Back in March and April, when the Java browser plugin was getting hammered with security holes that were being exploited in the wild, we conducted a couple of unscientific polls here on FOSS Force to determine how our visitors were handling this security crisis.
To call the problems that Java was experiencing at the time a “crisis” is not an exaggeration. If you’ll remember, the situation was considered so serious that here in the U.S., the Department of Homeland Security was urging everyone to disable the Java plugin.
These two Java polls were among the first we conducted on FOSS Force and received about the fewest votes of any polls we’ve conducted so far. Undoubtedly, this was partially due to the fact that we were just beginning to conduct polls on the site, and so polling here was something new to our visitors. Also, our articles on Java security issues received a smaller number of page views than most articles we publish. However, low readership notwithstanding, we will continue to cover serious security issues, because we think it’s important that we do so.
In both polls, we attempted to limit votes to one vote per IP address. Although this is not a perfect way to limit votes, we feel that it suffices for the purpose of these unscientific polls.
The first Java poll began on April 14th and ended on April 28th. It ran inside the article Java Remains Unsafe–Not Likely To Be Fixed Soon. In this poll we wanted to see if our visitors were taking the security warnings about Java seriously, and to see if they were heeding concerns expressed by some security experts that Internet-facing Java was inherently unsafe.
This poll posed the question, “Have you disabled Java in your browser and do you intend to keep it disabled even after all security issues have been fixed?” This poll received a total of 35 answers. Those taking the poll were allowed to select one answer only from a list of seven. In the list below, after each answer is the percentage and exact number of votes received by that answer.
I’ve disabled Java and I intend to keep it disabled forever – 40% (14 votes)
I’ve disabled Java but I’ll enable it again as soon as it’s safe – 17% (6 votes)
I have not disabled Java but I intend to do so – 6% (2 votes)
I haven’t disabled Java and I’m not going to do so – 26% (9 votes)
I don’t know how to disable Java – 0% (0 votes)
I don’t know – 6% (2 votes)
Other – 6% (2 votes)
Those who chose the answer “Other” were given the opportunity to supply their own answer. The two answers received here were “needed for work” and “either fix or trashcan Java security hole.”
In the second Java poll we attempted to discover if people thought the security problems in Java were specifically due to the program’s ownership by Oracle, a company that’s often not held in high esteem by members of the Free Software community. This poll was very simple and straightforward, asking the question, “Do you trust Oracle to keep browser-side Java secure?” The four answers available in this poll were Yes; No; Doesn’t matter, I’ve disabled Java; and Other. Again, users answering “Other” were allowed to supply their own answers.
This poll ran from April 22nd through May 6th inside the article Oracle Serious About Java Security–Maybe and received a total of 16 votes, half of which were for No. Second place went to “Doesn’t matter, I’ve disabled Java” with five votes, or 31% of those cast. Two people voted Yes and Other received one vote. The person who voted Other indicated that he or she trusted Oracle “somewhat.”
Although both of these polls represent much too small a sampling to be considered indicative of anything, it’s still fair to say that FOSS Force’s readers don’t particularly trust either browser-side Java or Oracle, which is pretty much what we expected.
I remember I saw the polls, but don’t remember if I voted or not (or was even able to, see below), but I do remember I was missing one (for me) huge choice: “Would you disable/remove Java permanently if you weren’t forced to use it?” (for example DK’s national online banking system) so if I voted, I probably used “other”.
Also “we attempted to limit votes to one vote per IP address”: Obviously you then only want votes from mostly 1st world countries 🙁 Speaking from personal experience many 3rd world countries have 1000’s of users per public ip-address, since a public ip-address is actually quite costly for these countries (hopefully it’ll change when all is shifted to ipv6 in 100-200 years :p). And in many cases (also in 1st world countries) mobile internet users share a public ip-address. My main point is, it’s not a good thing to limit per ip-address! :/
Just my ¥0.02
@tik tik One person who chose “Other” did write “needed for work,” so that might’ve been you! We didn’t include more choices because the list was already quite long and “Other” gives a chance for folks like you to supply an answer not on the list. On some of our polls, the “Other” choice gets a lot of votes, and I enjoy reading all of the answers given.
As to limiting the voting by IP address… You’re correct, that’s not an ideal solution but it’s about all we’ve got. We could limit by cookie, but many people set their browsers to delete cookies when their computer’s shut down. Also, it’s very easy to flush cookies from a browser’s settings. The only other way would be to only allow registered users of our site to vote, one per username. The trouble with that approach, of course, is that we don’t offer “user accounts” on FOSS Force, as there would really be no reason to do so and they are a security risk.
Of course, we could just let people vote as often as they like, and we considered that. We even thought about putting people on the honor system and asking them to vote only once. In the end, we decided that would only serve to make the polls meaningless, as there will always be the overzealous types who won’t mind spending a whole afternoon stuffing the ballot box.
Unfortunately, for the time being, the limiting by IP address will have to stand–and we apologize to anyone this inconveniences.
BTW, are you from China or Japan?
Dear Christine,
Some points for you to consider:
1. This is not a matter of China or 3rd world anymore. Unless you consider the UK under 3rd world (and some might agree with you), the fact is that the IPv4 crunch is pushing providers to switch to carrier-grade NAT (see http://tech.slashdot.org/story/13/05/07/1232234/bt-begins-customer-tests-of-carrier-grade-nat for example).
2. This decision sounds like a case of “premature-optimization”. First collect the data – maybe there is nothing wrong there? Why assume the worst upfront?
3. Lastly, you could easily store a cookie with a first-seen timestamp and then consider for voting only if the first-seen is (say) older than 4 days. This way, regular users would have their first-seen old enough and would not be subjected to this insensitive treatment… Sure, really opinionated hackers can try to bypass this but you too could detect that if you sign the cookie or if not, just pay attention if something looks fishy…
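The signed first-seen cookie suggested in point 3 above, sketched as an added example (it is not part of the original comment or of FOSS Force's poll code). The cookie layout, the `SECRET_KEY` value, the function names and the in-memory `voted` set are assumptions; the per-visitor ID and duplicate check go beyond the comment to show how a replayed cookie is caught.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
MIN_AGE = 4 * 24 * 3600                # "older than 4 days", from the comment above
voted = set()                          # (poll_id, visitor_id) pairs; a DB table in practice

def _mac(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(now: int) -> str:
    """Value for a hypothetical first_seen cookie: '<visitor_id>.<unix_ts>.<hmac>'."""
    payload = f"{secrets.token_hex(8)}.{int(now)}"
    return f"{payload}.{_mac(payload)}"

def parse_cookie(value: str, now: int):
    """Return (visitor_id, first_seen) if the signature verifies, else None."""
    parts = (value or "").split(".")
    if len(parts) != 3:
        return None
    visitor_id, ts, mac = parts
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), _mac(f"{visitor_id}.{ts}").encode()):
        return None
    if not (ts.isascii() and ts.isdigit()) or int(ts) > now:
        return None
    return visitor_id, int(ts)

def try_vote(poll_id: int, cookie_value: str, now: int) -> str:
    """Decide one vote: 'accepted', 'too_new', 'duplicate' or 'invalid'."""
    parsed = parse_cookie(cookie_value, now)
    if parsed is None:
        return "invalid"        # missing, malformed or tampered cookie
    visitor_id, first_seen = parsed
    if now - first_seen < MIN_AGE:
        return "too_new"        # cookie flushed recently, or a first-time visitor
    if (poll_id, visitor_id) in voted:
        return "duplicate"      # same signed cookie replayed
    voted.add((poll_id, visitor_id))
    return "accepted"
```

Flushing cookies yields a fresh timestamp and a new four-day wait, and editing the timestamp breaks the HMAC, so neither buys an extra vote on a poll that is already running.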
Dror,
I consider either that the whole world is the third world or none of it is. In these times, the term is used primarily either as a way for Westerners from “developed nations” (what we used to call the “civilized world”) to feel superior to everyone else or as a somewhat confusing excuse for ignoring the plight of people who live “elsewhere.”
I’ve talked with our IT people and we’re going to try limiting voting by use of a cookie. At first we’ll try this on one poll only, the poll that will begin running on Monday, May 20. After that poll expires, we’ll determine how to proceed.
We certainly don’t want to exclude anyone from voting in our polls who would like to take part, no matter whether they live in the UK, China, the Sudan or next door to my house.
We’ll see how it goes. I thank you and tik tik for pushing us a little bit on this matter.