Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Fedora Project Drops SQLNinja 'Hacker' Tool

kdawson posted more than 3 years ago | from the dual-use dept.

Censorship 159

simonb writes, "In what can only be described as a fit of insanity, the Fedora Board have declared a 'hacker tool' not fit for entry into their software repositories. Today your SQL injection tools, tomorrow your nmap?" The Register links the Fedora board's meeting minutes. From the story: "The move came on Monday in a unanimous vote by the Fedora Project's board of directors rejecting a request that SQLNinja be added to the archive of open-source applications. It came even as a long list of other hacker tools are included in the bundle and was harshly criticized by some security watchers. 'It seems incredibly short sighted to reject software based on perceived legal usage,' said Jacob Appelbaum, a full-time programmer for the Tor Project. 'They have decided to become judges of likely usage based on their own experience. That is a path of madness.' ... [T]he board unanimously decided to add a new statement to Fedora's legal guidelines concerning the inclusion of hacking tools. ... Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks."

cancel ×

159 comments

Sorry! There are no comments related to the filter you selected.

Because it's impossible to install from sources (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34216688)

Oh wait.

Who cares if X or Y is left out of a distro? If it's available, it's installable.

Re:Because it's impossible to install from sources (1)

DirtyCanuck (1529753) | more than 3 years ago | (#34216744)

I find that the natural ultimate Pentool Linux Distro is clearly Backtrack.

That said, often fedora and Ubuntu 10 will act a lot friendlier in a live cd (or usb) format.

Thus my pentest drive contains bootable versions of all 3. Looks like that might be changing.......

Re:Because it's impossible to install from sources (-1, Redundant)

DarkKnightRadick (268025) | more than 3 years ago | (#34216788)

make config
make test
make install ./execute-program

Re:Because it's impossible to install from sources (1)

lindi (634828) | more than 3 years ago | (#34216954)

Doesn't work in this case since they don't ship a makefile.

Re:Because it's impossible to install from sources (0)

DarkKnightRadick (268025) | more than 3 years ago | (#34217498)

so how are you supposed to install from source? If it's GPL'd, the license forces the source to be made available. I guess that doesn't include a makefile? If that's the case, that's retarded.

Re:Because it's impossible to install from sources (1)

lindi (634828) | more than 3 years ago | (#34217702)

That's kind of the point. Distributions make installing software easier since you don't need to figure it out yourself.

(If you look at sqlninja-0.2.5.tgz you see you can just run the perl script with "./sqlninja".)

As the old linux community saying goes... (5, Insightful)

fotbr (855184) | more than 3 years ago | (#34216720)

If you don't like the way we do it, do it yourself.

Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

In other words -- non-story. Those that want this specific tool (black, white,or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

Re:As the old linux community saying goes... (2, Informative)

think_nix (1467471) | more than 3 years ago | (#34216750)

might get flamed for this but this is exactly why I love running gentoo. Sources are mostly widely available, if for some reason emerge is throwing a fit about masked packages. Anyways from TFA:

'Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.'

I still do not quite understand the grounds here. Honestly, nmap, wireshark, and tcpdump are just a few tools also 'freely' available that do similar things on a different level. Whatever the fedora board is smoking I want some. I just can't believe they want to alienate their userbase like this. Although then again it will probably just end up in rpmfusion or on livna.

Re:As the old linux community saying goes... (0)

iplayfast (166447) | more than 3 years ago | (#34217104)

No flames, here. Gentoo rocks.

Re:As the old linux community saying goes... (5, Interesting)

Tacvek (948259) | more than 3 years ago | (#34217126)

The flip side of the coin though is that nmap, wireshark, and tcpdump all have uses beyond pen-testing or hacking. nmap can be used to help diagnose routing issues (I've actually used it for that), as well as for veryifying your network map, and other similar uses.

Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

The difference is that sqlninja really has no use beyond hacking or pen-testing. It does not even pretend it might have other uses.

That all said, I'm not saying that refusing to package it is the right course of action. Indeed that seems questionable at best. I'm merely pointing out how sqlninja is different from the other tools you mentioned.

Re:As the old linux community saying goes... (2, Informative)

RichiH (749257) | more than 3 years ago | (#34217750)

> nmap can be used to help diagnose routing issues (I've actually used it for that)

If you use nmap to diagnose routing, you are doing something wrong. Heard of mtr and looking glasses?

> Wireshark is similarly very useful for debugging. For example, it can quickly help you determine that your software is creating malformed packets, or determine exactly what order your packets are being sent, or exactly what they contain. tcpdump is similar.

As both use libpcap, they would be.

> Even password cracking tools like jack the ripper can be used for purposes other than hacking or pen-testing. One possible such use (despite being a bit questionable) is ensuring minimum password strength, by running it for a fixed amount of time, and rejecting any passwords it can crack in that timeframe.

Or you could simply check the passwords against a dictionary before they are being hashed. Most Unix clones allow that by default.

Pen-testing is a valid use. So is hacking. And so is, arguably, cracking.

