The Cutting, Biting Edge of Security News

By Larry Seltzer  |  Posted 2007-09-24

Opinion: The key security mailing lists can be almost unbearable to read, but that's where the action is.

eWEEK is, of course, a good place to get security content. One reason is that we wade through the mucky raw materials of security news and give you the important stuff. If you've got the time, or if it's your job, you can also follow those raw materials. Because it's a relatively old field, in the world of security e-mail is still the dominant form of communication. For the general public, if you want to follow the absolute latest in unfiltered security news, there are a few mailing lists you should follow. These lists are the highest-volume sources of security information. Some of them are also high-volume sources of complete garbage. Here are the major ones:
  • Full-Disclosure—Generally the busiest and most "open" of the lists. Don't let your kids subscribe. The site is sponsored and hosted by Secunia, but it doesn't seem to interfere much.
  • Funsec—This list usually has higher-quality discussion than F-D. Owned by security maven Gadi Evron, who moderates with a very light hand.
  • BugTraq—This list features moderated postings, so it has a higher signal/noise ratio. It's "owned" by Symantec, but operated independently as part of the SecurityFocus site. (Click here to subscribe to this or their other lists; beware, not https!)
There are many other security mailing lists, the most famous being the more focused ones on the SecurityFocus site. There can be good stuff on these lists, but some of them are very low volume. There are also many private security mailing lists for professionals with white hats and black. I'm on one of them, but usually they don't want "press" people anywhere near them.
Full-Disclosure is really the prototype list. Anything goes, including personal attacks and racist rants. I'm serious, it gets ugly now and then. Consider a recent thread announcing another new vulnerability in Acrobat Reader. The post was made simultaneously to F-D and BugTraq. Here are the official archives of the thread on F-D and BugTraq.
But there's also an unofficial archive, run on, which archives many security mailing lists. Looking at that guy's archive you can see several messages that I remember from the actual e-mail exchange, containing personal attacks on posters with juvenile insults. In fact, they are led by a famous F-D pain in the @$$. BugTraq mailings are moderated, so if that's all you read you wouldn't have seen any of this.

But if BugTraq is all you read, you'd miss a lot. First, the moderation introduces a delay which sometimes seems to take a day or so. In a way it's like reading the Washington Post as opposed to having Fox News on the TV. Do you really want to read today's news tomorrow morning? Do you really want to watch Fox News? Another problem with BugTraq lately is that if you ever post to it you'll get a dozen or more bounce messages, vacation messages and other annoying trash. It's not a very clean list.

Funsec started out trying to be about "fun" things in security, but it's really just a general topics list for people involved in security. It's passively moderated; start making trouble and you can be unsubscribed, especially if you bring up unrelated political arguments. But messages go through without filtering.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
