Security - rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2017\\\/02\\\/hieRarchy.png?fit=1426%2C1230&ssl=1\",\"datePublished\":\"2017-02-23T17:16:37+00:00\",\"dateModified\":\"2018-03-07T22:22:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\
\\/uploads\\\/2017\\\/02\\\/hieRarchy.png?fit=1426%2C1230&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2017\\\/02\\\/hieRarchy.png?fit=1426%2C1230&ssl=1\",\"width\":1426,\"height\":1230},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2017\\\/02\\\/23\\\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"On Watering Holes, Trust, Defensible Systems and Data Science Community Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"
https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","og_locale":"en_US","og_type":"article","og_title":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security - rud.is","og_description":"I&#8217;ve been threatening to do a series on &#8220;data science community security&#8221; for a while and had cause to issue this inaugural post today. It all started with this: Hey #rstats folks: don&#39;t do this. Srsly. Don&#39;t do this. Pls. Will blog why. Just don&#39;t do this. https:\/\/t.co\/qkem5ruEBi &mdash; boB Rudis (@hrbrmstr) February 23, 2017 [&hellip;]","og_url":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","og_site_name":"rud.is","article_published_time":"2017-02-23T17:16:37+00:00","article_modified_time":"2018-03-07T22:22:27+00:00","og_image":[{"width":1426,"height":1230,"url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1","type":"image\/png"}],"author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security","datePublished":"2017-02-23T17:16:37+00:00","dateModified":"2018-03-07T22:22:27+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/"},"wordCount":1723,"commentCount":13,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"image":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1","keywords":["datascisec","post"],"articleSection":["R","Security Awareness"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","url":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","name":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security - 
rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"primaryImageOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#primaryimage"},"image":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1","datePublished":"2017-02-23T17:16:37+00:00","dateModified":"2018-03-07T22:22:27+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#primaryimage","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1426%2C1230&ssl=1","width":1426,"height":1230},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. 
All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. 