N.Y. County Mandates Wireless Security
Mynister writes "CNN has an article about Westchester County NY forcing small business to use basic security on their wireless networks. From the article "The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.""
Sooooooo enforceable.
The dangers of knowledge trigger emotional distress in human beings.
Especially client credit card info, home phone numbers, social security numbers, purchase history...
From the article:
The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted.
Umm...changing the SSID does nothing, in terms of security. If that's all that's required to satisfy this new law, I'm amazed.
Westchester County has outlawed all glass and china dishware, knives and pencils longer than 2 inches and water over the temperature of 120 degrees F.
"Eve of Destruction", it's not just for old hippies anymore...
Maybe they think if the dupes are spread out by a few months instead of a few weeks we'll forget about them. This story was covered in November. Maybe if the Slashdot search system was improved the editors could find this out themselves.
Is there no interest in geekland stories any more? Used to be dozens of replies to any story in minutes but now a story is lucky to get a dozen in an hour. What's up with that?
It can't be hard to do and with the appropriate marketing might shift a few more devices.
Forcing fellows to face fines for failing to follow fallacious fads? Fuck!
Preposterous postulations by porcine politicians pretending to protect the proletariat will proceed to provoke the passion of a pissed population, leading to lazy losers loquaciously loosing lamentations for civil sovereignty on slashdot.
The text of the law can be found here.
What?
Next step is to draft and enact a law making it a criminal offence not to lock your door. Won't take long 'till the whole family is gathered, together again, in prison/workcamp. It'll be fun!
"How about taking the safety labels off everything, and let the stupidity-problem solve itself?"
If I'm not mistaken, Westchester was the town where Commodore set up its headquarters, in its heyday of the PET/VIC series. Would they be required to conform to this law, or would they not fall under the 'small business' provisions?
(Ignoring the fact that Commodore would probably implement their own wireless standards with lowest-cost components, to exempt themselves.)
xkcdsw: the unofficial archive of Making xkcd Slightly Worse
Please don't obey this law, unprotected wifi makes my using it easier.
This is all to protect private information that might be on the local area network of the entity providing wireless connectivity.
At work we put our wireless access on the back side of our WAN connection, and that goes through a proxy with ClamAV on it. They never even touch our internal network.
Sure we took reasonable steps. When I first got my new machine with wireless I saw at least 4 businesses with wide open networks. Went over, introduced myself and showed them how to secure the networks.
What I'd be more worried about is home networks that don't use at a minimum one of the three possible methods of preventing unauthorized access. All one has to do is spend five minutes looking at the documentation for your new wireless router/access point and figure out that they want to employ one of 6 or so combinations of features to secure their network.
I broadcast SSID, but enforce MAC address recognition and WPA key encryption. Bit me in the ass when I had to replace a mini-pci wireless adapter recently. Had to insert the new card's MAC address but made sure I deleted the old one. I know how easy it is to spoof but it's just one more layer.
Why stop with mandatory firewalls? We need to put warnings on pants zippers. There have been many a case of men getting their penile tissue caught in such devices. Frankly, I think some of those zippers may even be terrorists, whose only goal in life is to destroy the freedom that American cocks enjoy. A big warning label on the front of pants could alert vulnerable men to the danger posed by these rogue, genital-hating zippers.
I already have several calls from clients who want me to shut off open access in their places of business. Yes, they have firewalls and are protected, but the DA Jenine Pirro has come out and said how open wireless hotspots help pedophiles and stalkers and these business owners do not want to get involved with this political hot potato in any way whatsoever. Their feeling is that it simply is not worth the risk anymore.
I'm posting this from an unsecured wifi network in Manhattan. In the past ten minutes I've lost connection three times. Why bother securing it when people using the access point can't even stay on the net to post a comment to slashdot?
It'll only stop seeming unlikely until it happens.
Some people want their system "insecure" by choice, knowing not everyone in their neighborhood/family can afford it yet. And no, I do not see it as stealing or morally wrong to allow others on your wifi if you're paying your provider the bandwidth fees they ask for. Same as allowing someone else to sit at your computer.
All they are going to do is push a button or tell their IT dude to do the same. Most people don't have time to wade through the vendor BS to learn anything.
It does nothing for real data security. The easiest way to get data is not to drive, it's to bomb your target's IE or Outlook, at home or at work. Your ISP gives you access to the world and the world access to you. Your WAP gives access to the portion of the world within 100m of your WAP. There are considerably more bad guys in range of your network through one than the other.
Friends don't help friends install M$ junk.
We live in an instant gratification-based society where a very large percentage of the population can't be bothered to do things like read instructions or even a slip of paper. If it doesn't work when it's plugged in and / or switched on, people assume it's broken and return it. And since the competing router comes with security switched off (and seems to "work" when powered up), the consumer translates that into well-thought Amazon reviews such as "WHAT A PIECE OF CRAP ... COULDNT GET TO WORK AFTER AND HOUR, TOOK IT BACK TO BESTBUY AND GOT THE LINKSYS NOUF SAID." That's really the only reason Linksys / Netgear / et al ship their stuff with security disabled.
What if they're trying to offer free, open wireless access? I guess they can just change the SSID to comply, but really...
After reading the article, this line is of interest:
"The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted. Penalties would range from a warning on first offense to a $500 fine on third offense."
How would any of this help with the security of a wireless network? I did not see anything regarding the use of encryption - unless I missed it.
They could probably mandate the signs and they have some authority over the operation of businesses, but if the place is offering free WiFi on (all together now) "unregulated spectrum", they can't do much about it. If your landlord, University, airport operator, etc. can't prevent someone from setting this up or doing it in a particular way, why the hell should Westchester? And, btw, the law doesn't just cover 802.11a/b/g - it would cover using a GSM/Edge/CDMA/whatever-based data service, the way I read it. It just refers to any company offering "wireless internet" as doing business in Westchester, and merely hooking up to the "internet" without cables as "wireless internet". Seems like that would cover Verizon, T-Mobile, AT&T/Cingular, etc.
The FCC regulates radio spectrum and the Internet, because both are Interstate services.
Local laws making bandwidth stealing a crime will also likely get overturned in federal court. There's something in this country called the SEPARATION OF POWERS. It gives the federal government the right to regulate: "Interstate Commerce". Since radio waves don't respect state boundaries, courts have determined they are INTERSTATE in nature!!
The Internet has also been defined as an Interstate service. Local Govts have NO RIGHT to regulate EITHER of these! Recently, Florida passed a law making the operation of a pirate radio station within the state a felony. It WILL be struck down by the first appeal of any conviction. Why? AGAIN, because the states DO NOT HAVE THE RIGHT to regulate Interstate Commerce!!
One has to wonder how these nanny apes think putting a firewall in front of and/or behind a wireless access point--or on the PC for that matter--helps anything. The whole point of sniffing on wireless networks is to sniff traffic that (gasp!) is going through a radio signal, last I heard. And people, ummm, connect directly to it. It's like putting a pack of ninjas in front of a radio tower to keep people from picking up the signal.
Besides, anyone idiotic enough to send personal info in a phukin email or unsecured web site should be flogged in front of their parents. My mother knows not to do that and she can barely get past turning a computer on. Meanwhile, businesses there have to incur extra expense and create frustration with their customers to not be in violation of this ordinance. Positively brilliant. Aren't there a couple potholes in Westchester County, NY that need attention?
Unsecured RESIDENTIAL wireless networks have already been illegal in Westchester County for about 6 months. These laws aren't made to be enforced, per se, they just raise awareness of wireless encryption for the average Westchester County layman. Most non-technical people see encryption as an unnecessary hassle. This problem is even worse in Westchester, which is one of the wealthiest counties in the country, where people tend to not want to be bothered with things they deem too much of a bother. I set up networks all over the county and often hear "well I don't want to remember another 'password'" or "but then I'll have to call you when I buy another computer" or "why would anyone want to steal anything on my network?". It's a lot easier to reply with "Well it's county law" than to try to make the common sense/good practices/file-share liability arguments.
I was under the impression that the US wireless spectrum and wireless devices were regulated exclusively by the FCC. Have they given locals the authority to do this?
"Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones."
Like DRM, and Littering.
Second, if you offer Internet access to the public, you must post a sign suggesting that customers' personal machines implement a security measure. It's not necessarily the best way to protect customers, but a sign is a low-cost requirement and probably rarely burdensome.
The law doesn't forbid offering unrestricted Internet access to anyone within range. This is a good choice. A person or business should be allowed to share use of an Internet connection, provided they are willing to take the risk that someone might use this connection to do very bad things. For example, you might want to offer your Internet connection to the (semi-)anonymous public by running both an unprotected wireless hotspot and a Tor exit node.
Far be it from me to argue with someone so well-versed in the art of being louder than his opposition, but "separation of powers" refers to a model of government where the activities of the government are divided into multiple branches.
Besides that, local governments could argue that the usable range of a wifi signal is very short, occurring fully within their jurisdiction. They could also argue that they aren't regulating the physical communications layer (the radio signal), but rather the configuration of the data link layer, which doesn't necessarily depend on transmission via wireless signal (even though, in practice, that's the only way it's communicated). While there is the potential for a battle up into federal court, I don't see it as being nearly as cut-and-dried as you do... unless you have some legal precedents you'd like to share with us.
If you read the article, the networks must be encrypted if the business stores credit card or financial information of its customers on its network.
I don't know about you, but I think this is a very good thing. It is quite possible that it is within the jurisdiction of the local government as the businesses which are licensed by the local government must conform to local business laws.
Personally I think the FCC should consider enacting similar regulation such that if it CAN be challenged on the grounds the FCC regulates it that they give the authority for that to the local community, or fully enact it themselves.
The number of businesses which employ wireless networks will only go up over the next few years, and any reduction in methods of easily obtaining credit card numbers is a good thing. I don't actually think these steps are sufficient though.
Wired connectivity ONLY on networks that pass information about credit cards around. That shit has no business being on a WiFi network. I will *not* do anything on a wireless network that requires sensitive data being thrown around.
All WiFi networks, even those with WEP (Ha! It is to laugh! Wired Equivalent Privacy my ass!) or WPA, should be dealt with as *untrusted* networks. As in be careful what you do on them and don't give out any personal info on them.
I was horrified when I was working at this one place that sold computer media online. This was about three years ago. The computer I was using for order entry was connected via WiFi to their network. Any dumbass with a sniffer could have had a lot of fun with the info that was being thrown around in the clear. I complained about this and told them they should have my computer on a wired link. They fired me for insubordination. Fuckers. I bet they still have that same in-the-clear WiFi link to that same computer, and they still use it for mail order entry.
Knowledge is power. Knowledge shared is power multiplied.
All AUP issues with my ISP aside, what if I want to give away part of my business's bandwidth? I'm NOT a 'coffee house' or other such 'hotspot', I'm just a nice guy.
That means I get fined if they manage to find me?
---- Booth was a patriot ----
Once again, we have proof that inept politicians don't understand technology. Why do we elect these baboons? We could get better laws from baboons. I don't get it. Why aren't people laughing at them in public? If I created such a law, I'd be ashamed to leave the house.
"if the personal information isn't already encrypted" is a HUGE way out of this whole thing. If you don't keep personal info available by wi-fi, then this law is a non-issue. There are so many holes in this law, it's basically worthless.
I really like the fact that businesses have to put up signs. Where? Out on the street? How about on the roof? How about in the business across the street? What are the limits of sign posting liability?
Poorly thought, poorly planned, and probably poorly enforced. So what did they accomplish? It's wide open for the courts. Do we need stuff like this tying up the courts' time?
I guess we're too stupid to regulate ourselves. We need more regulation. Let's look at Sweden, Denmark, France, and the other socialist countries where regulations KILL their economies, create LARGE numbers of unemployed, and generally wreak havoc on society. Kudos to NY County. Hopefully, the rest of the planet sits back and holds a wait-and-see attitude to see what effect this legislation has.
Everyone's at church/temple.
"Eve of Destruction", it's not just for old hippies anymore...
Jacknis said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network.
.........
Please, God, tell me that that's shitty reporting, and not the considered opinion of somebody who's passing laws.
Yup, you are about the only person with a clue here, but why the Nigerian capitals? "This router uses FOUR MILLION BITS encryption!" ;)
Oh well, what the hell...
Requiring businesses to secure their wireless networks is analogous to requiring businesses to lock their doors. Locking your door is based on knowledge of ease of entry and possibly the intent of people in the area. There should be no mandate or law which states that a business should secure their network. This is the responsibility of the company to be aware how and why to secure their network. Furthermore, establishing a requirement for securing wireless networks puts government squarely in the middle of recommending standards which constantly change and are regularly exploited. If anything... vendors offering equipment should be required to state that the device a person has purchased is unsecured and data on their network may be accessible by unintended parties. Similar text can be used at coffee shops and other WiFi locations. BeDammit!
I'm pretty sure this is how Linksys ones are set up by default. I know that you cannot administer them remotely (from the WAN side) by default, it seems like they ought to set them up so that you can't administer them wirelessly without first changing from defaults (or at least checking a box somewhere, like the WAN option) also.
I'd check, but my WRT54GL doesn't have the default firmware on it anymore. (And obviously it's not using the default password.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It is unsecured in the fact that you can use it. It is also unsecured in the fact that someone could have stolen your online banking info or any other personal information you did on the internet.
What sort of bad crack are you smoking? Have you ever heard of SSL? Looked at the bottom corner of your web browser for that little "Lock/Unlock" security thingy?
The only way you'd be giving up any security by using a public WiFi access point to do online banking or shopping is if you were sending your information over the network unsecured, and in that case you pretty much deserve to see charges for massage parlors in Fiji on your next American Express bill.*
If you're not using encryption, it's insecure by default, I don't care whose network you're sending it over. The Internet is insecure by design -- deal with it.
*(This is assuming you haven't frequented any Fijian massage parlors lately.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The scenario you paint isn't similar. They are requiring (certain) businesses -- which, by the way, require licenses from the government to operate -- to secure their networks; although I do not agree that the steps the law outlines are anywhere close to being secure, that isn't the point of this post. Making it a criminal offense to not lock your door is not the same as making it a criminal offense not to secure your wireless network. Does leaving your door unlocked allow multiple people to use your house to commit crimes? Yes, you could argue that someone could do this, but it wouldn't be very long before they were caught and arrested.
Businesses that run wireless networks need to secure them; I say, leave the broadcast and default SSID on, but require instead for a key to be used to get on the wireless network. Problem solved.
By Microsoft! They used to sell wireless hardware with security on by default, and offered a way to copy security settings from one box to another so they could interoperate.
Buffalo came up with a one-button security approach called AOSS.
What if they're trying to offer free, open wireless access?
Then they're communists and should be thrown in jail.
The problem with WEP 40/64bit is that the key is only 40bit and can be quickly attacked with brute force. The problem with WEP 128bit is that the standard implemented RC4 encryption poorly and known weak IVs, initialization vectors, are used. To crack WEP an attacker needs to collect a large number of packets that use the weak IVs. The time it takes to collect these packets depends on the amount of traffic and can take days or months. Some access points and wireless cards have a driver option to disable weak IVs.
WPA is much stronger and WPA2 is even better. WPA is vulnerable to weak keys. This is more a problem for pre-shared keys (the common home setup) than for certificate based authentication. The authentication mechanism uses 4 packets. Those 4 packets can be captured and attacked using brute force offline. IIRC the attack is not that fast and typically uses dictionary based attacks.
Use WPA with a strong passphrase and you should be safe. A passphrase with 16+ chars and numerals should be good. Some access points have buggy web-based management and can't accept other punctuation or special chars.
Of course this won't stop a well financed (state sponsored) attacker. It will stop the neighbour's script-kiddie teenager.
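Added example (not part of the comment above or of the original thread): WPA/WPA2-PSK turns the passphrase into a 256-bit key with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, which is why offline guessing is slow and why passphrase length matters. The sketch below checks a passphrase against the format limits, derives the key, and gives an upper bound on the search space; the function names, sample SSIDs and guess rate are assumptions made for illustration.

```python
import hashlib
import math
import string

PBKDF2_ROUNDS = 4096   # fixed by the WPA-PSK key derivation
PMK_LENGTH = 32        # 256-bit pairwise master key


def validate_passphrase(passphrase: str) -> None:
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the key the way WPA-PSK does: PBKDF2-HMAC-SHA1 salted with the SSID."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ROUNDS, PMK_LENGTH
    )


def charset_size(passphrase: str) -> int:
    """Size of the alphabet the passphrase appears to be drawn from."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # remaining printable ASCII, including space
    return size


def keyspace_bits(passphrase: str) -> float:
    """Upper bound on entropy; it only holds if every character is random.

    A dictionary word or phrase is far weaker than this number suggests.
    """
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at an assumed offline guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    rate = 1e6  # assumed guesses per second for an offline attacker
    for phrase in ("abcdefgh", "k3v9qz2mx7w1r8t5"):
        bits = keyspace_bits(phrase)
        print(f"{phrase!r}: <= {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
    # Same passphrase, different SSID salt, unrelated keys.
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "linksys").hex())
```

Because the SSID is the salt, the same passphrase under two network names yields unrelated keys, so a table of keys precomputed for a common default name does not carry over to a renamed network.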
this is what it means.
It might be illegal to go on a fishing expedition like that for law enforcement purposes. But maybe not, they are broadcasting the signals.
But what will you do when you're halfway down the street and you see six access points, all named Linksys, and none indicates what business it's from?
Then you need radio direction finding equipment. Crude RDF things are cheap. Reliable direction finding in an urban environment (diffraction, reflections, multiple reflections) takes so much skill that it's an organized sport.
Or asleep.
Interestingly enough, the CAPTCHA for this post is "sleeps".
After this, the State will just have to outlaw speeding, smoking pot, and underage drinking, and enact single-payer healthcare, and we'll all live happily ever after!
I want to delete my account but Slashdot doesn't allow it.
I went to the Westchester County Student Legislative Day a few weeks back, and the WiFi law was actually one of the subjects of the "mock legislative session."
I played the role of a member of the press, which basically enabled me to engage in some level of dialogue with my fellow student representatives. I asked them how changing what the network is called when it pops up in Windows is at all conducive to creating a secure network, at which point they tried to convince me that businesses would have to install a firewall. It went something like this:
Him: "I'd like to call your attention to this section, where it specifically mentions a 'network firewall'."
Me: "I'd like to call your attention to the word 'or'."
The one kid I was arguing with told me he thought his copy of the law was different, but it wasn't. So they dealt with it:
Him: "Okay, to appease this reporter, I'd like to propose an amendment, and change the word 'or' to 'and'."
It passed, by the way. Kinda scary.
For every karma whore there are four more people with mod points to kill.
The intent of the law is not to protect your precious data but to ensure that the bells and their ilk gain unrestricted access to paying customers. If everyone put their wifi routers outside of their firewalls then the data on your home machines would be protected to the same level as they are protected from the internet. Do you really think this government cares about your security?
My bet is that this law was written by a lobbyist for the telecomm industry and delivered to the law makers with a big fat cheque. On second thought, that never happens... Hey do your own search!
But toll roads receive no federal $$ whatsoever.
Not true, there are many roads in the Interstate highway system that have tolls and also get federal funding. I-95 is a good example. Between Philadelphia and NYC (Let's say the NY-CT state line) you'll have to pay at least 3 tolls.
This country over funds its highway system as is, if we put 10% of the annual road budget into alternative modes of transportation we would drastically reduce air and road congestion.
http://abcnews.go.com/GMA/story?id=1253920
Spend every halloween at our the "meeting" or get a visit from the police, isn't this presuming guilt? Especially for level 1, "low risk" offenders who have done their time and are not on probation.
http://www.thejournalnews.com/apps/pbcs.dll/artic
Rounding up non-citizen (but greencard holding) sex offenders with the backing of Homeland Security's "Operation Predator" program. Then deporting them.
http://www.westchestergov.com/currentnews/2005pr/
Forcing sex offenders to take polygraphs as a condition of probation. Now polygraphs have been invalidated by the scientific community, but hey, the county executive used the results to say that for 100 sex offenders put under polygraph examinations, they came up with 5000 incidents that went unreported. That is 50 per person! How long did they interview each person?
There is a lot of interest here in reducing "potential" crimes. Not just sex crimes, I chose that because that is what is being pushed at the moment, but this is happening in general and is representative of the mentality that these politicians have. Westchester is filled with lots of anal retentive, sheltered suburbanites who when fear mongered will elect politicians at the drop of a hat. Few people stop to think whether the county's limited resources could be used more effectively.
This wifi regulation is just one among many bad ones in Westchester. Any time a potential problem crops up, the dipshits in office find the quickest way to pre-empt the problem from occurring altogether, despite the cost and the unintended consequences of casting an overly wide net. Sort of like banning p2p to stop copyright violations or the distribution of child porn.
The only body that can regulate any aspect of wireless communications in the US is the FCC. Nobody else has that authority. I doubt that this silly rule will stick. I wonder how many millions of county dollars those idiots will spend to figure that out?
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
you could program a linksys wrt54g to do that. the crude and moderately secure way would be to dnat all http traffic to an internal webserver and drop all other traffic by default. then make that web server add and remove entries to bypass the dnat/drop.
someone could still steal an existing ip but that would require fairly advanced knowledge.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Just recently I did a little "war-driving," although I would more correctly call it snore-driving, because it's not hard at all to still find loads of unsecured wireless networks. I totally agree that wireless equipment manufacturers should do more than make it real easy to set up a wireless network - maybe there should be an annoying pop-up reminding you to change the password and lock down the network - this could be built-into the configuration software and would pop-up every time you booted up or clicked on a web site.
I can dream, can't I?
"Let us raise a standard to which the wise and honest can repair" - George Washington
Maybe the whole Drug War was just an opening shot in the Abortion War, to ease citizens into the idea that there's no 10th Amendment. ;-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Something you might check out
http://freewlan.org/ The Open WiFi AP wiki.