But then, Red Hat/Fedora have had a long history of weird decisions. Making KDE rename Kbattleship & Ksnake is a recent example. On the plus side, I don't use them, so I don't care.

Re:As the old linux community saying goes... (2, Insightful)

dbialac (320955) | more than 3 years ago | (#34217492)

As a white hat developer, I've found tools such as nmap, wireshark and tcpdump useful in my daily life. While I can see that this tool can be used by security researchers, I cannot imagine a scenario where I would use a tool such as this one. Forget about the security objections of Fedora. On its own, this tool is a highly specialized utility. It is not something the everyday user or developer really needs.

Re:As the old linux community saying goes... (2, Insightful)

mrphoton (1349555) | more than 3 years ago | (#34217898)

Why are these guys surprised that a project backed by a company rejected there hacking tool. Firstly the name 'sqlninja', I mean come on, it's got to be a hacking tool, can you imagine that on the front page of a news paper 'evil open source firm ok's sqlninja'. Then when I googled it, the website declares it is a 'sqlninja - a SQL Server injection & takeover tool'. In no way do they pretend it is for testing or whatnot. They had to reject the tool. And what business is red hat in, oh year selling a server os, would it really be a good idea for them to bundle a 'takeover tool'?

Re:As the old linux community saying goes... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34216752)

Then the question becomes: "Why use a distribution at all? Why not compile everything from scratch?"

The answer is: convenience.

Leaving out any useful tool is just stupid. If you want to leave out the slirp package, that's understandable. People actually use this tool though.

where's their own RPM file? (2, Informative)

ddxexex (1664191) | more than 3 years ago | (#34216854)

If the people at SQLNinja really want a to have it easy to use/install on a redhat machine all they have to do is make their own RPM file and host it themselves. Currently, it looks like all they have available is the source code available. Although I don't know why they made such a request when they don't have any 'easy' (RPM/DEB file) installation process available yet. I'd think RH would tell them to make a RPM file to submit before rejecting them on philosophical grounds.

Re:where's their own RPM file? (1)

ZankerH (1401751) | more than 3 years ago | (#34217082)

Because _distributing_ Free software is the distribution's job. The developers should only make the source available and let any distros that want it package it themselves.

Re:where's their own RPM file? (2, Insightful)

dieth (951868) | more than 3 years ago | (#34217198)

Because _distributing_ Free software is the distribution's job. The developers should only make the source available and let any distros that want it package it themselves.

I believe they just said they don't want it.

Even if it wasnt open (1)

nurb432 (527695) | more than 3 years ago | (#34216876)

There is no reason you cant get it elsewhere and install it yourself on Fedora. That works for windows folks..

( now if RedHat started blocking or reporting installs of stuff they don't like THEN there would be a problem )

Re:As the old linux community saying goes... (0)

Anonymous Coward | more than 3 years ago | (#34216970)

Yes, an incredibly moot argument. I especially loved the "That is a path of madness" part, as if being sensationalist will make his argument magically make sense to everyone. Slashdot is slowly drifting towards comedy and away from technology.

Re:As the old linux community saying goes... (2, Funny)

rfroberg (719165) | more than 3 years ago | (#34216974)

Those that want this specific tool (black, white,or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

What if you have a red hat?

Re:As the old linux community saying goes... (1)

ScrewMaster (602015) | more than 3 years ago | (#34217058)

Those that want this specific tool (black, white,or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

What if you have a red hat?

That is definitely a problem ... unless it's a fedora.

It's definitely a story (0)

Anonymous Coward | more than 3 years ago | (#34216980)

  In other words -- non-story
 
It's definitely a story, it's your opinion that it's a non-issue, but if it's a non-issue then why exclude the package at all?
 
  It's not like anyone capable of using such tools cannot handle tar, make, and make install.
 
And it's not like some noob will take down your SQL server with this tool, so why do you still think it's an issue?

Re:As the old linux community saying goes... (2, Insightful)

ScrewMaster (602015) | more than 3 years ago | (#34217046)

If you don't like the way we do it, do it yourself.

Isn't that kind of the point of things being open? That you don't have to agree with the way things are done -- you have the source, change/fix/fork it yourself.

In other words -- non-story. Those that want this specific tool (black, white,or grey hat) will know how to get it. It's not like anyone capable of using such tools cannot handle tar, make, and make install.

True. The net effect of the Board's decision, so far as people actually using said tool, will be nil. My guess is that this is some kind of "cover their collective asses" move, over perceived liability for distributing such software. Given the current legal climate in many countries towards "hacking" tools (doesn't Germany take a rather hard line there?) they may actually have a legitimate concern. I don't know, not a lawyer, etc. etc.

Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.

There really should be no "stance", in that sense. They're blaming the tools here, not the users of those tools. If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network. And to that I say ... so what? Do some people not understand the concept of a double-edged sword? Not to mention the fact that the only way security people can test their protective measures is by using many of the same software tools used by blackhats, and if you remove them from the hands of security people you will find that the crooks will still have them. So you really can't make a distinction between legitimate and illegitimate tools, only legitimate and illegitimate uses..

