Recently, on a popular security awareness mailing list, Carolyn Meinel, author of "The Happy Hacker blah blah blah", was responsible for a post of supposed full disclosure information on wuftpd version 2.6.1. This post included a bit of seemingly harmless code that was actually malicious rm -rf ~/* code.

Seeing Carolyn's place in the security field, and her experience, would one have trusted code that was released by her?

Well, I did. I did check over the C source; it looked good: pushing large amounts of data into the USER variable of the FTP daemon, a typical buffer overflow.

So, I compiled it and ran it as per the "usage" instructions in the header, and lo and behold, I get rm: responses about not being able to delete certain things in my directory. Interesting.

I go to open the code, and poof, it's gone, as is everything in that directory that wasn't owned by root.

The malicious bit of code was in the shellcode of the buffer overflow. As I sit now, I regret not taking that assembly language class, but that is neither here nor there.

My question to you all is, is this ethical? Should this be allowed? Would this tarnish the reputation of a once supposedly respectable security specialist? Should this be thought of as a "lesson to script kiddies" (which I am not)? Or thought of as a violation of the "full disclosure" and open source idea? The idea of being able to share information without fear for the advancement of knowledge, isn't that why we're all here?
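The poster's point is that the payload hid in the hex-encoded shellcode, where a read-through of the C source does not reveal it. A first check before compiling anyone's proof of concept is to decode that string literal and run the equivalent of strings(1) over it. The following is an added example, not code from the original post or from the mailing-list exploit; the shellcode bytes in it are constructed filler with an embedded command and are not a working exploit.

```python
import re
from typing import List

# Constructed sample: the body of a C literal like char shellcode[] = "...".
# The filler bytes are made up for this example; only the embedded text matters.
SAMPLE_SHELLCODE = (
    "\\x90\\x90\\x90\\x90\\x31\\xc0\\x31\\xdb\\xeb\\x0b"          # filler
    "\\x72\\x6d\\x20\\x2d\\x72\\x66\\x20\\x7e\\x2f\\x2a\\x00"     # "rm -rf ~/*\0"
    "\\x90\\x90"
)

# Fragments a remote daemon exploit has no business carrying in its payload.
DESTRUCTIVE_MARKERS = ("rm -rf", "rm -r ", "mkfs", "dd if=", ":(){")

SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34}


def decode_c_string(literal: str) -> bytes:
    """Decode the text between the quotes of a C string literal into raw bytes.
    Handles \\xNN, octal \\NNN and the common single-character escapes."""
    out = bytearray()
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out.append(ord(ch) & 0xFF)
            i += 1
            continue
        nxt = literal[i + 1] if i + 1 < len(literal) else ""
        if nxt == "x":
            m = re.match(r"[0-9a-fA-F]{1,2}", literal[i + 2:])
            if not m:
                raise ValueError(f"bad \\x escape at offset {i}")
            out.append(int(m.group(), 16))
            i += 2 + len(m.group())
        elif nxt and nxt in "01234567":
            m = re.match(r"[0-7]{1,3}", literal[i + 1:])
            out.append(int(m.group(), 8) & 0xFF)
            i += 1 + len(m.group())
        elif nxt in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[nxt])
            i += 2
        else:
            raise ValueError(f"unsupported escape \\{nxt} at offset {i}")
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like strings(1): every run of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def audit_shellcode(literal: str, min_len: int = 4) -> List[str]:
    """Return the embedded strings that carry a destructive shell command."""
    return [s for s in extract_strings(decode_c_string(literal), min_len)
            if any(marker in s for marker in DESTRUCTIVE_MARKERS)]
```

This only catches plaintext; an encoded or XOR-wrapped payload will pass the check, so a clean result is a reason to disassemble the bytes, not a reason to skip doing so.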