# Linux's NEW 8 year old privilege escalation bug



## baaz (Aug 24, 2022)

8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe

Researchers shared details of an eight-year-old flaw dubbed DirtyCred, defined as nasty as Dirty Pipe, in the Linux kernel. Researchers from Northwestern University (Zhenpeng Lin  |  PhD Student,Yuhang Wu  |  PhD Student, Xinyu Xing  |  Associate Professor) disclosed an eight-year-old security...

securityaffairs.co




With every one of these I am more and more happy that I am using BSDs and more scared of my android phone.


----------



## richardtoohey2 (Aug 24, 2022)

Sadly nothing is perfect - this is a six-year old one from FreeBSD, versions 11 onwards:



https://www.freebsd.org/security/advisories/FreeBSD-SA-22:10.aio.asc


There was a good web page explaining how it worked but it doesn't seem to be responding right now.  A local user could escalate themselves to root without too much effort; just like the Linux issue.

Whatever you use - keep patching.


----------



## drhowarddrfine (Aug 25, 2022)

richardtoohey2  The difference is with FreeBSD there's this:



> V.   Solution
> 
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot.


----------



## CuatroTorres (Aug 25, 2022)

Are the BSDs dying? Some security researchers think so

Too few eyeballs on code is a security issue. Can FreeBSD, OpenBSD, and NetBSD survive?

www.csoonline.com



Is this a personal appreciation or a truth?
I think even professionals look after number one.


----------



## kpedersen (Aug 25, 2022)

baaz said:


> and more scared of my android phone.


Linux has bugs, just like FreeBSD unfortunately. But Android is absolute trash and happens to have many more bugs than both combined (by design).



CuatroTorres said:


> Is this a personal appreciation or a truth?


That article is 4 years old! One day it will get to the point where FreeBSD will have outlived those original authors.


----------



## CuatroTorres (Aug 25, 2022)

It is 4 years old but the argument is lack of eyes, lack of developers and losing, how true is it?


----------



## kpedersen (Aug 25, 2022)

CuatroTorres said:


> It is 4 years old but the argument is lack of eyes, lack of developers and losing, how true is it?


More eyes have been looking at FreeBSD than that article. And yet that article seems to keep popping back up and seems to be alive and well.


----------



## drhowarddrfine (Aug 25, 2022)

CuatroTorres said:


> Is this a personal appreciation or a truth?


The article's title is "researchers" (plural) but only mentions and quotes two people.

The "FreeBSD is dying" meme is a community joke.


----------



## gotnull (Aug 25, 2022)

There are so many talking about Linux, it comes up really often in conversations, it feels strange.
Focus on BSD world instead, it could be better for the community and in the end it sends out more positive energy.


----------



## getopt (Aug 25, 2022)

Having read those articles I ask myself why people are so eager to consume such headlines?

There were few numbers given and interpretations are questionable. What is wanted are your clicks and data left on such sites. Doomsday phrases do sell.

If you got a “feeling” that a project is stalling, look at the source repos and try to extract committer metadata _over time_. With the data you can plot nice graphs over time visualizing personnel fluctuations. It would make me wonder if the FreeBSD Foundation did not have the whole picture of actual trends. But I’m not seeing any detailed statistics published.

Microsoft as the owner of Github does frequent analysis on any public repos they do host. They know who might be a good catch for their own staff.


----------



## thindil (Aug 25, 2022)

richardtoohey2 said:


> Sadly nothing is perfect - this is a six-year old one from FreeBSD, versions 11 onwards:
> 
> 
> 
> ...


My guess, you mean this article: https://accessvector.net/2022/freebsd-aio-lpe

Looks like it is back to life.


----------



## drhowarddrfine (Aug 25, 2022)

When is the last time you read something really important in the technology media that affected your field of work or life in any way?

Why you should avoid the news media


----------



## drhowarddrfine (Aug 25, 2022)

thindil said:


> Looks like it is back to life.



No it hasn't. 



