Hackers weigh in on programming languages of choice

Small, self-described sample, sure. But results show shifts over time


Never mind what enterprise programmers are trained to do, a self-defined set of hackers has its own programming language zeitgeist, one that apparently changes with the wind, at least according to the relatively small set surveyed.

Members of Europe's Chaos Computer Club, which calls itself "Europe's largest association of hackers" were part of a pool for German researchers to poll. The goal of the study was to discover what tools and languages hackers prefer, a mission that sparked some unexpected results.

The researchers were interested in understanding what languages self-described hackers use, and also asked about OS and IDE choice, whether or not an individual considered their choice important for hacking and how much experience they had as a programmer and hacker.

How are CCC hackers hacking?

To be fair, the survey only had 43 respondents, so it's too small to allow for representative conclusions, but even with a tiny sample, they note the results "add to the extremely scarce literature on the subject. The approach could serve as a model for future surveys, possibly at international level," the paper said. 

The experience of respondents gives the survey more weight, though. Nearly three-quarters said they had five or more years of experience as a hacker, and 93 percent have five or more years of programming experience. 

As for which programming languages the hackers from CCC prefer (respondents could choose more than one answer), it appears that Bash/Shell/PowerShell are the most popular, with 72.5 percent saying they've used it to hack in the past year. The next most popular is Python, with 70 percent saying they used it for hacking in the past year. 

For those arguing that Bash isn't a programming language, the researchers understand. However, "we have included them in the list anyway to avoid possible gaps in the study," the paper said.

Beyond Python, language use drops off dramatically: C, the next most popular, was only used by 32.5 percent, as was JavaScript. HTML/CSS was used by 30 percent, C++ by 27.5 percent, Go by 22.5 percent, and the list goes on. 

Unsurprisingly, 95 percent of respondents said they used a Linux-based OS for hacking in the past year, while only 40 percent used Windows, 32 percent used macOS, and 17.5 percent used BSD. IDE choice was similarly concentrated, with 60 percent saying they used Vim and 50 percent saying they used Visual Studio Code. 

What the numbers mean

At the heart of the study is the question of what programming languages hackers use, from which follows an additional question: is that language an important part of your hacking process? The results suggest no.

Only 25 percent of respondents said that they agreed or strongly agreed with the statement "The choice of the programming language is important for hacking." Otherwise, 32.5 percent said it didn't matter, and the remaining 42.5 percent said they disagreed or strongly disagreed that language choice was important.

From that, it seems the definition of hacker that the paper puts forward, "someone who uses his/her technical expertise to deal with computers with special regard to their security," means hackers are more interested in the process of hacking than the particular language used to do it.

It also indicates that "the prevalence of Python for hacking might therefore simply reflect the general increase in its use in recent years," the paper said. "Consequently, one could expect that the language preference of hackers will continue to change in future as technology evolves." ®

Similar topics

Broader topics


Other stories you might like

  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022