If youve got the time, or if its your job, you can also follow those raw materials. Because its a relatively old field, in the world of security e-mail is still the dominant form of communication. For the general public, if you want to follow the absolute latest in unfiltered security news, there are a few mailing lists you should follow.
These lists are the highest-volume sources of security information. Some of them are also high-volume sources of complete garbage. Here are the major ones:
- Full-Disclosure—Generally the busiest and most "open" of the lists. Dont let your kids subscribe. The site is sponsored and hosted by Secunia but it doesnt seem to interfere much.
- Funsec—This site usually has higher-quality discussion than on F-D. Owned by security maven Gadi Evron who moderates with a very light hand.
- BugTraq—This site features moderated postings, so it has a higher signal/noise ratio. Its "owned" by Symantec, but operated independently as part of the SecurityFocus site. (Click here to subscribe to this or their other lists (beware, not https!).
Full-Disclosure is really the prototype list. Anything goes, including personal attacks and racist rants. Im serious, it gets ugly now and then. Consider a recent thread announcing another new vulnerability in Acrobat reader. The post was made simultaneously to F-D and BugTraq. Here are the official archives of the thread on F-D and BugTraq.
But theres also an unofficial archive, run on seclists.org, which archives many security mailing lists. Looking at that guys archive you can see several messages that I remember from the actual e-mail exchange, containing personal attacks on posters with juvenile insults. In fact, they are lead by a famous F-D pain in the @$$. BugTraq mailings are moderated, so if thats all you read you wouldnt have seen any of this.
But if BugTraq is all you read, youd miss a lot. First, the moderation introduces a delay which sometimes seems to take a day or so. In a way its like reading the Washington Post as opposed to having Fox News on the TV. Do you really want to read todays news tomorrow morning? Do you really want to watch Fox News? Another problem with BugTraq lately is that if you ever post to it youll get a dozen or more bounce messages, vacation messages and other annoying trash. Its not a very clean list.
Funsec started out trying to be about "fun" things in security, but its really just a general topics list for people involved in security. Its passively moderated; start making trouble and you can be unsubscribed, especially if you bring up unrelated political arguments. But messages go through without filtering.