[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages suggestion and "Sponsor needed"

On Mon, 23 Jun 2003, Yves Teixeira wrote:

> It would be great, IMHO, if we could see more security tools in Debian,
> even those that are commonly used only by the crackers, like rootkits and
> sniffers. Knowing these tools is an important task for security
> professionals and system administrators. It is quite desirable to make
> them largely available. An issue is that I don't know wheter this kind of
> applications can enter the official Debian repository or not.

If they pass the DFSG, I don't see the official obstacle to them going in. 
I don't know whether you'd be able to find a licence for most blackhat
tools, though, since they're not typically used by people with high regard
for moral and legal guidelines...

> Among these applications I would include packet sniffers (czsniff,

These could have their uses on a system.

> readsmb, linsniffer [old] etc), common rootkits (adore, suckit, etc [see
> chkrootkit]) and other tools (hydra and other bruteforce applications,
> glftpd [a free "beer" ftpd application with features that please
> pirates]).

I could see no reason to package the rootkits, I've heard of hydra but don't
know what it does, and if glftpd is only free beer, then it won't pass
muster with ftpmaster.

> I also think that distributing exploits that could be used to test
> vulnerabilites is interesting too.  I don't think exploits would ever
> enter official debian repository. But I am thinking about making a
> repository for that, and, either or both, publish only verified (which is
> not hard) exploits and warn the admins not to use them in their production
> systems. But this would be a future work.

Big, flashy warnings to keep away from such things would be mandatory, I
would think.  Distributing a set of test exploits (as in, "I'll pretend to
be a worm and see if I can get in, and let you know if I do") is quite
useful, and has been done before.  I think there's something already in
Debian which does it, but I can't for the life of me remember what it is
(nessus?  is that it?).

> It is obvious that these tools are to be used by system administrators,
> not crackers.

Don't make arguments like that.  They look stupid.  Acknowledge that if you
provide it, and it looks good to the bad guys, they'll use it, no matter
what you say.  Stick with "yes, it can be used for both good and evil, but I
think the good uses outweigh the evil ones".

> Also, rootkits wouldn't just start and run after an 'apt-get install'
> instruction. The admin would have to be warned about what that rootkit
> does and how do remove it. Efforts would be made so that the rootkits were
> easy to be uninstalled or disabled, and to avoid accidents (like
> losing/deleting the "uninstall" tool).

I don't see the value in installing a rootkit, myself, since there are
dozens of ways of leaving a backdoor open on your system normally.  The only
thing rootkits do differently is try to avoid detection.

My general reaction to this proposal is a reserved "maybe".  I see a useful
legitimate "market" for some tools generally considered to be on the
blackhat's shopping list, but I don't see a use for a package of a live
exploit or rootkit.  It's like computer virus research - don't play with
fire, you *will* eventually get burnt.

Another possibility to putting them in Debian would be to start your own
repository of packages somewhere else.  List them on apt-get.org, and people
can get them from there.  Much less likely to cause harm (and ruffled
feathers) than a copy of lion on every debian mirror...

> If, after that, I perform a good job, can I apply to be a DD? As a
> thankful and happy Debian user, I would be very glad if I could make it.

Yup, if whoever sponsors you advocates for you, you can go through NM just
like everyone else.

> Sorry for my poor english.

Beats my portuguese.  <g>

#include <disclaimer.h>
Matthew Palmer, Geek In Residence

Reply to: