Why is it we always see these gatekeeping comments on every thread about software engineering? It’s as if we can’t accept that words can have different meanings and if millions of people are using a word a certain way then perhaps that meaning is also valid.
In some states, you can go to jail for calling yourself an engineer without the state licensure. Words have multiple meanings, but "Engineer" is a title, not just a word.
---
Why the gatekeeping? Because Software "Engineering" isn't really what most of those with the title are capable of doing.
Let's talk about Electrical Engineering for a moment... a typical house in the US has many circuits supplying 120 volts at 15 amps, 60 Hz. You can plug any combination of loads into any of the outlets, and, if they are installed and maintained properly, you won't damage the wiring in the walls, nor are you likely to start a fire.
This is accomplished with engineering (the design of breaker panels, outlets, etc) a strict set of rules, (the electrical code) licenses for the electricians, and state inspection of the circuits before they are put into use.
---
Programming is the wild west compared to this. You have no way to run a piece of code on a machine without risking all the data on the machine, and/or all the machines networked to it. Our hardware is sub-standard (RowHammer shouldn't ever have worked), our operating systems give everything ambient authority. It's actually less secure now than it was in 1982, when you at least had write protectable media that the OS couldn't over-ride.
There's no way to take a random executable piece of code and run it safely. There is NO ENGINEERING in software engineering. It's all band aids and bailing wire.
The temptation is to cite the halting problem, but that's not it.
The Bell-LaPadula model[0] has been proven to be able to provide security, but due to historical accident, you generally can't implement it in Linux, MacOS, Linux, etc al.
The necessary CS theory was developed to make things safe in the 1970s, as I've stated, over and over in various threads here[1-4] and elsewhere on the internet[5], ad nauseum. But we, the programmers, "software engineers", hackers, whatever you want to call us, don't apply those systems, and continue to pile layer upon layer of band-aid to systems that are insecure by design.
It's like building all of your bunkers out of crates of TNT, and wonder why they keep blowing up at the first rifle shot, then concluding you need thicker walls.
Rice’s theorem. btw capabilities are cool but it’s very difficult to actually deploy them to real-world software without accidentally giving things more access than intended.
Rice's theorem can quickly prove that antivirus software is always a waste of time, so that's a plus. It can not, however, do anything to help jailbreak out of a process that has no access to the outside, no matter how evil or clever it (the code in that process) is.
Think of capabilities as cash in your wallet... fairly easy to manage, as long as you can secure the wallet.
In engineering, lives are often on the line, but there are also plenty of areas of engineering where most of the work is also band aids and balling wire. For example, lots of product design isn't safety critical and doesn't need to meet any formal standards. Maybe you don't consider that engineering because it's not rigorous enough - I certainly do though.
