10 September 2006

"...but you're Not a Programmer"

Never trust a programmer who says something can't be done (so don't worry about it)...

When programmers say something can't be done, they mean they can't see a way to do it - and after all, they made the code, so surely they would know, right?

When an interested non-programmer asks themselves if something can be done, they work from a higher level of abstraction, disregarding the details of how it might be done.

The programmer's views are informed by the intended behaviour of what they made, and may be blind to the full range of possible behaviours.

Look at the track record of exploitability that results from design safety failure: the MS Office macro malware generation, the email script generation, malware like Melissa that scripts Outlook to send itself out, and so on.

The stupidity/perfidity question (see previous blog entry, it's not Googleable yet) arises at this point, but either way, the result is the same: trust in these programmers may be misplaced. Either they weren't aware of the implications of what they created, and are thus likely to fail the lower levels of the Trust Stack, or they have a hidden agenda that fails the upper levels of that stack.

Either way, I wouldn't stop worrying because they tell me to.