Many handtools can be used to stab someone to death: but nobody who sells tools thinks "gee, maybe we should refrain from selling screwdrivers and only offer blunt tools with no sharp edges."

Re:As the old linux community saying goes... (3, Informative)

fluffy99 (870997) | more than 3 years ago | (#34217220)

Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

This software does not secure or test anything. It's used to a exploit SQL injection vulnerability found by other means. Go read its sourceforge page which says.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

Re:As the old linux community saying goes... (1)

ScrewMaster (602015) | more than 3 years ago | (#34217478)

Smith said the language is intended to clarify its stance on a class of software that can be used both to secure and penetrate protected networks.....If a piece of software can be used to test a network for vulnerability, it can likely be used to penetrate said network.

This software does not secure or test anything. It's used to a exploit SQL injection vulnerability found by other means. Go read its sourceforge page which says.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network

I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

Re:As the old linux community saying goes... (4, Informative)

fluffy99 (870997) | more than 3 years ago | (#34217900)

I'm afraid that I don't understand your point. Are you saying that, because this isn't a program that just goes "oh look, I think I found a vulnerability" but actually exploits it, that it's any less valuable to someone in charge of network security?

If you're trying to secure a system, a tool which identifies the vulnerabilities is of great use. This tool doesn't find the vulnerabities, you have to do that yourself. Once you find a vulnerable webpage, you use this tool to exploit it.

It's kind like checking a building for open doors, actively trying to jimmy the doors, or see how easily the locks can be picked. That's valuable as it identifies weaknesses. This tool would be more akin to going in and stealing things after someone else pointed out the unlocked door.

Of course no-one has pointed out the political angle. I doubt RedHat wants to host a tool in the repositories whose stated purpose is for compromising Microsoft SQL databases.

Re:As the old linux community saying goes... (1)

blincoln (592401) | more than 3 years ago | (#34217798)

So, in other words, this is another in a long line of questionable and sensationalistic articles by The Register? I don't even bother to read anything they publish anymore, because their standards are so low these days.

Everything seemed to go downhill starting with that series of articles they ran a few years ago where they published truly bizarre and (AFAIK) unsubstantiated claims about some dot-com CEO.

Re:As the old linux community saying goes... (1)

m1ss1ontomars2k4 (1302833) | more than 3 years ago | (#34217096)

Plus, there are always non-free software being excluded from repos of various OSes, and nobody really cares nearly as much as they seem to care about this.

Re:As the old linux community saying goes... (0)

Anonymous Coward | more than 3 years ago | (#34217700)

This is the age old problem with the open source attitude. Here you have a software project led by a huge foundation to provide an open source operating system which I wish to use. They do something I don't like and the result is change/fix/fork it yourself? What the hell am I supposed to do? Fork and maintain the fedora project? Fuck man I don't even know how to program.

This attitude is also why the opensource community is a horrendous clusterfuck of packages and distributions. What is the average joe supposed to do? Most people don't even know there is a distro other than Ubuntu, so what do they do if Canonical crosses them?

That's Interesting (1, Interesting)

SilverHatHacker (1381259) | more than 3 years ago | (#34216726)

I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.) They probably want to cover their butts, but it also seems like unfair censorship.

Re:That's Interesting (1)

think_nix (1467471) | more than 3 years ago | (#34216768)

WOW lol ? Ok, lets start holding distro's liable for providing basic things like tcpdump.

Re:That's Interesting (4, Insightful)

phantomfive (622387) | more than 3 years ago | (#34216868)

The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?). SQLNinja is marketed entirely as an "SQL Server injection & takeover tool." Obviously marketing isn't the most important thing, but penetration testing is about all it can do (unless you're dumb and actually want to take over other people's computers). Fedora users aren't primarily penetration testers.

From reading the minutes, it seems like the Fedora board rejected it, not because it's a hacker tool (they include jack-the-ripper), but because it doesn't provide any real benefit for their customer base, certainly not enough to outweigh the small legal risk entailed. Fedora isn't a penetration testing distro, it's a server distro. They don't include metasploit either, there's just no demand for it, and the authors of metasploit don't need to get attention for their product by begging people to put it in their distro.

Re:That's Interesting (1)

think_nix (1467471) | more than 3 years ago | (#34216884)

The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).

Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?

Re:That's Interesting (1)

phantomfive (622387) | more than 3 years ago | (#34216940)

The reason the Fedora board gave was (and if you had read the link you would know this) is that the nmap is used probably the majority of the time to check if your own ports are open. Of course even a compiler can be used as a penetration tool, so the ability to use something as a penetration tool is not enough to keep it from the distro, which I think you're getting at.

Really, from reading the minutes, I think they basically decided it wasn't useful enough for their user base. You might disagree, but I trust the Fedora board to know what their user base wants more than I trust you.

