Unsecured Wi-Fi to Become Illegal?

echucker writes "News.com is carrying a story for a draft proposal for law in Westchester County in New York state that would outlaw unsecured wi-fi connections. Public internet access would require a network gateway server with a firewall and also require home/business office users to install firewalls to protect personal info, even if their connection is encrypted. Violations would carry fines of $250-$500."

Wardriving Police Cars

I can see it now :)

This is absurd

[TFGeditor]

It is like fining somebody for leaving their door unlocked and they get burglarized.

This is the epitome of a YRO violation. Interesting it was posted under the Hardware banner.

Re:This is absurd

[remahl]

No, it's like fining somebody for leaving their door unlocked and _not_ getting burglarized.

Re:This is absurd

[Gulthek]

You might not think that when you discover that your mortgage office, which stores an obscene amount of personal info, has all of that personal information on desktop computers on an unsecured wireless network.

Yes, I have worked as a mortgage loan officer for such a place. Yes, I insisted on that being changed (to extremely computer clueless management). Yes, I eventually quit for these and other questionable practices.

Re:This is absurd

[roystgnr]

No, it's like fining somebody for leaving their door unlocked and _not_ getting burglarized.

No, it's like fining somebody for not having a fence around their property and not getting burglarized.

A locked door isn't like a firewall, it's like a secure password-protected service. Firewalls easily let you limit access to "all or nothing" - but hell, if that's as "fine-grained" as you need your security to be, you can get the same effect on a good OS just by turning off the services you want inaccessible. You can use a firewall to limit access by IP, but you could do that without a separate firewall by having clients do IP (or better, asymmetric encryption key) checks themselves. What you can't do is use a firewall to forward outside connections to an inside service and expect that service to become any more secure.

Does this have something to do with the push behind SP2? I can't imagine Microsoft wanting to widely advertise, "You need to upgrade for security reasons because pre-SP2 versions of our programs are swiss cheese!" but they did need to get the "You need to upgrade for security reasons" message out there - perhaps what got across to consumers and lawmakers was "You need to upgrade for security reasons because SP2 has the all-important magic of Firewall!"

Re:This is absurd

[Pendersempai]

This is why we need strict liability for having your customers' personal information stolen. This is not an argument for arresting/fining people with an unprotected WiFi.

Re:This is absurd

[GuyverDH]

"Negligence is a crime, and negligent computer users are quite responsible for the botnets/internet congestion/virus outbreaks which affect us all in some way (though some, but certainly not all, of that blame can be directed at vendors). We won't see any changes until we hold users responsible for their (in)actions."

BULLSHIT.

The writers of bots and viruses are responsible for those outbreaks!

The writers of the host operating systems that were *shipped* with obscene numbers of security holes are responsible for those outbreaks!

The users who are uninformed (ie - the box/manual doesn't say the software comes with security holes) are NOT responsible for the spread of malicious activity.

That's like saying the people who ride public transportation are responsible for the negligent amounts of polutants that city buses put into the air.

Let's start enforcing the laws we have.

Jail time for those who write viruses and bots.

Every time a new virus or bot hits the net, fine the company that sold the bug filled software that enabled the bot to run. Make the manufacturer responsible for the problems their incompetance (or negligence) caused.

If a car manufacturer sells vehicles that crash all the time, they are forced to do a recall.

If a hardware manufacturer sells computers / laptops that have a material defect that can cause harm or property damage, they are forced to recall.

If a software company releases software that causes (through bugs, incompetence, negligence) damage, financial harm, or physical harm (ie bad software controls for automatic equipment) they are somehow held NOT responsible?

If I write a piece of software designed to do a specific task, then state in the EULA that it may not be suitable for that purpose, and that in the end, it's the users responsibility to determine suitable (and in some cases, safe) functionality in that task, I get off with no responsibility or accountability?

I believe that any member of government who says that people in general should be fined because they take a product and use it by just plugging it in and running it as it was shipped by the manufacturer is, to put it bluntly, bull shit. It's just another ploy by less than intelligent, power hungry law makers blindly trying to find a culprit (in all the wrong places - as usual) and make some money off of it.

Re:This is absurd

[Viper168]

You're way off buddy, it's more like your forcefield fails, a cat sneaks onto your ship while you're making a sandwich, then you forget about the sandwich and still don't feed the cat. When the cat finally gets upset and leaves, you take a shower and then take a nap.

I don't see how you could have missed this from the start.

