Slashdot Mirror


N.Y. County Mandates Wireless Security

Mynister writes "CNN has an article about Westchester County NY forcing small business to use basic security on their wireless networks. From the article "The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.""

42 of 213 comments

  1. But information wants to be free! by needacoolnickname · · Score: 5, Funny

    Especially client credit card info, home phone numbers, social security numbers, purchase history...

  2. Not really security by flooey · · Score: 5, Insightful

    From the article:

    The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted.

    Umm...changing the SSID does nothing, in terms of security. If that's all that's required to satisfy this new law, I'm amazed.

    1. Re:Not really security by Intron · · Score: 2, Funny

      I just changed my SSID to "MBNA_Client_Accounts". Now my wireless domain is safer from hackers!

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:Not really security by kryzx · · Score: 2, Insightful

      Let's also require that all vehicles have a red blinking light on the dashboard any time the owner is not in the car. But it's your choice on whether to lock the doors or leave the keys in the ignition.

      --
      "I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
    3. Re:Not really security by Peyna · · Score: 4, Interesting

      "Minimum security measures" shall include, but not be limited to: (a) installing a network firewall; (b) changing the system's default SSID (network name); or (c) disabling SSID broadcasting.

      Any commercial business that stores, utilizes or otherwise maintains personal information electronically shall be required to take minimum security measures as defined herein to secure and prevent unauthorized access to all such information.

      So it does look like just changing the SSID would be enough to fulfill the requirements of the law; however, the real purpose of the law was just to bring wireless security to the attention of these businesses. If it inspires a few of them to take a minute to evaluate their wireless security and then do something about it, chances are they will do more than just change the SSID. The fines available aren't severe enough to compel anyone into compliance.

      --
      What?
    4. Re:Not really security by networkBoy · · Score: 2, Interesting

      yup, even with wep/wpa you can sniff the ssid off packets.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:Not really security by Abcd1234 · · Score: 4, Insightful

      So why pass a law in the first place?? Just start a public information campaign. Send fliers, broadcast commercials, that sort of thing. Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones.

    6. Re:Not really security by MobileTatsu-NJG · · Score: 2, Insightful

      "So why pass a law in the first place??"

      Because I don't want my credit card info stolen due to negligence from a company that's supposed to be holding my data securely.

      "Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones."

      Normally I would agree, but not this time. If my cc company were broken into because they had an insecure wireless router, I'd want to nail their asses to the wall as well as the person who stole in the first place. We're talking about securing sensitive data, here, not Joe Schmo sitting in his house playing quake over the wlan.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    7. Re:Not really security by MikeFM · · Score: 2, Insightful

      What about the number of businesses brilliant enough to put network ports in places that are open to the public? I've been able to jack in my laptop in hallways, waiting areas, and even outside of many businesses and government offices. What about fully wired PCs running Windows that get infected, hacked, or otherwise owned?

      It seems to me that busybody laws about specific technical choices aren't a good thing. Better to just make a general law about liability of businesses for leaked personal or financial information. Make them fully liable for all damages and throw in a hefty fine. Who cares how the information is leaked? If your lack of security hurts someone else then you should be liable. Maybe limit their liability and fines if they can document a good effort at securing that information. Not just having a security policy either - something solid such as daily security patches, virus scans, having proper firewalls, etc. I'd be tempted to fine anyone running Windows but I imagine Microsoft would use their money to keep that from becoming law.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  3. In other news... by HotNeedleOfInquiry · · Score: 4, Funny

    Westchester County has outlawed all glass and china dishware, knives and pencils longer than 2 inches and water over the temperature of 120 degrees F.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:In other news... by twitter · · Score: 2, Insightful
      You might not have noticed that they just made free software use more difficult. You will, at the minimum get Kwifi going if you have more than one wireless network you want to use. That won't always work, because of all the different little "standards" used by equipment makers. Windoze users, of course, will have a harder time too, but they expect and travel less to begin with.

      It's not funny. Mandating "security" without mandating it be implemented with accepted and published standards is counterproductive. Half ass "security" measures like this do more harm than good. If they were really worried about securing personal information, they would outlaw keeping that information with an OS that has a 12 minute half life on any network. By enacting admittedly useless precautions, they are enforcing the notion that security in general is nothing more than an inconvenience to the user.

      --

      Friends don't help friends install M$ junk.

  4. Re:Hmmm by TubeSteak · · Score: 4, Informative

    Actually, it is super-enforceable.

    They can do it on the cheap with a few fulltime inspectors walking around with laptops & their eyes open for the notification signs.

    In addition, I imagine they'll make some noise in newspapers and whatnot to get computer nerds & other concerned citizens to report any violations of the law.