Re:That's Interesting (0, Offtopic)

think_nix (1467471) | more than 3 years ago | (#34217084)

he reason the Fedora board gave was (and if you had read the link you would know this) is that the nmap is used probably the majority of the time to check if your own ports are open. Of course even a compiler can be used as a penetration tool, so the ability to use something as a penetration tool is not enough to keep it from the distro, which I think you're getting at.

Really, from reading the minutes, I think they basically decided it wasn't useful enough for their user base. You might disagree, but I trust the Fedora board to know what their user base wants more than I trust you.

From reading the minutes:

"Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.' "

Re:That's Interesting (2, Insightful)

phantomfive (622387) | more than 3 years ago | (#34217112)

Good job. You have demonstrated your capability to read, cut and paste a sentence from the minutes onto slashdot. Do you also have the capability to explain why you think that sentence is particularly important? Please do.

Re:That's Interesting (1)

think_nix (1467471) | more than 3 years ago | (#34217258)

Good job. You have demonstrated your capability to read, cut and paste a sentence from the minutes onto slashdot. Do you also have the capability to explain why you think that sentence is particularly important? Please do.

Was just stating from the minutes one of the argumentations that were posted for adding the package, which I see and view as significant. You implied earlier that I should have read the minutes, which I did. I have to use a Fedora box at work so yes I read them all the time, so I can keep up with the binary distro world.

Since you asked, I feel that is an important argument to the package itself and the boards reasoning as a whole, look at some of the other packages that are provided and what they can be used for. I feel the 'Boards' arguments are rather week and alienating (in the end honestly I do not care. If I need to test some clients database's I will do so regardless of what Fedoras Board thinks which packages should be on my system or not.

Other comments here have stated that certain countries have issues with "tools" provided on computers. Well that maybe, and this sounds like Fedora's Board wanting to cover its ass without thinking about other packages they already provide the distro with from the install DVD that can have similar uses (although technically speaking different but the principals are the same).

Just my 2 cents :)

Re:That's Interesting (1)

phantomfive (622387) | more than 3 years ago | (#34217334)

ok, so you are a Fedora user. That's good, we can learn something. Although you are only a sample of one, you are representative of some portion of the Fedora user base. So do you feel, that as a Fedora user, you are planning on using this tool, and thus this decision harms you (somewhat minimally, of course)?

My perception is that this tool isn't something you would really install on a Fedora system, if you were doing penetration testing you would use something else, but I could be wrong.

Re:That's Interesting (0, Offtopic)

think_nix (1467471) | more than 3 years ago | (#34217426)

When I or colleagues at work need to install a Fedora box it has most everything on it for security auditing , penetration , etc etc. That is what we do . Imho this thinking is getting more like the windows side of things. Fedora keeps doing this, if you really need something download from site X install etc etc . Or I will have to personally notify myself of updates in the future instead of yum telling me to do so . Or add repo X install some gpg key since you were talking about trust earlier. (allbeit this will probably just get added in an additional repo) I just fail to see the logic in their reasoning thats all.

Re:That's Interesting (3, Informative)

fluffy99 (870997) | more than 3 years ago | (#34217238)

From reading the minutes:

"Argument for SQLninja to be added to Fedora is that it is a 'penetration testing tool.' "

Try reading the sourceforge page instead. http://sqlninja.sourceforge.net/sqlninja-howto.html#s1 [sourceforge.net] . It's not a pen testing tool. It's an exploit tool.

Re:That's Interesting (1, Informative)

think_nix (1467471) | more than 3 years ago | (#34217314)

Try reading the sourceforge page instead. http://sqlninja.sourceforge.net/sqlninja-howto.html#s1 [sourceforge.net] . It's not a pen testing tool. It's an exploit tool.

http://nmap.org/ [nmap.org] this says in the introduction:

"map ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing."

Re:That's Interesting (1)

think_nix (1467471) | more than 3 years ago | (#34217332)

damn buffer I copied it wrong and hit enter to fast. I meant to say they call it exploration now , although look at the links directly in the navbar , exploits etc what not

Re:That's Interesting (1)

fluffy99 (870997) | more than 3 years ago | (#34217860)

damn buffer I copied it wrong and hit enter to fast. I meant to say they call it exploration now , although look at the links directly in the navbar , exploits etc what not

Well sure exploration implies mapping something out. Exploitation would imply taking advantage of something once it's discovered.

Re:That's Interesting (0)

Anonymous Coward | more than 3 years ago | (#34217358)

Exploration != exploitation.

I know, I know, grammar is hard, let's go shopping!

Re:That's Interesting (2, Insightful)

fluffy99 (870997) | more than 3 years ago | (#34217234)

The difference between tcpdump, nmap, and sqlninja is that tcpdump and nmap have a lot of uses (is my port open?).

Yes of course, but there are also plugins for e.g. nmap that will give you 'recommendations' for _said_ open ports on target which in the end is also a 'penetration tool' which was one of the reasons for not adding this particular package. So how is that so much different ?

Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.

Re:That's Interesting (1)

Raenex (947668) | more than 3 years ago | (#34217562)

Because the sole purpose of SQLninja is to exploit a SQL injection vulnerability once detected by other means, not to actually discover them. To me, that is a black hat tool with no redeeming use as a pen testing program.

