Fedora Project Drops SQLNinja 'Hacker' Tool
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
Because it's impossible to install from sources (Score:3, Insightful)
Oh wait.
Who cares if X or Y is left out of a distro? If it's available, it's installable.
As the old linux community saying goes... (Score:5, Insightful)
If you don't like the way we do it, do it yourself.
Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.
In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.
LOL @ Censorship tag. (Score:4, Insightful)
Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...
Re:As the old linux community saying goes... (Score:1, Insightful)
Then the question becomes: "Why use a distribution at all? Why not compile everything from scratch?"
The answer is: convenience.
Leaving out any useful tool is just stupid. If you want to leave out the slirp package, that's understandable. People actually use this tool though.
Exaggerate much? (Score:5, Insightful)
"In what can only be described as a fit of insanity"
Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.
Re:That's Interesting (Score:5, Insightful)
From reading the minutes, it seems like the Fedora board rejected it, not because it's a hacker tool (they include jack-the-ripper), but because it doesn't provide any real benefit for their customer base, certainly not enough to outweigh the small legal risk entailed. Fedora isn't a penetration testing distro, it's a server distro. They don't include metasploit either, there's just no demand for it, and the authors of metasploit don't need to get attention for their product by begging people to put it in their distro.
Re:As the old linux community saying goes... (Score:3, Insightful)
If you don't like the way we do it, do it yourself.
Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.
In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.
True. The net effect of the Board's decision, so far as people actually using said tool, will be nil. My guess is that this is some kind of "cover their collective asses" move, over perceived liability for distributing such software. Given the current legal climate in many countries towards "hacking" tools (doesn't Germany take a rather hard line there?) they may actually have a legitimate concern. I don't know, not a lawyer, etc. etc.
Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.
There really should be no "stance", in that sense. They're blaming the tools here, not the users of those tools. If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network. And to that I say ... so what? Do some people not understand the concept of a double-edged sword? Not to mention the fact that the only way security people can test their protective measures is by using many of the same software tools used by blackhats, and if you remove them from the hands of security people you will find that the crooks will still have them. So you really can't make a distinction between legitimate and illegitimate tools, only legitimate and illegitimate uses.
Many handtools can be used to stab someone to death: but nobody who sells tools thinks "gee, maybe we should refrain from selling screwdrivers and only offer blunt tools with no sharp edges."
Fine Lines... (Score:3, Insightful)
Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".
By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.
This is entirely different (and much more mild) than blacklisting those applications.
Re:where's their own RPM file? (Score:2, Insightful)
Because _distributing_ Free software is the distribution's job. The developers should only make the source available and let any distros that want it package it themselves.
I believe they just said they don't want it.
It's an exploit tool, not a vulnerability checker (Score:5, Insightful)
You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...
This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.
From the sourceforge page for this tool:
"Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.
There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "
As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task already.
Re:That's Interesting (Score:3, Insightful)
The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).
Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?
Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.
Re:As the old linux community saying goes... (Score:2, Insightful)
As a white hat developer, I've found tools such as nmap, wireshark and tcpdump useful in my daily life. While I can see that this tool can be used by security researchers, I cannot imagine a scenario where I would use a tool such as this one. Forget about the security objections of Fedora. On its own, this tool is a highly specialized utility. It is not something the everyday user or developer really needs.
Re:As the old linux community saying goes... (Score:1, Insightful)
I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?
"Oh look, you left your computer logged on" versus "Oh look, you left your computer logged on. I think I'll empty your bank account to prove you shouldn't do that". No it's not useful to someone trying to improve security.
Re:Fine Lines... (Score:1, Insightful)
The thing I like about Unix is that everything is designed to give me more power. No "Oh, you can't do that because you might hose your computer." or "You can't have that because you could use it for hacking!". If I want something done, my computer damn well does it.
From this perspective, rejecting a package from a repository because it gives the user the wrong sort of power is an alien concept. Fortunately, the idea of open source is that something like this is never permanent - it lasts only until someone includes the package in a competing repository.
You find vulnerabilities by attempting to exploit (Score:3, Insightful)
How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?