> I reported the missing backport to the FreeBSD Security Officer Team on the 25th of June, 2022 and it was backported to stable/12 two days later. *The fix was merged* into supported releng/* branches on the 25th of July, 2022.


----------



## cynwulf (Aug 25, 2022)

CuatroTorres said:


> Are the BSDs dying? Some security researchers think so
> 
> 
> Too few eyeballs on code is a security issue. Can FreeBSD, OpenBSD, and NetBSD survive?
> ...


There is no suggestion from van Sprundel that any of  the 'BSDs are "dying".  The other "security researcher" merely states an opinion.  Plenty of "security researchers" also have very negative opinions of Linux and other OS.

No idea why this one gets dragged out over and over again...  despite the research being perfectly valid and bugs being found and fixed, the conclusions drawn are sensationalist and bordering on ridiculous.  According to certain quarters of the tech press, the BSDs have probably been dying since 1995 due to "lack of developers".  Despite such claims, active development continues.  Click bait crap.


----------



## SirDice (Aug 25, 2022)

cynwulf said:


> the BSDs have probably been dying since 1995 due to "lack of developers". Despite such claims, active development continues.


It was "dying" when I first started with FreeBSD some 25 years ago. Yet here we are, still kicking and screaming.



richardtoohey2 said:


> Sadly nothing is perfect - this is a six-year old one from FreeBSD, versions 11 onwards:
> 
> https://www.freebsd.org/security/advisories/FreeBSD-SA-22:10.aio.asc


Yeah, how about this one? 








When seekdir() Won’t Seek to the Right Position

Back in 2008, I discovered a bug in the BSD filesystem that has been there for more than 25 years, in all of the major BSDs, read the…

marcbalmer.ch


----------



## astyle (Aug 25, 2022)

Good thing this is in the 'Off-Topic' section... 

Unresolved bugs this old are exactly why I roll my eyes at 'Debugging Bootcamps'.  Just a quick Google search on that term turned up stuff like a $4200 camp in Atlanta, GA... Even if a bug is properly defined, there's plenty of bugs a debugger won't catch. Calling the wrong API, graceful handling of errors, using incorrect formula, and whatnot. 

Don't get me wrong, there are benefits to learning how to use a debugger. It's just that sometimes, to really fix a bug/design flaw/mistake/whatever, you gotta redo the whole enchilada from ground up.


----------



## thindil (Aug 25, 2022)

drhowarddrfine said:


> No it hasn't.


I should be more wordy. I was referring to the state of the article, not the bug. The bug should be fixed.


----------



## richardtoohey2 (Aug 26, 2022)

Not sure if this one is patched but hopefully no-one running telnetd:



2-byte DoS in freebsd-telnetd / netbsd-telnetd / netkit-telnetd / inetutils-telnetd / telnetd in Kerberos Version 5 Applications - Binary Golf Grand Prix 3 - IT Security Research by Pierre


----------



## SirDice (Aug 26, 2022)

richardtoohey2 said:


> Not sure if this one is patched


It seems nobody bothered to contact secteam@freebsd.org



> Vendor Response
> 
> Reaching and coordinating with all the vendors and software maintainers will take too much time and effort.





> It is 2022. Do not use telnet. Seriously!


Fully agree. That said, it should be fixed.


----------



## hardworkingnewbie (Aug 26, 2022)

baaz said:


> 8-year-old Linux Kernel flaw DirtyCred is nasty as Dirty Pipe
> 
> 
> Researchers shared details of an eight-year-old flaw dubbed DirtyCred, defined as nasty as Dirty Pipe, in the Linux kernel. Researchers from Northwestern University (Zhenpeng Lin  |  PhD Student,Yuhang Wu  |  PhD Student, Xinyu Xing  |  Associate Professor) disclosed an eight-year-old security...
> ...


/me yawns... 

I am pretty sure that a well experienced security researcher is able to find some bugs at least that old as well in any of the BSDs' kernels, may it be FreeBSD, NetBSD or OpenBSD.


----------



## Menelkir (Aug 26, 2022)

SirDice said:


> Fully agree. That said, it should be fixed.


But then how would I watch Star Wars?


----------



## SirDice (Aug 26, 2022)

Menelkir said:


> But then how would I watch Star Wars?


You don't need the telnet daemon for that


----------



## CuatroTorres (Aug 26, 2022)

It is not the case but I still use telnet if I want to look at the line noise values of my home router. `telnet 192.168.0.1`


----------



## ralphbsz (Aug 26, 2022)

kpedersen said:


> But Android is absolute trash and happens to have many more bugs than both combined (by design).


That is a very interesting statement. Do you have any evidence to back it up? In particular the "by design" part?



astyle said:


> Unresolved bugs this old are exactly why I roll my eyes at 'Debugging Bootcamps'. ...


Note that the OP is not an 8-year old bug. It is an 8-year old vulnerability, which was only found in 2022. So it is a weeks- or months-old bug.


----------



## kpedersen (Aug 26, 2022)

ralphbsz said:


> That is a very interesting statement. Do you have any evidence to back it up? In particular the "by design" part?


Not fantastic evidence (I try to stay away from this naff consumer-heavy stuff as much as possible after all!). However, some papers and examples as to why they are relevant:

- Planned obsolescence (i.e. Too locked down. You are prevented from applying security updates to your own device when the manufacturer drops support. IoT and Phones both running Android exhibit the same issues)
- Purposefully naive permissions system (i.e. To run a note taking app, you are required to allow it full access to your camera, emails, mic arbitrarily. It should be no-permission by default unless the user manually changes the *necessary* ones. However this current default is for the vendor to harvest as much data as possible)
- Lack of user control / access (i.e. Too locked down. You don't have the necessary permissions to audit your own device, often you can't install a proper trusted firewall, often you can't even install an ad-blocker, etc)

It basically stems from the underlying business case for these devices to take as much control away from the user as possible which means that you can't properly maintain it. The business case is the same as with games consoles. By design locking it down to protect the publishers / partners / content owners (i.e. DRM) more so than the users. Some general discussion here.

Imagine being given a mature 3 years old Windows laptop to use without admin rights to put your credit card details into in order to purchase something. Could you really trust it? It would be a mess of Simpsons mouse cursors. An Android phone is really no different; actually worse. You can't see inside the filesystem / process list on many of them and yet many people input their card details and personal information on a daily basis.

I assume that is why Windows is changing in such a way that people are becoming more and more concerned about its data harvesting. Microsoft is a little late to the data selling party and wants a piece of the pie that Google's Android (and Apple) has made for itself.


----------



## hardworkingnewbie (Aug 26, 2022)

kpedersen said:


> - Planned obsolescence (i.e. Too locked down. You are prevented from applying security updates to your own device when the manufacturer drops support. IoT and Phones both running Android exhibit the same issues)
> - Purposefully naive permissions system (i.e. To run a note taking app, you are required to allow it full access to your camera, emails, mic arbitrarily. It should be no-permission by default unless the user manually changes the *necessary* ones. However this current default is for the vendor to harvest as much data as possible)
> - Lack of user control / access (i.e. Too locked down. You don't have the necessary permissions to audit your own device, often you can't install a proper trusted firewall, often you can't even install an ad-blocker, etc)
>
> It basically stems from the underlying business case for these devices to take as much control away from the user as possible which means that you can't properly maintain it. The business case is the same as with games consoles. By design locking it down to protect the publishers / partners / content owners (i.e. DRM) more so than the users. Some general discussion here.


These papers don't support your statement. 

To address them in chronological order: 

1. Planned obsolescence - the paper talks about IoT devices, not smartphones per se. So same could also be said about iPhones.
2. Permission system - dates back to 2012, so you're not taking one decade of progress into account. 
3. Lack of user control/access - dates back to 2010, so even more outdated. 

Overall: if you do really value your privacy, you simply should not get a smartphone, period. Even if the OS could be trusted, the base band processor cannot. It's a black box.


