Sam D. Gomez

Poison Packages – User “Supply Chain Risks” hits Python community with 4000 fake modules – Naked Security

If you’ve ever used the Python programming language or installed software written in Python, you’ve probably used PyPI before, even if you didn’t realise it at the time.

PyPI is short for the Python Package Index, and it currently hosts just under 300,000 open source add-ons (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically by simply running a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

The full list includes, to put it plainly, some rather specific projects, the first five in alphanumeric order being …

     0
     0-._.-._.-._.-._.-._.-._.-0
     00000a
     0.0.1
     007

… and the bottom five do their best to be the last on the list:

     zzzfs
     zzzutils
     zzz-web
     zzzz
     zzzZZZzzz

Take-a-package

As you probably know, many contemporary programming ecosystems such as Python, Node.js, and Ruby provide huge free public repositories like this, and come with easy-to-use tools to grab all the add-ons you need and install them automatically.

If you suddenly realize that you want to use the Python module called asteroid, for example, you can just run pip install asteroid, after which your own Python programs can say import asteroid and start using the package.

The package asteroid is not a clone of Atari’s Asteroids game, nor is it related to astronomy. It is an audio processing system that claims to be able to separate a voice recording with multiple participants into a separate channel for each speaker.

Malicious updates

The ease with which trusting users download and install new Python components (and Node.js, and Ruby, and so on) has led to a series of cybercrime attacks on package repositories.

Crooks sometimes Trojanize a legitimate project in the repository, usually by guessing or cracking the package owner’s account password, or by helpfully but dishonestly offering to “help” a project whose original owner no longer has time to deal with it.

Once the fake version is uploaded to the genuine repository, users of the now-hijacked package are automatically infected as soon as they update to the new version, which works as before, except that it includes hidden malware that the crooks can exploit.

Another trick is to create Trojanized public versions of private packages that the attacker knows are used internally by a software company.

The public version of the package is given a higher version number than the internal version, and if the company has not properly secured its automatic update processes, the attacker may be able to trick the company’s entire development team, or even the organization’s own software build system, into updating private code from an untrusted (and malicious) external source.

Cyber security researcher Alex Birsan recently earned over $100,000 in bug bounties by publishing external versions of supposedly internal software for dozens of IT giants, including Apple, PayPal, Microsoft and Shopify.

This kind of trick is known as a supply chain attack, for obvious reasons.

In a supply chain attack, crooks do not break into your network and install the malware directly.

Instead, they push their malware upstream of you, implanting it into someone else’s network, repository, or distribution mechanism, and waiting for the infection to pass down the chain until it reaches you.
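The dependency-confusion scenario above can be checked for on the defender’s side by comparing the packages your builds expect against what a public index reports for the same names. The following is an added example with constructed data, not code from the article or from Birsan’s research; the inventory, the index snapshot and the version-parsing rule are all assumptions.

```python
"""Flag internal package names that also exist on a public index.

Added example with constructed data: a name you never published that
suddenly exists publicly is the precondition for dependency confusion,
and a higher public version number is the case an installer would pick."""

# constructed inventory: internal packages and the versions your builds expect
INTERNAL_PACKAGES = {
    "acme-billing": "1.4.2",   # never published externally
    "acme-auth": "0.9.0",      # never published externally
    "requests": "2.25.1",      # a genuine public dependency
}
# names the company really does publish on the public index
PUBLISHED_EXTERNALLY = {"requests"}
# constructed snapshot of what the public index reports for each name
PUBLIC_INDEX_SNAPSHOT = {
    "acme-billing": "99.0.0",  # impostor with an inflated version number
    "requests": "2.25.1",
}


def parse_version(version):
    """Compare dotted numeric versions; non-numeric parts sort as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_dependency_confusion(internal, published, public_index):
    """Return one finding per internal-only name that also exists publicly.

    severity 'high': the public copy outranks the internal version, so an
    installer that consults the public index next to the private one would
    choose the impostor; 'medium': it exists but would not win yet."""
    findings = []
    for name, internal_version in sorted(internal.items()):
        if name in published or name not in public_index:
            continue
        public_version = public_index[name]
        outranks = parse_version(public_version) > parse_version(internal_version)
        findings.append({
            "package": name,
            "internal": internal_version,
            "public": public_version,
            "severity": "high" if outranks else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in check_dependency_confusion(
        INTERNAL_PACKAGES, PUBLISHED_EXTERNALLY, PUBLIC_INDEX_SNAPSHOT
    ):
        print(finding)
```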

Package squatting

A third type of supply chain attack – rather less sophisticated, with no guarantee of success, but extremely easy to carry out – involves creating a fake package with a deceptive name that hurried users might download and install by mistake.

Much like typosquatting in the world of websites, where crooks register near-miss domain names in the hope that you won’t notice you’re on the wrong site (e.g. by typing c0mpany instead of company), package squatters register near-miss or plausible-sounding package names that they hope you’ll grab by mistake.

Recent, now-deleted examples that appeared in the Python Package Index last week include:

   Fake name       Possible target  Function of real package  Difference
   --------------  ---------------  ------------------------  -----------------------
   asteroids       asteroid         Audio processing          Plural, not singular 
   beauitfulsoup4  beautifulsoup4   HTML/XML parsing          Typo (letters swapped)
   llvm            llvmpy           LLVM compiler             Suffix left off
   winpty          winpy            Windows functions         Extra letter inserted
   wwebsite        website          HTML manipulation         Doubled letter at start
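Each row of the table above is a small, mechanical edit to a real name, so a defender can screen a list of candidate package names for exactly those five patterns before approving them. The following is an added example, not code from the article; the known-good list is constructed from the table, and the pattern labels are this example’s own.

```python
"""Screen candidate PyPI names against a known-good list for the five
lookalike patterns in the table: plural, swapped letters, dropped suffix,
inserted letter, doubled letter. Added example; known-good list is constructed."""

KNOWN_GOOD = {"asteroid", "beautifulsoup4", "llvmpy", "winpy", "website"}


def _swap_adjacent(a, b):
    """True if a and b differ only by one pair of adjacent letters swapped."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def _inserted_index(longer, shorter):
    """Index of the single extra character in longer, or -1 if not one insertion."""
    if len(longer) != len(shorter) + 1:
        return -1
    for i in range(len(longer)):
        if longer[:i] + longer[i + 1:] == shorter:
            return i
    return -1


def classify(candidate, real):
    """Name the lookalike pattern turning real into candidate, or None."""
    c, r = candidate.lower(), real.lower()
    if c == r:
        return None
    if c == r + "s":
        return "plural, not singular"
    if _swap_adjacent(c, r):
        return "typo (letters swapped)"
    if r.startswith(c):
        return "suffix left off"
    i = _inserted_index(c, r)
    if i >= 0:
        # an inserted letter equal to a neighbour is a doubled letter
        if (i > 0 and c[i] == c[i - 1]) or (i + 1 < len(c) and c[i] == c[i + 1]):
            return "doubled letter"
        return "extra letter inserted"
    return None


def find_lookalikes(candidates, known_good=KNOWN_GOOD):
    """Map each suspicious candidate to (real name, pattern); exact matches pass."""
    results = {}
    for cand in candidates:
        if cand.lower() in known_good:
            continue
        for real in sorted(known_good):
            pattern = classify(cand, real)
            if pattern:
                results[cand] = (real, pattern)
                break
    return results


if __name__ == "__main__":
    for name, hit in find_lookalikes(
        ["asteroids", "beauitfulsoup4", "llvm", "winpty", "wwebsite", "asteroid"]
    ).items():
        print(f"{name:15} -> {hit[0]:15} {hit[1]}")
```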

Interference considered harmful

As far as we know, none of these bogus packages contained outright malware, or even any permanent package code.

However, some of them (if not all – it’s hard to verify now that they’ve been removed) included a Python command that was meant to run when the package was installed, rather than when it was used.

The command looked like this:

   import requests   # third-party HTTP library the snippet relies on

   # the URL is assembled piece by piece, so the literal "http://" never appears in the file
   url = "h"+"t"+"t"+"p"+":"+"/"+"/"+[REDACTED IP NUMBER]+"/name?FAKEPACKAGENAME"
   # one request at install time; the response body is never read
   requests.get(url, timeout=30)

This is a crude but simple way of doing what the jargon calls telemetry – in other words, remotely tracking who downloaded and installed the package.

The code above simply calls home to a remote web server with the name of the installed package in the URL, and ignores any data that comes back, if any.

Presumably the IP number written in the URL above (it’s a Tencent cloud server hosted in Tokyo, Japan, for what it’s worth) is operated by the uploader of the packages above …

… who goes by the unusual and slightly ungrammatical nickname “Remind the risks of the supply chain”.

Fascinatingly, if unnecessarily, this user uploaded not only the five bogus libraries listed above, but a grand total, according to the Wayback Machine, of 3951 entirely bogus PyPI packages.

Oddly enough, many, if not most, of the package names were either incongruous or unlikely to be chosen in error, such as Build-Number-Incrementor-for-C-Sharp and Web-Service-for-Android-GMaps-AsyncTask-Demo.

We have not been able to work out where or how our mystery “Supply chain risks” user generated their list of fake package names, but perhaps having just a small number of “real” typosquats among a vast sea of fake and even ridiculous names was part of the plan?

Anyway, it looks as though “Remind the risks of the supply chain” subscribes to the idea that a job worth doing (or, as in this case, a job not really worth doing) is worth overdoing.

Fortunately, the Python team has already removed all these offending elements …

… although we couldn’t help noticing that there is already a new fake beautifulsoup4 impostor in the PyPI database, this time called beatufulsoup4, uploaded 03/03/2021.

This one doesn’t contain any code, but it has the this-would-be-wittier-if-it-weren’t-wearing-a-bit-thin-by-now project title “You may want to install beautifulsoup4, not beautfulsoup4”, proving a point that didn’t really need proving again.

What to do?

  • Don’t make bogus bulk uploads like this to prove your point. We appreciate the message you’re trying to convey, but it’s already been documented, so you’re just distracting other people who could more usefully be doing something else for the project.
  • Don’t choose a PyPI package just because the name looks right. Check that you really are downloading the right module from the right publisher. Even legitimate modules sometimes have names that collide, compete with, or cause confusion with one another.
  • Don’t mistakenly connect internal projects to external repositories. If you’re using Python packages that you haven’t published externally, the one thing you can be sure of is that any external copies of “your” package are impostor modules, and possibly malware.
  • Don’t blindly pull package updates into your own development or build systems. Test and review everything you download before approving it for use. Keep in mind that packages usually include update scripts that run when you update, so malware infections can be delivered as part of the update process, and not only from the source code of the module that is finally installed.


Python community prepares AI developers in Nigeria

Ifé Ogunfuwa

The Python Nigeria community is committed to raising an army of artificial intelligence developers in the country by training young Nigerians in the use of the Python programming language.

Community president Pius Okigbo Jnr described artificial intelligence as the new frontier for Nigeria and developing countries to play in the Fourth Industrial Revolution.

He spoke at a press conference in Lagos and pledged to use his extensive experience in the software industry to deepen the knowledge and understanding of using Python software to provide first-rate services in the country and, ultimately, to benefit young people.

“I will ensure that we have some kind of interface where we can share our progress and reach within the community and see how we can best propagate the goals and objectives that we think we can gain by promoting the use of python in our software community,” he said.

Outgoing Python Nigeria Community President Kelvin Oyanna explained that the community basically trains people to develop skills and expertise in the Python programming language to solve problems.

He said: “When young people are armed with skills, they are able to use them to create technological tools to solve finance, infrastructure and agriculture problems and find solutions to solve our Nigerian problems.

“We are really looking for people who have no skills, no experience to join us. We can confidently say that we have given them the platform to develop the skills and expertise they need in their jobs or to build business around technology. At the end of the day, we have people coming from different spheres of interest, from the public, financial and educational sectors, among others, ”said Oyanna.

“Whatever your level of qualification, we are ready, through our various initiatives such as meetings and training, to maintain and train people to develop their expertise to become better at their work or to create companies around technology that they wish to develop.”

According to the President of the Institute of Software Practitioners of Nigeria, Dr Yele Okeremi, as a member of the Python developer community you need to understand that there are certain things in life whose value derives from the community and from how big that community is.

He said, “For platform owners like Microsoft, Apple, and Google, what they’re doing is trying as much as possible to get developers to their platforms. (This is) because when you bring in developers, once you are able to attract developers using your platform, your platform becomes more valuable.

“The same is happening with python, which is a development tool. They realized that the best thing was to unite so that no one could kill them. They want to share experiences, challenges, fears and aspirations so that together they can make the platform much more acceptable to people; and in doing so, making it much more valuable.”

He said that ISPON will continue to support all these communities created to develop intellectual property in Nigeria.

Copyright PUNCH.

IT developers organize the 1st ‘Python’ community

A group of young computer scientists has organized the very first community of programmers in Davao City, nicknamed “Durianpy”, with the aim of strengthening the talent pool in Python programming.

At its first meeting, held at Ingenuity headquarters along Quirino Avenue on Saturday, Earvin Gemenez, one of the main organizers, said the community intends to unite programmers in the city, whether beginners or professionals, who use the programming language called “Python”.

The exponential growth in demand for expert programmers, especially in Python, calls for more skilled talent with the skills necessary for online job opportunities.

“Python (the programmers) is very active, but mostly freelancers. There are a lot of start-ups using Python in the city, but we are not united,” he said.

Forming a community, Gemenez added, makes it easy for programmers to collaborate on ideas and new projects.

“Through this, we can find more experienced developers who are willing to volunteer to speak up and get involved to help others,” he said.

The group got the idea of hatching the city’s own community after attending one of the events for Python programmers in Manila, PyCon Philippines 2014, a volunteer-organized, non-profit conference.

“The main objective of this conference is to provide a place where the Python programming language and surrounding technologies can be explored, discussed and practiced,” said the Pycon PH website.

The community based in Cebu, meanwhile, is called Pizzapy.

Once active, this will encourage international start-ups to set up their headquarters in the city, even if their operations are abroad.

“There are a lot of international startups but their headquarters are in Cebu and Manila,” he said, adding that this is exactly what they intend to do for Davao: put it on the map.

He said investors won’t come unless they learn how active the community is.

Ingenuity, a local IT company headed by John Naranjo, is said to be a strong supporter of Python programmers, as its own group of developers uses the language as well.

Ralph Leyga, a freelance writer and organiser for Durianpy, said he started programming in 2009 and was later introduced to Python.

“I just read the documentation, since then I started learning Python,” he said.

Along with Gemenez and Leyga, Ed Patrick Tan and Nathaniel Varona were also among the organizers of the first Durianpy meet-up.

The group plans to hold a monthly meeting where senior developers are invited to speak in front of technical and non-technical community members.

Through monthly meetings, talents can improve their skills, and thus increase their employability with foreign employers.

“Let’s say you can learn Python in a week but you can never master it,” Gemenez said.

Huge opportunities await online home-based job seekers if they learn Python.

“For online jobs, and for Python developers. Pero gamay lang pud ang naga-Python (For online jobs, Python developers are paid higher rates, but only a few are in Python),” he added.

Gemenez added that one of the things they want to tackle is giving young people another way to spend their extra time, instead of finding themselves tied to online gaming.

Python, as a computer programming language, is used to develop websites, computer and mobile applications, and animation.


Python documentation at your fingertips

[In this reprinted #altdevblogaday in-depth piece, Arrived’s senior software engineer Gustavo Ambrozio shares the useful tool he created for searching Python documentation with Dash.]

As I mentioned in my last blog post, I started learning Python some time ago and fell in love with it. But, as with any new programming language, I spent a lot of time going through the documentation to find the correct method name for, say, finding a substring in a string.

Is it indexOf, find, rangeOfString, locate??? I had to go to the online Python documentation (very well done, by the way) to find the correct method in the string module.

In the meantime, I also fell in love with another tool: Dash. If you are an iOS developer and don’t have Dash, you should download it now! It is one of the most useful tools in my tool belt right now. And at the very low price of free, you can’t go wrong. As I told the author, I would gladly pay good money for it.

My first use of Dash was browsing the iOS documentation. I never liked XCode Organizer’s documentation browser. The search is incredibly slow, the pages take forever to load, there is no easy way to get to the documentation for a method, you name it …

Dash is quite the opposite:

  • The search is incredibly fast;
  • Once you find the class you are looking for, it creates a list of all the methods so that you can jump to them quickly;
  • If you click on a method’s declaration, it is automatically copied to your clipboard. Now it’s a snap to create delegate methods;
  • You can search the documentation for a class just as easily.

Not to mention some other great features, such as a snippet collector and an automatic text expansion tool. Even if you are not an iOS or OSX developer, Dash can be a great tool just for collecting snippets and expanding text automatically. Enough praise, back to the problem.

Dash can be used to browse any documentation that has been gathered into Apple’s docset format. When I learned this, one of those light bulbs popped on over my head and I immediately started scouring the web for a version of the Python documentation in docset format, only to find that no such thing exists, or that it is very well hidden.

Use the snake to help the snake

So I decided to take matters into my own hands and build this documentation myself. Using Python, of course.

With the help of the author of Dash, I learned how to build docsets that are easily searchable in Dash. After a few hours of coding, reading Apple’s docs, and writing regular expressions to collect all the info I thought should be in the docs, I managed to create a docset, configure Dash to use it and, voilà, instant search of the Python documentation!

I managed to generate some documentation for Python 2.7.2 and for 3.2.2, the latest versions at the moment. Click on the links to download and feel free to use them.

You will need to unzip the file and place the resulting .docset bundle somewhere. I would recommend putting them in ~/Library/Developer/Shared/Documentation/DocSets as this is the place XCode looks when searching for docsets. I think Dash also looks in this folder, or at least it is the default folder when you add new docsets to it.

And I’m proud to say that the author of Dash will ship this docset (version 2.7.2) with the new version of Dash. If you want documentation for version 3.2.2, you can download my version and use it instead. Oh, and before I forget, Dash now ships with a lot of author-created docsets. Currently, Android, Java, Perl, Python, PHP, Ruby, jQuery, and Cocos2D docsets are included.

In addition, I’ve added this script to my PythonScripts github repository. Don’t hesitate to grab it, fork it, use it and improve it. I like receiving pull requests with improvements to my repositories.

To use the script you will need the Beautiful Soup module installed (sudo pip install beautifulsoup4). I use it to parse the HTML of the documentation to find all the interesting methods, functions and classes to grab. I also had to add anchor tags to all the HTML files so Dash could jump to the right place in the HTML.

Here is what you need to do to generate a new version of the documentation from the HTML version:

  1. Download the documentation for the desired version here. You need to download the zip file for the HTML version of the docs.
  2. Expand the documentation somewhere.
  3. Open Terminal and navigate to the folder where you expanded the docs.
  4. Run the script from this folder.
  5. The script will create a python.docset bundle with all the necessary files.
  6. Move the python.docset bundle into a folder. Again, I recommend ~/Library/Developer/Shared/Documentation/DocSets
  7. Use it!
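The procedure above boils down to walking the expanded HTML, collecting identifiers, and writing them into a searchable index inside a .docset bundle. The following is an added example, not the author’s PythonScripts script: it assumes the layout Dash documents for generated docsets (Contents/Info.plist plus a SQLite searchIndex table in Contents/Resources/docSet.dsidx, with the HTML under Contents/Resources/Documents), uses a regular expression instead of Beautiful Soup, and runs on a constructed stand-in for one page of the Python HTML docs.

```python
"""Build a minimal Dash-style docset from a folder of HTML docs.

Added example; assumes Dash's generated-docset layout (see lead-in) and
uses a constructed sample page rather than the real Python docs."""
import os
import re
import shutil
import sqlite3
import tempfile

# constructed stand-in for one page of the Python HTML docs: Sphinx marks
# each documented function or method with a <dt id="module.name"> entry
SAMPLE_HTML = """<html><body>
<dt id="str.find"><code>str.find</code>(sub)</dt>
<dt id="str.index"><code>str.index</code>(sub)</dt>
<dt id="str.rfind"><code>str.rfind</code>(sub)</dt>
</body></html>"""

DT_ID = re.compile(r'<dt id="([A-Za-z_][\w.]*)"')

INFO_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>{name}</string>
<key>CFBundleName</key><string>{name}</string>
<key>DocSetPlatformFamily</key><string>{name}</string>
<key>isDashDocset</key><true/>
</dict></plist>
"""


def extract_entries(html, rel_path):
    """Return (name, type, path#anchor) for every <dt id=...> in one file."""
    entries = []
    for ident in DT_ID.findall(html):
        kind = "Method" if "." in ident else "Function"
        entries.append((ident, kind, f"{rel_path}#{ident}"))
    return entries


def build_docset(src_dir, out_dir, name="python"):
    """Copy src_dir into a bundle, index its HTML, return (bundle path, entry count)."""
    docset = os.path.join(out_dir, f"{name}.docset")
    resources = os.path.join(docset, "Contents", "Resources")
    documents = os.path.join(resources, "Documents")
    shutil.copytree(src_dir, documents)  # also creates Contents/ and Resources/
    with open(os.path.join(docset, "Contents", "Info.plist"), "w") as f:
        f.write(INFO_PLIST.format(name=name))
    conn = sqlite3.connect(os.path.join(resources, "docSet.dsidx"))
    conn.execute("CREATE TABLE searchIndex(id INTEGER PRIMARY KEY, name TEXT, type TEXT, path TEXT)")
    conn.execute("CREATE UNIQUE INDEX anchor ON searchIndex (name, type, path)")
    count = 0
    for root, _, files in os.walk(documents):
        for fn in files:
            if not fn.endswith(".html"):
                continue
            full = os.path.join(root, fn)
            with open(full, encoding="utf-8") as f:
                entries = extract_entries(f.read(), os.path.relpath(full, documents))
            conn.executemany("INSERT OR IGNORE INTO searchIndex(name, type, path) VALUES (?, ?, ?)", entries)
            count += len(entries)
    conn.commit()
    conn.close()
    return docset, count


def demo():
    """Write the sample page to a temp dir, build the docset, read the index back."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "html")
    os.makedirs(src)
    with open(os.path.join(src, "stdtypes.html"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_HTML)
    docset, count = build_docset(src, work)
    conn = sqlite3.connect(os.path.join(docset, "Contents", "Resources", "docSet.dsidx"))
    names = sorted(row[0] for row in conn.execute("SELECT name FROM searchIndex"))
    conn.close()
    shutil.rmtree(work)
    return count, names
```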

Conclusion

This is my first contribution to the Python community. I hope you like it and that using Dash with this docset simplifies your life. It certainly has mine. If you have any comments on this docset, please leave a comment on my blog post.

The docset doesn’t have the full documentation (it doesn’t include the tutorials and howtos, for example), as I only use it personally as a reference. But, as I said before, feel free to edit the script to include more stuff and make a pull request so I can add it to my repository.

[This piece was reprinted from #AltDevBlogADay, a shared blog initiative started by @mike_acton devoted to giving game developers of all disciplines a place to motivate each other to write regularly about their personal game development passions.]
