
Fedora Project Drops SQLNinja 'Hacker' Tool 159

Posted by kdawson
from the dual-use dept.
simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Saturday November 13, 2010 @02:50PM (#34216688)

    Oh wait.

    Who cares if X or Y is left out of a distro? If it's available, it's installable.

    • I find that the natural ultimate Pentool Linux Distro is clearly Backtrack.

      That said, often fedora and Ubuntu 10 will act a lot friendlier in a live cd (or usb) format.

      Thus my pentest drive contains bootable versions of all 3. Looks like that might be changing.......

    • by b100dian (771163)
      And now they increased their press coverage too;)
    • > Who cares if X or Y is left out of a distro? If it's available, it's installable.

      Yes, the distro compilers could make their ISOs much quicker to download if they omitted X and Gnome. After all, they're available in source format for later download and compilation.

      And as for Open Office, well that'll only take 6 hours to compile...

      The *point* of a distro is to provide a convenient, tested, coherent system.

  • by fotbr (855184) on Saturday November 13, 2010 @02:54PM (#34216720) Journal

    If you don't like the way we do it, do it yourself.

    Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

    In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

    • Re: (Score:3, Informative)

      by think_nix (1467471)

      might get flamed for this but this is exactly why I love running gentoo. Sources are mostly widely available, if for some reason emerge is throwing a fit about masked packages. Anyways from TFA:

      'Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.'

      I still do not quite understand the grounds here. Honestly, nmap, wireshark, and tcpdump are just a few tools also 'freely' available that do similar things on a different level. Whatever the fedora board is smoking I want some.

      • by Tacvek (948259) on Saturday November 13, 2010 @04:14PM (#34217126) Journal

        The flip side of the coin though is that nmap, wireshark, and tcpdump all have uses beyond pen-testing or hacking. nmap can be used to help diagnose routing issues (I've actually used it for that), as well as for verifying your network map, and other similar uses.

        Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

        Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

        The difference is that sqlninja really has no use beyond hacking or pen-testing. It does not even pretend it might have other uses.

        That all said, I'm not saying that refusing to package it is the right course of action. Indeed that seems questionable at best. I'm merely pointing out how sqlninja is different from the other tools you mentioned.

        • Re: (Score:3, Informative)

          by RichiH (749257)

          > nmap can be used to help diagnose routing issues (I've actually used it for that)

          If you use nmap to diagnose routing, you are doing something wrong. Heard of mtr and looking glasses?

          > Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

          As both use libpcap, they would be.

          > Even password cracking

          • by Tacvek (948259)

            > If you use nmap to diagnose routing, you are doing something wrong. Heard of mtr and looking glasses?

            Looking glasses are very useful. MTR is also a preferred tool. But nmap does have a few good tricks up its sleeve. As the name suggests, it can help with mapping out networks, which unfortunately is often necessary when diagnosing routing issues through an unfamiliar public network. After all, many networks don't provide looking glass services, or other ways of getting much information about the network map.

            > Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

            > As both use libpcap, they would be.

            I would certainly hope so, I mean pretty much all packet sniffers seem to be based on libpcap. Of co

        • While I understand that you aren't passing judgment, there are reasons for cracking other than pen-testing
          I have a friend who works as a computer techie at a school. In most cases, if you were to ask a teacher what type of computer they had, they would answer "a white one".
          What he often finds is that when a teacher wants something fixed (read: they somehow found their way to the control panel and messed something up, or want something installed) on their laptop, they give it to him and then leave withou
          • by Tacvek (948259)

            Fair enough. I most certainly have used LiveCDs to bypass password checks. The case of this specific tool has fewer indisputably acceptable non-(pen-test) use cases.

            For example, while it could be used to penetrate a rogue MS SQL Server install in your network, you can disconnect the device forcibly (if it is not one of yours), or physically go to the device, and kill the server. MS SQL Server is not protected against access by the admins of the machine it is running on.

            In the end nobody is really harmed by

      • Re: (Score:2, Insightful)

        by dbialac (320955)

        As a white hat developer, I've found tools such as nmap, wireshark and tcpdump useful in my daily life. While I can see that this tool can be used by security researchers, I cannot imagine a scenario where I would use a tool such as this one. Forget about the security objections of Fedora. On its own, this tool is a highly specialized utility. It is not something the everyday user or developer really needs.

        • Penetration testing should be part of the regular testing process. We would see fewer hacked stuff.