----------



## kpedersen (Aug 26, 2022)

hardworkingnewbie said:


> These papers don't support your statement.


In what way? Your issues with them only really seem concerned with the age and scope of the sources which I don't believe to be valid concerns. Let's go through them.



hardworkingnewbie said:


> 1. Planned obsolescence - the paper talks about IoT devices, not smartphones per se. So same could also be said about iPhones.


Exactly. The same *can* be said about iPhones. Why wouldn't it? This specific paper was discussing Android running on IoT. Same Android used on a phone. Same planned obsolescence, same flaws. Can you claim smartphone vendors specifically support their hardware longer than other hardware vendors? Often I see the opposite. I can find many sources discussing the security issues inherent in planned obsolescence of Apple, even non technical i.e news articles are aware of it for the average consumer.


hardworkingnewbie said:


> 2. Permission system - dates back to 2012, so you're not taking one decade of progress into account.


What progress do you think has been made since? You use a new phone today, the same naive permissions box comes up. Google did trial a "per-permission" setting but backtracked on it. The year could be 2040 and this paper will still likely be discussing the (then current) state of the art.

But there are much newer papers reiterating the same old problems with the permissions system. Nothing has changed. Just to clarify the part from the paper that supports my statement and the issue I am trying to describe:



> The user can grant permission for requested resources either at runtime or during the installation process. However, this system is often misused in practice by demanding extra permissions that are not required to provide services. These kinds of apps stop functioning if all permissions are not granted to them





hardworkingnewbie said:


> 3. Lack of user control/access - dates back to 2010, so even more outdated.


Again, since the issue is by design rather than a technical one; what has exactly changed in 10 years? Are you suggesting that people are now able to install reputable firewalls or ad-blocks on all modern phones? They can't, especially if the phone can't be rooted (which also voids support from vendor). If anything the inbuilt Chrome browser has become *more* restrictive to 3rd party privacy providing plugins.



hardworkingnewbie said:


> Overall: if you do really value your privacy, you simply should not get a smartphone, period.


Completely agree. Going back to my original statement, they are unfortunately extremely scummy bits of kit governed by equally scummy businesses. The only winning move is to not play. Especially when they are so easy to avoid.

Either way, I have written too much and smartphones seriously bore me. Apologies for the noise!


----------



## astyle (Aug 27, 2022)

ralphbsz said:


> Note that the OP is not an 8-year old bug. It is an 8-year old vulnerability, which was only found in 2022. So it is a weeks- or months-old bug.


So, a 'vulnerability' is not a 'bug' until a bug report is filed? 

That makes me kind of lost as to what even counts as a bug in the first place... Originally, it was an actual squished bug that gummed up the mechanical works of a Harvard calculating device (Mark II/III), then it became a running joke that hit the pop culture... 










Software bug - Wikipedia

en.wikipedia.org


----------



## baaz (Aug 27, 2022)

gotnull said:


> There are so many talking about Linux, it comes up really often in conversations, it feels strange.
> Focus on BSD world instead, it could be better for the community and in the end it sends out more positive energy.


There is an old saying here that translates into:

*From whom have you learnt civility?*

*‘From those who had no civility because what appeared to me unbecoming in them I refrained from doing.’*


----------



## SWIFTYLIFT (Aug 29, 2022)

CuatroTorres said:


> Are the BSDs dying? Some security researchers think so
> 
> 
> Too few eyeballs on code is a security issue. Can FreeBSD, OpenBSD, and NetBSD survive?
> ...








Is BSD Dead Yet?

isbsddeadyet.com


----------



## hardworkingnewbie (Aug 29, 2022)

kpedersen said:


> In what way? Your issues with them only really seem concerned with the age and scope of the sources which I don't believe to be valid concerns. Let's go through them.


10 up to 12 years in software development is like several life spans in software development. This means that the kernel has been changed a lot, frameworks have changed a lot, and stuff within the framework as well.

