The always interesting Jon Katz has recently posted a number of thought-provoking articles on the state of computer- security research and some problems therein. (See here and the follow-up here.) I have my own thoughts on the general issue (which I will post about later) but wanted to quickly reply to one particular suggestion from the comments: that we don't need journals, or at least we don't need paper journals.

In reply, I would like to state as clearly and as emphatically as I can: we need paper journals. Why? Because we are not the end of history.

There will be future generations of researchers, they will (we hope) want to build on our work, and so they will need to be able to find our work. We have a responsibility to future generations of researchers (and those who would benefit from such research, which is everyone) to make our research as available in fifty years and a hundred years and two hundred years as it is today. We have an obligation not only to disseminate our papers but also to archive them in a stable and durable way-- and that means paper journals.

Don't believe me? Let me tell you a little story. I have been honored to serve the Computer Security Foundations Workshop/Symposium as Publications Chair for the past eight years or so. (I honestly lose count.) On one of those years (2002) we celebrated our fifteenth anniversary and wanted to mark the occasion by issuing a CD with electronic copies of all papers from all fifteen of those years. Fortunately, the previous Publications Chair (Joshua Guttman) had kept an electronic archive of papers from year eight (1995) until I took over. So, we only needed to collect electronic copies of years one (1988) through seven (1994). And as Publication Chair, it was my responsibility to contact all of the relevant authors to request any electronic copies they might have. I forget the exact figures (or even the rough ones) but this entailed contacting roughly 150 to 200 authors about 100 to 125 papers. Wanna guess how many electronic copies I received?

Less then five.

Instead, I received excuse after excuse like the following:

  • "I'm sorry, but I can't find the files any more."
  • "I'm sorry, but it seems those files were improperly restored after a drive-crash two years ago."
  • "I'm sorry, but I changed jobs and don't have access to those files any more."
  • "I'm sorry, but I don't have a device that can read the relevant disks any more."
  • "I'm sorry, but all the relevant computers burned up years ago." (Really. I got this one).

Effectively, more than 95 percent of these papers had ceased to ceased to exist in electronic form. We had to scan in the papers from paper copies of the proceedings.

The big lesson I extracted from this is that we do not know how to archive papers in electronic format yet. We do know how to archive papers, though: we print them out on paper (acid-free paper, no less) and put copies in as many libraries in as many universities in as many countries on as many continents as we can. We know how to archive paper. We've been doing it for centuries. Electronic formats? Not so much.

The situation may have improved since 2002, sure. The PDF format seems fairly stable, and there are lots of free readers for it. And there are good reasons to augment paper journals with on-line databases that allow you to search based on meta-data. But that's not the issue-- the issue is whether we still need paper journals. And if that's the question, the answer is 'yes'. We have an obligation to archive our work using the most reliable, well-understood and poven technology we know of, and right now, that's paper.

(If you need further convincing, I issue you a little challenge. Go to your university library and find the oldest journal they actually still have on the shelf. Now, go into your own archives and find the oldest non-ASCII printable document (Word, TeX, nroff, etc.) that you can print right now, on your current computer system, without translation or updating. Is it actually the oldest such file in there?)