      • Re: (Score:3, Insightful)

        by mrphoton (1349555)
        Why are these guys surprised that a project backed by a company rejected their hacking tool. Firstly the name 'sqlninja', I mean come on, it's got to be a hacking tool, can you imagine that on the front page of a newspaper 'evil open source firm ok's sqlninja'. Then when I googled it, the website declares it is a 'sqlninja - a SQL Server injection & takeover tool'. In no way do they pretend it is for testing or whatnot. They had to reject the tool. And what business is red hat in, oh yeah selling a
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Then the question becomes: "Why use a distribution at all? Why not compile everything from scratch?"

      The answer is: convenience.

      Leaving out any useful tool is just stupid. If you want to leave out the slirp package, that's understandable. People actually use this tool though.

    • If the people at SQLNinja really want to have it easy to use/install on a redhat machine all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code available. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make a RPM file to submit before rejecting them on philosophical grounds.
    • There is no reason you can't get it elsewhere and install it yourself on Fedora. That works for windows folks..

      ( now if RedHat started blocking or reporting installs of stuff they don't like THEN there would be a problem )

    • Re: (Score:3, Insightful)

      by ScrewMaster (602015) *

      > If you don't like the way we do it, do it yourself.

      > Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

      > In other words -- non-story. Those that want this specific tool (black, white, or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

      True. The net effect of the Board's decision, so far as people actually using said tool, will be nil. My guess is that this is some kind of "cover their collective asses" move, over perceived liability for distributing such software. Given the current legal climate in many countries towards "hacking" tools (doesn't Germany take a rather hard line there?) they may actually have a legitimate concern. I don't know, not a lawyer, etc. etc.

      > Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.

      There really should be no "stance", in that sense. They're blaming the to

      • by fluffy99 (870997) on Saturday November 13, 2010 @04:32PM (#34217220)

        > Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

        This software does not secure or test anything. It's used to exploit a SQL injection vulnerability found by other means. Go read its sourceforge page which says.

        > There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

        • > Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

          > This software does not secure or test anything. It's used to exploit a SQL injection vulnerability found by other means. Go read its sourceforge page which says.

          > There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

          I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

          • by fluffy99 (870997) on Saturday November 13, 2010 @06:56PM (#34217900)

            > I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

            If you're trying to secure a system, a tool which identifies the vulnerabilities is of great use. This tool doesn't find the vulnerabilities, you have to do that yourself. Once you find a vulnerable webpage, you use this tool to exploit it.

            It's kind of like checking a building for open doors, actively trying to jimmy the doors, or see how easily the locks can be picked. That's valuable as it identifies weaknesses. This tool would be more akin to going in and stealing things after someone else pointed out the unlocked door.

            Of course no-one has pointed out the political angle. I doubt RedHat wants to host a tool in the repositories whose stated purpose is for compromising Microsoft SQL databases.

        • by blincoln (592401)

          So, in other words, this is another in a long line of questionable and sensationalistic articles by The Register? I don't even bother to read anything they publish anymore, because their standards are so low these days.

          Everything seemed to go downhill starting with that series of articles they ran a few years ago where they published truly bizarre and (AFAIK) unsubstantiated claims about some dot-com CEO.

        • Re: (Score:3, Interesting)

          by VortexCortex (1117377)

          > This software does not secure or test anything. [...]

          > There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server

          Sounds pretty handy as a password recovery tool for database servers.

    • by shaitand (626655)

      "It's not like anyone capable of using such tools cannot handle tar, make, and make install."

      Hopefully not on fedora. You shouldn't install from source on binary based systems; the package manager doesn't know about your install and this can lead to library incompatibilities. In the best case this will cause something to break, in the worst case it will lead to application instability and bitrot similar to that seen on windows.

      You should always roll up an RPM if there isn't one available.

  • I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.) They probably want to cover their butts, but it also seems like unfair censorship.
    • WOW lol ? Ok, let's start holding distros liable for providing basic things like tcpdump.

      • by phantomfive (622387) on Saturday November 13, 2010 @03:18PM (#34216868) Journal
        The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?). SQLNinja is marketed entirely as an "SQL Server injection & takeover tool." Obviously marketing isn't the most important thing, but penetration testing is about all it can do (unless you're dumb and actually want to take over other people's computers). Fedora users aren't primarily penetration testers.

        From reading the minutes, it seems like the Fedora board rejected it, not because it's a hacker tool (they include jack-the-ripper), but because it doesn't provide any real benefit for their customer base, certainly not enough to outweigh the small legal risk entailed. Fedora isn't a penetration testing distro, it's a server distro. They don't include metasploit either, there's just no demand for it, and the authors of metasploit don't need to get attention for their product by begging people to put it in their distro.
        • > The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).

          Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?

          • The reason the Fedora board gave was (and if you had read the link you would know this) is that the nmap is used probably the majority of the time to check if your own ports are open. Of course even a compiler can be used as a penetration tool, so the ability to use something as a penetration tool is not enough to keep it from the distro, which I think you're getting at.

            Really, from reading the minutes, I think they basically decided it wasn't useful enough for their user base. You might disagree, but I t
          • Re: (Score:3, Insightful)

            by fluffy99 (870997)

            > The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).

            > Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?

            Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.

            • by Raenex (947668)

              > Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.

              Given that security best comes in layers, it would be good to know how much damage a successful injection can do, and design your system in accordance, including alerts for people attempting to use this tool.

        • Re: (Score:3, Informative)

          by arose (644256)
          From their "Introduction" section on the home page:

          > It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

        • And more importantly the name is kewl and sensational. If they called it SQLSecurityVerificationTool, they would have no problems.

          • That's a good point, but as the Fedora board mentioned, the sensational name alone isn't enough to keep it out, since jack-the-ripper is in the distribution. I really think they left it out because they didn't see it as being particularly useful (for their user base).

            BTW, I am fairly certain that your sig is the reason Nancy Pelosi keeps getting re-elected in San Francisco......yeah, she's just like a Republican....but at least she's not a Republican (although she did represent fairly well in the last yea
        • "SQLNinja, jack-the-ripper, metasploit."

          The geek has a genius for putting names to his projects that are certain to raise red flags.

          The Gimp carries baggage into the OSX and Windows shop that the charity providing services for the disabled does not need or want. Fedora and Red Hat need to maintain their credibility in the enterprise environment.

          Time and money spent in explanation and recovery - PR - can always be put to better uses.
             

        • by 6031769 (829845)

          > Fedora isn't a penetration testing distro, it's a server distro.

          What on earth makes you think that? I've never seen any comment from the fedora project to the effect of "this is a server distro". In fact given the bleeding-edge approach Fedora has to including new packages I would suggest that it's not really suited to being a server distro at all. Good enough on the desktop, though.

    • by nurb432 (527695)

      It's not censorship since they are not a government entity.

      They really aren't exposing themselves any more to suits by including it than not as long as it has a legitimate purpose and there is a statement to some effect that they only intend it to be used that way. ( else every gun and knife maker in the world would be gone by now )

      • by arose (644256)

        > It's not censorship since they are not a government entity.

        Censorship isn't restricted to governments. Government censorship just happens to be a particularly nasty type so it's talked about more.

        • Censorship involves denying people access to information. This is more like a magazine choosing not to publish a story—Fedora users can still acquire the tool themselves, after all!
      • > It's not censorship since they are not a government entity.

        Wrong. It's not illegal since they are not a government entity. It's still censorship.

    • "I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.)"

      When was the last time Colt or Smith & Wesson were charged with Accessory to Murder?

  • by Anonymous Coward on Saturday November 13, 2010 @02:55PM (#34216728)

    Does a package have a right to be included in a distribution?
    Is failing to include a package censorship?

    Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.

    • by sjames (1099)

      Do people have a right to critique the package inclusion policies?

      Certainly.

      Nobody seems to be invoking Godwin, just saying that the justification used here sounds a bit off. Had it been "We can't include everything that exists and this package seems to be of limited interest", nobody would even blink.

      • by Xtifr (1323)

        > Do people have a right to critique the package inclusion policies?

        > Certainly.

        Sure. Do the rest of us have a right to call these people out if we think they're trying to make a mountain out of a molehill? Likewise certain. You seem to be trying to deny the AC the same rights you demand for yourself.

        The fact is that post-Grokster, the way a program is marketed is legally significant, and the way this program has been marketed is definitely a bit sketchy, IMO. Grokster didn't lose because their program lacked legal uses; it lost because they promoted the illegal ones.

        • by sjames (1099)

          > The fact is that post-Grokster, the way a program is marketed is legally significant, and the way this program has been marketed is definitely a bit sketchy, IMO. Grokster didn't lose because their program lacked legal uses; it lost because they promoted the illegal ones.