So taking such old papers, which found issues from back then and saying "it was bad way back then, and still is today" is bonkers, wrong, because it totally neglects what has been changed since then.

Simple as that - so yes, these are valid concerns. Aside that: if privacy really is an issue, there's only one suitable solution: don't use a cellphone at all.


----------



## getopt (Aug 29, 2022)

kpedersen said:


> ... extremely scummy bits of kit governed by equally scummy businesses. *The only winning move is to not play.* Especially when they are so easy to avoid.


Unfortunately this is reality. People around the globe have been made dependent on "Smart-Phones". Next step is making them depend on projects like:



https://id2020.org/


People with a strong personality being aware of the background problems can freely make a personal decision preferring not to.

Obviously the overwhelming consuming majority cannot or wants not to resist the seducing technology which is promising lulling accommodativeness everywhere.

Kids in a peer-group quickly become outsiders without a Smart-Phone. They are socially forced to participate and get used to Smart-Phones like junkies.


----------



## kpedersen (Aug 29, 2022)

getopt said:


> Unfortunately this is reality. People around the globe have been made dependent on "Smart-Phones". Next step is making them depend on projects like:


This might be location specific but here in the UK there is nothing that particularly depends on them yet. Perhaps this is due to the aging population that stands no chance at engaging with them. I think the market even fell since COVID.

The personal ID is an interesting one. As seen fairly successfully in Denmark, I actually agree with it (not necessarily digital). However in the UK specifically, it is partially run by criminals who really do *not* want this form of central ID. I don't believe this will change for a long time.



getopt said:


> Kids in a peer-group quickly become outsiders without a Smart-Phone. They are socially forced to participate and get used to Smart-Phones like junkies.


You aren't wrong. However I would add that kids tend to use smart-phones like a toy. Whether it is a gameboy or a smart-phone, nothing they do with it is particularly important in the grand scheme of things. Whether this is pulled through into industry with them (as was the case with macOS) remains to be seen however. This is maybe the biggest risk but I can't see how they are going to be productive with a consumer phone vs even a computer from the 90s.


----------



## CuatroTorres (Aug 29, 2022)

_Off-topic_:

In Spain, ING Bank forces you to use your smartphone as an authentication method once it detects that you are using its app, even if you use web banking later.
I resist using web banking exclusively and receiving an SMS from time to time.
At some point of time the obligation of the app will be effective.


----------



## kpedersen (Aug 29, 2022)

CuatroTorres said:


> _Off-topic_:
> 
> In Spain, ING Bank forces you to use your smartphone as an authentication method once it detects that you are using its app.


Makes sense. You jump into the app workflow, you are committed 

My bank sends me an OTP dongle (which admittedly I am terrible with and write all of my details onto the back).

I would prefer if they just sent me the C source code, private key and random seed!


----------



## mer (Aug 29, 2022)

kpedersen said:


> I would prefer if they just sent me the C source code, private key and random seed!


Heh.  Then you find out it's like that scene in the movie Spaceballs about the combination to a lock:
The combination is 12345
No idiot would use that it's stupid
Wait!  That's my combination!


----------



## zirias@ (Aug 29, 2022)

kpedersen said:


> Makes sense. You jump into the app workflow, you are committed


Actually, I'm quite happy about that workflow for 2FA.

At least in Europe, 2FA is mandatory for banking nowadays... and _why_? Because after decades, people _still_ used guessable passwords. Yep, even Mel Brooks failed to get the message through, mer 

Sure, cracking is a thing as well (e.g. by getting hold of an insufficiently encrypted password database, or client-side sniffing using some malware ...), but most of the time, the major problem still is weak passwords.

So, I'm forced to use 2FA. And seriously, just presenting my finger to my phone's sensor is the quickest and least annoying way for the second factor. And as my passwords are fine, I'm not _too_ worried about the security of this _second_ factor.


----------



## CuatroTorres (Aug 29, 2022)

I don't need an app for each account I have at each bank, and there are quite a few. A simple SMS does the double factor. Even Microsoft Authenticator can take care of that.


