Fedora Project Drops SQLNinja 'Hacker' Tool
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
Oh wait.
Who cares if X or Y is left out of a distro? If it's available, it's installable.
If you don't like the way we do it, do it yourself.
Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.
In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.
I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.) They probably want to cover their butts, but it also seems like unfair censorship.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Does a package have a right to be included in a distribution?
Is failing to include a package censorship?
Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.
I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.
Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...
Several nudie shots would make a useful addition to the repository, but I'll bet the committee is already too far down that "path of madness" to include them.
(transitive) To review in order to remove objectionable content from correspondence or public media, either by legal criteria or with discretionary powers
http://en.wiktionary.org/wiki/censor#Verb
Censorship can be by a government, or it can be by a private party. In the latter case, arbitrary censorship is usually OK. For governments, they usually have to meet some reasonable constitutional or judicial standard.
I'm not a lawyer, but I play one on the Internet. Blog
We have our own open source, Steve Jobs. And isn't it fitting that it's a committee?
"In what can only be described as a fit of insanity"
Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.
-- I'm old enough to have lived through six different meanings of the word "hacker."
If the people at SQLNinja really want to have it easy to use/install on a Red Hat machine, all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make an RPM file to submit before rejecting them on philosophical grounds.
There is no reason you can't get it elsewhere and install it yourself on Fedora. That works for Windows folks.
( now if RedHat started blocking or reporting installs of stuff they don't like THEN there would be a problem )
---- Booth was a patriot ----
Linux prides itself on having all hacking tools available so system administrators know how to attack so they know how to defend, and system admins are godly people that do not like to be told what to do, so 2 things will happen: distro switch, or config their own repositories where they can still get them. I think Fedora has forgotten its target audience. It's like taking food away from a baby, good luck with that.
Red Hat is in the business of selling linux support to companies. It is not too surprising that some of those companies (who very well may have been the target of SQL injection exploits) have said in return for our businesses, remove all software that supports SQL injection from your repos. This is a useless measure for sure, but it may make the companies happy. I would suspect this is the case given the unanimity of the board's approval.
And the impact on people actually using these type of tools: 0.
Welcome our new SQLInjection overlords. I used it on my own site, www.jeufeng.com
In other words -- non-story
It's definitely a story, it's your opinion that it's a non-issue, but if it's a non-issue then why exclude the package at all?
It's not like anyone capable of using such tools cannot handle tar, make, and make install.
And it's not like some noob will take down your SQL server with this tool, so why do you still think it's an issue?
Nobody used Feduhra anyway.
The board meeting minutes were published on lwn.net more than three days ago.
See subject-line above, because imo @ least? To secure yourself, you've got to be able to "hack/crack" yourself, & it's typically called "pen testing", which yes, you should exercise on yourself...
I.E.-> Regularly use logs, or directly probe, & see what's coming AND going out of your systems over IP (especially lately, your databases via their "front ends" on the web mostly - stored procs, trim your sends/receive inputs/outputs, & other types of sanity checking.... but also, know your data &/or typical userbase + usepatterns and TCP/IP ports & their uses).
I think it's as important as updating your machine's OS &/or Applications in fact. A pain for sure, especially some of what I noted above if it's not done regularly, but you have to do some work on your own, no automator can do what you can in full, or have your judgement.
So, by removing this tool being commonly available has that "other side", as so many tools do, of being like a razor? You cripple yourself in this capacity... others here cited pulling tools like nmap being the same thing in this very thread here on /., & it's a good solid example also.
Like a razor, many apps are: You can use it to shave, which is of course useful, OR, to cut your own throat. Removing it's removing its possible potentially important useful uses also.
2 sides to every coin.
Additionally, yes: It happens in the Win32/64 world too!
E.G.-> Nir Sofer of NIRSOFT's had it happen (he writes nice useful smallish utils that get this bad rap, most do not though), so has Dr. Mark Russinovich of Microsoft (on certain of his "pstools" & others he wrote, but not all), and even to myself on 1 app (that I never intended for usage as a malware, & it's only listed with a "zero threat level" yet it never violated even 1 of 21 questions CA asked for removal completely).
APK
P.S.=> Like guns & people: Tools don't kill servers/systems, people do... Same with some programs on PC's &/or Servers!
Ping's another "classic example" here really as well - it used to be able to issue a "ping of death" and on older OS it still can!
(Yet, no one ever removed it from systems (oh, they altered things in it, but it's still here), because it's so useful - & I have yet to see PING listed as a weapon in any malware tracking DB, even when it was potentially dangerous at the same time as being really useful!)... apk
> SQLNinja is marketed entirely as an "SQL Server injection & takeover tool."
You do realize that we test whether or not we're protected against SQL injection by attempting actual attacks... right?
Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".
By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.
This is entirely different (and much more mild) than blacklisting those applications.
For every problem, there is at least one solution that is simple, neat, and wrong.
While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.
Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?
You may be right, but it would be especially ironic since if those companies would have had SQLNinja, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...
This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.
From the SourceForge page for this tool:
"Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.
There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "
As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task.
"SQLNinja, jack-the-ripper, metasploit."
The geek has a genius for putting names to his projects that are certain to raise red flags.
The Gimp carries baggage into the OSX and Windows shop that the charity providing services for the disabled does not need or want. Fedora and Red Hat need to maintain their credibility in the enterprise environment.
Time and money spent in explanation and recovery - PR - can always be put to better uses.
They should be careful about apache2, it could be used to distribute malicious code over these-here-internets. Or maybe Wireshark will be dropped, I hear it could be used for bad things.
Today your SQL injection tools, tomorrow your nmap?
Why did you have to tell them about nmap?
I can always cook up whatever distro I want. Despite the issues with nmap and friends, I can always build an image with things like SQLNinja.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
If this story is true the *AA must be very happy.
So if someone gets hit over the head with a hammer, is Canadian Tire liable for selling them the hammer?
In my opinion this is all about managing the perception on whether or not a particular piece of software is a required component for any particular OS distribution, and whether the distro managers have the right to decide what they include and what they don't for any reason.
I am reminded of an incident recently where setting up a particular development environment on my Fedora desktop box required the use of Apache as a reverse proxy, which only required very simple configuration of the httpd.conf file. Assisting someone to set up their Ubuntu desktop box not only required installing Apache and configuration, but also adding the required Apache modules; not overly difficult, but annoying me nonetheless. It was my perception that the Ubuntu desktop provided an inferior solution to Fedora, but to the many Ubuntu fans that I work with, this was a non-issue, because it was still possible to add the webserver and required modules. "And who needs a webserver on a desktop anyway?"
I was unconvinced until recently I needed to install nmap on my Mac OS X box, and I realised that it's all a matter of perspective and what is important to me and what I am prepared to accept in an OS distribution of what should and should not be included.
I see the inclusion or exclusion of sqlninja the same way, totally abstract from the deciding reasonings of the OS distributor. It really does not matter if it's included by default or easily obtainable in a package, it is still possible to do, so therefore not important; it is just someone else's opinion on what should and should not be rightfully included.
No vim or gcc for you!
How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Disclaimer: I used to work for Red Hat and personally know some of the board.
SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.
SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.
Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
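The claim in the post above that SQL injection flaws are trivial to detect with simple input fuzzing, and the earlier post's advice to sanity-check what goes into your database, as an added Python example that is not part of this thread and not code from sqlninja or Fedora. It uses an in-memory SQLite database with constructed sample rows and constructed probe strings; the function names (`lookup_concat`, `lookup_param`, `fuzz_lookup`, `is_well_formed_name`) are hypothetical:

```python
import re
import sqlite3

# Constructed fuzz probes: ordinary values plus ones carrying SQL metacharacters.
PROBES = ["alice", "O'Brien", "alice'", "50%", "bob--"]


def build_db():
    """Create an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable form (hypothetical app code): user input is pasted into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Fixed form: the driver passes the value separately from the SQL text."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def fuzz_lookup(conn, lookup, probes=PROBES):
    """Feed each probe to `lookup` and collect the probes that make the database
    raise an error. A quote in user data causing a SQL syntax error is the
    tell-tale sign that the input reached the SQL parser unescaped."""
    findings = []
    for probe in probes:
        try:
            lookup(conn, probe)
        except sqlite3.Error as exc:
            findings.append((probe, type(exc).__name__))
    return findings


# Allowlist for a user name field; the character set is a constructed choice.
NAME_RE = re.compile(r"[A-Za-z0-9_.' -]{1,64}")


def is_well_formed_name(name):
    """Allowlist sanity check on the input (defence in depth). It deliberately
    admits the apostrophe, because real names contain it; that is exactly why
    the query must be parameterised rather than relying on validation alone."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = build_db()
    print("concatenated query, probes that errored:", fuzz_lookup(conn, lookup_concat))
    print("parameterised query, probes that errored:", fuzz_lookup(conn, lookup_param))
```

Run against the concatenated query, the two probes containing a single quote come back as database errors, which is the whole "simple fuzzing" signal; the parameterised query returns an empty finding list for the same probes while still answering `O'Brien` correctly (no rows, no error).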
> 'It seems incredibly short sighted to reject software based on perceived legal usage,'
I fully agree, but this isn't the first time I've run into this problem.
Eg. I currently run Ubuntu in a dual-boot configuration on an Apple MacBook. I thought that dual-booting sucks, and it would be better if I could just delete the OS X partition entirely and run it in a VirtualBox VM on the off chance I find I need it.
This should not cause any licensing issues AFAICT. I would only have a single installation of OS X on my Apple MacBook. Sounds completely logical, but Sun (now Oracle) wouldn't hear of it. Apparently if that feature was included, people could use it to easily run OS X on non-Apple hardware.
Just another case of rejecting a feature based on perceived *possible* illegal usage.
It's GNU/Linux dammit!
How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
Valid points. Still doesn't mean that Redhat should include this in their repositories any more than they should include virus building tools.
How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
How do you expect to test if someone can install a botnet on your servers via running IE as admin to visit porn sites unless you use IE on your servers as admin to visit porn sites?
Well, son, an executable is what happens when a compiler and a source file fall in love and decide to start a family. The little object source is all limp and lifeless until he's tickled with a chmod u+x. Now some irresponsible folks just let their executables wander all over the place unrestrained, but more mindful traditionalists put them in an appropriate bin for proper care, like /usr/bin or /usr/local/bin. That way when the shell comes looking for the executable it will be on the standard path and won't have to be manually rounded up.
Help stamp out iliturcy.
Any real hacker creates their own tools to do the job (or in fact doesn't need tools in the first place). SQL injection isn't rocket science after all.
Less soft = lower distro size :)
Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)
I just closed sqlninja's review request in Fedora's Bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=637402. Fedora does have a "security spin"; we are a little worried about this decision.
While I understand that you aren't passing judgment, there are reasons for cracking other than pen-testing.
I have a friend who works as a computer techie at a school. In most cases, if you were to ask a teacher what type of computer they had, they would answer "a white one".
What he often finds is that when a teacher wants something fixed (read: they somehow found their way to the control panel and messed something up, or want something installed) on their laptop, they give it to him and then leave without telling him the password to the damn thing so that he can log in and either install what they want or undo whatever changes they made.
Long story short, the only way that he can actually do his job short of hunting down the teacher every single time this happens is to use a linux boot cd or a password cracker to either recover or reset the password.
Even if something has no purpose other than breaking into a system, there are situations where it's required. Security tools are just that. Tools, like a Taser or a lockpick - while both are unarguably single-purposed, the reasons for using them can vary. A Taser could be used to assault someone, but it could also be used in self defense. A lockpick can be used to break into someone's house, but it can also be used by a locksmith in the course of their work.
Our culture doesn't get smarter, it just finds new ways of being retarded.
To continue this trend, it would be bye bye to security. Every single "hacker tool" is a two-edged sword; it can be used for both good and bad. Just like almost anything can be used for good and bad. Should we ban knives because some people use them to hack'n'slice living meat (people) instead of dead?
Maybe we should just lock ourselves into soft rooms; there's the least likelihood of using anything for bad, and the problem will soon be completely solved as we would die out as a race, no more people to do bad things with good tools!
Pulsed Media Seedboxes
Not quite the "penetration testing" we were going for
That's exactly what Apple was doing
I hate to say it, but apple's way of things seems to be pleasing to other companies who want more control on their products, so I guess we have to thank them for this, hopefully not everyone jumps on this band wagon!