Fedora Project Drops SQLNinja 'Hacker' Tool

simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."

Because it's impossible to install from sources

Oh wait.

Who cares if X or Y is left out of a distro? If it's available, it's installable.

As the old linux community saying goes...

[fotbr]

If you don't like the way we do it, do it yourself.

Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

In other words -- non-story. Those that want this specific tool (black, white,or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

Re:As the old linux community saying goes...

[Tacvek]

The flip side of the coin though is that nmap, wireshark, and tcpdump all have uses beyond pen-testing or hacking. nmap can be used to help diagnose routing issues (I've actually used it for that), as well as for veryifying your network map, and other similar uses.

Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

The difference is that sqlninja really has no use beyond hacking or pen-testing. It does not even pretend it might have other uses.

That all said, I'm not saying that refusing to package it is the right course of action. Indeed that seems questionable at best. I'm merely pointing out how sqlninja is different from the other tools you mentioned.

Re:As the old linux community saying goes...

[fluffy99]

Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

This software does not secure or test anything. It's used to a exploit SQL injection vulnerability found by other means. Go read its sourceforge page which says.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

Re:As the old linux community saying goes...

[fluffy99]

I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

If you're trying to secure a system, a tool which identifies the vulnerabilities is of great use. This tool doesn't find the vulnerabities, you have to do that yourself. Once you find a vulnerable webpage, you use this tool to exploit it.

It's kind like checking a building for open doors, actively trying to jimmy the doors, or see how easily the locks can be picked. That's valuable as it identifies weaknesses. This tool would be more akin to going in and stealing things after someone else pointed out the unlocked door.

Of course no-one has pointed out the political angle. I doubt RedHat wants to host a tool in the repositories whose stated purpose is for compromising Microsoft SQL databases.

"Not Fit For Entry" vs. "Drops"

Does a package have a right to be included in a distribution?
Is failing to include a package censorship?

Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.

LOL @ Censorship tag.

[Beelzebud]

I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.

Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...

Exaggerate much?

[Reaperducer]

"In what can only be described as a fit of insanity"

Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.

Re:That's Interesting

[phantomfive]

The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?). SQLNinja is marketed entirely as an "SQL Server injection & takeover tool." Obviously marketing isn't the most important thing, but penetration testing is about all it can do (unless you're dumb and actually want to take over other people's computers). Fedora users aren't primarily penetration testers.

From reading the minutes, it seems like the Fedora board rejected it, not because it's a hacker tool (they include jack-the-ripper), but because it doesn't provide any real benefit for their customer base, certainly not enough to outweigh the small legal risk entailed. Fedora isn't a penetration testing distro, it's a server distro. They don't include metasploit either, there's just no demand for it, and the authors of metasploit don't need to get attention for their product by begging people to put it in their distro.

Much ado about nothing?

[Just+Brew+It!]

While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.

Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?

It's an exploit tool, not a vulnerability checker

[fluffy99]

You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.

From the sourcforge page for this tool

"Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "

As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task already.

Re:That's Interesting

[fluffy99]

From reading the minutes:

"Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.' "

Try reading the sourceforge page instead. http://sqlninja.sourceforge.net/sqlninja-howto.html#s1. It's not a pen testing tool. It's an exploit tool.

Not a security analysis tool

[Chris+Snook]

Disclaimer: I used to work for Red Hat and personally know some of the board.

SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.

SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.

Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.