[nibbleshifter]

Most of the actually groundbreaking and useful research in security happens out of necessity in the industry as opposed to in academia, where they seem to rediscover things that are widely known in the hacker community a few years later.

[m000]

I would argue that the industry may stumble upon a security-related issue first. But stumbling, and being aware of something is not research.

Anecdotally, I vividly remember industry people showing up in academic conferences, bragging how they knew everything about bit-flips already. They didn't. They just happened to know to be aware of the phenomenon, and smart enough to understand that it should have security implications of some kind. But that's not research.

[nibbleshifter]

A good amount of the industry has dedicated research departments these days. At least, the better consultancies have.

As for the bitflips example, are you talking about Rowhammer? That and the CPU side channel issues are the kind of area academia really tends to do great work on.

Where I find academia incredibly disappointing is in areas like covert channels - there's a fucking paper mill in Israel that keeps shitting out implausible "covert channel" research.

Also stuff like memory corruption techniques - academia seems to spend a lot of its time reinventing shit that has been done to death in industry or even has papers in Phrack.