Slashdot Mirror


Python is a Hit With Hackers, Report Finds (zdnet.com)

After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. From a report: The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, by far the attackers' favorite tool. "Hackers, like developers, enjoy Python's advantages which makes it a popular hacking tool," the Imperva team says.

72 comments

  1. Write vs Use by Anonymous Coward · · Score: 0

    Back in the day, we called them "script kiddies" for a reason.

    1. Re:Write vs Use by Anonymous Coward · · Score: 0

      Sucker, you've been a naughty script kiddie. YOU LET YOUR KNICKERS DOWN

  2. update their CoC by Anonymous Coward · · Score: 1

    Obviously, Python needs to update their Code of Conduct to exclude the web nasties from using the language to create tools to attack systems.

  3. Python advantages? by 4wdloop · · Score: 1

    or simply popularity?

    --
    4wdloop
    1. Re:Python advantages? by Narcocide · · Score: 3, Insightful

      Yea that's sort of my take on this, too. It's got a lot less to do with Python's practical usefulness and a lot more to do with how trends get set in script kiddie communities.

    2. Re:Python advantages? by Anonymous Coward · · Score: 0

      Popularity.

    3. Re:Python advantages? by Anonymous Coward · · Score: 0

      Or the fact a brain dead monkey with no coding experience can make something halfway useful in it? Maybe that's included in "advantages".

    4. Re:Python advantages? by 0100010001010011 · · Score: 1

      Ecosystem.

    5. Re:Python advantages? by h33t+l4x0r · · Score: 2

      He's talking about scraping apparently. These aren't real attacks IMHO. If someone is after my data I would actually prefer that they use Python because at least it will take a while.

    6. Re:Python advantages? by ArchieBunker · · Score: 1

      It's hot now but so was Perl in the 1990s.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    7. Re:Python advantages? by Anonymous Coward · · Score: 0

      Your mother was hot in the 1990s too.

    8. Re:Python advantages? by LostMyBeaver · · Score: 1

      He calls himself Archie Bunker...

      1) Archie bunker was already dead in the 90's from an old age related thing
      2) Even if it was young Archie, do you really think something that could make something that looks like that could ever be hot?

      I hate how no one on this damn site thinks about these things!

    9. Re:Python advantages? by jellomizer · · Score: 1

      And a large collection of solid libraries.
      Language written to be easy to code and read.
      Low barrier to begin a program.
      Cross platform.
      Support is easy to get.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re: Python advantages? by Anonymous Coward · · Score: 0

      I think it referred to her cremation.

  4. I like VB too by Anonymous Coward · · Score: 0

    VB is easy too, but the main advantage of Python is that it doesn't need to be compiled and just runs, as well as the vast array of network-type modules that it has.

    1. Re:I like VB too by Tablizer · · Score: 2

      I'm not really sure what your point is, but remember that there is something called "VBscript" that is interpreted and was common for a while.

    2. Re:I like VB too by jellomizer · · Score: 1

      VB script wasn’t VB like JavaScript isn’t Java.
      VB script wasn’t nearly as nice as python is. And it only worked in Windows

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Under Wear is Also Hit with hackers by Anonymous Coward · · Score: 0

    Under Wear is Also Hit with hackers, apparently coding requires ones nuts to be held by clothing.

  6. Why Python? by hparker · · Score: 1

    Python: The tool to use when you want to get things done fast.

    1. Re:Why Python? by JoeyRox · · Score: 3, Interesting

      Python is definitely the language to use when you want to get the tool developed fast, but not the best if that tool needs to run fast.

    2. Re:Why Python? by Anonymous Coward · · Score: 0

      That is where you are wrong. There are more ways to run Python code other than CPython. Some are slower, but some, like Pypy and Numba are native speed. Not to mention, with asynchronous programming and the right problem, you can get near-native speeds with CPython, and even better than that with uvloop.

    3. Re:Why Python? by Anonymous Coward · · Score: 0

      Python - the duct tape of computing!

    4. Re:Why Python? by Anonymous Coward · · Score: 0

      Because it is succinct, as opposed to Java which is verbose.

      I tend to use PHP.

    5. Re:Why Python? by smi.james.th · · Score: 1

      True but Numba is hardly useful if you want to exploit a system. Scientific computing yes. Gaining root access no.

      --
      One thing I know, and that is that I am ignorant...
    6. Re: Why Python? by Anonymous Coward · · Score: 0

      Addiction is powerful. Maybe one day, with enough will power, you'll be able to quit.

    7. Re:Why Python? by LostMyBeaver · · Score: 1

      Hmmm... I'll bite

      Ok, Python as a language can in fact be compiled... this is true. It can also be run through modern JITs. But

      I have no idea what you mean by native speed... are you suggesting that Python can be compiled into native code? Ok... great... JIT is almost always faster than compiled code if the programmer understands the JIT and can optimize towards it. This is no different than how we used to sit with profilers and C code and shave clock cycles off of compiled code. It's far more effective with a JIT so long as the execution time is great enough to justify the extended startup time.

      That said, no one with an education in computer science would ever suggest that Python can be fast. This is because we have this thing called Big-O which is a means of measuring and calculating the computational complexity of an algorithm.

      Python for example is plagued with a data structure infrastructure that was designed entirely for functionality and completely disregards any aspect of reduction of computational complexity. I wouldn't care if you had the world's most amazing compiler and language; when the underlying data structures don't consider performance at all, it simply doesn't matter.

      Then there's PIP... oh no... yeh... I'm going to talk about the world's largest cesspool of code ever made. Python not only has a library to do just about anything you want... it has at least 10 that do everything you want.... none of them particularly well and almost none of them done by someone that knows the difference between a doubly linked list and an array.

      Does this mean Python is bad?

      No.. it's an amazing language for doing many things.... but

      1) Don't use it if you need performance.
      2) Don't use it if you want to keep your code clean
      3) Don't use it if you're concerned about stability
      4) Don't use it if you're concerned about security. The code audit costs would be mind boggling

      Do use it if you need to do something now, quick and plan to toss the code after.

    8. Re:Why Python? by jellomizer · · Score: 1

      Python isn’t a slacker in performance. You do need to know how it handles stuff. Such as if you are appending a string you do
      Stuff += otherstuff vs Stuff = Stuff + otherstuff
      Plus there is a big supply of well made libraries. Which may be hard for you to code as well (I know, I know you are the best coder in the world, barrage us with your exploits where you fixed some guy's code who was supposed to be the expert or did a fix to the system in record time. Or how you aced some coding competition... )

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    9. Re:Why Python? by Anonymous Coward · · Score: 0

      This. Duck tape is very useful

  7. Re:my python is a hit with msmash's mom by msmash++(Info+King) · · Score: 0

    Reveal thyself TROLL so we can BANS you right NOW.

    You not insult my mother or I insult your GODS

  8. haxxy haxxy haxx0rz! wif de hax! by Anonymous Coward · · Score: 0

    Another stupid content-free fluff piece so msmash can pretend to be k-rad. Shyeah, keep trying harder, maybe you'll get it sometime.

  9. Red programming language... by fbobraga · · Score: 1

    ... the devil, the fundamentalists, the commies, the language of terrorists! /irony

    USA nonsense all over the place...

    1. Re:Red programming language... by Tablizer · · Score: 1

      Polymorphism is gender fiddling, bannit!

  10. Better ban it by schitso · · Score: 1

    Thing is used for evil -> better ban said thing.

  11. Writing vs. Reading by Tablizer · · Score: 2

    Python: The tool to use when you want to get things done fast.

    Write fast, not necessarily read fast. Perl had a reputation for being quick and short to write code with, but such code had very questionable readability by somebody besides the author.

    Remember, roughly 2/3 of software cost is maintenance, not original writing. I'm not claiming Python has a problem in this area, only saying that quick/short writing of code is only part of a real-world score.

    1. Re:Writing vs. Reading by Anonymous Coward · · Score: 0

      Python fixed the readability problem

    2. Re: Writing vs. Reading by Anonymous Coward · · Score: 0

      Hmmmmm.....maintenance.

      How much code product (not subsections) is used for particular task accomplishment and never used again or only for a limited time period? Such code would require no maintenance and thus maintainability is a null issue.

      Before getting all sanctimonious about how important all the code you write is, just think about the question. I'll conjecture that nearly half of the code lines written are either one off use or targeted to the point that maintenance is not a requirement.

    3. Re: Writing vs. Reading by Tablizer · · Score: 1

      The original statement was "...get things done". It didn't define "things", so I assumed it was about general coding-related tasks, which on average has maintenance involved. If your shop/task/situation doesn't need maintenance, then it should go without saying that it doesn't need maintenance. If they meant only hacking and not general, they should not have used "things".

      I suppose I should have been clearer, but a perfectly clear statement, including all interpretation assumptions made, would probably require writing 100 times more, and put people to sleep. Whenever I tried to be as clear as possible; readers complained it was "too wordy" and ignored it. Thus, one has to balance brevity and clarity.

    4. Re:Writing vs. Reading by Anonymous Coward · · Score: 0

      Ehh? Python has its own readability issues, namely crazy things you can do with list comprehensions, and decorators used everywhere. Decorators are handy, but it's not obvious what they do at a first glance, thus hurts readability.

    5. Re:Writing vs. Reading by Anonymous Coward · · Score: 0

      Remember, roughly 2/3 of software cost is maintenance

      Oh, really? Whose butt did you pull that out of?

  12. Re:Under Wear is Also Hit with hackers by Opportunist · · Score: 2

    I always hack naked. When you abuse someone, you can as well do it right.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Most people can't run it... by Anonymous Coward · · Score: 1

    Unless they deliver the Python runtime along with it (which no longer makes it "just a Python script"), any Python-based malware won't do shit on anyone's machine except for servers and web developer boxes where the runtime is already there.

    Have I missed something?

    1. Re: Most people can't run it... by Anonymous Coward · · Score: 0

      Yes.

  14. For the same reason... by Anonymous Coward · · Score: 0

    Python is popular on both sides for the same reasons that others have discussed.
    There are many, many books on using Python to develop tools for IT Security, systems automation, AI, you name it.
    Some of the best SOAR products run Python at their core (I'm talking 6-digit packages here).

    In short, yeah, it's popular with the blackhats for the same reason it's popular with the whitehats and greyhats.

    1. Re:For the same reason... by LostMyBeaver · · Score: 1

      Ok ... I'm currently in the process of completely rebuilding the operations department of a company who manages networks for over a million users. I've been suffering through one argument on this topic or another in meeting rooms for a year.

      "Some of the best SOAR products" followed by "I'm talking 6-digit packages here".

      If you find a SOAR product that costs that much... they aren't good to begin with. Let me justify this clearly.

      Security can only work in mass economy. That means that there must be as many sensors as possible in as many locations as possible to gather and identify actual security threats. So, if you're talking about things like IPS, e-mail security or anything else that needs to detect anything through fingerprinting, that means any product that costs more than maybe $5000 and doesn't have a free version as well will be utterly useless. Look at Cisco's FirePower... great products!!! Yeh!!! they have Snort and ClamAV and others which are truly amazingly good stuff.... too bad they charge so much for their products that they don't notice things like that they're running on Linux kernels that are compromised in the network stack and allow hackers to code inject to the kernel before the packet ever reaches the Snort or ClamAV...

      Don't worry, running most of your fancy security tools in a virtualized environment is meaningless as well as they also typically run on Linux or FreeBSD and run inside of VMware with VMXNET3 drivers which are so compromised they're like Christmas to hackers.

      Let's also consider that "Best SOAR products" in general... I've evaluated many of them and have pockets deep enough to buy any of them that I consider useful. I then spend a massive amount of my budget in code review and performing line by line audits because those "best SOAR tools" almost always are coded to protect what's inside by having the worst security themselves.

      Consider that most of these best SOAR products don't even have the option for client certificate authentication enforcement.

      Making tools for security in Python can be fun... like "I found a security hole, let me write a small exploit to test it".

      I just switched back to bash scripting after a failed Ansible project that just was absolutely shit because Ansible is designed for script kiddies who don't actually care whether their code breaks things by accident. Then you have Ansible crap code all over the place. Cisco has now released hundreds of Ansible tasks that completely lack idempotency. And they even have entire certification tracks on how to make Python and Ansible worse.

  15. I don't know what tool he's talking about by h33t+l4x0r · · Score: 1

    Metasploit is the biggest one AFAIK and it's Ruby not Python.

  16. Re:Cracker by Anonymous Coward · · Score: 0

    With the libtards and never-trumpers like yourself extinguished, Trump will turn his newly unfettered attention to solving the global Muslim Problem. Happy now?

    That's a shame really. The Islamic world was once the light of the world intellectually, in terms of things like mathematics, architecture, basic sanitation. While Europe experienced a Dark Age they were flourishing and provided centers of learning. The very numerals we use now are Arabic numerals. They work much better than Roman numerals and actually have a useful concept of a zero.

    How far they have fallen. The silent majority yields to their more extreme elements. Just like American politics. Ever hear that saying that one becomes like what one hates? They have more in common than they would like to admit.

  17. hackers by Anonymous Coward · · Score: 0

    That's "hackers" used unironically to refer exclusively to unauthorized intruders into computer systems on the front page of Slashdot, three times in one day. These are dark times, there is no denying.

  18. Re:Cracker by Anonymous Coward · · Score: 0

    Yeah if the FBI loses all the testimony of perjury and forgets Mark Judge's name and believes Kavanaugh never once got drunk... sure maybe, lol. Good luck nazi faggots, your hero is going down like Trump Jr in Federal prison.

    Approximately 9:15pm Trump Junior is raped by large inmates for the first time, his asshole torn over 12 inches wide.
    America is great again despite Trump traitors, tear them a new one and fuck it also. Prison was MADE for Trumps.

  19. Re:Cracker by Anonymous Coward · · Score: 0

    LOL
    Arabic numerals are from what is now India / Pakistan. Muslims conquered existing civilizations and stole their tech. They had contributions to be sure; but let us not credit them for creating all the differences between Europe and Southwest Asia.

  20. Switch to COBOL! by JoeCommodore · · Score: 1

    You know, in my extensive research, I've found indications that HACKERS HATE COBOL, you would be really hard pressed to find a COBOL rootkit attached to an email. I think we should all switch over!

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    1. Re:Switch to COBOL! by Anonymous Coward · · Score: 0

      If your job is something sequential COBOL is still one of the fastest and simply made for the job. Sure, it's an ugly bloated language. COBOL doesn't let you directly manage memory so it takes heroic efforts to do something bad. Python is basically going to be used for system library attacks or web attacks (the web interface is so easy, we could make an argument that it is the best for that job).

  21. Says Rumanian guy by Anonymous Coward · · Score: 0

    Consider the source

  22. How do they know it's python? by smi.james.th · · Score: 1

    I may be showing my ignorance here, but unless on the target system some python thing is being exploited, how do you know what the crackers will use? I'm not aware that calling cards are left after a system has been compromised. Sockets, file reads, etc. all look the same if they're done by a python script or a compiled program.

    --
    One thing I know, and that is that I am ignorant...
    1. Re:How do they know it's python? by CODiNE · · Score: 1

      You'll mostly be able to tell with HTTP requests, the user agent header will have a default python.requests or whatever library they're using for their script. Some guys will take the time to put in a fake browser user agent, but generally you see their Python library version. If you're in a SOC you can just watch for python in the user agent and 99% of the time it'll be malicious traffic.

      --
      Cwm, fjord-bank glyphs vext quiz
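      An added example of the User-Agent check described above (not code from the thread, Imperva, or any SOC product): it parses combined-format web server log lines and flags requests whose User-Agent is a default Python HTTP library string. The log lines, IPs and paths are constructed placeholders.

```python
"""Flag web requests whose User-Agent is a default Python HTTP client string.

Added example, not from the thread: a small detector in the spirit of the
"watch for python in the user agent" advice. Log lines, IPs and paths below
are constructed.
"""
import re
from dataclasses import dataclass

# Combined log format:
# ip - user [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent strings sent by common Python HTTP clients when the
# script author did not set one. Each value is a prefix of the full string.
PYTHON_UA_MARKERS = (
    "python-requests/",   # requests
    "Python-urllib/",     # urllib.request (stdlib)
    "python-httpx/",      # httpx
    "Python/",            # aiohttp: "Python/3.x aiohttp/x.y"
)


@dataclass
class Hit:
    ip: str
    method: str
    path: str
    status: int
    ua: str


def is_python_client(ua: str) -> bool:
    """True when the User-Agent starts with a Python library default."""
    return any(ua.startswith(marker) for marker in PYTHON_UA_MARKERS)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a malformed line."""
    match = COMBINED_LOG.match(line.strip())
    return match.groupdict() if match else None


def find_python_clients(lines):
    """Return a Hit for every well-formed line with a Python default UA."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # noisy logs contain junk; skip rather than crash
        if is_python_client(rec["ua"]):
            hits.append(Hit(rec["ip"], rec["method"], rec["path"],
                            int(rec["status"]), rec["ua"]))
    return hits


def summarize(hits):
    """Per-source counts, loudest first, for analyst triage."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2018:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.19.1"',
    '198.51.100.4 - - [15/Sep/2018:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/62.0"',
    '203.0.113.7 - - [15/Sep/2018:12:00:03 +0000] "POST /login HTTP/1.1" 403 0 "-" "python-requests/2.19.1"',
    '192.0.2.9 - - [15/Sep/2018:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Python-urllib/3.6"',
    '192.0.2.9 - - [15/Sep/2018:12:00:05 +0000] "GET /api/v1/users HTTP/1.1" 401 0 "-" "Python/3.6 aiohttp/3.4.4"',
    'this line is not a valid log entry',
]

if __name__ == "__main__":
    for ip, n in summarize(find_python_clients(SAMPLE_LOG)):
        print(f"{ip}: {n} request(s) with a Python default User-Agent")
```

      As the comment notes, a script that sets a browser User-Agent is invisible to this check, and in-house automation often uses the same defaults, so treat a hit as a triage signal rather than proof of malice.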
    2. Re:How do they know it's python? by smi.james.th · · Score: 1

      Interesting... again, pardon my ignorance, but what does SOC mean?

      --
      One thing I know, and that is that I am ignorant...
    3. Re:How do they know it's python? by CODiNE · · Score: 1

      Security Operations Center. Like how a NOC is for network operations.

      --
      Cwm, fjord-bank glyphs vext quiz
    4. Re:How do they know it's python? by Anonymous Coward · · Score: 0

      Interesting... again, pardon my ignorance, but what does SOC mean?

      It means "learn how to use Google you fucking nígger bastard".

      Actually, I shouldn't say such things. About 90% of níggers are bastards so it's completely redundant. They can't be bothered with things like fatherhood you know. It cuts into valuable time they'd rather spend using drugs and doing gangsta shit.

  23. python is a hit with anyone who has experienced it by Anonymous Coward · · Score: 0

    Python is a hit with anyone who has experienced it with an open mind, IMHO.

    I was a perl-let-me-code-my-style! developer. Once I got past the oh-no-space-formatted-code-that-looks-all-the-same! barrier, I discovered that the freedom of "there is more than one way to do it" does not really trump the "there is one simpler and clearer pythonic way" way of doing it in Python.

    It's a wonderful, powerful language with good libraries on nearly every programming subject.

    It lets you focus more on the problem, makes it easier to read other people's code, and binds with C.

    I consider it the closest language to pseudo code description of a program

  24. Why is Python Popular with Hackers? by Anonymous Coward · · Score: 0

    If Python is an interpreted language then how does it run on computers that hackers target if the python interpreter has not also been installed? Embedding the python interpreter in the executable would seem to result in larger executable sizes which is not the sort of thing that attackers should want when writing malware since smaller programs are faster to download, take up less space and are less likely to be noticed as resource hogs. Perhaps I'm missing something here?

  25. Re:Cracker by Anonymous Coward · · Score: 0

    FBI investigates and (due to wrangling inside the FBI) takes the entire week to dismiss the fiction due to utter lack of basic facts that need investigating.

    Every man watching this charade gets an education - you're next. If you have any kind of responsibility... the left (feminists in particular) want your job and will stop at nothing to get it. They don't need evidence - they are taking their cues straight from Mao and Stalin. Show trials.

    The entire establishment in the west need purging of women... stop whining ladies you aren't fit to run nations... and male feminist geldings.

  26. Re:Under Wear is Also Hit with hackers by CODiNE · · Score: 1

    I always hack naked.

    Looks like Sparc Flow's TTPs are spreading.

    http://hacklikeapornstar.com/

    --
    Cwm, fjord-bank glyphs vext quiz
  27. Java is shit by Anonymous Coward · · Score: 0

    Java is the second most awful language I've ever programmed in behind JavaScript. How it continues to rank in popularity is entirely beyond me. Go is the third worst, but not because it fundamentally sucks, like Java and JavaScript do. Go sucks because of all the fanboy hipsters that circle jerk with it.

  28. Of course they are! by Anonymous Coward · · Score: 0

    Python's what they're teaching the kids these days in school! XD

  29. Re: Cracker by Anonymous Coward · · Score: 0

    You tell 'em, Fritz! Europa uber alles! Death to the American working class! Long live the financial oligarchy!

  30. Taught in schools by TJHook3r · · Score: 1

    I imagine Python is also a hit with people trying to do useful things as well, particularly things involving Raspberry Pi and automation - it's been taught in schools for the last few years as well. Nice try educators though, trying to make coding more 'cool' by writing this article!

  31. Re:Cracker by Anonymous Coward · · Score: 0

    All fake. I actually watched it and nothing you say is true as usual. Wishful thinking Ivan.