Greenarrow 1 wrote:
>But, the problem I see with this survey is they only polled 1,000 out of 
>what over 5 million users in the USofA.
Political pollsters regularly sample 1000 Americans to get a prediction
of 100,000 voters that is accurate to 5% or so. 1000 people should be
sufficient to sample software users, unless there is something else
wrong with the sample or the questions.

>Just randomly suppose they accidentally picked everyone that
>has superb software and hardware on their systems (unlikely but probable).
Just what does "unlikely but probable" mean?

To "suppose" this, we have to think there is something wrong with the
sample or the questions. What is it you think is wrong with the sample
or the questions? Or is it just that you find the result to be improbable?

>On repairing systems for my customers I say 1 out of 20 are only satisfied 
>with their programs so who is right Harris Poll or my customers?
Now *there* is a skewed sample; the set of people currently experiencing
a problem so severe that they have to call in a professional to repair
it. Under just about any circumstance, I would expect this group to be
highly unsatisfied with vendors. It's like taking a survey of auto
quality in the waiting room of a garage.

What really mystifies me is the analogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good sense
for fire insurance, but not in selecting software?

The only factor I can think of is that mortgage carriers insist that
their customers maintain fire insurance. No fire insurance, no loan, and
most people cannot afford to pay cash for their home. So to impose a
"prudence" requirement on software consumers, perhaps some outside force
has to impose a "pay to play" requirement on them. Who could that be?

ISPs, perhaps? Similar to mortgage companies, ISPs pay a lot of the cost
of consumer software insecurity: vulnerable software leads to virus
epidemics, and to botnets of spam relays. Perhaps if ISPs recognized the
cost of consumer insecurity on their operations, they might start
imposing minimum standards on consumer connections, and cutting them off
if they fall below that standard. Larry Seltzer has advocated a form of
this, that ISPs should block port 25 for consumer broadband in most
cases (http://www.eweek.com/article2/0,1759,1784276,00.asp). There are
several other actions that ISPs could take:

    * egress filtering on all outbound connections to block source IP
      spoofing
    * deploy NIPS on outbound traffic and disconnect customers who are
      emitting attacks
    * require customers to have some kind of personal firewall or host
      intrusion prevention

The catch: the above moves are all costly and, to some degree,
anti-competitive, in that they make the consumer's Internet connection
less convenient. So to be successful, ISPs would have to position these
moves as a "security enhancement" for the consumer, which AOL is doing
with bundled antivirus service as advertised on TV. ISPs could also
position a non-restricted account as an "expert" account and charge
extra for it.

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
