On Sat, 13 Mar 2010 17:12 +0200, "Lars Nooden" <lars.cura...@gmail.com> wrote:

> Brad and Ozgur,
>
> If your file is in the server's document root, then it is published [1]. For whatever reason, a lot of C-Levels act as if they are unclear on that. There is also often the false belief among them that security and usability are mutually exclusive. I don't understand the rules in their fantasy role playing, but facts and (ALL) opinions seem to have equal valence there unlike the real world.
>
> Some of the people who have spent time addressing your question are globally recognized as being top in the area in which you are asking. That makes their answers on the topic quite relevant. Further, there is consensus among the answers.
>
> If for some reason, that is not enough, then it should be noted that what they say is backed up by the specification defining the web traffic you are asking about:
>
> [1] Hypertext Transfer Protocol -- HTTP/1.1. RFC 2616. W3C. (1999)
> http://tools.ietf.org/html/rfc2616
>
> On 2010-3-13 4:18 AM, Brad Tilley wrote:
> > I can make the config change myself.
>
> Or you can submit a patch to the vulnerability scanner and get that fixed rather than trying to break OpenBSD to match the defect in the broken scanner you found somewhere.
Thank you Lars, I understand what you say and I appreciate you taking the time to write. Hiding files or pretending others can't see them doesn't make us more secure.

I guess the real issue is that sometimes people use check lists. Items such as this are on those lists. Technical people are asked to make changes to systems that satisfy the check lists. It's unfortunate, but the actuality of day to day IT sometimes comes down to this. I realize that security outcomes are what is important, not check lists... but we still have to deal with these things as politely and professionally as possible and for me, that is a simple config change.

I appreciate all the feedback.

Brad