On Mon, 23 Jun 2003, Yves Teixeira wrote:

> It would be great, IMHO, if we could see more security tools in Debian,
> even those that are commonly used only by the crackers, like rootkits and
> sniffers. Knowing these tools is an important task for security
> professionals and system administrators. It is quite desirable to make
> them largely available. An issue is that I don't know whether this kind of
> applications can enter the official Debian repository or not.

If they pass the DFSG, I don't see the official obstacle to them going in.
I don't know whether you'd be able to find a licence for most blackhat
tools, though, since they're not typically used by people with high regard
for moral and legal guidelines...

> Among these applications I would include packet sniffers (czsniff,

These could have their uses on a system.

> readsmb, linsniffer [old] etc), common rootkits (adore, suckit, etc [see
> chkrootkit]) and other tools (hydra and other bruteforce applications,
> glftpd [a free "beer" ftpd application with features that please
> pirates]).

I could see no reason to package the rootkits, I've heard of hydra but
don't know what it does, and if glftpd is only free beer, then it won't
pass muster with ftpmaster.

> I also think that distributing exploits that could be used to test
> vulnerabilities is interesting too. I don't think exploits would ever
> enter official Debian repository. But I am thinking about making a
> repository for that, and, either or both, publish only verified (which is
> not hard) exploits and warn the admins not to use them in their production
> systems. But this would be a future work.

Big, flashy warnings to keep away from such things would be mandatory, I
would think. Distributing a set of test exploits (as in, "I'll pretend to
be a worm and see if I can get in, and let you know if I do") is quite
useful, and has been done before. I think there's something already in
Debian which does it, but I can't for the life of me remember what it is
(nessus? is that it?).

> It is obvious that these tools are to be used by system administrators,
> not crackers.

Don't make arguments like that. They look stupid. Acknowledge that if you
provide it, and it looks good to the bad guys, they'll use it, no matter
what you say. Stick with "yes, it can be used for both good and evil, but
I think the good uses outweigh the evil ones".

> Also, rootkits wouldn't just start and run after an 'apt-get install'
> instruction. The admin would have to be warned about what that rootkit
> does and how to remove it. Efforts would be made so that the rootkits were
> easy to be uninstalled or disabled, and to avoid accidents (like
> losing/deleting the "uninstall" tool).

I don't see the value in installing a rootkit, myself, since there are
dozens of ways of leaving a backdoor open on your system normally. The
only thing rootkits do differently is try to avoid detection.

My general reaction to this proposal is a reserved "maybe". I see a useful
legitimate "market" for some tools generally considered to be on the
blackhat's shopping list, but I don't see a use for a package of a live
exploit or rootkit. It's like computer virus research - don't play with
fire, you *will* eventually get burnt.

Another possibility to putting them in Debian would be to start your own
repository of packages somewhere else. List them on apt-get.org, and
people can get them from there. Much less likely to cause harm (and
ruffled feathers) than a copy of lion on every Debian mirror...

> If, after that, I perform a good job, can I apply to be a DD? As a
> thankful and happy Debian user, I would be very glad if I could make it.

Yup, if whoever sponsors you advocates for you, you can go through NM just
like everyone else.

> Sorry for my poor English.

Beats my Portuguese. <g>

-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16