eWEEK is, of course, a good place to get security content. One reason is that we wade through the mucky raw materials of security news and give you the important stuff.
If you’ve got the time, or if it’s your job, you can also follow those raw materials. Because it’s a relatively old field, in the world of security e-mail is still the dominant form of communication. For the general public, if you want to follow the absolute latest in unfiltered security news, there are a few mailing lists you should follow.
These lists are the highest-volume sources of security information. Some of them are also high-volume sources of complete garbage. Here are the major ones:
- Full-Disclosure—Generally the busiest and most “open” of the lists. Don’t let your kids subscribe. The site is sponsored and hosted by Secunia but it doesn’t seem to interfere much.
- Funsec—This site usually has higher-quality discussion than on F-D. Owned by security maven Gadi Evron who moderates with a very light hand.
- BugTraq—This site features moderated postings, so it has a higher signal/noise ratio. It’s “owned” by Symantec, but operated independently as part of the SecurityFocus site. (Click here to subscribe to this or their other lists (beware, not https!).)
There are many other security mailing lists, the most famous being the more focused ones on the SecurityFocus site. There can be good stuff on these lists, but some of them are very low volume. There are also many private security mailing lists for professionals with white hats and black. I’m on one of them, but usually they don’t want “press” people anywhere near them.
Full-Disclosure is really the prototype list. Anything goes, including personal attacks and racist rants. I’m serious, it gets ugly now and then. Consider a recent thread announcing another new vulnerability in Acrobat Reader. The post was made simultaneously to F-D and BugTraq. Here are the official archives of the thread on F-D and BugTraq.
But there’s also an unofficial archive, run on seclists.org, which archives many security mailing lists. Looking at that guy’s archive you can see several messages that I remember from the actual e-mail exchange, containing personal attacks on posters with juvenile insults. In fact, they are led by a famous F-D pain in the @$$. BugTraq mailings are moderated, so if that’s all you read you wouldn’t have seen any of this.
But if BugTraq is all you read, you’d miss a lot. First, the moderation introduces a delay which sometimes seems to take a day or so. In a way it’s like reading the Washington Post as opposed to having Fox News on the TV. Do you really want to read today’s news tomorrow morning? Do you really want to watch Fox News? Another problem with BugTraq lately is that if you ever post to it you’ll get a dozen or more bounce messages, vacation messages and other annoying trash. It’s not a very clean list.
Funsec started out trying to be about “fun” things in security, but it’s really just a general topics list for people involved in security. It’s passively moderated; start making trouble and you can be unsubscribed, especially if you bring up unrelated political arguments. But messages go through without filtering.
Are Blogs the Future of Security Lists?
You’d think blogs would have taken over security news and there are a large number of important security blogs out there. But there’s nothing that publishes with the frequency of F-D or Funsec. Since blogs are usually the product of an individual they usually have a narrower focus. Here are some of my favorite security blogs:
- Bruce Schneier’s Schneier on Security—Schneier has a very good head for cryptography. Gets political a lot, talks about privacy.
- Exploit Prevention Labs—A vendor of browser security products, written by Roger Thompson, who is well-known in anti-malware circles.
- F-Secure Anti-Virus Research Weblog—A leading European AV vendor; a good, active blog.
- Jesper’s Blog—Jesper is a long-time Windows security guy and author of many books.
- Matasano Chargen—Matasano Security is a tools and consulting company. A bold and interesting blog.
- Symantec Security Response Weblog—I’m leery of it since it’s Symantec’s official blog and they don’t allow comments, but there’s interesting stuff here. Better than the other big security company blogs.
- SunbeltBlog—Sunbelt Software, security product company. Great blog.
- Uninformed.org—Really advanced research
Personally I think that mailing lists like BugTraq should move to a blog format so that I can use RSS to get better control over them. It also adds a better authentication system to posting. This would be anathema to those who run, and believe in, Full-Disclosure.
You can also use digest mode to try and manage the trash. I don’t think digests are useful; it’s too hard to figure out what’s worth reading.
One last plea: If you’re reading security lists, even moderated ones, don’t make the mistake of being credulous. People make mistakes and make things up all the time. Respectable news sources report unverified claims on these lists every now and then and they turn out to be untrue, or maybe not as true as they were claimed to be. Be skeptical until you see verification.
Most of you are better off staying away from all of this. It’s our job to read it so that you don’t have to. Unless it’s really your job to stay totally on top of security issues, you’re better off reading a novel or the sports page.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.