Where do you go to get your security news?

Anyone who's hung around me for a while knows that I'm a bit of a security geek.  As such, I try to keep up on what's going on in the industry and try to keep current on what's going on in the vulnerability research community.

Yesterday, someone in my division asked me where I go to get my security-related news.


I thought about it a bit, and came up with a couple of places:

First off, there are a number of internal mailing lists I'm on; lots of times, other people post interesting stuff to them.

I also lurk on a couple of the mailing lists related to vulnerability disclosure (full-disclosure, bugtraq), although I find that the noise-to-signal ratio is somewhat high on them.

And I read Slashdot - again, a high noise-to-signal ratio, but the discussions can be quite fascinating (seriously).

For blogs, I read (in no particular order)

Matasano Chargen - consistently interesting reading about a relatively wide range of vulnerability-related topics

rdist: setuid - Nate Lawson's blog. 

Skywing - Ken Johnson's blog - he does some fascinating research into reverse engineering.

Emergent Chaos - Adam Shostack and friends

Bunnie Huang - What can I say about a guy who has a scanning electron microscope in his living room? 

Bruce Schneier - I don't agree with a lot of what he says, but he's always interesting.

Jesper Johansson - Always interesting, doesn't post enough 🙂

Michael Howard and David LeBlanc - these guys literally wrote the book on writing secure code 🙂

Jeff Jones - He does MAD Statistics.

Alun Jones - Not much to say except "always interesting" (but then again everyone on this list fits into that category).

Mark Russinovich - Newly at Microsoft, does great "why does this happen?" tutorials where he shows end-to-end how he troubleshoots problems.

I'm sure I've got others, but those are a good overview...


Edit: Sorry Skywing 🙂 

Edit2: Fixed Alun Jones link.


Comments (15)

  1. Skywing says:

    Oh, wow, didn’t know you read Nynaeve.  Nice 🙂

    BTW, it’s Ken Johnson, not Kevin Johnson.. 🙂

  2. Anonymous says:

    Interesting. You’re the first smart person I’ve encountered who doesn’t think Schneier is pretty definitive on security-related topics. (http://geekz.co.uk/schneierfacts/, for example 😉 )

    I’m curious about what the nature of your disagreement is…

  3. Anonymous says:

    > Bruce Schneier – I don’t agree with a lot of what he says, but he’s always interesting.

    How can you disagree with Bruce Schneier and maintain security self-respect? What are your particular issues?

  4. Anonymous says:

    And the URL to "Alun Jones" Blog has typo. It’s msmvps.com not wsmvps.com.

  5. Anonymous says:

    I generally find myself agreeing with Schneier. Care to elaborate on where you part company with him?

    Also, Ken, Matt Miller (skape), and a talented group of others regularly publish in uninformed (uninformed.org). Pretty technical / long papers, but some real gems there.

  6. Anonymous says:

    I subscribe to F-Secure's weblog feed for my small security news needs 🙂

  7. Anonymous says:

    I just keep an RSS feed on milw0rm.

  8. Anonymous says:

    I don't think disagreeing with Schneier is that hard to conceive. (His famed ability to divide by 0 aside), he has also gone on record saying things like "I used to think crypto was the answer.. it clearly is not" (a good indication, I guess, that anyone who disagreed with him between his starting point and his realization would at least by his current perspective be proven correct.)

    His question on "do we need a security industry" a few months after selling his security company also raised a few eyebrows..

    Take nothing away from him, he is a smart man with interesting thoughts (which I guess is why the author reads him) but he is human, fallible, comes with his own personal biases, and I suspect will be the first person to tell you that you shouldn’t be blindly following _any_ authority figure..

  9. Anonymous says:

    Schneier did pretty uncritically link to the Gutmann DRM paper. I could see how one could find Schneier in a different light after giving airtime to that tripe.

  10. Anonymous says:

    > Edit: Sorry Skywing 🙂

    Unnecessary ^_^

    If he wanted people to remember his real name, he wouldn’t use a pseudonym ^_^

    Hmm, I wonder if I should use a pseudonym.  rwx—rwx.

  11. Anonymous says:

    Friday’s post about security blogs apparently contained a bit of unintended controversy. When describing

  12. Skywing says:

    Norman:  I typically go by both.  The reason I don’t drop the pseudonym (other than that I happen to like it) is that a lot of people know (or knew) me by it exclusively.

  13. Anonymous says:

    Norman, the way you’re always complaining about MSDN Japan, your pseudonym should really be rwxrwx—.

  14. Anonymous says:

    Shodan recommends unsigned kernel-mode drivers.
