Laurie Wired - Cybersecurity "Experts" suck at coding. It's a problem.


This is interesting, but it makes me really sad. She is explaining how the whole cyber-security industry works (or doesn't). It's sad because people who have enough talent and technical skill to do this work (even if most of the people in the industry don't!) could be so much more profitably employed if they were working on actually creating something that does something useful, which we desperately need. Instead, this is what they do, presumably because nobody who actually wants to do the stuff we need has any money to pay them to do it. That looks like quite a good driving game, ... 

If you want to see how languages and programming should be done, read the preface and introduction to The Definition of Standard ML (Revised):

Then in the introduction:

The point I'm trying to make is that language definition is a mathematical exercise, and takes the form of a series of mathematical definitions and proofs, and these objects are entirely formal, which means they have a definite well-understood structure which makes them ideally suited to being  rendered in a machine readable form. So another program, perhaps even one written in Standard ML itself, can read those formal definitions and mechanically generate code directly from them. If that code happens to be in some particular machine code, and if there is a formal sprcification of that machine (often there is, especially when the machine is a very simple one explicitly designed with formal verification in mind) then that whole translation process can in principle be formally verified as just another layer in the language specification. Furthermore, testing of the resulting programs can be done by auttomatically generating test systems that efficiently explore the space of possible behaviours of the resulting low-level system. See Volker Barthelmann's compilers in RP2040 - 6502 Emulator - TIM, Tiny Basic, and EHBasic. The mathematics involved in proving correctness is significantly simplified when the languages are designed with this in mind. See for example Total Functional Programming and System F.

Now that process I've described above is not programming, it's the process of developing useful software tools. Programming actual computers is another thing entirely. It requires an enormous amount of technical skill and an encyclopaedic knowledge of all the different hardware systems and peripherals that have been and are being and will be manufactured. Developing software for these devices is a matter of designing Application and Domain Specific Languages at many different levels which provide layers of formal specifications which can be used by tools designed to generate reliable and efficient systems from those formal specifications. Just getting at the necessary information is hard, and there are very few people even trying to do it. See the series "Bare Metal Adventures" by Life With David.

There are a lot of people who have the necessary skills and knowledge, but they are all busy maintaining insecure Operating Systems and Applications Software (see What's an Operating System for?), and none of them have the time to dedicate themselves to doing The Right Thing, because they;re too busy doing the other thing. See Modeling Probability Distributions and Solving Differential Equations and Matt Godbolt and Ben Rady Talking About Data Compression.

Here is Laurie showing how much concrete data is inside an iOS App written in Objective-C:


Man, that is insane! I guess they do it so that people in cyber-security can reverse-engineer the apps easily to see what they actually do?

Subscribe to LaurieWired.

Comments

Popular posts from this blog

Live Science - Leonardo da Vinci's Ancestry

David Turner Obituary by Sarah Nicholas Fri 24 Nov 2023