httpd-users mailing list archives

From Geoff Thorpe <ge...@geoffthorpe.net>
Subject Re: [users@httpd] Limiting HTTP Methods
Date Thu, 20 Nov 2003 21:00:36 GMT
On November 20, 2003 02:42 pm, Joshua Slive wrote:
> I still maintain that encouraging people to do things like this is
> overall harmful to security.  It is true that few people make use of
> TRACE (though it does have important uses for diagnostics and
> debugging), so it is not very harmful to disable it.  But having
> security professionals waste their time on things like this takes time
> away from real security issues (like making sure all client machines
> are well patched, and auditing cgi/php/java scripts where security
> vulnerabilities are much more likely to live).

And for many "professionals", a few false positives is better than zero
true positives, right? (Particularly when justifying invoices.)

Dumb managers feel that endless diatribes on corporate governance
reporting schemas are "significant value add", just like dumb
administrators feel that endless logs of questionable attack fingerprints
are the hallmarks of a "good audit". Don't forget, these people also tend 
to use those shiny virus scanners that reply to blocked email - after 
all, how else do you show attackers how secure your network is? This is 
the product of a generation of point-and-click ignorance. Thank god for 
Dilbert.

<sigh> Still you gotta laugh.

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

