Last week I did something stupid and I think it's important to own up to it in public---both as a means of penance and as a way of recording mistakes so that they can be avoided in the future by myself and others.
I was testing a piece of security software called WebInspect from SpiDynamics. WebInspect tests web sites for a large number of known security vulnerabilities. The tool inventories the contents of a site and then checks against a set of known vulnerabilities in Web applications. It's a very interesting application and I'll write more about it later. I played around with WebInspect on my own machines for a bit and got to understand a little (read: not enough) about how it worked. Here's where the stupid part comes in. Wanting something bigger to test and having always had some curiosity about the security of utah.gov while I was CIO, I pointed the tool at utah.gov.
I know what you're thinking. In the stark light of day, it seems pretty stupid, but late last Thursday night it struck me as perfectly reasonable. Given the tool's behavior on my much smaller sites, I figured it would run for an hour or so and give me a nice report that I could share with the State and we'd all get something out of it. I forgot about it until the next day when I realized it was still trying to run. Trying because the folks at Utah Interactive, who run utah.gov, had blocked my IP address. I guess I'm pretty dense because even at that point, I failed to see the seriousness of the situation. I figured I'd been trapped by the intrusion detection software on the State network and I'd send a short note to own up to my mistake and we'd get the IP unblocked.
That's when things went downhill: my Internet service stopped working. I called my ISP and realized that someone was taking this much more seriously than I was. Well, to make a long story short, after thinking about it over the weekend, I called Amy at Utah Interactive yesterday and offered her my apology for being a bonehead and causing her organization trouble. From talking to her, I think some people thought it was a denial of service attack, but that's not what the tool does. After my conversation with Amy, I decided that a public apology was in order.
I had no idea that the tool would be as aggressive as it was, but I should have known better than to use it on a production site in any event. My actions were born of ignorance, not malice. Nevertheless, I caused some people quite a bit of trouble and I want to take responsibility for that and say "I'm sorry."