Unsecured Wi-Fi to Become Illegal?

echucker writes "News.com is carrying a story for a draft proposal for law in Westchester County in New York state that would outlaw unsecured wi-fi connections. Public internet access would require a network gateway server with a firewall and also require home/business office users to install firewalls to protect personal info, even if their connection is encrypted. Violations would carry fines of $250-$500."

Great idea!

[JanusFury]

It's not like the necessary equipment for this costs money or anything! I'm sure that this will boost internet adoption and make conusmers happy.

Re:Great idea!

[h4rm0ny]

Although depending on the wording of the law, this could be used to hinder anonymous internet access. Example - if you are providing a public internet access then unsecured could be interpreted as allowing access without identity verification.

And another bit of privacy is lost.

Re:Great idea!

[Bryansix]

So when your neighbor starts a child pornography ring and posts photos of children in sexually explicit acts to the internet using an IP address assigned to you, you'll take responsibility?

Re:Great idea!

[hector_uk]

well seeing as their will be no evidence on any of my macs/pc's and their will be on my neighbors pc's it's a moot point, my neighbor may borrow my cork screw and stab someone with it, should the lending or cork screws be illegal? hell no.

This is absurd

[TFGeditor]

It is like fining somebody for leaving their door unlocked and they get burglarized.

This is the epitome of a YRO violation. Interesting it was posted under the Hardware banner.

Re:This is absurd

[remahl]

No, it's like fining somebody for leaving their door unlocked and _not_ getting burglarized.

Re:This is absurd

[roystgnr]

No, it's like fining somebody for leaving their door unlocked and _not_ getting burglarized.

No, it's like fining somebody for not having a fence around their property and not getting burglarized.

A locked door isn't like a firewall, it's like a secure password-protected service. Firewalls easily let you limit access to "all or nothing" - but hell, if that's as "fine-grained" as you need your security to be, you can get the same effect on a good OS just by turning off the services you want inaccessible. You can use a firewall to limit access by IP, but you could do that without a separate firewall by having clients do IP (or better, asymmetric encryption key) checks themselves. What you can't do is use a firewall to forward outside connections to an inside service and expect that service to become any more secure.

Does this have something to do with the push behind SP2? I can't imagine Microsoft wanting to widely advertise, "You need to upgrade for security reasons because pre-SP2 versions of our programs are swiss cheese!" but they did need to get the "You need to upgrade for security reasons" message out there - perhaps what got across to consumers and lawmakers was "You need to upgrade for security reasons because SP2 has the all-important magic of Firewall!"

Re:This is absurd

[ThaFooz]

It is like fining somebody for leaving their door unlocked and they get burglarized.

I'm not sure I agree with your analogy. If someone owns something which is both desirable & dangerous (ie handguns, swimming pools, etc) they are required by either laws or insurance premiums to secure it.

I belive the same argument can be made for the internet. Sure the concequences aren't as severe (children having access to unfiltered content & computer virii instead of, well, death and injury), but neither are the punishments under this law with just a fine comparable to that of a speeding ticket.

Negligence is a crime, and negligent computer users are quite responsible for the botnets/internet congestion/virus outbreaks which affect us all in some way (though some, but certainly not all, of that blame can be directed at vendors). We won't see any changes until we hold users responsible for their (in)actions.

Re:This is absurd

[QuesarVII]

It wouldn't be my negligence that led to OmniCorp's problem. It is OmniCorp's job to secure their data. There are many other ways besides my access point for a hacker to get to OmniCorp's server.
You can't feasibly control every method of connecting to the internet. Besides, people with the ability to hack into OmniCorp's servers are going to have no trouble getting past a wep key!

Re:This is absurd

[bcrowell]

For instance my brother lives in a very friendly neighborhood where everybody has wifi and broadband. None of them secure it because they all get better coverage that way.
I don't use wifi and don't know much about it. Can anyone explain this using crayons? Suppose I put a wifi card in my linux box, take it to this neighborhood, and don't take any extra special precautions. What the heck is going to happen? I'm on this network with a bunch of other people. I fire up my browser and visit Slashdot, using http; the packets are available for the public to care, but so what, isn't that the same is a wired network? Now I go to Amazon.com and order a book over https; the packets are encrypted, nobody can get my credit card number, so what's the issue? Somebody tries to log in as root on my machine, but they fail because they don't know the password: so what?

Is the issue simply that Windows users leave too many services on, pick weak passwords, and normally are insulated from the consequences because they're firewalled by default by their ISP?

