polict.net / blog /

Old tools to keep up with technical security news

November 7, 2020

tl;dr

using rss/atom feeds might save you time

Too many mediums

Almost a year ago, I felt it was getting increasingly difficult to keep up with the news: twitter, reddit, medium, youtube, telegram, hackernews, custom blogs, git repositories, issue trackers, bug hunting platforms, conferences material, advisories – and I’m pretty sure I’m missing a few – are all useful sources for news and know-how, but checking all of them is expensive timewise. I think many people can relate to this situation, that’s why I chose to write about the alternative coming from the past I have been testing these months.

At first I chose to create a sheet with the blogs I considered interesting to routinely check and focus on twitter, but it still wasn’t a decent improvement. So I kept searching.

RSS and Atom

Some days later I noticed on some website an icon I haven’t seen for a looong time and wondered if there was anybody still using RSS: since it’s a relatively old technology, I expected only nerdy and forgotten websites would have kept using it.

(yes, google had an app for RSS feeds and discontinued it some years ago ☠️).

Instead, it turned out that it’s still widely used and many blogging frameworks (wordpress, blogspot/blogger, medium, …) make it available by default, so even without the blog owner consciously knowing it, it’s available to readers. That’s exactly what I was looking for.

digression: XXE, SSRF and XSS issues

The first second time I thought about RSS I wondered whether any client/service could be vulnerable to XXE, SSRF or XSS: the first candidates coming to mind when third-party XMLs, URLs and contents are handled. Honestly I didn’t invest any time to check, but I wouldn’t be much surprised – let me know if anybody looks into this! 👽

Signal/noise/time ratio

So far I’m satisfied, signal/noise ratio is better than twitter and that’s already a win, plus I have missed only a couple of on-twitter-only discussions but generally interesting news spread to at least one of the other feeds/sources. In a specific case it even happened that I read the blogpost before the writer published and shared it, because the blogging framework already “leaked” the private URL in their feed. 😂

Unfortunately not everything I follow exposes a RSS/atom feed, for example monorail doesn’t (yet?), but some workarounds are possible, such as those “Saved queries” they mention, or RSS generators for twitter timelines.

That being said the situation is way more manageable than previously and I’m sure many other people in the community have already been doing this, thought I couldn’t find it mentioned – but if you have a simpler approach do let me know! 🙂

URLs

In case you are interested, here you can find the public sources I’m following: most of them are well known but I think people new in the community will benefit from having it.

(Note: the list reflects my interests at the moment, so for example research focused on Microsoft Windows is missing.)

Until next time and stay safe! 🤟🏼