    Stuff like this is very easy to enforce. A friend of mine's father was made an honorary postal inspector and given a card saying so... because he would constantly report on people who were illegally parked around the local Post Office. They even gave him freebie phone cards & disposable cameras to sweeten the deal and allow him to document the parking violations. And before anyone says the guy had too much free time, he was an insurance appraiser & was in the Post Office twice a day, every day.

    --
    [Fuck Beta]
    o0t!
  5. Re:Hmmm by N3TW4LK3R · · Score: 5, Insightful

    I don't think they want to enforce it.
    They're just making this law so that the courts can blame someone in case of damages

  6. Re:Dupe by TubeSteak · · Score: 3, Informative

    The old article was "they're trying to do this"
    The new article says "they did it"

    A lot of laws get drafted, proposed, and then rejected.

    This one didn't. So how is it a dupe?

    --
    [Fuck Beta]
    o0t!
  7. Re:Dupe by HoosierPeschke · · Score: 3, Informative

    Not a dupe, a continuation. You took all the time to search for the story but you didn't bother to read it. The first story was about the proposal. This story is about the enactment. The only dupes here are the comments about this story being a dupe.

    --
    Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
  8. Secure by default by DrXym · · Score: 4, Insightful
    The Netgears of this world should ship their devices secure by default. The device should be set up to use encryption by default, using a random key (printed on the unit underside and a slip of paper) and the appropriate instructions to let the user figure the rest out.

    It can't be hard to do and with the appropriate marketing might shift a few more devices.

    1. Re:Secure by default by UnderDark · · Score: 2, Interesting

      So, what if you're blind you insensitive clod!

      But really, if it uses encryption out of the box, people are going to get angry when their system can't connect to it because people don't read documentation: they just plug it in and let it rip most of the time.

    2. Re:Secure by default by mapkinase · · Score: 2, Insightful

      How about: first connected node gets a wizard in its face obliging him/her to enter a secure mode?

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  9. Text of the law by Peyna · · Score: 4, Informative

    The text of the law can be found here.

    --
    What?
  10. Stupidity. by hyfe · · Score: 4, Insightful

    Next step is to draft and enact a law making it a criminal offence not to lock your door. Won't take long 'till the whole family is gathered, together again, in prison/workcamp. It'll be fun!

    --
    "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
  11. Re:Hmmm by bmo · · Score: 4, Interesting

    There's a name for that kind of guy...

    "Busybody"

    And it's not a good name. I'd hate to be his neighbor. Are you suggesting that Westchester county ask for vigilante^H^H^H^H^H^H^H^H^H volunteer network scanners? How about we ask that your neighbors check to see if you're violating any of the "laws of nature" in your bedroom?

    --
    BMO

  12. Is Starbuck's Secure? by nickfrommaryland · · Score: 5, Informative
    From the article:
    Some of the unprotected networks were at cafes, hotels or other establishments that offer wireless hot spots to patrons. Other networks, like those at Starbucks, were protected.
    The last time I checked, T-Mobile's service is not any more encrypted than a Netgear router taken right out of the box. Likewise, a sign will probably not protect you from much, unless you're a business. Then you can use the sign to protect yourself from liability.
  13. No... I like my free wifi by 9mm+Censor · · Score: 3, Funny

    Please don't obey this law, unprotected wifi makes my using it easier.

  14. Re:Hmmm by Firehed · · Score: 3, Interesting

    But I just had to RTFA on this one, and it only applies to businesses where CC#s are stored on the network (which should be limited to Visa and Mastercard headquarters), not your average joe who couldn't be bothered to RTF huge notice duct-taped to his new router saying to enable wep/wpa/anything. Or that's how I read it anyways.

    --
    How are sites slashdotted when nobody reads TFAs?
  15. Shutting off Wi-Fi by HPNpilot · · Score: 4, Interesting

    I already have several calls from clients who want me to shut off open access in their places of business. Yes, they have firewalls and are protected, but the DA Jenine Pirro has come out and said how open wireless hotspots help pedophiles and stalkers and these business owners do not want to get involved with this political hot potato in any way whatsoever. Their feeling is that it simply is not worth the risk anymore.

  16. Re:Hmmm by TubeSteak · · Score: 3, Interesting

    Ummmm... pretty much every single enforcement agency (public or not, examples: the BSA, your local community board) has a mechanism for the public to report violations.

    It really depends on how the enforcement agency feels about what you're reporting. If they don't care, you get ignored and called a busybody.

    To put it in perspective: Would you make the same complaint about people who reported building or health code violations?

    --
    [Fuck Beta]
    o0t!
  17. Not gonna happen by PeeAitchPee · · Score: 2, Insightful

    We live in an instant gratification-based society where a very large percentage of the population can't be bothered to do things like read instructions or even a slip of paper. If it doesn't work when it's plugged in and / or switched on, people assume it's broken and return it. And since the competing router comes with security switched off (and seems to "work" when powered up), the consumer translates that into well-thought Amazon reviews such as "WHAT A PIECE OF CRAP ... COULDNT GET TO WORK AFTER AND HOUR, TOOK IT BACK TO BESTBUY AND GOT THE LINKSYS NOUF SAID." That's really the only reason Linksys / Netgear / et al ship their stuff with security disabled.