Given that security best comes in layers, it would be good to know how much damage a successful injection can do, and design your system in accordance, including alerts for people attempting to use this tool.

Re:That's Interesting (2, Informative)

arose (644256) | more than 3 years ago | (#34216942)

From their "Introduction" section on the home page:

It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Which can be used for testing... (0)

Anonymous Coward | more than 3 years ago | (#34217114)

> SQLNinja is marketed entirely as an "SQL Server injection & takeover tool."

You do realize that we test whether or not we're protected against SQL injection by attempting actual attacks... right?

Re:That's Interesting (1)

Princeofcups (150855) | more than 3 years ago | (#34217128)

And more importantly the name is kewl and sensational. If they called it SQLSecurityVerificationTool, they would have no problems.

Re:That's Interesting (1)

phantomfive (622387) | more than 3 years ago | (#34217164)

That's a good point, but as the Fedora board mentioned, the sensational name alone isn't enough to keep it out, since jack-the-ripper is in the distribution. I really think they left it out because they didn't see it as being particularly useful (for their user base).

BTW, I am fairly certain that your sig is the reason Nancy Pelosi keeps getting re-elected in San Francisco......yeah, she's just like a Republican....but at least she's not a Republican (although she did represent fairly well in the last year, after the CIA scandal finally blew over).

Is it something in the water? (1)

westlake (615356) | more than 3 years ago | (#34217206)

"SQLNinja, jack-the-ripper, metasploit."

The geek has a genius for putting names to his projects that are certain to raise red flags.

The Gimp carries baggage into the OSX and Windows shop that the charity providing services for the disabled does not need or want. Fedora and Red Hat need to maintain their credibility in the enterprise environment.

Time and money spent in explanation and recovery - PR - can always be put to better uses.
   

Re:That's Interesting (0)

Anonymous Coward | more than 3 years ago | (#34217482)

Fedora users aren't primarily penetration testers.

Ubuntu users aren't primarily sysadmins. Should Ubuntu not include nmap?

Half the point of a repository is that it can contain a whole lot of infrequently-used packages, so that they're accessible to the small fraction of users who want them.

Re:That's Interesting (0)

Anonymous Coward | more than 3 years ago | (#34216820)

I can kind of understand the decision. If someone gets hacked, is the Fedora distribution liable for providing the tool? (Similar to how you can be charged with Accessory to Murder for providing a weapon, or an ISP is now somehow responsible for any illegal traffic.) They probably want to cover their butts, but it also seems like unfair censorship.

Why are you on the fence? You sympathize with their POV, but you think it's "unfair censorship"?

Unfair censorship is when another party or parties forces you to censor yourself. When you choose to censor yourself, we have another word for it: restraint.

Either you think that they are doing the right thing to protect the interest of their project, or you think that they are caving on their principals and should be shunned for the action. You can't have it both ways.

Re:That's Interesting (1)

nurb432 (527695) | more than 3 years ago | (#34216866)

Its not censorship since they are not a government entity.

They really aren't exposing themselves any more to suits by including it then not as long as it has a legitimate purpose and there is a statement to some effect that they only intend it to be used that way. ( else every gun and knife maker in the world would be gone by now )

Re:That's Interesting (1)

arose (644256) | more than 3 years ago | (#34216914)

Its not censorship since they are not a government entity.

Censorship isn't restricted to governments. Government censorship just happens to be a particularly nasty type so it's talked about more.

Re:That's Interesting (1)

Samantha Wright (1324923) | more than 3 years ago | (#34217216)

Censorship involves denying people access to information. This is more like a magazine choosing not to publish a story—Fedora users can still acquire the tool themselves, after all!

Re:That's Interesting (1)

Bobakitoo (1814374) | more than 3 years ago | (#34217020)

Then they should also remove gcc from the distribution... I dont think it is to cover their butts because there is plenty of "hacker" tools left. It's just some twit that made a bad call. Probaly a ex-microsoft/apple/proprietary that prefere dev tools to be only avaible to licensed developers.

by your idea (2, Insightful)

chronoss2010 (1825454) | more than 3 years ago | (#34217868)

so if someone gets hit over head with a hammer is Canadian tire liable for selling them the hammer?

"Not Fit For Entry" vs. "Drops" (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34216728)

Does a package have a right to be included in a distribution?
Is failing to include a package censorship?

Hardly. These are the decisions that distribution maintainers face every day. You can't include everything, so there doesn't really need to be much of a reason to not include any particular program.

Re:"Not Fit For Entry" vs. "Drops" (1)

sjames (1099) | more than 3 years ago | (#34216880)

Do people have a right to critique the package inclusion policies?

Certainly.

Nobody seems to be invoking Godwin, just saying that the justification used here sounds a bit off. Had it been "We can't include everything that exists and this package seems to be of limited interest", nobody would even blink.

Re:"Not Fit For Entry" vs. "Drops" (1)

Xtifr (1323) | more than 3 years ago | (#34217042)

Do people have a right to critique the package inclusion policies?