Re:This is absurd

[bhtooefr]

It's like being fined for parking your (locked) car in your driveway, instead of in your garage.

There, car analogy.

Is this because of the telco's?

[koan]

Is this a response to the Google plans and various other implimentations of free wireless?
These legislators have gotten downright dangerous, I also wonder, how uesful is an open network for hacking?
If you were up to no good is an open AP the way to do it?

Luckily it is just a proposal.

[Nichotin]

This law would be impossible to enforce anyway. You would have to send a task around to track down all unsecured access points, then bust in the doors of a whole lot of white middle class people.

Re:Luckily it is just a proposal.

[l3prador]

Actually, from the article it seems to only apply to businesses, or home offices, not just any homeowner. Their intention seems to be to prevent theft of credit card information from customers of the business.

Speeding also illegal, as is cheating on taxes

[Gothmolly]

Um, just making something illegal doesn't stop it. Try doing the speed limit, in Westchester county of all places.
To me, this sounds like one of those "I'm protecting your children from Teh Internets" moves that politicians do periodically when they have to remind the masses that its time to vote.
How about holding someone responsible (gasp) for any malicious activity that originates FROM their network?

Right. That'll work.

[Morky]

If being an idiot were illegal, most of my company would be in prison.

Will they also require we lock our front doors?

[tinrobot]

What ever happened to personal choice?

If I want to leave my data connection open for any number of reasons, that's my business. If I want to leave my front door open or not lock my car, that's my business too...

Ridiculous.

stupid stupid stupid

[Matey-O]

We've got a public access wifi point in the building for visiting salsefolks and people from other government departments.

Open you laptop and you'll get 'do you want to attach to PublicWifi?'

It's firewalled off, URL filtered, and aside from http(s), DHCP, DNS, SSH and VPN, nothing else can get through. Further, those ports will only attach to outside IPs. All traffic is monitored, and there are notices in all meeting rooms that Your security is Your problem.

This is a solution that protects OUR network, has zero admin overhead, and still permits the resource...So that's now illegal?

So who gets to enforce it?

[mrmaster]

When I read this article I was thinking that I wouldn't mind having the job of enforcing this. Then I realized I would have to have the mindset of a parking enforcer to do something like this. Hell, let the parking enforcers take care of this as well. They love a good power trip. Parking enforcer: "Ma'am, your wireless access point is not running a firewall." Some old lady: "My what isn't on fire?" Parking enforcer: "your internet. It is against the law to allow others to use your internet for free" Some Old lady: "Oh, my 10 yr old grandson got that internet thing to work? Isn't he wonderful? He is so smart." Parking enforcer: "Ma'am, here is a ticket for running an unsecure access point. Don't let it happen again." Some Old lady: "How dare you come to my house and threaten me with this! I've been living here for 30 years and have never been treated like this! Parking enforcer: "Ma'am, have a nice day" Slow day at work. I apologize

Here's the Big Brother part...

any business or home office that stores personal information also must install such a firewall-outfitted server even if its wireless connection is encrypted and not open to the public. All such businesses would be required to register with the county within 90 days.

I wonder who is really behind creating THAT database?

Ok.. I just turned on WPA....

[cowmix]

The passkey is 'passkey'. Am I legal now?

Re:allowing an unlocked house & meth lab

[Angostura]

So let's be clear. You are in favour of strict penalties for anyone who leaves their house with a door unlocked on the grounds that the premises may be used for illegal behaviour?

In that case, I would like to propose compulsory content analysis and blocking on all backbone routers. Because you never know when someone somewhere might use the Internet for something distasteful.

I suspect that the proposed legislation has zero chance of getting anywhere.

Which might be a good reason to leave it open

[SuperKendall]

All those nice things that if done from their own isp connection would get them kicked off by their ISP or have the police visit. Guess who gets the blame? All traces stop with the person who owns the internet connection.

So when the P2P police come calling if I'd had an open wireless connection it provides an element of doubt that I am guiltiy, which is pretty handy (if you're into P2P). If I used P2P a lot I'd do it from a box that operated only through my wireless connection - then any records don't even show the MAC address of your primary computer and you could ditch the box quickly if you got The Letter.

Re:Great idea!

[h4rm0ny]

Although depending on the wording of the law, this could be used to hinder anonymous internet access. Example - if you are providing a public internet access then unsecured could be interpreted as allowing access without identity verification.

And another bit of privacy is lost.