          By the same token, if you even imply that you're vetting the legality of packages, it tends to come back to haunt you when someone finds an obscure illegal use for foo that you did include. That's not to say that you can't internally equate probably used illegally with not very interesting.

          • by Urkki (668283)

            > The fact is that post-Grokster, the way a program is marketed is legally significant, and the way this program has been marketed is definitely a bit sketchy, IMO. Grokster didn't lose because their program lacked legal uses; it lost because they promoted the illegal ones.

            > By the same token, if you even imply that you're vetting the legality of packages, it tends to come back to haunt you when someone finds an obscure illegal use for foo that you did include. That's not to say that you can't internally equate probably used illegally with not very interesting.

            I think this wasn't about use, but about marketing. So you should say, if someone finds some other packet you included officially marketed as suitable for illegal uses. This can of course happen, but isn't as likely as finding illegal use for, say, a compiler that can be used for writing or downloading and compiling a program that hacks various government computers and initiates a nuclear war.

          • by Xtifr (1323)

            > it tends to come back to haunt you when someone finds an obscure illegal use for foo that you did include.

            No, obscurity doesn't matter. The earlier Betamax case established (thank you Sony) that a tool can be blatantly used primarily for illegal purposes, and still be perfectly legal as long as there exist substantial legal uses. The Grokster case merely narrowed that by establishing that you cannot promote the illegal uses.

            • by sjames (1099)

              The problem is on the other side of it. If you have a policy of excluding tools that are primarily for illegal uses, suddenly people try to sue you if one slips through the cracks. OTOH, if you use popularity, utility, or other measures instead, it doesn't come up.

              Perhaps that shouldn't (since it is more than a bit self defeating), but it seems to be the case.

  • by Beelzebud (1361137) on Saturday November 13, 2010 @02:59PM (#34216748)
    I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.

    Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...
    • by ApolloX (1017440)
      Sadly many "hackers" cannot figure out how to download such tools.
      • > Sadly many "hackers" cannot figure out how to download such tools.

        That may be. If so, those types don't qualify as "hackers" in any sense of the word. Script kiddies, maybe, or just vandals ... but not hackers.

      • by Urkki (668283)

        > Sadly many "hackers" cannot figure out how to download such tools.

        And that's actually best reason to exclude any "hacker tool" for official distributions, unless they have a solid use case for regular Linux-user

        And yes, testing what ports are open is a solid use case, even if these days it probably goes way over the head of most regular Linux users. IMHO of course.

    • (transitive) To review in order to remove objectionable content from correspondence or public media, either by legal criteria or with discretionary powers

      http://en.wiktionary.org/wiki/censor#Verb [wiktionary.org]

      Censorship can be by a government, or it can be by a private party. In the latter case, arbitrary censorship is usually OK. For governments, they usually have to meet some reasonable constitutional or judicial standard.

    • by klingens (147173)

      The MPAA ratings are not done by any government body, but they still censor movies when someone in the movie says fuck, copulates with same/different sex or mindlessly kills people.
      Censorship is not just when governments do it. And no one prevents me to say "fuck" either. Yet.

      The problem per se is not that Fedora removes a package. The problem is their reasoning especially when there are tons of other penetration testing tools still existing in Fedora. It's their choice if they want a non-offensive, family frie

      • by epine (68316)

        > The MPAA ratings are not done by any government body, but they still censor movies ...

        Technically the MPAA is a rating board. They don't actually cut anything. The power arises from the distribution chain that won't widely screen any movie with a rating above PG-13. I've even seen a few movies distributed unrated if the director has a loyal enough following and not terribly high commercial prospects to begin with.

        If more consumers chose to ignore the ratings, we'd be better off. You can usually figure out whether a movie is suitable from any competent film review. All it takes is three

    • > I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used. Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...

      Yeah, the 'Fed' in Fedora just got a whole new meaning.

    • by arose (644256)

      > I swear, some people really need to read about the concept of censorship.

      Yes, yes they do. Can you believe that there are people who think censorship is somehow an activity that's exclusive to the government?

