Slashdot Mirror
Will Security Task Force Affect OSS Acceptance?
An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undiciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be writen entirely by licensed developers to be considered secure? . Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.
But programs are only as secure as the platform they run on, and of course the same as the people who use them. If people don't run their system properly, I'd say that's worse. Not to mention that people would use trusted vendors anyway, so I don't see what this adds.
Do they really believe that licensing software developers will lead to more secure software?
I'm not following their train of thought. Software development is an industry which constantly has to defend itself from **NEW** hack attacks. The best we can do is protect ourselves from known attacks, and try our best to forsee future ones.
It puts yet another industry under undo government control, and yet against shifts the focus away from the people actually doing harm--the hackers.
For commonly used software this provision of jobs increasingly depends on artificial barriers to the acceptance of free alternatives. Now that millions of people are programmers with supercomputers on their desks and an itch to scratch, and now that the cost of software distribution is approximately zero, the unconstrained market value of a line of code for a commonly used application is rapidly converging to zero.
The anti-FOSS lobbying is merely an example of the artificial barriers that prop of the prices and keep all those people employed. (Though I doubt that there are actually that many people earning their living by programming operating systems, Web browsers, and word processors these days. In the future the way to make money as a programmer will be to implement special-purpose applications that only scratch the itch of some company's shareholders.)
One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"
Texas has had licensing for a few years. Anyone know how it's worked out?
THe idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt ( no more wars maybe??). So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.
Similarly, the licensing scheme will again create a dearth of licened software professionals,leading to high salaries for the licensed initially and then the bubble will burst. Everyone will have a license eventually, and we will be back to square one. So, the solution is to come up with better error prevention and correction methods for existing software professionals/ (drivers) rather than try to create licensed professionals. SO, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.
New year Resolution: Don't change sig this year
May be the SD Times should hire a "licensed developper" to fix the date. They appears to be one year late "January 1, 2003".
I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.
Why is some software more secure than others?
How do you measure software security?
Here's my definition on what is secure software.
Intro
I get really tired of seeing these kinds of comments every time some widely used software has security holes:
While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.
Simplicity Is Security
The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.
Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.
How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.
Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.
Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.
(some examples in the web page not included)
--Brought to you by the DB tool
7098931
The linux hacker
This is the grant of government license to do a specific type of work. That's akin to the government granting the title of Lord, and is technically illegal.
That said, the idea itself is good -- but let ACM *and* IEEE *and* Sun *and* whatever other institution do certifications... That avoids the government regulation, and allows potential employers to select "qualified" individuals.
All this does is create a person who can be targeted if Something Goes Wrong(tm).
With OSS there is no "someone". With a licenced developer you have someone to blame.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I recall a quote from John Milton that went something like this, "None can love freedom but good men. Others love not freedom, but license."
How much would licensing developers much like doctors, lawyers, architects, etc. affect development? It would likely mean more than, say, an MCSE or RHCE, or NCE. Would developers need to be licensed for a specialty?
Most likely there would be some sort of age and education requirement which would prevent some of the younger and perhaps self-taught developers from contributing to certain projects. Also, what about code developed outside the USA? One would have to be rather naive to assume that all the software in use was written in the USA, but sadly, I think that perception is all too common.
Happy 2004, everyone!
- Nate >>
"Insanity is doing the same thing over again expecting a different result."
Quite honestly, the SD Times article told me nothing about what they're really going to do about improving security in applications. You could substitute "licensing" in that article for "certification", as in some vendor's certification of developers. Then, it looks like a useless measure of what that person knows about security. If, however, it is more of a civil service exam, and they're going to test for knowledge of how to write secure code, then it would make a lot more sense.
Always look on the briight side of life! (whistle, whistle)
The US military brass decided at one point that it would be great if all of their software was written in one language. They forned a comittee to design what they wanted. Ada was created and various military agencies started insisting on its use.
The problem was that what they designed wasn't flexible enough and over time Ada became less and less important.
Licensing will go a similiar route. The government will spend millions on a comittee to come up with requirements for a standard software engineer license. Then they'll find out that their licensed folks STILL screw up and eventually it'll become less of a big deal.
That being said, if software engineering licenses come into existance at the federal level you can bet I'm going to get one.
Does it mean that software created by those same developers, now licensed, in the past is now cleared? Are they going to hold developers and engineers accountable even if they're forced to produce code based on inherently flawed design, driven solely by profit and questionable business practices?
If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.
The stupid part is, paid programmers won't either. They'll get insurance against being sued, just like doctors take out malpractise insurance. Then they'll go on writing the same shitty code because the end users continue to demand ease of use and featurisim ahead of security.
The better idea is to just take out insurance against being hacked in the first place. Insurance companies already offer this.
455fe10422ca29c4933f95052b792ab2
If this if for homeland security does that mean the only people who can be licensed are US citizens native to this country? If so, that may help with our outsourcing epidemic.
Make me your friend. All my friends get +1 modifier and I need friends :)
As the past owner of two different businesses and the present manager of a mid size company, I can confidently say that the answer is no.
This is very simple. Over the years, I have hired a wide range of different people to work as programmers. I had everything from masters degree programmers with 20 years experience to kids out of school who do it as a hobby. In all cases, what determined the success or failure of the project was not the qualifications of the programmer. I had masters degree programmers write such gibberish that multi-hundred-thousand dollar projects were cancelled. I had masters degree programmers who did a marvelous job. I had some kids code up another product that worked so beautifully that it only made the company money. I also had kids who did a crappy job and the project failed. In other words, success or failure is determined by results, and nothing else.
Returning to the above question, software is considered secure if it is tested for vulnerabilities and is found to be strong against attempts to break in. If the programmer has a Ph.D., that's all nice and pretty, but it means exactly Jack Schitt. The results are the only thing that matter.
Therefore, I think this committee should not waste its time with issues like licensing, because that will only create more bureaucracy, more fees, and entire administrative efforts... and it provides no guarantees of success. They should figure out a way to measure the reliability of a piece of software (reliability is the parent category of security, because an insecurity reduces reliability). They should make up some guidelines for how mission critical systems should be judged and tested. Perhaps they should recommend that the government should hire its own crackers to constantly look for and help fix vulnerabilities. Because security isn't a one-time thing. "Let's license programmers and the problems will go away." It doesn't work like that. Like everything else related to management, in security, the only constant is change.
... syndrome. Lawmakers always want something that sounds good, looks good, and will make them appear to be addressing the problem.
The conceptual framework they're working under is wrong. They assume that a single person is the author of a program. Maybe some programs have just one author, but most have several. The main, lead programmer, who is typcially the copyright holder, may not even look at every line of code in a program.
The bit about a culture shift is valuable. Projects should be built with security in mind, using basic principles (least privelege, minimize scope, check your loop bounds, etc.) that are, coincidentally, good programming practice.
But the culture shift that's needed is away from blame-based analysis of security failures and toward cooperative assistance. That shift is assisted by opening source code. Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.
No program is bug-free. No committee of Licensed Gurus can eyeball scan a progran and find all its bugs. It takes running the program in real-world situations to find some (most) bugs. Licensing the programmer will not decrease the number of bugs in a given program.
Lawmakers would do better to simply stay out of the matter entirely than to introduce bureaucracy for the sake of appearance.
sigs, as if you care.
usually is a 2nd person
Not always, especially in police cars.
that actually adds to safety
Maybe. But why should I be penalized because of other bad drivers? I have driven with a CB for many, many years, and have driven a big rig. No accidents. So now I can't drive responsibly because some idiot who can barely keep it within the lines normally is using a cell phone?
Our civilization is becoming run over with laws that only idiots need. I blame it on the court system and law suits. If you are an idiot and use a product wrong, then you should take the blame. For instance toasters do not work in a bathtub, yet if the toaster company does not have that specific warning on the label, they can be held liable. Bah!
