So, I lost it on the birdsite reading yet another ego-tripping security researcher pulling water to something they wrote two years ago about a concept developed in the 1980s.
https://twitter.com/cynicalsecurity/status/862637099215880193
This stuff whereby all old stuff is ignored and re-invented with more holes than the original (e.g. "cloud computing") is really demoralising.
Don't people read anything except stuff no more than one week old? Is "research" no longer taught?
@cynicalsecurity To be fair: It is entirely normal in the scientific process for stuff to be invented, forgotten, reinvented under different name, forgotten again, buried in wet mud for a few years, used as paper airplane, and eventually taught in universities as trivial.
See the many times automatic differentiation was invented. Or anything else, really.
Even if you try, literature research is hard, and a surprising amount of pre-late-90s-research isn't available in indexable form.
@HalvarFlake literature research is hard but the ego-tripping that comes with reinvention in ITsec is rather unique.
All these people claiming to have the perfect design totally ignoring what came before them?
Seriously, how can you talk "stateless computing" without knowing about VNC's past: it isn't exactly hidden nor is it impossible read about it.
I'll agree that some stuff from the 90's is hard, not to mention 70's and 80's but it can be done.
While I agree that it is normal in...
@HalvarFlake scientific process for stuff to be invented & reinvented there does not seem to be a marketing-led involution like there is in computing and ITsec in particular.
The techniques are worsening, not improving, there is a stagnation of research into new stuff and an acceleration towards cheaper, weaker reimplementations.
It really smells of profit-driven research to me.
@cynicalsecurity So I think this is a general trend, both in infosec and academia. The fallacy "what doesn't get measured doesn't get managed" led to the creation of proxy metrics, which then "became the goal".
The salami-slicing of results in academic publication has gotten quite dramatic - e.g. a small paragraph in a 2003 USENIX paper is tooday worth a full paper.
On the infosec side: A lot of it is due to the ridiculous growth of the industry. At a 20%+ growth rate, infosec doubles in ...
@cynicalsecurity ... less than 4 years, which means at least half of infosec at almost any point has been doing this for *less* than 4 years. In general, there are *very* few experienced infosec people around, and those few that are around get swamped in trying to impart a bit of their experience.
Infosec-wise: A lot of things have existed before, but are poorly documented, not documented, lost to the internet's amnesia for non-cat-videos, or difficult to surface.
Also: For academic papers,..
@cynicalsecurity ... exhaustive bibliographies are explicitly not wanted - e.g. there are surveys, which need to be exhaustive, and there are research contributions, which cite the most relevant bits. The trouble is that CS's conference culture (vs. maths journal culture) means that surveys of the state of the art and systematization-of-knowledge doesn't happen nearly enough -- see the lack of papers comparable to the heap survey Sean Heelan surfaced recently.
So yeah, everything that has ....
@cynicalsecurity ... been done gets redone, and it is frustrating - but the right response is to point people to the previous work, not be smarting about it :-)
There's an old performance artist who is a prof in Muenster, who has done all sorts of things since the 60s. At one point, his students noticed that a lot of modern performance art had a predecessor in one of his performances, and printed stickers: "Didn't XYZ do this already?" - which then became 'viral' in the early 2000s and a bit ..
@HalvarFlake I have been desperately trying to educate people about the historical aspects of computing. I can probably even dig out someone who remembers me discussing the finer points of the i432 processor in Hillsboro while explaining current processor design fallacies...
The problem is that, at least in infosec, I find a lot more of the "old stuff: irrelevant" culture which does (did not?) permeate, say, Mathematics.
After a while saying "oooh, how exciting" ironically becomes sadly normal
@HalvarFlake So, yes, I have become a cynical curmudgeon because I can't find anyone willing to listen about past designs to "build upon the shoulders of giants".
How can I accept someone allegedly known as a smart cookie getting all excited because Windows 10 on ARM emulates x86?
Emulation has been around in forever, let's discuss the monumental decision by Microsoft to make Windows 10S a gated community instead.
@HalvarFlake but no, "emulation, so sexy!".
Do we start with the S/36 requirement that 1401 software run unchanged and the emulation built in there? Move on to the Tandem ports which still ensure original Cyclone code runs unmodified? Discuss how each subsequent model of Cray was emulated on its predecessor? No, we discuss "wow ARM emulates x86" in 2017 and not even in the context of "how can we turn this into a security feature"!
I find this depressing and yes, perhaps literature reviews...
@HalvarFlake are what is missing from CompSci and especially InfoSec, perhaps youthful exuberance, but we do live in an era where even Karger's 1974 security evaluation of Multics can be found with Google and sci-hub allows us to bypass ridiculous publisher fees.
So, I think we are not teaching the younger generation how to look for stuff. This is something my dad taught me from the youngest age and I feel we are spoonfeeding too much instead of teaching.
This worries me.
@cynicalsecurity How about a reading list of good papers / resources to read about historical security research? Right now, the best thing we have is Daniel Bilar's memory ;) and Haroon's talk about the history of memory corruptions.
I agree with Mara: Infosec needs a proper library culture. And reading lists for history.
I <3 reading CS history myself, but most CS profs (especially younger, not long-tenured) do not read history :-/
@csirac2 if you are interested in the picoJava processor then read the history of the Western Digital Pascal microEngine, running a WD9000 processor executing p-code natively (p-code being the intermediate product of the UCSD Pascal compiler) https://en.wikipedia.org/wiki/Pascal_MicroEngine https://randoc.wordpress.com/2014/05/01/western-digital-pascal-microengine-wd900/
https://www.brouhaha.com/~eric/retrocomputing/wd/microengine/
http://www.mwigan.com/mrw/7_WD_MicroEngine.html
I like the history. It's a shame so few of the up and coming folks want to learn about it :-(
@HalvarFlake @cynicalsecurity I am one of those young infosec people mentionned earlier in the thread, and I'd totally love this kind of compilation.
Not that it's a problem to do literature research, sometimes you just don't have enough experience/general infosec knowledge to judge whether an 80-era paper could still be relevant today, or was relevant at the time.
@Harvesterify Well, I cannot answer for @HalvarFlake but you can definitely try asking me (amongst others) for "has this been done before, do you know anything about it?".
I might or I might not but asking has never hurt anyone (or, if it has, then that is bad on the part whoever did so in ITsec).
It really is - because they're trying to "disrupt" with things that can be relied upon for continual income streams, but the fundamentals of how they work really don't change that much because things that work...well, work.
cynicalsecurity ->@bsd.network
peter hessler - inactive
Tanuki
donb
HalvarFlake
Paul Harvey
Munin, Keeper of Lore
Harvester