Fedora Project Drops SQLNinja 'Hacker' Tool
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
Oh wait.
Who cares if X or Y is left out of a distro? If it's available, it's installable.
If you don't like the way we do it, do it yourself.
Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.
In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.
I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.) They probably want to cover their butts, but it also seems like unfair censorship.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Does a package have a right to be included in a distribution?
Is failing to include a package censorship?
Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.
I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.
Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...
(transitive) To review in order to remove objectionable content from correspondence or public media, either by legal criteria or with discretionary powers
http://en.wiktionary.org/wiki/censor#Verb
Censorship can be by a government, or it can be by a private party. In the latter case, arbitrary censorship is usually OK. For governments, they usually have to meet some reasonable constitutional or judicial standard.
I'm not a lawyer, but I play one on the Internet. Blog
We have our own open source, Steve Jobs. And isn't it fitting that it's a committee?
Yeah, that'd just be copying Ubuntu.
http://rocknerd.co.uk
> "In what can only be described as a fit of insanity"
Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.
-- I'm old enough to have lived through six different meanings of the word "hacker."
If the people at SQLNinja really want to have it easy to use/install on a Red Hat machine, all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make an RPM file to submit before rejecting them on philosophical grounds.
There is no reason you can't get it elsewhere and install it yourself on Fedora. That works for Windows folks.
( now if RedHat started blocking or reporting installs of stuff they don't like THEN there would be a problem )
---- Booth was a patriot ----
Linux prides itself on having all hacking tools available so system administrators know how to attack so they know how to defend, and system admins are godly people that do not like to be told what to do, so 2 things will happen: distro switch, or config their own repositories where they can still get them. I think Fedora has forgotten its target audience. It's like taking food away from a baby, good luck with that.
Red Hat is in the business of selling Linux support to companies. It is not too surprising that some of those companies (who very well may have been the target of SQL injection exploits) have said, in return for our business, remove all software that supports SQL injection from your repos. This is a useless measure for sure, but it may make the companies happy. I would suspect this is the case given the unanimity of the board's approval.
Welcome our new SQLInjection overloads. I used it on my own site, www.jeufeng.com
The board meeting minutes were published on lwn.net more than three days ago.
Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".
By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.
This is entirely different (and much more mild) than blacklisting those applications.
For every problem, there is at least one solution that is simple, neat, and wrong.
While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.
Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?
You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...
This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.
From the SourceForge page for this tool:
"Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.
There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "
As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task.
"SQLNinja, jack-the-ripper, metasploit."
The geek has a genius for putting names to his projects that are certain to raise red flags.
The Gimp carries baggage into the OSX and Windows shop that the charity providing services for the disabled does not need or want. Fedora and Red Hat need to maintain their credibility in the enterprise environment.
Time and money spent in explanation and recovery - PR - can always be put to better uses.
They should be careful about apache2, it could be used to distribute malicious code over these-here-internets. Or maybe Wireshark will be dropped, I hear it could be used for bad things.
> Today your SQL injection tools, tomorrow your nmap?
Why did you have to tell them about nmap?
I can always cook up whatever distro I want. Despite the issues with nmap and friends, I can always build an image with things like SQLNinja.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
In my opinion this is all about managing the perception of whether or not a particular piece of software is a required component for any particular OS distribution, and whether the distro managers have the right to decide what they include and what they don't for any reason.
I am reminded of an incident recently where setting up a particular development environment on my Fedora desktop box required the use of Apache as a reverse proxy, which only required very simple configuration of the httpd.conf file. Assisting someone to set up their Ubuntu desktop box not only required installing Apache and configuration, but also adding the required Apache modules, not overly difficult, but annoying me nonetheless. It was my perception that the Ubuntu desktop provided an inferior solution to Fedora, but to the many Ubuntu fans that I work with, this was a non-issue, because it was still possible to add the webserver and required modules. "And who needs a webserver on a desktop anyway?"
I was unconvinced until recently I needed to install nmap on my Mac OS X box, and I realised that it's all a matter of perspective and what is important to me and what I am prepared to accept in an OS distribution as to what should and should not be included.
I see the inclusion or exclusion of sqlninja the same way, totally abstract from the deciding reasonings of the OS distributor. It really does not matter if it's included by default or easily obtainable in a package; it is still possible to do, so therefore not important, it is just someone else's opinion on what should and should not be rightfully included.
How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Disclaimer: I used to work for Red Hat and personally know some of the board.
SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.
SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.
Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
> 'It seems incredibly short sighted to reject software based on perceived legal usage,'
I fully agree, but this isn't the first time I've run into this problem.
E.g. I currently run Ubuntu in a dual-boot configuration on an Apple MacBook. I thought that dual-booting sucks, and it would be better if I could just delete the OS X partition entirely and run it in a VirtualBox VM on the off chance I find I need it.
This should not cause any licensing issues AFAICT. I would only have a single installation of OS X on my Apple MacBook. Sounds completely logical, but Sun (now Oracle) wouldn't hear of it. Apparently if that feature was included, people could use it to easily run OS X on non-Apple hardware.
Just another case of rejecting a feature based on perceived *possible* illegal usage.
It's GNU/Linux dammit!
> How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
Valid points. Still doesn't mean that Red Hat should include this in their repositories any more than they should include virus building tools.
> How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?
How do you expect to test if someone can install a botnet on your servers via running IE as admin to visit porn sites unless you use IE on your servers as admin to visit porn sites?
Well, son, an executable is what happens when a compiler and a source file fall in love and decide to start a family. The little object source is all limp and lifeless until he's tickled with a chmod u+x. Now some irresponsible folks just let their executables wander all over the place unrestrained, but more mindful traditionalists put them in an appropriate bin for proper care, like /usr/bin or /usr/local/bin. That way when the shell comes looking for the executable it will be on the standard path and won't have to be manually rounded up.
Help stamp out iliturcy.
While I understand that you aren't passing judgment, there are reasons for cracking other than pen-testing.
I have a friend who works as a computer techie at a school. In most cases, if you were to ask a teacher what type of computer they had, they would answer "a white one".
What he often finds is that when a teacher wants something fixed (read: they somehow found their way to the control panel and messed something up, or want something installed) on their laptop, they give it to him and then leave without telling him the password to the damn thing so that he can log in and either install what they want or undo whatever changes they made.
Long story short, the only way that he can actually do his job short of hunting down the teacher every single time this happens is to use a linux boot cd or a password cracker to either recover or reset the password.
Even if something has no purpose other than breaking into a system, there are situations where it's required. Security tools are just that. Tools, like a Taser or a lockpick - while both are unarguably single-purposed, the reasons for using them can vary. A Taser could be used to assault someone, but it could also be used in self defense. A lockpick can be used to break into someone's house, but it can also be used by a locksmith in the course of their work.
Our culture doesn't get smarter, it just finds new ways of being retarded.
To continue this trend would be bye bye to security. Every single "hacker tool" is a two-edged sword; it can be used for both good and bad. Just like almost anything can be used for good and bad. Should we ban knives because some people use them to hack'n'slice living meat (people) instead of dead?
Maybe we should just lock ourselves into soft rooms; there's the least likelihood of using anything for bad, and the problem will soon be completely solved as we would die out as a race, no more people to do bad things with good tools!
Pulsed Media Seedboxes
That's exactly what Apple was doing.
I hate to say it, but Apple's way of doing things seems to be pleasing to other companies who want more control over their products, so I guess we have to thank them for this; hopefully not everyone jumps on this bandwagon!