Yes, this is a hot button issue with me.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
The proof of the pudding is in the eating, and free software has done pretty damn well on the security front. If some pinhead executive wants to pay for "confidence" -- well, I'm sure someone will be happy to take that money off him.
And getting paid more for jumping through silly hoops when you're writing for free? How much more? 10% more than zero is -- zero. The whole thing is silly.
Unlimited growth == Cancer.
- A software developer (ie a programmer) gets licensed
- works on a project for (name some large company)
- company management provides direction for the programming efforts (as they do)
- software is iunsecure by design, due to management decisions (happens now, and the plan changes nothing here)
- software is finished
- ....marketed
- ....purchased
- ....deploy
e d - ....ends up killing over 10 thousand people for some trivial reason
- programmer takes 100% of the blame; firing squad at dawn
- company/management who made the decisions which introduced the lack of security get off Scott Free; zero legal consequences of their stupidity
Or am I misunderstanding the whole point of the exercise?Visit CryptoGnome in his home.
Let us not forget that the IBM Linux Technology Center has certified a Linux distribution (SLES 8) under the Common Criteria Evaluation Assurance Level 2, and they are currently working on EAL 3. This qualifies a Linux distro, composed largely of Open Source software, to take part in bids on certain security-sensitive government contracts. This sounds just like the kind of assurance that this security task force is looking for.
An unjust law is no law at all. - St. Augustine
Licensing Software professionals and holding them accountable for software security is the Palladium concept applied to people. Once you have to license "software engineers" in general, you will have them digitally signing their code and then only software duly signed will run on your Palladium Computer. Otherwise, your computer might run (gasp!) pirate code!
I am assuming the compiler will digitally brand your code with your signature, in order to find out who wrote the "unsafe" code that was breached.
Exactly who will be willing to take personal responsibility for a security breach? How many new legal cases will come up trying to prove that a breach is the "other guy's" fault? "We'll show, your honor, that it was the 'evil bit' hidden in the compiler that caused the security hole!" I suppose we'll see programmer malpractice insurance not long after too.
Would this mean we could go after MS for monetary damages? Somehow I doubt it. Would MS's recourse be to say "Don't worry, that developer has had his license revoked."?
This whole thing seems like a big CYA bid. Just make sure someone else is available to blame. Seems like they are saying, "We can't blame the hackers because we can't find them. But don't worry, you can blame the programmer now."
Regardless of the intent, I don't see this doing a bit of good for security. People with real talent, but who want to reliable income will shy away from a system which they could easily be responsible for damages, or alternatively lose a license to practice their trade. I have a wife and kids... no matter what I think of my skills, if I'm at the mercy of every hacker out there I'll find another field.
So, the result will be that it will become very HARD to hold someone responsible. Action, if ever taken, will be only in events of gross negligence. Security *may* improve short term. But, if we drive out all but the risk-takers I suspect that security will go down and the quality will go down too.
In the end I just see an institutionalized profession which hasn't given us any real benefits.
This seems like just another knee-jerk-silver-bullet attempt to fix an embarassing problem. Why do I picture a meeting somewhere running late and somebody jumps up saying, "Hey, I know! We'll license programmers and hold them responsible for breaches." Followed by, "Yeah, and licensed programmers will get higher pay, so there is an incentive right there!" Then "Discussion? None? All in favor..." And whispers of "Great.. I'll be home in time for dinner tonight!"
So, leaving aside issues of whether or not this is a good idea, are states' rights being encroached upon with this idea? States currently license engineers as they feel its necessary - why would software require federal licensing? Engineering is engineering, whether your twiddling bytes or blocks.
This goes back to the digital sigs for website shop front ends, and "signed" ActiveX controls etc. First off, just because something is liscensed, doesn't make it trustworthy. More problems will arise from people nievely trusting applications that have the "It's secure" sticker on it, instead of doing what they can to understand the application and it's proper implementation. Secondly it would destroy the market for developers who refuse to conform to, or cannot afford "liscensing". MANY useful and integral applications, especially for non M$ platforms, rely on people making improvements and fixes in their spare time. Who's going to be willing to submit a quick hack to fix a problem if they might be liable for the result? Hell who's going to code anything for free?? I'm certainly not willing to make myself personnaly liable without any monetary compensation. For legal fees if nothing else. Htf am I going to know that when my obscure software is compiled on the 2.9.4 kernel years from now, it creates an exploitable condition?? Going back to the first reply, the platform the software is running on makes a HUGE impact on it's security. How am I going to develop an application on a platform with an inherantly flawed API subject to hijacking etc? How about physical security issues? What if a compromise occurs on a machine, that resulted from say a hardware keylogger ($40 from thinkgeek), or a disgruntled employee? Must I bear the burden of proof that it was not my application but one of these or a host of other issues that caused a compromise in a system running my software? It's just a plain bad idea, poorly formulated, and not very well thought out. It's the "higher ups" deciding to place the blame on the developers, and remove personal liability from themselves.
Consider the many centuries we were building buildings before we had anything beyond a few guestimated best practices to assure that they wouldn't fall down. Eventually, the field matured and we figured out how to calculate the strength of a building in advance. Even then, it is only reletivly recently that we could do dynamic simulations. In spite of that, we still have mishaps.
Furthermore, we STILL are not at the point where we can guarantee that a building will hold up under attack. In fact, we are certain that ANY building can be destroyed using explosives. In fact, any device we invent can be destroyed and in turn cause destruction when deliberatly used contrary to it's design.
At the same time, there are levels of vulnerability that are clearly substandard. Buildings must not simply fall down in a light breeze and cars must not explode when you start them.
On the basis of that, licensing and liability will need to be restricted to a very small subset of applications, and they will be very expensive. For the same reason that most of us don't have bomb proof cars, most software will not be built to that standard.
The other case would be grievously stupid design decisions such as having email from anonymous strangers be executable or using gets for a publically acessable interface.
That condition comes from the licensing of civil engineers, too. You have to be licensed to be a civil engineer, pass some fairly effective exams and all that. You can be held personally and professionally liable for screw-ups in your designs. But there's another aspect: you have control. If you're the civil engineer on a project and you specify that it needs X grade of concrete, that's it. If management tries to say "That's too expensive, build it using a cheaper concrete.", you get to say "No can do." and they can't argue. If they do, you make a phone call and the next day some gentlemen with badges show up to discuss the fines and penalties management is going to pay. If management fires you and uses the cheaper concrete anyway, the discussion will be about criminal charges on top of their liability, not yours, for any damages done because of their illegal substitution.
If licensing of software engineers includes everything that licensing of civil engineers does, including the "those who don't have the license do not get to overrule you on how the job gets done" provisions, it's IMHO a good deal. We ought to press for exactly that in licensing, because while companies would be highly allergic to it it'll play very well with the public. Think about public reaction when a structural failure turns out to have been caused by someone substituting shoddy materials for what was originally specified or otherwise not doing things the way the engineers said to do them.
This is an attempt to divert attention from the real problem with software development, and for that matter business processes in general. Programmers and software engineers are, point-blank, not responsible for the quality or reliability of shipping code. Period. That responsibility lies with management, and the resources it chooses to devote to the initial design process (very important ... Microsoft didn't pay enough attention to this and is now paying the price in spades) and, just as significantly, to the quality-assurance cycle. Attempting to lay the blame for poor quality design and implementation solely upon the shoulders of the actual programmer simply ignores the root causes of poor software. The people that design software, and those that test it, are even more important to releasing a quality product than the programmer. However, the biggest problem that I've experienced in a quarter century as a software engineer is that management simply refuses to allocate sufficient time to initial design and prototyping. They want coding to begin as soon as possible after inception, and that often doesn't allow a good foundation to be laid before the design is frozen.