      • I understand your point, and I agree. However, do you actually think that not including an obscure piece of software in a Linux distro is censorship?
        • by arose (644256)
          It's not the obscurity, it's the rationale given. It's pretty much the definition of censorship (which isn't bad per se, just in case that's unclear).
          • And yet there is nothing in Fedora to prevent you from installing it if you choose, so again, where is the censorship?
            • by arose (644256)
              It's not in the repositories, that is, it's been censored from appearing there. It's the reasoning given, not the scope, that makes it censorship.
  • We have our own open source, Steve Jobs. And isn't it fitting that it's a committee?
  • Exaggerate much? (Score:5, Insightful)

    by Reaperducer (871695) on Saturday November 13, 2010 @03:13PM (#34216844)

    "In what can only be described as a fit of insanity"

    Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.

  • Linux prides itself on having all hacking tools available so system administrators know how to attack so they know how to defend, and system admins are godly people that do not like to be told what to do, so 2 things will happen, distro switch or config their own repositories where they can still get them. I think fedora has forgotten target audience. Its like taking food away from a baby, good luck with that.
  • Red Hat is in the business of selling linux support to companies. It is not too surprising that some of those companies (who very well may have been the target of SQL injection exploits) have said in return for our businesses, remove all software that supports SQL injection from your repos. This is a useless measure for sure, but it may make the companies happy. I would suspect this is the case given the unanimity of the board's approval.
    • This is about Fedora, not RHEL.

    • You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

      • by fluffy99 (870997) on Saturday November 13, 2010 @04:28PM (#34217204)

        You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

        This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.

        From the SourceForge page for this tool:

        "Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

        There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "

        As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task already.

        • "This isn't a tool to find vulnerabilities. It's a tool to exploit them once found."

          How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?

          • by fluffy99 (870997)

            "This isn't a tool to find vulnerabilities. It's a tool to exploit them once found."

            How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?

            Valid points. Still doesn't mean that Red Hat should include this in their repositories any more than they should include virus building tools.

          • by Culture20 (968837)

            "This isn't a tool to find vulnerabilities. It's a tool to exploit them once found."

            How do you expect to test if someone can break into your system with SQLNinja without running it and attempting to break in? How do you plan on proving to upper management that there really is a vulnerability, and that your conjecture that you could break in is something more than mere conjecture?

            How do you expect to test if someone can install a botnet on your servers via running IE as admin to visit porn sites unless you use IE on your servers as admin to visit porn sites?

    • time for Wikileaks to ferret this out then.

  • by nick_urbanik (534101) <nicku&nicku,org> on Saturday November 13, 2010 @03:51PM (#34217014) Homepage
    The board meeting minutes were published on lwn.net more than three days ago.
  • Fine Lines... (Score:3, Insightful)

    by Improv (2467) <pgunn@dachte.org> on Saturday November 13, 2010 @04:16PM (#34217136) Homepage Journal

    Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".

    By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.

    This is entirely different (and much more mild) than blacklisting those applications.

  • by Just Brew It! (636086) on Saturday November 13, 2010 @04:25PM (#34217186)

    While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.

    Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?

  • I can always cook up whatever distro I want. Despite the issues with nmap and friends, I can always build an image with things like SQLNinja.

  • by Chris Snook (872473) on Saturday November 13, 2010 @09:46PM (#34219108)

    Disclaimer: I used to work for Red Hat and personally know some of the board.

    SQLNinja is not a security analysis tool. It is no more useful for telling you if your database app is insecure than a blowtorch is for telling you if you have a gas leak. SQL injection vulnerabilities are *trivial* to detect with simple input fuzzing.

    SQLNinja is certainly a legitimately useful *demonstration* tool for developers and administrators to show their bosses just how severe their problems are, such that they might be prioritized, but it's designed for software that doesn't even run on Fedora, so it provides negligible benefit to the Fedora community. Anyone who knows enough to search for "SQL injection tool" can find it and install it, so there's really not much of a barrier here, but leaving it out of the distribution reduces the risk of Fedora being used as a gateway to the fat wallet of Red Hat in any litigation, a problem which most community distributions do not suffer from.

    Fedora takes a lot of moral stands, but they're ultimately about things that will somehow benefit the Fedora community in the long term, and there's really no foreseeable payoff here, or certainly none that overrides the fantastic headache it could incur. I certainly can't fault them for picking their battles.

  • to continue this trend, it would be a bye bye to security. Every single "hacker tool" is a 2 edged sword, it can be used for both good and bad. Just like almost anything can be used for good and bad. Should we ban knives because some people use them to hack'n'slice living meat (people) instead of dead?

    Maybe we should just lock ourselves into soft rooms, there's the least likelihood for using anything for bad, and problem will soon be completely solved as we would die out as a race, no more people to do bad.
