Fedora rejects SQLninja

Posted Nov 10, 2010 18:02 UTC (Wed) by fandingo (subscriber, #67019)
In reply to: Fedora rejects SQLninja by peter_lemenkov
Parent article: Fedora rejects SQLninja

That's not a reasonable comparison. Nmap and nc can't be used directly to hack into a box. Nmap and nc are tools, which need to be carefully configured to attack someone. Realistically nmap, at best, could be considered a reconnaissance tool. On the other hand, SQLninja is specifically designed to find and attack servers. Sure there are legitimate uses, but including (semi-)automated attack tools has ethical and, less likely, legal implications. We don't really think that much about 'branding' with Linux Distros, but blog entries with titles like "How to hack SQL servers in Fedora X" can deeply undermine the credibility of a distro.

On sqlninja's web page, the only two demos both detail how to not only identify vulnerable servers, but to hack into them and gain shell/GUI access. I would argue that this isn't a "security" tool insofar as it is useful to use tools that attackers use. Instead, this is a hacking tool, and should not be included.



Fedora rejects SQLninja

Posted Nov 10, 2010 18:34 UTC (Wed) by ewan (subscriber, #5533)

Instead, this is a hacking tool, and should not be included.

The problem with that is that it's an ethical position, and people's ethics differ. Fedora is an explicitly pro-Free software organisation, so it makes sense to take a distribution-wide view on that, but there's no such single view on other issues. This particular issue may seem like a relatively uncontentious one, but it's just as 'off topic' for Fedora as more obviously controversial ethical stances would be.

Fedora rejects SQLninja

Posted Nov 10, 2010 20:48 UTC (Wed) by ebiederm (subscriber, #35028)

Following your own personal ethics is always ethically sound.

Your objection to an ethical stance on ethical grounds is amusing.

Fedora rejects SQLninja

Posted Nov 10, 2010 22:07 UTC (Wed) by ewan (subscriber, #5533)

This isn't about personal ethics though, it's about a small group of people imposing their personal ethics on others who may or may not share them. It's one thing for some Fedorans to decide that they personally don't want to use a particular tool, quite another to make it harder than necessary for others to use it.

Fedora rejects SQLninja

Posted Nov 11, 2010 11:26 UTC (Thu) by jwakely (subscriber, #60262)

Make it harder than necessary? In what way? I didn't see any suggestion of preventing users from installing it themselves. If you can't install it without the help of PackageKit then I'm fairly sure you don't need it.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:32 UTC (Thu) by fandingo (subscriber, #67019)

Well, it actually goes further than that. SQLNinja was never considered for a default install. This change was to remove it from Fedora's repositories. Maybe RPMFusion or the like will offer it, but the project's site doesn't list repos, so you'd have to build from source. I don't think that's much of a problem, though. Users of something this powerful should at least be able to compile a program...

Fedora rejects SQLninja

Posted Nov 11, 2010 13:38 UTC (Thu) by rahulsundaram (subscriber, #21946)

"Well, it actually goes further than that. SQLNinja was never considered for a default install. This change was to remove it from Fedora's repositories."

Actually, the review request filed was blocking on legal to approve it. So it was never in the Fedora repository at any point.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:53 UTC (Thu) by ewan (subscriber, #5533)

I'm fairly sure I could build a working system from original source tarballs from around the web, but I'd still rather not. Your logic could happily eliminate most special purpose technical tools from a distribution on the basis that would-be users should be capable of getting them themselves. Like a poster above, I'm not too concerned about SQLninja specifically, but about the policy. We have been here before with bits of Free software that some people find 'unethical', and it still doesn't seem like a good basis for making technical decisions.

The problem with this specific decision is that the policy wording seeks to exclude things that have "no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful" but SQLninja doesn't seem to meet that test - using it on your own systems, as has been mentioned several times in this thread alone, is both legal and foreseeable.

If Fedora is going to set up a policy that says one thing, then do something else because the software makes the board members feel icky, that seems like a bad thing.

Fedora rejects SQLninja

Posted Nov 11, 2010 17:21 UTC (Thu) by Cato (subscriber, #7643)

I think it's about probability of illegal use. Perl can be and is used to hack systems via libwww-perl exploit scripts (in fact some site owners block its user agent for this reason), but the percentage of illegal use of Perl is tiny. SQLninja and other pen testing tools are highly likely to be used illegally.

The solution is for someone to do a Fedora-based security oriented distro, like Backtrack, which is aimed at pen testing: http://www.backtrack-linux.org/

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds