
Computer & Information Security Research Repository

a Gamayun Project

About Gamayun & CISRR

The Gamayun is a creature from Slavic mythology that had access to all knowledge.

The Gamayun Corporation ("Gamayun") is a (pending) 501(c)(3) focused on leveraging security research in all its forms and from all sources in order to serve the public good. It will accomplish its mission primarily through the creation and operation of the Computer and Information Security Research Repository (CISRR - "scissor").


"Why did you decide to start Gamayun in the first place?"

Anger

OK, the word frustration is probably more appropriate, but the bottom line was I'd heard one too many practitioners come up with this 'totally new' idea...that was really something someone else had come up with five years prior, that was an extension of something someone else had done 10 years before that, and so on. I've been witnessing the same phenomenon happen month after month, year after year, for over 20 years and wondering why it kept happening. Did nobody study our history? Did they even know we had a history? We pride ourselves on being scientific, but we're the least scientific in nature when it comes to some basic practices.

One obvious contributing factor to this situation is that unlike a lot of other fields of study, anyone can buy a computer, learn some code, and start to poke around in the innards of software and hardware. It is a little more difficult to become a basement bio-chemist or nuclear physicist, what with the expense associated with equipment and supplies, and the questions from the FBI about the supplies...and the EPA about the leftovers.

As a discipline we're also relatively small. Practically an also-ran to our big brothers in computer science and engineering. And that's just the academic side of things; there are thousands of independent researchers whose work might look something like an academic paper, but it is more likely to be a hastily assembled slide deck and some cryptic speaker notes. Sure, it's the work that counts, but more than you and three other people need to be able to understand and repeat what you did.

If you want to be a PhD in physics, you can look up all the physics, in a reasonable amount of time, and find a sliver of a slice of a subject that hasn't been tackled. If you want to break ground in cybersecurity, your ability to have a comprehensive understanding of what came before is so handicapped as to be nearly impossible. Don't take my word for it: ask any major security conference CFP board what percentage of submissions are someone stumbling unawares onto the work of someone who came before. Come at it from the other direction: ask a random security researcher who Donn Parker, Carole Jordan, or Peter Neumann are. The answers are going to be "a lot" and blank stares, respectively, because we do a terrible job of preserving our history and promulgating lessons learned.

Without a concerted effort to capture security research and make it accessible, we run the risk of outright forgetting what came before. Conferences (and their proceedings) come and go. People take down web sites and GitHub repos for various reasons. The Wayback Machine doesn't capture everything, and we shouldn't have to rely on a general purpose archiving effort to preserve such an important set of information. If we have a talent shortage in this field, shouldn't we be doing everything we can to ensure that rare talent spends its time working on the novel, or making substantial new contributions, vice stunt hacking and reinventing the wheel?

What's in it For You?

  • If you're a researcher, we want to be able to give you a high level of confidence that you know what the state of the art is, and can plan your endeavors and spend your energies accordingly.
  • We also want to help ensure your findings reach as wide an audience as possible, and that your work is discoverable in perpetuity.
  • If you fund research, we want to give you a high level of confidence that your investments are wise ones.

The Unglamorous Life

Building and maintaining an archive is probably the least exciting thing one can do in any field, but based on early feedback it is something that is clearly needed. Given the ubiquity of computer technology in our lives, and the persistence of connectivity, can we really afford not to make the effort? Do you want to see us keep doing what we've been doing and hoping that the results will change this time, or do you want to try something different?

My name is Mike, and I've been involved in security in one way, shape, or form for almost 30 years. I'm done wishing and hoping someone else would do what needs to be done on this issue. If any of this resonates with you and you want to support the cause, check out our requirements page.


Preserve & Respect History | Focus Scarce Resources | Accelerate Solutions