Open Source Subnet An independent Open Source community View more

Fedora Board likely to reconsider SQLNinja, but should they?

Board should stick with original decision

According to a comment today from Tom "spot" Callaway on the SQL Ninja request, it looks like the Fedora Board will reconsider allowing the takeover tool into Fedora. The initial decision drew quite a lot of criticism, but that doesn't mean the board was wrong.

I've been watching the news and discussions on various Fedora lists responding to the board's decision not to include SQLNinja in Fedora. It's typical, but disappointing. The slightest hint of moderation in an open community — whether it's being picky about the packages included in the distribution or setting policies about civil behavior on communication channels — draws rapid criticism. Predictably, many people have reacted to the decision as if it's a huge restriction that keeps the freedom-loving masses of Fedora users apart from the full treasure trove of free and open source software.

Let's step back for a second and examine what really happened. The Fedora Board was asked about including SQLNinja, "a SQL Server injection and takeover tool." SQLNinja just had a fresh release after a two-year hiatus. (Previous release was October 2008.)

After consulting with Red Hat legal, the board discussed and decided about the policy in general and with regards to SQLNinja in particular. The policy is:

Where, objectively speaking, the package has essentially no useful foreseeable purposes other than those that are highly likely to be illegal or unlawful in one or more major jurisdictions in which Fedora is distributed or used, such that distributors of Fedora will face heightened legal risk if Fedora were to include the package, then the Fedora Project Board has discretion to deny inclusion of the package for that reason alone.

Now people are using slippery slope arguments with ridiculous statements like "what if someone uses a server with Fedora on it to serve child porn?" Others are claiming that Fedora is "banning," SQLNinja. In general, quite a few Fedora users and contributors have come out against the omission of a package they'd never heard of before or wished to use before the board said no.

The chorus crying about the exclusion of SQLNinja has nothing at stake, nothing at risk if Fedora ships SQLNinja. On the other hand, Fedora as a project under Red Hat's wing can expose the parent company to legal risk — not to mention risk to its reputation. Imagine for a moment the headlines about Red Hat shipping a SQL Server takeover tool in Fedora 15, especially if it actually is used to conduct an attack of any magnitude. If you want to get on the slippery slope, Red Hat and the Fedora Board have very good reasons for rejecting SQLNinja.

As described on its Website, SQLNinja is a single-purpose takeover tool. It's aimed only at taking over sites running SQL Server, not at penetration testing using SQL injection against any SQL server. While that could be used for legitimate purposes, it seems much more targeted at penetrating sites where the attacker is not doing so with permission. To be fair, digging into the site there are disclaimers that tell users that they need to have permission or they could run afoul of law enforcement. I'm sure that admonition will be given due weight by people well outside the jurisdiction of the servers that they're attacking... but it's not likely to hold a lot of sway in the U.S. court system.

There's also the fact that legitimate penetration testers ought to be able to compile SQLNinja on their own. Some folks have claimed that the board is "banning" SQLNinja — but that's not the case. The board is simply saying it won't be packaged and hosted in the Fedora repos.

It's not like Fedora is standing alone on this. Guess how many major Linux distributions have chosen to ship SQLNinja? If you guessed "none," you'd be correct. Its utility and scope of use are very limited, its development community very small, and the speed of development is glacial. The developer even says "there are far more interesting things to have fun with" than working on SQLNinja — making it likely that the package is going to sit fairly stagnant in the repos.

Given the pressure, the Fedora Board may reconsider and allow SQLNinja. I think the policy they drafted on short notice could use some polish, but I don't think SQLNinja particularly belongs in Fedora. It's out there for the exceedingly small number of users who actually have a legitimate use for the program. Maybe someone will even work on it and make it a functional penetration testing tool with a real community behind it, rather than a blunt force instrument for site takeover. If that happens, then it should be admitted into Fedora. As it stands, it looks very much like a potential headache for Fedora and its sponsor and not much of a win for the larger community.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10