The Cutting, Biting Edge of Security News

Opinion: The key security mailing lists can be almost unbearable to read, but that's where the action is.

eWEEK is, of course, a good place to get security content. One reason is that we wade through the mucky raw materials of security news and give you the important stuff.

If youve got the time, or if its your job, you can also follow those raw materials. Because its a relatively old field, in the world of security e-mail is still the dominant form of communication. For the general public, if you want to follow the absolute latest in unfiltered security news, there are a few mailing lists you should follow.

These lists are the highest-volume sources of security information. Some of them are also high-volume sources of complete garbage. Here are the major ones:

  • Full-Disclosure—Generally the busiest and most "open" of the lists. Dont let your kids subscribe. The site is sponsored and hosted by Secunia but it doesnt seem to interfere much.
  • Funsec—This site usually has higher-quality discussion than on F-D. Owned by security maven Gadi Evron who moderates with a very light hand.
  • BugTraq—This site features moderated postings, so it has a higher signal/noise ratio. Its "owned" by Symantec, but operated independently as part of the SecurityFocus site. (Click here to subscribe to this or their other lists (beware, not https!).
There are many other security mailing lists, the most famous being the more focused ones on the SecurityFocus site. There can be good stuff on these lists, but some of them are very low volume. There are also many private security mailing lists for professionals with white hats and black. Im on one of them, but usually they dont want "press" people anywhere near them.

Full-Disclosure is really the prototype list. Anything goes, including personal attacks and racist rants. Im serious, it gets ugly now and then. Consider a recent thread announcing another new vulnerability in Acrobat reader. The post was made simultaneously to F-D and BugTraq. Here are the official archives of the thread on F-D and BugTraq.

But theres also an unofficial archive, run on seclists.org, which archives many security mailing lists. Looking at that guys archive you can see several messages that I remember from the actual e-mail exchange, containing personal attacks on posters with juvenile insults. In fact, they are lead by a famous F-D pain in the @$$. BugTraq mailings are moderated, so if thats all you read you wouldnt have seen any of this.

/zimages/5/28571.gifA security analyst learns the lingo and gains cyber-crooks trust to penetrate the phishing underworld. Click here to read more.

But if BugTraq is all you read, youd miss a lot. First, the moderation introduces a delay which sometimes seems to take a day or so. In a way its like reading the Washington Post as opposed to having Fox News on the TV. Do you really want to read todays news tomorrow morning? Do you really want to watch Fox News? Another problem with BugTraq lately is that if you ever post to it youll get a dozen or more bounce messages, vacation messages and other annoying trash. Its not a very clean list.

Funsec started out trying to be about "fun" things in security, but its really just a general topics list for people involved in security. Its passively moderated; start making trouble and you can be unsubscribed, especially if you bring up unrelated political arguments. But messages go through without filtering.

Next page: Are Blogs the Future of Security Lists?