Re:This is absurd

[gmack]

I once talked to a USRobotics sales rep and he thought exactly the same way you do. "personally I don't have anything on my network that people would want to break into". He was completely missing the point. The issue is that someone else can come visit the neighborhood someone not so nice and doesn't belong there who can now send spam or attempt to break in to other people's servers. All those nice things that if done from their own isp connection would get them kicked off by their ISP or have the police visit. Guess who gets the blame? All traces stop with the person who owns the internet connection.

Re:This is absurd

[Midnight+Thunder]

Oops, looks like I didn't check what I had written. I should have been:

This is why a prefer the "insurance company" approach: we WON'T fine you for leaving your door unlocked, but we won't pay up if it is unlocked and you get unlawful entry either.

Remember you can walk into most buildings, but once you see the sign "authorized personnel only", have a need of a key (electronic or otherwise), or an employee of the building indicating you can not pass you know that this is where you stop, unless you have business being in the building, legitimate or otherwise.

Re:This is absurd

[Pendersempai]

This is why we need strict liability for having your customers' personal information stolen. This is not an argument for arresting/fining people with an unprotected WiFi.

Re:This is absurd

[pimpin+apollo]

So the consumer who buys the linksys box, comes home, and sets it up is liable to protect themselves... but the company that produces software that lacks these purportedly basic protections is under no similar obligation?

It just is more evidence that the legislature should be regulation of last resort. Anybody who's been on their work network or a campus resnet knows that bureaucratic rule making is the least efficient kind out there. That's why we delegate power as much as possible. This doesn't work though when legislatures (even county legislatures) start trying to write network policies for everyone.

There's a myriad of paranoia over anything that happens with a computer -- people could send anonymous emails this way! -- that conveniently forget there are always much more dangerous real world alternatives (do you show id at a mailbox?).

What's more, the only dangers to innovation aren't just patents and copyrights (although these are significant). There's also danger in over-regulating technology simply because most people don't understand it - again, conveniently forgetting that most people don't understand most things and yet this does little to engender a rash of absurd regulation.

New York State should pass a pre-emption statute so that local municipalities can't arbitrarily run over much more important things in pursuit of some meaningless 'security'.

Re:This is absurd

[ultranova]

Now I go to Amazon.com and order a book over https; the packets are encrypted, nobody can get my credit card number, so what's the issue?

The issue is that your Corporate Overlords and their Political Henchmen want to keep an eye on you, and that is easier if all the data from and to your computer goes through a single wire. In a world full of public anonymous Wi-Fi access points, anyone could connect to anything from anywhere without giving away their own identity, allowing free exchange of information without fear of legal consequences, and making things impossible to censor (since it might be impossible to find the servers the data resides in, especially if the servers are running a P2P network like Freenet); it is Big Brothers and Big Businesses worst nightmare.

Freedom is the worst enemy of Power, so of course powers-that-be try to crush it. This law is just another attempt of forces of darkness to crush all opposition and bring about a Digital Dark Age.

Re:This is absurd

[jelton]

I think one reality to face here is that while strict liability may pressure large businesses to act immediately, many smaller businesses either won't know they need to act or will simply choose to roll the dice. If the goal is to make sure businesses protect customer data, than fining companies failing to comply with a statute requiring that they secure the network would work much better than allowing people to sue after the fact.

This is really no different that the Health Department making sure that restaurants are clean and people don't get sick when they eat there or the state enforcing speed limits to proactively encourage people to slow down. you can always sue the restaurant or the driver, but does that really help the family who's member gets sick or injured after eating bad food or getting hit by a reckless driver? And no, I'm not equating food poisoning to identity theft...I think ID theft might be worse in many cases.

Re:This is absurd

[bcrowell]

The packets that are sent are recorded on the screen. You can pick up passwords, IM conversations, even (yes, that's right) credit card numbers. It's really quite scary how insecure an insecure wifi network is.
I don't see what any of this has to do with wired versus wireless networks. Packet sniffers can be used on wired networks as well. Every packet you ever send across the internet is public, and could pass through fifty different machines, none of which are guaranteed to be owned by nice people. If you're a Chinese political dissident using IM, I hope you're using an IM protocol that's encrypted -- or are you saying you're willing to trust your life to your ISP, as well as the owner of every other machine your packets pass through? In the case of credit card numbers, that's why https exists. If you want privacy on the internet, you have to use encryption.

Re:This is absurd

[mre5565]

You might not think that when you discover that your mortgage office, which stores an obscene amount of personal info, has all of that personal information on desktop computers on an unsecured wireless network.

You have single handedly undone in my knee jerk reaction; I think your point is well taken.

We have National Electric Code which most municipal electric codes based their rules on. The NEC is defined by the electrical nerds. We ought to have a National CompSec Code defined by the nerds. It appears this county is trying to fill a cap (and will likely mess it up). This is a complex area crying for straightforward guidelines. With generally accepted guidelines, it would be easier for small businesses to deploy this stuff safely.

Another reply pointed out that Sarbanes Oxley covers all this. It doesn't actually. What I've observed first hand and from reading the statute, is that there is nothing specific in the statute, and instead, corporations defer to third party auditors who define security policy. For example the auditor will often insist that passwords be changed frequently (every 3 months is often preached) and that the passwords use combinations of upper and lower case, special characters, and numbers. Thus the passwords are difficult to remember, and by changing them frequently, the result is less security because people write them down on sticky notes.

Incredibly, the auditors don't seem to care if passwords are going in the clear over the network.

This is what happens when the nerds stand around and let the idiots (politicians) make the rules. It appears the plumbers and electricians figured this out decades ago. Our turn.

Is this because of the telco's?

[koan]

Is this a response to the Google plans and various other implimentations of free wireless?
These legislators have gotten downright dangerous, I also wonder, how uesful is an open network for hacking?
If you were up to no good is an open AP the way to do it?

Luckily it is just a proposal.

[Nichotin]

This law would be impossible to enforce anyway. You would have to send a task around to track down all unsecured access points, then bust in the doors of a whole lot of white middle class people.

Speeding also illegal, as is cheating on taxes

[Gothmolly]

Um, just making something illegal doesn't stop it. Try doing the speed limit, in Westchester county of all places.
To me, this sounds like one of those "I'm protecting your children from Teh Internets" moves that politicians do periodically when they have to remind the masses that its time to vote.
How about holding someone responsible (gasp) for any malicious activity that originates FROM their network?

Re:Speeding also illegal, as is cheating on taxes

[RAMMS+EIN]

``How about holding someone responsible (gasp) for any malicious activity that originates FROM their network?''

Now there's a good idea. Actually, don't we have that already?

In related news...

[M555]

Leaving you front door unlocked is now illegal

Re:In related news...

[iggymanz]

that's a disgusting mindset that makes laws like that, people need to start taking full responsibilty for their actions rather than having government take away freedoms and meddling to protect people from themselves.

The idea is nice, but politicians are idiots

They think they can legislate network security!

They are attempting to protect citizens whose information might be exposed by business without adequate security. All they really require is a firewall which will do nothing. More of this type regulation will do nothing. Businesses need more information and resources to protect their networks, but we all realize this isn't always such a simple problem and is often a moving target. Politicians are THE LAST people I want making network security policy and attempting to legislate it. Sounds like one less reason to do business in Westchester County.

stupid stupid stupid

[Matey-O]

We've got a public access wifi point in the building for visiting salsefolks and people from other government departments.

Open you laptop and you'll get 'do you want to attach to PublicWifi?'

It's firewalled off, URL filtered, and aside from http(s), DHCP, DNS, SSH and VPN, nothing else can get through. Further, those ports will only attach to outside IPs. All traffic is monitored, and there are notices in all meeting rooms that Your security is Your problem.

This is a solution that protects OUR network, has zero admin overhead, and still permits the resource...So that's now illegal?

Re:Well, driving without a...

[capoccia]

they won't become criminals. it will be one more thing that their broadband supplier will convince them to buy.

As if it isn't enough already?

[saskboy]

As if it isn't enough that using someone's open Wireless Access Point without permission is illegal, now they're making it illegal to own current wireless technologies? That's like bank robbing being illegal, but they're banning banks just in case. And I'm not saying connecting to open wireless is like robbing a bank, it's just an extreme analogy to show what the law is outlawing.

Ok.. I just turned on WPA....

[cowmix]

The passkey is 'passkey'. Am I legal now?

Do they have standing?

[redelm]

A legislative body can pass whatever they want, but it might not withstand legal challenge. In this case, I don't see how the county can show an interest. This is clearly interstate, and the FCC has jurisdiction.

I don't mind this

[digitalgimpus]

Personally, I'm still convinced unsecure WiFi poses to large of a risk. Just think about what can happen:

- terrorists could potentially drive up, connect, and unleash an attack on infrastructure (power grid, etc.).

- peidophiles could drive up, and transmit their data, then leave... with nobody knowing who they are, and it being pretty much impossible to track down.

- lauching of a virus or bot attack.

No longer is traceroute a good solution to find out who is at the end of the line. Anyone can find any open wifi, connect, do harm... and leave. By the time the damage is realized, they can be hundreds of miles away.

Why would a criminal work from home? Use someone elses network.

And we pay these jackasses salaries'?