----------



## Jose (Aug 29, 2022)

zirias@ said:


> So, I'm forced to use 2FA. And seriously, just presenting my finger to my phone's sensor is the quickest and least annoying way for the second factor. And as my passwords are fine, I'm not _too_ worried about the security of this _second_ factor.


Yeah, and now Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud". Under fantastic security, no doubt. In any case, changing your fingerprints is trivial should they ever get compromised.

If you want me to use 2FA you must provide me a non-cellphone dependent way of sending you a public key. I will accept nothing else.


----------



## zirias@ (Aug 29, 2022)

Jose said:


> Yeah, and now Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud". Under fantastic security, no doubt. In any case, changing your fingerprints is trivial should they ever get compromised.


Nope. Any sync is off, I even disabled the services (and yes, the system _is_ nagging me from time to time to enable them).


Jose said:


> If you want me to use 2FA you must provide me a non-cellphone dependent way of sending you a public key. I will accept nothing else.


If you ever want to have a bank account in the EU, good luck to find one still offering all services at the counter.


----------



## Jose (Aug 29, 2022)

zirias@ said:


> Nope. Any sync is off, I even disabled the services (and yes, the system _is_ nagging me from time to time to enable them).


How can you be sure on a completely closed platform like a cell phone? How do you know those knobs do anything? How can you be sure that there isn't a "bug" where it syncs your biometrics anyway?



zirias@ said:


> If you ever want to have a bank account in the EU, good luck to find one still offering all services at the counter.


Good to know. I will have to think about this, since I am considering retiring in the EU.


----------



## zirias@ (Aug 29, 2022)

Jose said:


> How can you be sure on a completely closed platform like a cell phone? How do you know those knobs do anything? How can you be sure that there isn't a "bug" where it syncs your biometrics anyway?


How do you know it's a "closed platform"? It isn't. It does have _some_ closed-source software on it, but that's about it. But hey, I'm pretty sure even Apple wouldn't dare to store any personal data without proper consent in face of GDPR. This is really a PITA for any vendor or operator of IT services, which I know from work at a financial corp targeted at b2b (so, not even interested in personal data too much, and still we're struggling a lot to comply). Of course, consent is given by many not even reading small text before touching this OK button


Jose said:


> Good to know. I will have to think about this, since I am considering retiring in the EU.


Well, 2FA is mandatory. There _are_ ways to comply with that without a (smart)phone, but I don't think many banks will offer that in the future.


----------



## mer (Aug 29, 2022)

zirias@ said:


> I'm not _too_ worried about the security of this _second_ factor.


"Until someone cuts my finger off"   
Sarcasm, but a real possibility.  Although if it were me, if someone wants to cut my finger off to gain access, I've got bigger problems to worry about.


----------



## Jose (Aug 29, 2022)

mer said:


> "Until someone cuts my finger off"


There were places where you should not wear rings when I was growing up in Latin America in the '70s. I believe the situation has improved, but given how popular cell phone stealing is, this is not all that ridiculous a possibility.


----------



## CuatroTorres (Aug 29, 2022)

The manufacturer of each device has something to say. Xiaomi asks for acceptance of conditions for something as simple as the calculator, and so with all its apps. I don't want to know what he's going to do with his fingerprint.


----------



## kpedersen (Aug 29, 2022)

zirias@ said:


> Well, 2FA is mandatory. There _are_ ways to comply with that without a (smart)phone, but I don't think many banks will offer that in the future.



Currently they are quite happy to hand out these things:
https://www.hsbc.com.hk/content/dam/hsbc/hk/images/security-device.jpg

Will this change in the future? Not sure, I do think the ever changing nature of phones will ensure that there will always be a stable alternative. For example I think it is unreasonable to ask an 80 year old to update their iPhone 4s to access their bank. Likewise in 30 years, it will be unreasonable to ask an 80 year old to update their iPhone 10 to access their bank.


