boB Rudis 🇺🇦 🐘 @hrbrmstr@mastodon.social
Account Suspended No more posts will be placed here along with no 👀. @hrbrmstr@mastodon.social
Jul 6, 2020 • 13 tweets • 3 min read
1/13 For my non-cybersecurity followers: I rarely (apologies) explain my cybersecurity tweets. Let me fix that for this situation.

This first tweet in the retweeted thread has two acronyms: LFI and RCE.

LFI => Local File Inclusion
RCE => Remote Code Execution

2/ HTTP (web) LFI == I can retrieve a file with a specially crafted URL/web request

HTTP RCE == I can execute code on the system with said web server via a specially crafted URL/web request

The first tweet in the thread has 2 URLs. Each is a complete "hack" of a remote system.
May 26, 2020 • 4 tweets • 4 min read
@serdarbalci "Kinda" (perhaps a better scare-quoted word is "Yes" :-)

The 3.6.3 tgz link is presently busted on mac.r-project.org (which is one reason for the scare quoted words).

So, one possible solution is to:

1. use the R-3.6.3.nn.pkg *installer* off of CRAN … @serdarbalci this will overwrite "Current" but that's OK for now.

2. Use the "--forget" method in RIA manual cran.r-project.org/doc/manuals/r-… to then remove .pkg metadata

3. Grab mac.r-project.org/high-sierra/R-… and do the `tar xvzf R-4.0-branch.tar.gz -C /` dance …
Jun 21, 2019 • 10 tweets • 2 min read
Unpopular #rstats macro-opinion (it seems):

{datatable} is great (I use it in local-compute necessary "biggish" data casts all the time. I'm not a fan of the shortcut syntax, but it's grokable. {dplyr} ({tidyverse}) is great! (I use it regularly since it comms explicit intent even if you aren't an R user — those folks actually exist in orgs, too!).
May 31, 2019 • 5 tweets • 2 min read
Everything is fine. A kind of central takeaway here is that you really need to ensure you stand up hardened cloud images with firewall enabled and only exposing what you really want to. You don't have much time before bad ppl look for things to do bad things to.