On 10 Weeks of Security Longreads

August 6, 2014

I’m an avid reader and particularly enjoy long, in-depth pieces. I was an early subscriber to Longreads (when it was just a Twitter feed). As a security professional who subscribed to a bunch of newsletters and Twitter feeds, there were very few in-depth pieces. Brian Krebs of Krebs on Security was one of the few exceptions — in fact his short posts were longer than most security articles.

While my Pocket reading list is a nice curated collection of longreads, I was struggling to find a pretty way to build the newsletter. Along came Goodbits, which made it incredibly easy to publish the Security Longreads. And so, ten weeks ago I began publishing the Security Longreads newsletter. [Look right and subscribe!]

On Finding Long Reads

I knew this effort would take a little curation, but I am surprised at how few organizations are investing in long-form security journalism. My bar for a long read is actually pretty short. Five minutes, which by most accounts isn’t a very long read — it’s not unusual to find an 8000 word, 30 minute read on longreads.com.

In a typical week, Wired.com and NYTimes.com are the two organizations generating the most options for security long reads. Both are investing in the information security space, and it shows in the quality and depth of the reporting.

It’s also amazing how many organizations re-report on others’ original work. This week’s 11th longreads newsletter will feature a piece from the New York Times on a Russian gang which has amassed a billion passwords. The piece appears to have started from a press release by Hold Security which the New York Times picked up but added to the report:

At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

A wide variety of websites picked up the NYT piece and rewrote it, linking back to the original NYT article. I find it fascinating how many articles get posted requoting the original report.

While sometimes I fail, I always try to find the original long-form report for the newsletter.

On Technical versus Non

It’s called the Security Longreads. I figured there would be reporting for both a mainstream and technical audience — both would be included. I was surprised to see a greater emphasis on the extremes — very technical and very not. If someone is stealing personal information, it’s worth an in-depth article. Passwords missing? Let’s report on it. Tor broken? Let’s write such a technical dissertation that it requires a PhD to comprehend.

It’s certainly been a challenge to find the right balance of articles that appeal to a wide variety of technical backgrounds.

On the Schulman Bias

There are a ton of interesting topics to read each week. I try to distill it down to 3 great reads. What’s great? I try to think beyond what I like. The data beyond the newsletter points to obscurity over anything else. The less reported the piece, the greater the clicks. Second to obscurity are the “Other Reads” which are non-security articles I find worth reading. I spend most of my day job thinking about application security and understanding developer behaviors. For the last few weeks, I’ve posted a bunch of articles about developers and developing apps.

This week: Staring at your screen all day.

One thing I try to avoid — getting sucked into the BuzzFeed “21 security things you should read today.” Otherwise I would have called this post Three reasons my security longreads is great.

Here is the complete list of the first ten weeks of Security Longreads: