
Fedora Project Drops SQLNinja 'Hacker' Tool

Posted by kdawson
from the dual-use dept.
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
  • by think_nix (1467471) on Saturday November 13, 2010 @01:59PM (#34216750)

    might get flamed for this but this is exactly why I love running gentoo. Sources are mostly widely available, if for some reason emerge is throwing a fit about masked packages. Anyways from TFA:

    'Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.'

    I still do not quite understand the grounds here. Honestly, nmap, wireshark, and tcpdump are just a few tools also 'freely' available that do similar things on a different level. Whatever the fedora board is smoking I want some. I just can't believe they want to alienate their userbase like this. Although then again it will probably just end up in rpmfusion or on livna.

  • by ddxexex (1664191) on Saturday November 13, 2010 @02:15PM (#34216854)
    If the people at SQLNinja really want to have it easy to use/install on a redhat machine all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make an RPM file to submit before rejecting them on philosophical grounds.
  • by arose (644256) on Saturday November 13, 2010 @02:37PM (#34216942)
    From their "Introduction" section on the home page:

    It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

  • by nick_urbanik (534101) on Saturday November 13, 2010 @02:51PM (#34217014)
    The board meeting minutes were published on lwn.net [lwn.net] more than three days ago.
  • by Just Brew It! (636086) on Saturday November 13, 2010 @03:26PM (#34217196)
    I don't see it in the Debian/Ubuntu repos either.
  • by fluffy99 (870997) on Saturday November 13, 2010 @03:32PM (#34217220)

    Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks. ... If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

    This software does not secure or test anything. It's used to exploit a SQL injection vulnerability found by other means. Go read its sourceforge page, which says:

    There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

  • by fluffy99 (870997) on Saturday November 13, 2010 @03:36PM (#34217238)

    From reading the minutes:

    "Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.' "

    Try reading the sourceforge page instead. http://sqlninja.sourceforge.net/sqlninja-howto.html#s1 [sourceforge.net]. It's not a pen testing tool. It's an exploit tool.

  • by think_nix (1467471) on Saturday November 13, 2010 @03:54PM (#34217314)

    Try reading the sourceforge page instead. http://sqlninja.sourceforge.net/sqlninja-howto.html#s1 [sourceforge.net]. It's not a pen testing tool. It's an exploit tool.

    http://nmap.org/ [nmap.org] this says in the introduction:

    "Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing."

  • by RichiH (749257) on Saturday November 13, 2010 @05:19PM (#34217750)

    > nmap can be used to help diagnose routing issues (I've actually used it for that)

    If you use nmap to diagnose routing, you are doing something wrong. Heard of mtr and looking glasses?

    > Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

    As both use libpcap, they would be.

    > Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

    Or you could simply check the passwords against a dictionary before they are being hashed. Most Unix clones allow that by default.

    Pen-testing is a valid use. So is hacking. And so is, arguably, cracking.

    But then, Red Hat/Fedora have had a long history of weird decisions. Making KDE rename Kbattleship & Ksnake is a recent example. On the plus side, I don't use them, so I don't care.

  • by fluffy99 (870997) on Saturday November 13, 2010 @05:56PM (#34217900)

    I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

    If you're trying to secure a system, a tool which identifies the vulnerabilities is of great use. This tool doesn't find the vulnerabilities, you have to do that yourself. Once you find a vulnerable webpage, you use this tool to exploit it.

    It's kind of like checking a building for open doors, actively trying to jimmy the doors, or seeing how easily the locks can be picked. That's valuable as it identifies weaknesses. This tool would be more akin to going in and stealing things after someone else pointed out the unlocked door.

    Of course no-one has pointed out the political angle. I doubt RedHat wants to host a tool in the repositories whose stated purpose is for compromising Microsoft SQL databases.

  • by Chris Snook (872473) on Saturday November 13, 2010 @08:46PM (#34219108)

    Disclaimer: I used to work for Red Hat and personally know some of the board.

    SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.

    SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.

    Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.
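
Snook's claim above, that SQL injection is trivial to detect with simple input fuzzing, worked through as an added example that is not part of the thread and is not sqlninja's code: a string-built query beside its parameterized fix, with three probes that flag the first and leave the second clean. It uses SQLite rather than the Microsoft SQL Server that sqlninja targets, and the table, names and probes are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and data for the demonstration; not from sqlninja or the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the caller's input is spliced into the SQL text itself.
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Hardened: the driver binds the value, so input can never become SQL syntax.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Three textbook probes: a stray quote, a tautology, and a comment terminator.
FUZZ_PROBES = ["bob'", "bob' OR '1'='1", "bob'--"]

def fuzz(conn, lookup):
    """Send each probe through the lookup and classify the outcome.

    No stored name contains a quote, so a correct lookup must return
    nothing for every probe. An exception means the quote reached the
    SQL parser; any row coming back means the probe rewrote the query.
    """
    findings = {}
    for probe in FUZZ_PROBES:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            findings[probe] = "error"
            continue
        findings[probe] = "anomaly" if rows else "ok"
    return findings

def is_injectable(conn, lookup):
    return any(outcome != "ok" for outcome in fuzz(conn, lookup).values())

if __name__ == "__main__":
    db = make_db()
    print("string concatenation:", fuzz(db, lookup_concat))
    print("bound parameters:     ", fuzz(db, lookup_param))
```

The same three probes are what a black-box scanner sends first; the point is that detection needs nothing beyond them, while what sqlninja adds is the post-detection exploitation the thread argues about.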
