Going on Record Against the Fedora Board’s SQLninja Decision.

I think this is a stupid decision[1]. By the Board’s reasoning we shouldn’t package Apache either, what if someone uses a server with Fedora on it to serve child porn? What’s next, are we gonna remove Wireshark and EtherApe? What about Firefox, you can hack into things with a web browser?!? What about the Security Labs spin? This is harmful to the community and to computer security in general. I hope the Board reconsiders their position.

[1] http://fedoraproject.org/wiki/Meeting:Board_meeting_2010-11-08

15 thoughts on “Going on Record Against the Fedora Board’s SQLninja Decision.”

    • Mike:

Assuming by “you” you mean “the user” then the legal weight is already on the user. If I commit a crime, I go to prison/pay the fine/etc. If I use Transmission to download movies and TV shows, Fedora doesn’t get into any legal trouble.

And if you mean “you” to be me specifically, I still say sure. I haven’t had an income in 2 years, what are they going to take from me, my 1994 Saturn SL1 that doesn’t run? 🙂

      • Mike McGrath says:

        Your response indicates you didn’t read the link I sent. I’m very clearly talking about you, not the user.

• I hadn’t had a chance to read it, but having done so now, my answer is still yes. IANAL, but AFAIK software vendors are not liable for what is done with the software. Are gun makers on the hook for crimes committed using their product? I understand the fear but I don’t think the reaction quite fits. This sets a really bad precedent.

  1. Davide Repetto says:

    I agree. To censor programs just because they are hacking tools is not the way to go for Fedora.
    I do believe that the board was terribly wrong on this call.

  2. bochecha says:

    > “By the boards reasoning we shouldn’t package apache either, what if someone uses a server with fedora on it to serve child porn? What’s next are we gonna remove wireshark and etherape? What about Firefox, you can hack into things with a webbrowser?!? What about the security labs spin?”

    I think the reasoning is that while with those examples you **can** do nasty things, it is not their **main intent**.

    From http://sqlninja.sourceforge.net :
    “””Its main goal is to provide a remote access on the vulnerable DB server”””

    I don’t really have any opinion on this topic though, so don’t take my comment for a full endorsement of the Board’s decision.

    • There are still legit reasons to want this tool, a buddy of mine does infosec as part of his job at a college. If he runs this tool and gets root on the DB server he knows any skiddie could do so and he’ll know that it is a priority.

      I like that you don’t have an opinion, that is a harder stance to take than for or against put together 🙂

  3. I appreciate your input on the matter, and hope to provide a bit of clarification on the Board’s decision.

    Your comments here seem to come from a false assumption that the Fedora Board is somehow going after any program that could be used maliciously. That is not our intention at all. I think the discussion is much more nuanced than that, so please allow me to explain if I may.

    In our Board meeting, we looked at SQLNinja specifically (and discussed the fact that we’re not setting precedent for doing a package-by-package review of tools already in Fedora).

In the specific case of the SQLNinja tool, it’s obviously in the gray area between “security professional tool” and “script-kiddie tool”. Since it’s in the gray area and was flagged for legal review, it’s the Board’s job to decide whether it adds legal risk to Fedora to carry the package, and whether the advantages of carrying the package outweigh those risks. Since it was flagged for legal review, Spot took it to Red Hat’s legal department and determined that it does in fact add some additional legal risk to Fedora to carry the SQLNinja package. But that wasn’t the only reason we decided not to carry it. As I’ve articulated on the advisory-board list, there were several questions we asked ourselves as we made the determination:

    * Does the application have the potential to increase our legal liability in a significant way?
    * Does the application have significant legitimate uses outside of attacking a system?
    * How does the application market itself? As a security tool? As an easy way to exploit others?
    * How difficult would it be for a knowledgeable security professional to build, versus an unskilled script-kiddie?
    * Is this an application that could be easily hosted in a third-party repository instead of Fedora?

    Considering these questions against the other packages you mentioned (apache, wireshark, firefox), it’s easy to see how they’re different than SQLNinja. In addition, the SQLNinja package is already available in one of the more popular third-party repositories for Fedora packages, so I’m not sure this is quite the big deal that people are making it out to be.

    That being said, Spot has agreed to go back and work with Red Hat’s legal team to further enumerate the possible risks, and then the Board will reconsider the matter. Please be aware, however, that doing that work could take some time.

      • I agree about the quality of this comment, every time I re-read it I get a little more info out of it.

        I still disagree that this doesn’t set a precedent. This kind of decision will definitely influence future decisions.

        Thank you Jared for taking the time to write such a lengthy and well put together argument.

    • Can someone link me to one? (you don’t need to do this publicly if you are worried) Because I’m sure this will come up on Kernel Panic and I would like to have an answer for the listeners.

  4. Chad says:

    This issue seems to be a bit of a grey area. What about distros like BackTrack? They are loaded with pen testing tools. Fedora is worried about that single app? What about a port scanner? It can be used for bad. Where do you draw the line?

  5. hicroet says:

    Very cool news! Admin, keep making posts in the same style.