[Starker_Kull]

For the love of god - seatbelt laws were enacted because the consequence of not wearing a seatbelt was a much higher probability of DEATH in an auto accident (and assuming you are just injured, the associated higher costs of health care which has to be borne by everybody) - hardly the result of someone who "hack[s] into the [your] network and steal your most confidential data". Jeez, even that quote, "the network", like there is only one shows how clueless some of these politicians are. Now we need laws going after WiFi providers who don't secure themselves sufficently?

Let's pass some other useful laws, then:

1) Fine people who use unpatched OS's, or OS's with KNOWN, UNPATCHED security holes. They cause all those net problems!
2) Fine people who don't lock their car doors at night. They're letting car thieves make a living!
3) Fine people who purchase something without collecting a reciept - they're enabling tax fraud, and employees ripping off corporations!
4) Fine people who plug in electronic equipment without surge protectors in place. They're tempting God to wreak havok with his lightning bolts!

When did it become acceptable to penalize the victims rather than the criminals?

(/rant)

Do the same here...

[bogaboga]

We in the country do not lock our homes when we leave. Nothing has ever happened. I guess I am speaking for myself and the few friends I know here.

Our politicians should do what matters for the ordinary folks like fixing health-care and other services, then legislate on matters like these. Is that too much to ask for?

Phone Companies Must Be Behind This

[diakka]

Looks like they want to cut off all the free wirless access so they can charge you for it. Aren't you glad they care about making your internet safe?

Seriously though, one poster asked jokingly why they aren't banning insecure OS's and it sounded funny, but it does point out a problem with the bill. Certainly people running insecure OSs are just as bad for spam, and illegal activities as are free wireless, yet nobody is proposing a bill to fine those users. Naturally, if someone proposed this, MS would throw a shit fit.

Internet Traffic Ticket

[canuck57]

Violations would carry fines of $250-$500."

About time. I figure the only way law enforcement is going to enforce internet good practices is if it becomes like traffic tickets. Get caught, pay the fine. This is a good idea unless you want your access point open.

Industry Regulation

[jpl166]

While it sounds like this particular proposal was written by people who just don't understand, maybe it will give people with a bit more clue (and authority) an idea.
People were talking about this being like getting fined for leaving your door unlocked. How about fining a landlord who doesn't provide locks on the doors? With the prevalence of wireless "internet router" units, many of which include basic firewall functionality, it wouldn't take much of an upgrade to make this work well. Anything that provides 802.11[bg...] should have a firewall built in and come with a VPN client - anything on the airwaves is then firewalled AND encrypted. How much would this really cost the industry? How much would it benefit the public?

Simple solution.

[polyp2000]

Enable encryption on the access point and then make the encryption key publically available.

are they also going to make it illegal to

[darth_linux]

keep doors and windows unlocked in your home?

ah, local politicing

[E8086]

It's either they really care about the security of the resident's home wireless networks or they're planning some municipal "Wi-Fi" subscription service and they want to eliminate the free competition and have a monopoly for themselves. If they really cared, instead of fines, they'd create a free guide on securing a wireless connection and distribute it at the town hall and/or in the local paper. I'll go with 'eliminate the competition' it's all politicing, there has to a reason other than "for the public good" for why they want close down all the open networks. Hatch is owned by the **AA, maybe they've been bought out by Verizon broadband wireless.

1) take down all open wireless networks (sources of free Internets)
2) install municipal subscription service at $9.99-$59.99/mo
3) PROFIT

Except...

[msauve]

for this little thing called the US Constitution, which provides free speech guarantees, and which this law certainly infringes. IP is just another form of communications.

Re:Equivalent of seatbelt laws?

[syukton]

You know, I get the feeling that you're an inconsiderate moron.

Suppose you've got a person who was just in a car wreck and you've got a child who was just pulled from a burning building who is in serious need of medical attention. The county only has one free ambulance at this point in time, who do they go get? Well if the guy in the car wreck had worn his seatbelt and not been thrown through the windshield, they could just go get the kid. But since the guy in the car was thinking only of himself and didn't even bother to consider that his actions could affect others, he wasn't wearing his seatbelt and now a 911 dispatcher needs to choose between who lives and dies. Most people who don't wear seatbelts don't consider this at all, that by their being a negligent jackass they're depriving others of services they deserve because they aren't selfish, ignorant, negligent jackasses.

So you see, seatbelt laws aren't there to protect just the driver, they're there to protect the rest of society from those drivers' innate ignorance, selfishness, and negligence.

This proposed law is nothing like a seatbelt law, at all.

Unenforceable

[HermanAB]

Sure, they can pass such a regulation, but any communications limiting regulations are unenforceable in most states. In Canada, only the Federal Government can regulate communications. So, yeah, nothing to see here, move along...

Law written by the telco's lawyers

[webweave]

This is an attempt to stop free internet access from competing with big telco. It's all about the bucks, don't you know?