I'm tired of hearing how architectural and structural engineers are "certified", and the insipid comparisons made between this status and that of software engineering. The penalties for a bridge or building collapsing are extreme of course, and no-one would want an incompetent engineer designing such a structure. But what is lost in all this talk is the design review process that occurs long before anything is actually approved for construction. Yes, perhaps the design engineer is technically accountable for a flaw in his work (I don't know, I am not a lawyer), however in any major undertaking there are dozens of others responsible for validating and double-checking the design, and there is no way in Hell that that engineer would be considered solely responsible for a serious failure when a whole review team approved his efforts. Besides, that's what we have insurance for, anyway.
Given that corporate America has proven to be even less reliable and trustworthy than Microsoft Windows 98, I think we should start by certifying the business ethics exhibited by corporate executives and middle managers. Then let them pass tests that indicate an understanding of the software development process, and once that is done make it illegal for anyone in a marketing or sales department to influence software release dates. The programmers aren't the problem. Corporate America is the problem, and until the market decides that it is willing and able to pay for quality software no amount of legislation or governmental interference will improve matters one whit. Believing otherwise is naive or disingenuous.
Of course, it won't matter if the current trend in outsourcing continues, since there won't be any software engineers or programmers left to be certified anyway.
The higher the technology, the sharper that two-edged sword.
I was reading the first volume of Alexander Solzhenitsyn's The Gulag Archipelago the other night. (For those of you too young to remember either Solzhenitsyn or the Soviet Union it describes, go read it. Along with 1984, it ought to be required reading for citizens of putatively free countries.) The section I was reading dealt with the purges of competing socialist movements once Lenin's party had consolidated its power. Political dissenters were at this time -- 1924 -- being tried by special tribunals, denied counsel and contact with the outside world, and executed, first by tens, and ultimately by the hundreds of thousands.
The official explanation for all this was the accused were terrorists who threatened the security of the motherland. It was Guantanamo Bay writ large, and once it picked up steam, it did not stop until, after somewhere between 20 million and 40 million state murders, the Soviet Union collapsed under its own sheer inefficiency in the early 1990's.
In the Soviet era, the most improbable things were tied to the idea of, as we say today, homeland security. If you twist the logic far enough, and people are either stupid enough or frightened enough, you can get away with claiming that the manufacture of cheese is a matter of homeland security. (And why not? It is a fungal product susceptible to both accidental and intentional contamination with biotoxins; an economic resource vulnerable to sabotage; it is produced by wealthy companies whose political allegiances might not be entirely healthy; and worst of all, it is a national emblem of the hated French.)
This programmer licensing is a ruse. Like the bulk of the Department of Homeland Security, it is a crock of shit designed to convince the public that the government is "doing something" against a threat of dubious reality but great electoral usefulness, and it will serve only to centralize more power and money in the hands of large software companies.
Even if it weren't part of a fairly nefarious political trend, does anyone really believe this will make any damn difference? Commercial programmers don't make the important quality decisions -- they are handed down by management to suit marketing needs and the bottom line. If there's any professional programmer here who hasn't written inferior code to satisfy arbitrary time and resource requirements imposed from above, speak now and be counted with your five or six other brethren.
If you want to improve the quality of software, hold companies and their shareholders financially responsible. In other words, put pressure on the people who actually make the decisions, and they will select those programmers -- licensed or not -- who write quality software and give them the resources to do it.
Of course, the big software houses (read: Microsoft) will never go for that because neither they nor the subversives at the Department of Homeland Security give half a rat's ass about the well-being of the public. What they do care about is enhancing their own prestige, power, and wealth.
Proud member of the Weirdo-American community.
One of these talking points is to license software developers and make them accountable for security breaches.
It seems to really prevent all possible security breaches, you need to prove that the program is correct first - I don't know of many entities that even try to prove their programs. I have heard of a few telecom infrastructure programs, but remember the big SS7 outage caused by one tech some years ago? The SS7 code is probably better "audited" than most code but would that outage have been construed as a "security breach"? - Yes, after the lawyers were done with it.
What about how quickly the world changes after a program is released? You use the best encryption technology of the day, you prove your programs correct, not just audit the code or use "good" software engineering/management methodologies. But you used DES (back in the day) or MD5 more recently, then MD5crack comes along or quantum computing and suddenly you are responsible for a "security breach" because of some exploit that didn't exist when you created the program.