Certainly.

Sure. Do the rest of us have a right to call these people out if we think they're trying to make a mountain out of a molehill? Likewise certain. You seem to be trying to deny the AC the same rights you demand for yourself.

The fact is that post-Grokster, the way a program is marketed is legally significant, and the way this program has been marketed is definitely a bit sketchy, IMO. Grokster didn't lose because their program lacked legal uses; it lost because they promoted the illegal ones.

Re:"Not Fit For Entry" vs. "Drops" (1)

sjames (1099) | more than 3 years ago | (#34217416)

The fact is that post-Grokster, the way a program is marketed is legally significant, and the way this program has been marketed is definitely a bit sketchy, IMO. Grokster didn't lose because their program lacked legal uses; it lost because they promoted the illegal ones.

By the same token, if you even imply that you're vetting the legality of packages, it tends to come back to haunt you when someone finds an obscure illegal use for foo that you did include. That's not to say that you can't internally equate probably used illegally with not very interesting.

LOL @ Censorship tag. (3, Insightful)

Beelzebud (1361137) | more than 3 years ago | (#34216748)

I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used.

Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...

Re:LOL @ Censorship tag. (1)

ApolloX (1017440) | more than 3 years ago | (#34216794)

Sadly many "hackers" cannot figure out how to download such tools.

Re:LOL @ Censorship tag. (1)

ScrewMaster (602015) | more than 3 years ago | (#34217652)

Sadly many "hackers" cannot figure out how to download such tools.

That may be. If so, those types don't qualify as "hackers" in any sense of the word. Script kiddies, maybe, or just vandals ... but not hackers.

Censorship != government censorship (1)

Compaqt (1758360) | more than 3 years ago | (#34216804)

(transitive) To review in order to remove objectionable content from correspondence or public media, either by legal criteria or with discretionary powers

http://en.wiktionary.org/wiki/censor#Verb [wiktionary.org]

Censorship can be by a government, or it can be by a private party. In the latter case, arbitrary censorship is usually OK. For governments, they usually have to meet some reasonable constitutional or judicial standard.

Re:LOL @ Censorship tag. (1)

klingens (147173) | more than 3 years ago | (#34216836)

The MPAA ratings are not done by any government body, but they still censor movies when someone in the movie says fuck, copulates with same/different sex or mindlessly kills people.
Censorship is not just when governments do it. And no one prevents me to say "fuck" either. Yet.

The problem per se is not that Fedora removes a package. The problem is their reasoning especially when there tons of other penetration testing tools still existing in Fedora. It's their choice if they want a non-offensive, family friendly, annoy no one distro, it just might be a tad difficult thing to then create a useful distro which technical people want to use.

Re:LOL @ Censorship tag. (1)

epine (68316) | more than 3 years ago | (#34217180)

The MPAA ratings are not done by any government body, but they still censor movies ...

Technically the MPAA is a rating board. They don't actually cut anything. The power arises from the distribution chain that won't widely screen any movie with a rating above PG-13. I've even seen a few movies distributed unrated if the director has a loyal enough following and not terribly high commercial prospects to begin with.

If more consumers chose to ignore the ratings, we'd be better off. You can usually figure out whether a movie is suitable from any competent film review. All it takes is three minutes to make an independent decision, but the majority of the consuming public appears to value convenience over freedom. I guess you'd call that censorship by sheeple inertia.

One rating I wouldn't mind is "dim grasp of physics". Before I turned King Kong off, Kong was shaking Naomi Watts though what must have been a 30 foot arc at about a 1 Hz period. She was prone, with her head hanging loose, and she didn't get shaken baby syndrome. Tough gal.

Actually, I did skip forward to the mayhem in the final sequence, where Kong climbs the skyscraper at an incredible speed without breathing all that hard. Like they once asked Contador after an impressive climb, "hey, Contador, what's your VO2 max?" Kong was climbing that building at five times Contador's climb rate in France, so he should have been breathing five times harder than Contador relative to body mass. That's some serious chuffing.

Roughly 60% of the energy expended goes to body heat, and Kong has some serious cubed-square law issues. Maybe he was a reptile subject to convergent evolution and just looked like a hairy ape.

I suppose you could determine that by inspecting his ovipositor, if the MPAA hadn't blacked it out.

Re:LOL @ Censorship tag. (1)

think_nix (1467471) | more than 3 years ago | (#34216872)

I swear, some people really need to read about the concept of censorship. I wasn't aware that Fedora was a government entity, and that they just banned an app from ever being used. Guess what. You can always install this app yourself, if you really want to use it. I'm sure someone wanting a hacking tool can figure out how to install software...

Yeah, the 'Fed' in Fedora just got a whole new meaning.

Re:LOL @ Censorship tag. (1)

arose (644256) | more than 3 years ago | (#34216920)

I swear, some people really need to read about the concept of censorship.

Yes, yes they do. Can you believe that there are people who think censorship is somehow an activity that's exclusive to the government?