----------



## hardworkingnewbie (Aug 29, 2022)

mer said:


> Heh.  Then you find out it's like that scene in the movie Spaceballs about the combination to a lock:
> The combination is 12345
> No idiot would use that it's stupid
> Wait!  That's my combination!











Air Force Swears: Our Nuke Launch Code Was Never '00000000'

For nearly a decade, an awkward debate has raged about the U.S. military's nuclear force: Did top Air Force officials really choose "00000000" as a…

foreignpolicy.com


----------



## msplsh (Aug 29, 2022)

Jose said:


> Apple or whomever has a digital representation of your fingerprint that is stored somewhere in the "cloud".


This is wrong particularly about how Apple's TouchID works.  The fingerprint data never leaves the processor that the sensor is connected directly to.


----------



## bob2112 (Aug 29, 2022)

zirias@ said:


> Because after decades, people _still_ used guessable passwords.
> 
> Sure, cracking is a thing as well (e.g. by getting hold of an insufficiently encrypted password database, or client-side sniffing using some malware ...), but most of the time, the major problem still is weak passwords.


It's pretty much the same thing. The reason that weak passwords are a problem is they make it feasible to perform offline attacks against salted-hashed password databases.


----------



## astyle (Sep 2, 2022)

kpedersen said:


> I can't see how they are going to be productive with a consumer phone vs even a computer from the 90s.


For kids, 'productivity' is not the point, 'aptitude' is. 'productivity' is what the boss can get out of you. 'aptitude' is *a* measure of potential that gets realized (and paid for) by the boss later.


----------



## kpedersen (Sep 2, 2022)

astyle said:


> For kids, 'productivity' is not the point, 'aptitude' is. 'productivity' is what the boss can get out of you. 'aptitude' is *a* measure of potential that gets realized (and paid for) by the boss later.


I was discussing productivity specifically once their smart phone is "pulled through into industry with them". From what I have experienced, ancient computers are still more productive than smart phones due to their openness and ability to get things done / developed on them. This same thing happened with macs ~2007 (before then, they were very rare!) but wasn't quite as damaging because they are still workable as fairly capable workstations. Phones are not (terrible keyboards for one).

But whilst you are bringing up aptitude, this is relevant too. I strongly feel that someone brought up in a "click and play" environment like a phone appstore vs being exposed to the problem solving required for i.e DOS, computers back in the day will be at a disadvantage. I *think* this is starting to show from some of the recent candidates I have interviewed. But it could also be too early to tell.


----------



## richardtoohey2 (Sep 2, 2022)

kpedersen said:


> I strongly feel that someone brought up in a "click and play" environment like a phone appstore vs being exposed to the problem solving required for i.e DOS, computers back in the day will be at a disadvantage. I *think* this is starting to show


This is getting very off-topic, but I don't think it's just phones and apps - it's the overall "modern" operating systems (on all "devices" and computers) too.

Most decisions are hidden from you, most configuration options are hidden from you, you point and click or type one command at the most, and huge complex applications are downloaded, auto-configured, auto-started.

Then when there's a problem - you have no idea where to start.  Well, you go and post questions on forums or elsewhere on the internet.

Sometimes the *BSDs and older-style Linux distributions are put down for being complex, or forcing the user to make "choices" or forcing the user to "know too much" about configuration files, where they are stored and so on.  Or that the default settings are "too conservative" and the "poor user" has to find the configuration files, do some R&D, tweak, trial & error etc.

With *BSDs you are forced to make some decisions at installation time, things are rarely completely auto-configured or auto-started - you have to do some reading, some thinking, and some decision-making and configuration.  You'll probably have to find out where error logs go as you make mistakes.

Which can seem a waste of time or painful when you just want to install & run application "X".  But in a few months time when "X" isn't behaving, you know where to look for errors, you know where the configuration files are, etc. so personally I think you end up better equipped than the user who just typed "install X".

That's not to say I don't really appreciate the ease of use of "install & run application X" without having to think about it too hard - but I think the approach that forces a bit more thinking from the end-user (myself included) does help in the long run.


----------

