OK, maybe if I'm being generous the word frustration is more appropriate, but the bottom line was I'd heard one too many relatively young practitioners come up with this 'totally new' idea...that was really something someone else had come up with five years prior, that was an extension of something someone else had done 10 years before that, and so on. I've been witnessing the same phenomenon happen month after month, year after year, for over 20 years and wondering why it kept happening. Did nobody study our history? Did they even know we had a history? We pride ourselves on being scientific, but we're the least scientific in nature when it comes to some basic practices.
One obvious contributing factor is that unlike a lot of other fields of study, anyone can buy a computer, learn some code, and start to poke around in the innards of software and hardware. It's a little more difficult to become a basement biochemist or nuclear physicist, what with the expense associated with equipment and supplies, and the questions from the FBI about the supplies...and the EPA about the leftovers.
As a discipline we're also very small. Practically an also-ran to our big brothers in computer science and engineering, which is why we don't have our own dedicated repository. And that's just the academic side of things; there are thousands of independent researchers whose work might look something like an academic paper, but it is more likely to be a hastily assembled slide deck and some cryptic speaker notes. Sure, it's the work that counts, but what's the point of publishing research findings if only you and two other people can figure out what you're talking about?
If you want to be a PhD in physics, you can look up all the physics, in a reasonable amount of time, and find a sliver of a slice of a subject that hasn't been tackled; if you want to break ground in cybersecurity, your ability to have a comprehensive understanding of what came before is so handicapped as to be nearly impossible. Don't take my word for it: ask any major security conference CFP board what percentage of submissions are someone stumbling unawares onto the work of someone who came before. Come at it from the other direction: ask a random security researcher who Donn Parker, Carole Jordan, or Peter Neumann are. The answers are going to be "a lot" and blank stares, respectively, because we do a terrible job of preserving our history and promulgating lessons learned.
Without a concerted effort to capture security research and make it accessible, we run the risk of outright forgetting what came before. Conferences (and their proceedings) come and go. People take down web sites and GitHub repos for various reasons. The Wayback Machine doesn't capture everything, and we shouldn't have to rely on a general-purpose archiving effort to preserve such an important set of information. If we have a talent shortage in this field, shouldn't we be doing everything we can to ensure that rare talent spends its time working on the novel, or making substantial new contributions, vice stunt hacking and reinventing the wheel?
Building and maintaining an archive is probably the least exciting thing one can do in any field, but based on early feedback it is something that is clearly needed. Given the ubiquity of computer technology in our lives, and the persistence of connectivity, can we really afford not to make the effort? Do you want to see us keep doing what we've been doing and hoping that the results will change this time, or do you want to try something new, no matter the lack of sex appeal?
My name is Mike, and I've been involved in security in one way, shape, or form for almost 30 years. I'm done wishing and hoping someone else would do what needs to be done on this issue. If any of this resonates with you and you want to support the cause, check out our requirements page. If you just want to sound off, please feel free to contact us at your convenience: we'd love to hear from you.