Re:LOL @ Censorship tag. (1)

Beelzebud (1361137) | more than 3 years ago | (#34217010)

I understand your point, and I agree. However, do you actually think that not including an obscure piece of software in a Linux distro is censorship?

Re:LOL @ Censorship tag. (1)

arose (644256) | more than 3 years ago | (#34217080)

It's not the obscurity, it's the rationale given. It's pretty much the definition of censorship (which isn't bad per se, just in case that's unclear).

Re:LOL @ Censorship tag. (1)

Beelzebud (1361137) | more than 3 years ago | (#34217088)

And yet there is nothing in Fedora to prevent you from installing it if you choose, so again, where is the censorship?

Re:LOL @ Censorship tag. (1)

arose (644256) | more than 3 years ago | (#34217324)

It's not in the repositories, that is, it's been censored from appearing there. It's the reasoning given, not the scope, that makes it censorship.

Re:LOL @ Censorship tag. (0)

Anonymous Coward | more than 3 years ago | (#34216946)

Script kiddies can not.

Beware that path of madness! (0)

Anonymous Coward | more than 3 years ago | (#34216800)

Several nudie shots would make a useful addition to the repository, but I'll bet the committee is already too far down that "path of madness" to include them.

Re:Beware that path of madness! (2, Funny)

David Gerard (12369) | more than 3 years ago | (#34216834)

Yeah, that'd just be copying Ubuntu.

Re:Beware that path of madness! (0)

Anonymous Coward | more than 3 years ago | (#34217778)

But what about the hotbabe program?

What about the hotbabe program plus some extra themes [zoy.org] ?

Ladies and Gentlemen (1)

GameGod0 (680382) | more than 3 years ago | (#34216822)

We have our own open source, Steve Jobs. And isn't it fitting that it's a committee?

Exaggerate much? (4, Insightful)

Reaperducer (871695) | more than 3 years ago | (#34216844)

"In what can only be described as a fit of insanity"

Holy crap. Get some perspective. It's not that big a deal. Go outside and get some fresh air and sunshine.

time to switch to debian or ubuntu (2)

syleishere (1811744) | more than 3 years ago | (#34216924)

Linux prides itself on having all hacking tools available so system administrators know how to attack so they know how to defend, and system admins are godly people that do not like to be told what to do, so 2 things will happen, distro switch or config their own repositories where they can still get them. I think fedora has forgotten target audience. Its like taking food away from a baby, good luck with that.

Re:time to switch to debian or ubuntu (2, Informative)

Just Brew It! (636086) | more than 3 years ago | (#34217196)

I don't see it in the Debian/Ubuntu repos either.

Quid Pro Quo (1)

beaker8000 (1815376) | more than 3 years ago | (#34216928)

Red Hat is in the business of selling linux support to companies. It is not too surprising that some of those companies (who very well may have been the target of SQL injection exploits) have said in return for our businesses, remove all software that supports SQL injection from your repos. This is a useless measure for sure, but it may make the companies happy. I would suspect this is the case given the unanimity of the board's approval.

Re:Quid Pro Quo (1)

John Hasler (414242) | more than 3 years ago | (#34216972)

This is about Fedora, not RHEL.

Re:Quid Pro Quo (1)

beaker8000 (1815376) | more than 3 years ago | (#34217000)

There are 9 members of Fedora's board, 4 of which are appointed by Red Hat. Red Hat appoints a chairman with veto power over any Fedora board decision. I suspect if you tell Red Hat to remove something from Fedora they could do it.

Re:Quid Pro Quo (0)

Anonymous Coward | more than 3 years ago | (#34217140)

Let me remind you that Mono was included in Fedora despite Red Hat's explicit opposition. Why would this be any different?

To secure yourself? "Hack yourself"... (0)

Anonymous Coward | more than 3 years ago | (#34217026)

See subject-line above, because imo @ least? To secure yourself, you've got to be able to "hack/crack" yourself, & it's typically called "pen testing", which yes, you should exercise on yourself...

I.E.-> Regularly use logs, or directly probe, & see what's coming AND going out of your systems over IP (especially lately, your databases via their "front ends" on the web mostly - stored procs, trim your sends/receive inputs/outputs, & other types of sanity checking.... but also, know your data &/or typical userbase + usepatterns and TCP/IP ports & their uses).

I think it's as important as updating your machine's OS &/or Applications in fact. A pain for sure, especially some of what I noted above if it's not done regularly, but you have to do some work on your own, no automator can do what you can in full, or have your judgement.

So, by removing this tool being commonly available has that "other side", as so many tools do, of being like a razor? You cripple yourself in this capacity... others here cited pulling tools like nmap being the same thing in this very thread here on /., & it's a good solid example also.

Like a razor, many apps are: You can use it to shave, which is of course useful, OR, to cut your own throat. Removing it's removing its possible potentially important useful uses also.

2 sides to every coin.

Additionally, yes: It happens in the Win32/64 world too!

E.G.-> Nir Sofer of NIRSOFT's had it happen (he writes nice useful smallish utils that get this bad rap, most do not though), so has Dr. Mark Russinovich of Microsoft (on certain of his "pstools" & others he wrote, but not all), and even to myself on 1 app (that I never intended for usage as a malware, & it's only listed with a "zero threat level" yet it never violated even 1 of 21 questions CA asked for removal completely).

APK

P.S.=> Like guns & people: Tools don't kill servers/systems, people do... Same with some programs on PC's &/or Servers!

Ping's another "classic example" here really as well - it used to be able to issue a "ping of death" and on older OS it still can!

(Yet, no one ever removed it from systems (oh, they altered things in it, but it's still here), because it's so useful - & I have yet to see PING listed as a weapon in any malware tracking DB, even when it was potentially dangerous at the same time as being really useful!)... apk

Re:Quid Pro Quo (1)

B1oodAnge1 (1485419) | more than 3 years ago | (#34217162)

You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

It's an exploit tool, not a vulnerability checker (4, Insightful)

fluffy99 (870997) | more than 3 years ago | (#34217204)

You may be right, but it would be especially ironic since if those companies would have had ninjaSQL, and used it effectively in testing their networks, then they wouldn't have been a victim of SQL exploits in the first place...

This isn't a tool to find vulnerabilities. It's a tool to exploit them once found.

From the sourcforge page for this tool

"Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does: "

As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task already.

Much ado about null (0)

Anonymous Coward | more than 3 years ago | (#34216944)

And the impact on people actually using these type of tools: 0.

I, Juefeng Ge, for one (1)

juefengge (1939920) | more than 3 years ago | (#34216968)

Welcome our new SQLInjection overloads. I used it on my own site, www.jeufeng.com

And what is the problem? (0)

Anonymous Coward | more than 3 years ago | (#34217002)

Nobody used Feduhra anyway.

Published on lwn.net last Wednesday (2, Informative)

nick_urbanik (534101) | more than 3 years ago | (#34217014)

The board meeting minutes were published on lwn.net [lwn.net] more than three days ago.

Fine Lines... (2, Insightful)

Improv (2467) | more than 3 years ago | (#34217136)

Being reasonable requires we be willing to draw lines and pass judgement. There are some tools that are mostly legitimate, some that see substantial illegitimate use, and some that are mostly illegitimate. It's fine for a Linux distro to decide not to ship with (or include in repositories) tools that are mostly used for illegitimate ends, even if they have some theoretical legitimate uses. They're not under any obligation to package everything, and "stuff that's mostly used to do harm" is just as reasonable to filter out as "things with ugly licenses".

By analogy, it is usually hard to get lockpicking tools, assault weapons/vehicles, nuclear materials, radar detectors, unsafe foods, homemade alcohols, and many other things in most countries. Can you manage it? Usually, either by legitimate means if you can get a permit, or by making them yourself.

This is entirely different (and much more mild) than blacklisting those applications.

Re:Fine Lines... (0)

Anonymous Coward | more than 3 years ago | (#34217434)

I think that probably the key thing here was that this tool doesn't just test your websites and produce a report saying "hey, these servers are vulnerable to SQL injections and those servers aren't", which it could do by trying out some innocuous, safe SQL injections. Instead it actually roots the machine for you. On the other hand, NMAP will (effectively) give you a list of possible vulnerable points but doesn't offer to go ahead and take over the machines for you.

If a webserver is vulnerable to SQL injection at all, it is unsafe. I have a hard time understanding why a white-hat penetration tester would need to actually root a production server. Are there really any webservers out there that deliberately allow "safe" SQL injections but would reject "unsafe" ones? WTF?

Much ado about nothing? (3, Interesting)

Just Brew It! (636086) | more than 3 years ago | (#34217186)

While I'll be the first to acknowledge that this is clearly a "CYA" move on Fedora's part, I don't see why it is such a big deal. Ubuntu/Debian don't appear to have this tool in their repositories, and I'm pretty sure SuSE doesn't either, so it's not like Fedora is bucking a consensus. If there's enough demand for it, RPM Fusion will probably pick it up.

Furthermore, if the person responsible for your network vulnerability testing doesn't have the basic skills to install it from the upstream sources, is this really the caliber of person you want to trust with your network security?

Apache2, Wireshark (1)

arhhook (995275) | more than 3 years ago | (#34217296)

They should be careful about apache2, it could be used to distribute malicious code over these-here-internets. Or maybe Wireshark will be dropped, I hear it could be used for bad things.

Don't give them any ideas... (1)

narooze (845310) | more than 3 years ago | (#34217352)

Today your SQL injection tools, tomorrow your nmap?

Why did you have to tell them about nmap for?

This is why I use SuSE Studio. (1)

sethstorm (512897) | more than 3 years ago | (#34217756)

I can always cook up whatever distro I want. Despite the issues with nmap and friends, I can always build an image with things like SQLNinja.

Auto-censure (0)

Anonymous Coward | more than 3 years ago | (#34217808)

If this story is true the *AA must be very happy.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?