SQLninja denial
Eric "Sparks" Christensen
sparks at fedoraproject.org
Mon Nov 15 15:09:19 UTC 2010
2010/11/15 Máirín Duffy <duffy at fedoraproject.org>:
> On Sun, 2010-11-14 at 18:05 -0800, David Wagner wrote:
>> The minutes also suggest confusion about penetration
>> testing tools in general.
>
> What confusion did you see?
>
>> I saw in the minutes the objection that
>> SQLninja is advertised as 'get root on remote systems'. Are the board
>> members aware that many penetration testing tools can be used to get
>> root on remote systems, and it is precisely for this reason that they
>> are useful for (legal, lawful, authorized) penetration testing?
>
> It may not have been clear from the minutes, but it's pretty safe to say
> the board members are & were aware of this.
>
>> Are the
>> board members aware that legal penetration testing can, and sometimes
>> does, include getting root on remote systems?
>
> Do you use SQLninja for penetration testing? Had you heard of it before?
> What penetration testing tools do you use? Is the language they use to
> explain & advertise their tools similar to that used for SQLninja? How
> do you find out about penetration testing tools? How many of the ones
> you use are GPL?
So the problem is that it can be used to hack into a system and isn't
passive like Nessus (is this really passive?), nmap, telnet (the
client), airsnort, and wireshark, just to name a few?
>
>> 2) Some board members appear to have raised legal concerns. However
>> those were not made explicit in the minutes and it looks like there has
>> not been an analysis or ruling from Fedora Legal. Before the board
>> ruled, the add package request (bug #63402) was blocked on FE-LEGAL,
>> but it looks like the board voted to deny the request before hearing
>> from FE-LEGAL. Moreover, I cannot find any place where the legal
>> concerns are articulated, let alone reference to particular statute or
>> justification for a concern.
>
> I took the meeting minutes. Generally sensitive discussion is excluded
> from meeting minutes.
So are you saying this was a legal issue?
>
> ~m
--Eric