Two weeks ago, an automatic session-hijacking plugin was released for Firefox. It was named Firesheep, and it's been downloaded over 600,000 times so far.
The decision to release Firesheep publicly is a controversial one. On the good side, it's reminded people that some of their common web surfing habits are dangerously insecure. [...]
Since Firesheep demonstrates just how dangerous it is to send session cookies in unencrypted HTTP requests, where anyone on the same network can read them off the wire and replay them, it is likely to push businesses such as Facebook and Twitter to adopt HTTPS for the whole session, not just the login page, much sooner than they might otherwise have done. [...]
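To make the mechanism concrete, here is an added example (not code from the original post, and not Firesheep's own source): a few lines of Python showing what a passive sniffer recovers from one cleartext HTTP request, alongside a Set-Cookie audit that flags session cookies a server issues without the Secure attribute. The captured request and responses are constructed for illustration, and the hostname, cookie names and the SESSION_COOKIE_HINTS heuristic are assumptions.

```python
"""Added example (not part of the original post): what a passive sniffer
recovers from a cleartext HTTP request, and a Set-Cookie audit for the
Secure attribute that stops a browser sending the cookie over plain HTTP.

All traffic below is constructed for illustration; the hostname, cookie
names and the SESSION_COOKIE_HINTS heuristic are assumptions."""
from typing import Dict, List

# Assumed heuristic: substrings that usually mark a session/auth cookie.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def header_values(raw: bytes, name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive) in one HTTP
    message.  A list, because Set-Cookie legitimately repeats."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        hname, sep, value = line.partition(":")
        if sep and hname.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic match on the cookie name (assumed hint list above)."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def sniff_session_cookies(raw_request: bytes) -> Dict[str, str]:
    """The attacker's side: from a request captured off the wire, pull the
    cookies that look like session identifiers.  Replaying them in a new
    request is all a hijack takes; no password is needed."""
    jar: Dict[str, str] = {}
    for header in header_values(raw_request, "Cookie"):
        for pair in header.split(";"):
            cname, sep, value = pair.strip().partition("=")
            if sep and looks_like_session_cookie(cname):
                jar[cname] = value
    return jar


def insecure_session_cookies(raw_response: bytes) -> List[str]:
    """The defender's side: names of session-looking cookies the server sets
    without the Secure attribute.  HttpOnly alone does not help here: it
    hides the cookie from scripts, but it still travels in cleartext."""
    offenders = []
    for set_cookie in header_values(raw_response, "Set-Cookie"):
        parts = [p.strip() for p in set_cookie.split(";")]
        cname = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if looks_like_session_cookie(cname) and "secure" not in attrs:
            offenders.append(cname)
    return offenders


# Constructed sample traffic (not a real capture).
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: locale=en; sess_id=9f3a2b1c7d; csrf=abc123\r\n"
    b"\r\n"
)
# Session cookie without Secure: a browser will happily send it over http://
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sess_id=9f3a2b1c7d; Path=/; HttpOnly\r\n"
    b"Set-Cookie: locale=en; Path=/\r\n"
    b"\r\n"
)
# Secure added: the cookie is only ever sent inside a TLS connection.
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sess_id=9f3a2b1c7d; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: locale=en; Path=/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("sniffed from cleartext request:", sniff_session_cookies(CAPTURED_REQUEST))
    print("session cookies missing Secure (weak):", insecure_session_cookies(WEAK_RESPONSE))
    print("session cookies missing Secure (fixed):", insecure_session_cookies(FIXED_RESPONSE))
```

Run it and the weak response is flagged while the fixed one is clean. The Secure attribute only keeps the browser from volunteering the cookie over plain HTTP; the site still has to serve the whole session over HTTPS, otherwise the cookie simply never reaches the pages it is needed on. Note also that a name-based heuristic like the hint list is a convenience for an audit script, not a guarantee: the reliable approach is to mark every cookie that grants access as Secure.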
On the bad side, those 600,000 downloads of Firesheep are 599,999 more than were strictly needed for the software to prove its point.
The author of Firesheep, Eric Butler, is unrepentant about releasing the tool. He's publicly commented that, "like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends."
He's also aghast that Microsoft has started detecting his software as a potential threat, ranting that "by installing anti-virus, you grant a third party the ability to remove files from your system trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer." [...]
Moral of the story:
* Just because you can write code to prove a point doesn't mean you have to release it.
* If you do release it, you don't have to package it with a one-click install and a use-it-without-understanding-it GUI.
* If you download code which makes anti-social (and probably also illegal) online behaviour easy, don't be anti-social with it.