Slashdot Mirror


Fedora Project Drops SQLNinja 'Hacker' Tool

simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."

29 of 159 comments

  1. Because it's impossible to install from sources by Anonymous Coward · · Score: 3, Insightful

    Oh wait.

    Who cares if X or Y is left out of a distro? If it's available, it's installable.

  2. As the old linux community saying goes... by fotbr · · Score: 5, Insightful

    If you don't like the way we do it, do it yourself.

    Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

    In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

    1. Re:As the old linux community saying goes... by think_nix · · Score: 2, Informative

      Might get flamed for this, but this is exactly why I love running Gentoo. Sources are mostly widely available, if for some reason emerge is throwing a fit about masked packages. Anyways, from TFA:

      'Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.'

      I still do not quite understand the grounds here. Honestly, nmap, wireshark, and tcpdump are just a few tools also 'freely' available that do similar things on a different level. Whatever the Fedora board is smoking, I want some. I just can't believe they want to alienate their userbase like this. Although then again it will probably just end up in rpmfusion or on livna.

    2. Re:As the old linux community saying goes... by ScrewMaster · · Score: 2, Insightful

      If you don't like the way we do it, do it yourself.

      Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

      In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

      True. The net effect of the Board's decision, so far as people actually using said tool, will be nil. My guess is that this is some kind of "cover their collective asses" move, over perceived liability for distributing such software. Given the current legal climate in many countries towards "hacking" tools (doesn't Germany take a rather hard line there?) they may actually have a legitimate concern. I don't know, not a lawyer, etc. etc.

      Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.

      There really should be no "stance", in that sense. They're blaming the tools here, not the users of those tools. If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network. And to that I say ... so what? Do some people not understand the concept of a double-edged sword? Not to mention the fact that the only way security people can test their protective measures is by using many of the same software tools used by blackhats, and if you remove them from the hands of security people you will find that the crooks will still have them. So you really can't make a distinction between legitimate and illegitimate tools, only legitimate and illegitimate uses.

      Many handtools can be used to stab someone to death: but nobody who sells tools thinks "gee, maybe we should refrain from selling screwdrivers and only offer blunt tools with no sharp edges."

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:As the old linux community saying goes... by Tacvek · · Score: 5, Interesting

      The flip side of the coin though is that nmap, wireshark, and tcpdump all have uses beyond pen-testing or hacking. nmap can be used to help diagnose routing issues (I've actually used it for that), as well as for verifying your network map, and other similar uses.

      Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

      Even password cracking tools like John the Ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

      The difference is that sqlninja really has no use beyond hacking or pen-testing. It does not even pretend it might have other uses.

      That all said, I'm not saying that refusing to package it is the right course of action. Indeed that seems questionable at best. I'm merely pointing out how sqlninja is different from the other tools you mentioned.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    4. Re:As the old linux community saying goes... by fluffy99 · · Score: 3, Informative

      Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

      This software does not secure or test anything. It's used to exploit a SQL injection vulnerability found by other means. Go read its SourceForge page, which says:

      There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

    5. Re:As the old linux community saying goes... by dbialac · · Score: 2, Insightful

      As a white hat developer, I've found tools such as nmap, wireshark and tcpdump useful in my daily life. While I can see that this tool can be used by security researchers, I cannot imagine a scenario where I would use a tool such as this one. Forget about the security objections of Fedora. On its own, this tool is a highly specialized utility. It is not something the everyday user or developer really needs.

    6. Re:As the old linux community saying goes... by RichiH · · Score: 2, Informative

      > nmap can be used to help diagnose routing issues (I've actually used it for that)

      If you use nmap to diagnose routing, you are doing something wrong. Heard of mtr and looking glasses?

      > Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

      As both use libpcap, they would be.

      > Even password cracking tools like John the Ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

      Or you could simply check the passwords against a dictionary before they are being hashed. Most Unix clones allow that by default.

      Pen-testing is a valid use. So is hacking. And so is, arguably, cracking.

      But then, Red Hat/Fedora have had a long history of weird decisions. Making KDE rename Kbattleship & Ksnake is a recent example. On the plus side, I don't use them, so I don't care.

    7. Re:As the old linux community saying goes... by mrphoton · · Score: 2, Insightful

      Why are these guys surprised that a project backed by a company rejected their hacking tool? Firstly the name 'sqlninja', I mean come on, it's got to be a hacking tool; can you imagine that on the front page of a newspaper: 'evil open source firm OKs sqlninja'. Then when I googled it, the website declares it is 'sqlninja - a SQL Server injection & takeover tool'. In no way do they pretend it is for testing or whatnot. They had to reject the tool. And what business is Red Hat in? Oh yeah, selling a server OS. Would it really be a good idea for them to bundle a 'takeover tool'?

    8. Re:As the old linux community saying goes... by fluffy99 · · Score: 4, Informative

      I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

      If you're trying to secure a system, a tool which identifies the vulnerabilities is of great use. This tool doesn't find the vulnerabilities, you have to do that yourself. Once you find a vulnerable webpage, you use this tool to exploit it.

      It's kind of like checking a building for open doors, actively trying to jimmy the doors, or seeing how easily the locks can be picked. That's valuable as it identifies weaknesses. This tool would be more akin to going in and stealing things after someone else pointed out the unlocked door.

      Of course no-one has pointed out the political angle. I doubt RedHat wants to host a tool in the repositories whose stated purpose is for compromising Microsoft SQL databases.

    9. Re:As the old linux community saying goes... by VortexCortex · · Score: 2, Interesting

      This software does not secure or test anything. [...]

      There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server

      Sounds pretty handy as a password recovery tool for database servers.

  3. "Not Fit For Entry" vs. "Drops" by Anonymous Coward · · Score: 5, Interesting

    Does a package have a right to be included in a distribution?
    Is failing to include a package censorship?

    Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.

  4. LOL @ Censorship tag. by Beelzebud · · Score: 3, Insightful

    I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.

    Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...

  5. Re:Beware that path of madness! by David+Gerard · · Score: 2, Funny

    Yeah, that'd just be copying Ubuntu.

    --
    http://rocknerd.co.uk
  6. Exaggerate much? by Reaperducer · · Score: 4, Insightful

    "In what can only be described as a fit of insanity"

    Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.

    --
    -- I'm old enough to have lived through six different meanings of the word "hacker."
  7. where's their own RPM file? by ddxexex · · Score: 2, Informative

    If the people at SQLNinja really want to have it easy to use/install on a Red Hat machine, all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make an RPM file to submit before rejecting them on philosophical grounds.

    1. Re:where's their own RPM file? by dieth · · Score: 2, Insightful

      Because _distributing_ Free software is the distribution's job. The developers should only make the source available and let any distros that want it package it themselves.

      I believe they just said they don't want it.

  8. Re:That's Interesting by phantomfive · · Score: 4, Insightful

    The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?). SQLNinja is marketed entirely as an "SQL Server injection & takeover tool." Obviously marketing isn't the most important thing, but penetration testing is about all it can do (unless you're dumb and actually want to take over other people's computers). Fedora users aren't primarily penetration testers.

    From reading the minutes, it seems like the Fedora board rejected it, not because it's a hacker tool (they include John the Ripper), but because it doesn't provide any real benefit for their customer base, certainly not enough to outweigh the small legal risk entailed. Fedora isn't a penetration testing distro, it's a server distro. They don't include metasploit either, there's just no demand for it, and the authors of metasploit don't need to get attention for their product by begging people to put it in their distro.

    --
    Qxe4
  9. Re:That's Interesting by arose · · Score: 2, Informative

    From their "Introduction" section on the home page:

    It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
  10. Published on lwn.net last Wednesday by nick_urbanik · · Score: 2, Informative

    The board meeting minutes were published on lwn.net more than three days ago.

  11. Re:That's Interesting by phantomfive · · Score: 2, Insightful

    Good job. You have demonstrated your capability to read, cut and paste a sentence from the minutes onto slashdot. Do you also have the capability to explain why you think that sentence is particularly important? Please do.

    --
    Qxe4
  12. Fine Lines... by Improv · · Score: 2, Insightful

    Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".

    By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.

    This is entirely different (and much more mild) than blacklisting those applications.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  13. Much ado about nothing? by Just+Brew+It! · · Score: 3, Interesting

    While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.

    Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?

  14. Re:time to switch to debian or ubuntu by Just+Brew+It! · · Score: 2, Informative

    I don't see it in the Debian/Ubuntu repos either.

  15. It's an exploit tool, not a vulnerability checker by fluffy99 · · Score: 4, Insightful

    You may be right, but it would be especially ironic since if those companies would have had sqlninja, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

    This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.

    From the SourceForge page for this tool:

    "Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

    There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "

    As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task.

  16. Re:That's Interesting by fluffy99 · · Score: 2, Insightful

    The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).

    Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?

    Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.

  17. Re:That's Interesting by fluffy99 · · Score: 3, Informative

    From reading the minutes:

    "Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.' "

    Try reading the SourceForge page instead: http://sqlninja.sourceforge.net/sqlninja-howto.html#s1. It's not a pen testing tool. It's an exploit tool.

  18. You find vulnerabilities by attempting to exploit by Zero__Kelvin · · Score: 2, Insightful

    "This isn't a tool to find vulnerabilities. It's a tool to exploit them once found."

    How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  19. Not a security analysis tool by Chris+Snook · · Score: 4, Informative

    Disclaimer: I used to work for Red Hat and personally know some of the board.

    SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.

    SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.

    Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
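fluffy99 (comments 15 and 17 above) and Chris Snook both draw the line between finding an injection point, which Snook says simple input fuzzing does, and exploiting it, which is what sqlninja's own description says it does. As an added example, not code from the thread, from sqlninja or from Fedora, here is the "finding" half of that distinction in runnable form: a string-concatenated lookup beside its parameterised fix, and a minimal fuzzer that flags the first one using the two signals a tester actually looks for (a database error, and rows coming back for a name that does not exist). The table, the probe strings and the use of sqlite3 in place of Microsoft SQL Server are all assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the web app's backend. The thread is about
# Microsoft SQL Server; sqlite3 is used here only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # The injectable pattern: user input is spliced into the SQL text, so
    # quotes and comment markers in the input are parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # The fix: a bound parameter. The input is passed as a value and never
    # reaches the SQL parser as code, whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed probes of the kind a simple input fuzzer sends. None of them is
# a real user name, so a correct endpoint should return no rows and no error.
PROBES = ["'", "' OR '1'='1", "' OR 1=1--", "alice'--"]

def fuzz(lookup, conn, probes=PROBES):
    """Send each probe through the lookup and return the probes that changed
    the endpoint's behaviour. Two signals are checked:
      - a database error (error-based detection): a lone quote broke the query;
      - rows returned for a non-existent name (boolean-based detection):
        the OR / comment payload altered the WHERE clause.
    Returns a list of (probe, evidence) pairs; an empty list means clean.
    """
    findings = []
    for probe in probes:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error as err:
            findings.append((probe, "database error: " + str(err)))
            continue
        if rows:
            findings.append((probe, "rows returned for bogus name: %r" % (rows,)))
    return findings

if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(label, "->", fuzz(fn, conn) or "no injection signal")
```

Run stand-alone it reports all four probes against the concatenated query and none against the parameterised one. Note what the fuzzer does not do: it never tries to run a command or reach anything beyond the query, which is exactly the step the thread says sqlninja adds once a point like this has been found.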