That is nuts, who would want to sign up for that?
Besides DJB does anyone even have the balls to reward people for finding security problems? Or even advertise security as a feature? OpenBSD (yeah, I know its dead, blah, blah, blah), pureftpd, NSA Linux
I expect not many others, because people expect code to have security issues.
Since security is such a big concern now (and in the past), I would think that people who wanted to show off their programming prowess would be bragging about how secure their code is. But no one does, that I know of - why? because its just damn hard to be sure that the code is perfect - which is what is required to prevent all possible security problems. So where are all these people with the big security cahones going to come from?
Can a program be proven correct for all inputs?
If it isn't stateless then can each permutation of state and input be proven?
Are all the protocols used by the program verified?
The impossibility of preventing security breaches seem to make this kind of government action more likely. Burn the witches!! They hexed our computers, and were seen in the woods cavorting with unaudited code fragments!
OSS has no problem with professional certification you get the source, review it, test it and certify it to a grade. The professional would do this or sign off. For closed source the process is the same except you don't have the source or your rely on the vendors professional certification.
I worked summers in an Architectural/Engineering firm before I got my degree for Computer Engineeering in 1979. The real way these firms worked at that time is that the Professionals (Registered Architects and Proffessionsal Engineers) supervised and sign off on the the work that was done by EITs (Engineers in Training - a degress but not yet passed the state boards) and Draftsmen and other technical people. This model can be used for software/hardware as well. There has been little demand or call for a state certified need for computer professionals in the last 24 years largely because the sales force said all the bugs will be fixed in the next "Gotta have" version.
Our social problem is the adoption of CPUs and related software to critical tasks in our society without review or certification for the tasks in a largely sales driven market. Having professionals review installed products would likely trim features and consider whole systems analysis of the effect of additions and changes. In the end this is a good thing because the professional at the install point can specifiy the grade and if the vendor fails he doesn't the the business.
The last point is that the State is responsible for the approval of the Professionals - so in effect the State is taking the work of people it has approved to be and act as Professionals.
In the end this just means a review of some level of quality on the software or hardware installed. We just don't take the word of the vendor.
NT was given something like a "G5" security rating, BUT is was not attached to any network what so ever. Lot of good that certification did as Win2k and XPee were then built from this so called "secure base". The "system" is the problem not the programmers. Testing and certifing software for it designed and useful purpose, which EULAs negate, would be a starting point. Also I am sitting here on a RoadRunner connection using a Motorola SurfBoard modem. Why did I have to spend $45 for a SMC 7004VBR to secure it when 1-2 chips in the modem would have taken care of a lot of issues [log is showing 4-6 denied attacks every 5-10 minutes].
Exactly right. "License" is permission to do that which would otherwise be a crime to do. If you come into my home as my guest, you are doing with permission what could send a burglar to prison.
Historically, license as a formal permission from the state stems from the general police power of the state to prohibit things that are deemed dangers to public health or safety -- such as cutting people open with knives allegedly to treat injuries or illnesses -- and then allow select people the permission to do those things under some set of conditions and qualifications, hence licensed doctors, who *are* allowed to cut people open without fear of being charged with assault with a deadly weapon, bodily injury, maiming, etc.
Where "license" goes bad is when, in complete ignorance of what it means and where it comes from, the public accepts "licensing" for purposes such as generating tax revenues. Every one of us has seen proposals to "license" something as a way to raise revenues in the form of license fees, but few people have understood that such proposals amount to "We want to make xxxx illegal so we can then turn around and collect fees for permitting just about anyone to do xxx." It's bass-ackward and contaminates the legal concept of "license."
So, yes, writing software can only be "licensed" if writing software is first made into a crime. Whether or not the proponents of such a thing can sell the idea that a vital state health or safety issue is at stake remains to be seen, but in today's climate of ignorance it probably isn't necessary to explain such reasons to sell "licensing" of anything.
Look at the bright side: there's always seppuku.