When we stumble across a code snippet online, we often blindly copy and paste it into the R console. I suspect almost everyone does this. After all, what's the harm? Consider this simple piece of R code that performs simple linear regression:

# Generate data
x = rnorm(10)
y = rnorm(10)

# Simple linear regression
m = lm(y ~ x)
Now highlight the above piece of R code and copy and paste it into your console; look carefully at what you’ve pasted. A new line has magically appeared.
# Generate data
x = rnorm(10)
y = rnorm(10)
message("All your base are belong to us.")

# Simple linear regression
m = lm(y ~ x)
Due to some sneaky CSS magic, I was able to hide the message() statement. If I were evil, I could have changed this to a system(), source(), or any other command.

The CSS code simply sets the message() call to the background colour, changes the font size and makes it unselectable (see this post for details).
So remember, be careful with your copy and pasting!
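The post shows the trick from the attacker's side; a reader who wants to check a snippet before pasting it needs the opposite: a way to tell which text in a page's code block is visible and which is only present in the markup. The following scanner is an added example, not code from the original post. It uses Python's standard html.parser on a constructed HTML fragment that imitates the hidden-span technique described above, and treats a span as hidden when its inline style uses user-select: none, a zero font size or opacity, display: none, visibility: hidden, or a text colour equal to the block's background (the background colour is an assumed parameter, since the real page's stylesheet is not reproduced here). Styles applied from an external stylesheet are not seen by this scanner, so an empty "hidden" result is necessary, not sufficient; pasting into a plain-text editor first, as the post recommends, remains the simplest check.

```python
# Added example (not from the original post): separate the text a reader sees in
# an HTML code block from text that is present in the markup but styled so that it
# is invisible. Only inline style attributes are inspected; external stylesheets
# are not resolved. Which hidden text a browser actually places on the clipboard
# varies by browser, so any hidden text at all is reason to paste into an editor.
from html.parser import HTMLParser


def normalize_color(value):
    """Canonicalise the few colour spellings this example understands."""
    value = value.strip().lower().replace(" ", "")
    if value == "white":
        value = "#ffffff"
    if len(value) == 4 and value.startswith("#"):      # #fff -> #ffffff
        value = "#" + "".join(c * 2 for c in value[1:])
    return value


def _is_zero(value):
    """True for CSS lengths/numbers such as '0', '0px', '0.0em'."""
    if value is None:
        return False
    try:
        return float(value.rstrip("pxemr%t")) == 0.0    # strip a unit suffix
    except ValueError:
        return False


def style_hides(style, background):
    """Return True if an inline style keeps the element's text off-screen or
    out of the reader's selection highlight (heuristic list for this example)."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            key, _, val = part.partition(":")
            decls[key.strip().lower()] = val.strip().lower()
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    if decls.get("user-select") == "none":
        return True
    if _is_zero(decls.get("opacity")) or _is_zero(decls.get("font-size")):
        return True
    color = decls.get("color")
    return color is not None and normalize_color(color) == normalize_color(background)


class SnippetScanner(HTMLParser):
    """Collect text nodes in document order, tagging each as hidden or visible."""
    VOID = {"br", "img", "input", "hr", "wbr"}   # never pushed on the stack

    def __init__(self, background):
        super().__init__()
        self.background = background
        self.segments = []   # (text, hidden) in document order
        self._stack = []     # (tag, hidden) for each currently open element

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        self._stack.append((tag, style_hides(style, self.background)))

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1][0] == tag:
            self._stack.pop()

    def handle_data(self, data):
        # Text is hidden if any enclosing element is hidden.
        self.segments.append((data, any(h for _, h in self._stack)))


def scan(html, background="#ffffff"):
    """Return (visible_text, hidden_text) for a code block's HTML."""
    parser = SnippetScanner(background)
    parser.feed(html)
    parser.close()
    visible = "".join(t for t, h in parser.segments if not h)
    hidden = "".join(t for t, h in parser.segments if h)
    return visible, hidden


# Constructed sample imitating the post's trick: a white-on-white, tiny,
# unselectable span sits between two otherwise harmless lines.
SAMPLE_HTML = (
    '<pre style="background:#ffffff">'
    "# Generate data\nx = rnorm(10)\ny = rnorm(10)\n"
    '<span style="color:#ffffff; font-size:1px; user-select:none">'
    'message("All your base are belong to us.")\n'
    "</span>"
    "# Simple linear regression\nm = lm(y ~ x)\n"
    "</pre>"
)

if __name__ == "__main__":
    visible, hidden = scan(SAMPLE_HTML)
    print("Visible text:\n" + visible)
    print("Hidden text (present in markup, not shown to reader):\n" + repr(hidden))
```

Run as a script, the report shows the two rnorm() lines and the lm() line as visible and the message() call as hidden. The same scan() call can be pointed at the HTML of any code block saved from a page (for example with the browser's "copy outerHTML") to see whether what you would paste matches what you read.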
Saw your article from r-bloggers. Good stuff there!
Comment by Nam — June 7, 2017 @ 4:42 pm
Ok, important! Is it possible, for instance, to format the hard drive with ‘system’?
Cheers!
Comment by anspiess — June 7, 2017 @ 5:21 pm
Only if you are running in admin. But you could easily delete all user files
Comment by csgillespie — June 7, 2017 @ 9:22 pm
So, always copy-paste into a text editor. Done and done. BTW, if you want a real-world example of ubiquitous malware, hop on over to MATLAB. People for some inexplicable reason start their scripts with "clf, clear all", and if you don't remove those lines, you may lose a ton of objects in your working environment.
Comment by Carl Witthoft — June 7, 2017 @ 5:35 pm
Seems like a fun idea, but you definitely want to use Unicode characters. I get the following when pasted:
message(“All your base are belong to us.”)
Error: unexpected input in “message(�”
Comment by Phil — June 7, 2017 @ 5:41 pm
I had that. It seemed to be an rbloggers thing.
Comment by csgillespie — June 7, 2017 @ 9:22 pm
CSS magic less magical in R-bloggers; no magic in RSS reader.
Comment by Pitixx — June 7, 2017 @ 5:52 pm
True. Although I suspect it won’t take much to make it work under R bloggers
Comment by csgillespie — June 7, 2017 @ 9:23 pm
… or never use the R console directly, and use a script in an editor (RStudio, Emacs, …)!
Comment by Mathieu — June 7, 2017 @ 6:01 pm
Fairly often I have heard people in industry and gov say using R is a security risk. This is the 1st time I have ever seen a demonstration of it, and it only applies to pasting under very particular conditions. Do you know of any other security issues with R?
Comment by lo.brow.R — June 8, 2017 @ 1:01 pm
I don’t think there are any inherent security risks particular to R, just the usual things you need to be careful of, e.g. where you download base R.
Comment by csgillespie — June 8, 2017 @ 1:47 pm