  18. What type of security are they enforcing? by IntelliAdmin · · Score: 3, Insightful

    After reading the article, this line is of interest:

    "The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted. Penalties would range from a warning on first offense to a $500 fine on third offense."

    How would any of this help with the security of a wireless network? I did not see anything regarding the use of encryption - unless I missed it.

  19. Seriously, is this even legal? by The+Second+Horseman · · Score: 2, Interesting

    They could probably mandate the signs and they have some authority over the operation of businesses, but if the place is offering free WiFi on (all together now) "unregulated spectrum", they can't do much about it. If your landlord, University, airport operator, etc. can't prevent someone from setting this up or doing it in a particular way, why the hell should Westchester? And, btw, the law doesn't just cover 802.11a/b/g - it would cover using a GSM/Edge/CDMA/whatever-based data service, the way I read it. It just refers to any company offering "wireless internet" as doing business in Westchester, and merely hooking up to the "internet" without cables as "wireless internet". Seems like that would cover Verizon, T-Mobile, AT&T/Cingular, etc.

  20. They have no Jurisdiction here... by Newer+Guy · · Score: 3, Interesting
    THIS IS NOT WITHIN A LOCAL GOVERNMENT'S JURISDICTION!!

    The FCC regulates radio spectrum and the Internet, because both are Interstate services.

    Local laws making bandwidth stealing a crime will also likely get overturned in federal court.

    There's something in this country called the SEPARATION OF POWERS. It gives the federal government the right to regulate: "Interstate Commerce". Since radio waves don't respect state boundaries, courts have determined they are INTERSTATE in nature!!

    The Internet has also been defined as an Interstate service.

    Local Govts have NO RIGHT to regulate EITHER of these! Recently, Florida passed a law making the operation of a pirate radio station within the state a felony. It WILL be struck down by the first appeal of any conviction. Why? AGAIN, because the states DO NOT HAVE THE RIGHT to regulate Interstate Commerce!!

  21. hold on.. by eeeeee · · Score: 2, Insightful

    Unsecured RESIDENTIAL wireless networks have already been illegal in Westchester County for about 6 months. These laws aren't made to be enforced, per se, they just raise awareness of wireless encryption for the average Westchester County layman. Most non-technical people see encryption as an unnecessary hassle. This problem is even worse in Westchester, which is one of the wealthiest counties in the country, where people tend to not want to be bothered with things they deem too much of a bother. I set up networks all over the county and often hear "well I don't want to remember another 'password'" or "but then i'll have to call you when I buy another computer" or "why would anyone want to steal anything on my network?". It's a lot easier to reply with "Well it's county law" than to try to make the common sense/good practices/file-share liability arguments.

  22. law should and does allow unprotected networks by tech-law-ny · · Score: 2, Insightful
    The law in question has two distinct parts. First, if you're a business that stores personal information on a networked machine, and you have a wireless access point on this network, you must implement a security measure. The county's choices of security measures probably aren't the best, but the concept of requiring a security measure in this situation is reasonable.

    Second, if you offer Internet access to the public, you must post a sign suggesting that customers' personal machines implement a security measure. It's not necessarily the best way to protect customers, but a sign is a low-cost requirement and probably rarely burdensome.

    The law doesn't forbid offering unrestricted Internet access to anyone within range. This is a good choice. A person or business should be allowed to share use of an Internet connection, provided they are willing to take the risk that someone might use this connection to do very bad things. For example, you might want to offer your Internet connection to the (semi-)anonymous public by running both an unprotected wireless hotspot and a Tor exit node.

  23. He must be right - he used ALL CAPS by Dachannien · · Score: 2, Insightful

    Far be it from me to argue with someone so well-versed in the art of being louder than his opposition, but "separation of powers" refers to a model of government where the activities of the government are divided into multiple branches.

    Besides that, local governments could argue that the usable range of a wifi signal is very short, occurring fully within their jurisdiction. They could also argue that they aren't regulating the physical communications layer (the radio signal), but rather the configuration of the data link layer, which doesn't necessarily depend on transmission via wireless signal (even though, in practice, that's the only way it's communicated). While there is the potential for a battle up into federal court, I don't see it as being nearly as cut-and-dried as you do... unless you have some legal precedents you'd like to share with us.

  24. Re:Dupe by BenFranske · · Score: 2, Informative

    I most certainly did read both articles. Really, there's nothing new other than the law has now been passed. The rest is just a rehash. The fact that the Slashdot article summary doesn't point out this was discussed before and the only new information is the law is not in effect makes it a dupe as far as I'm concerned. As others have mentioned, this belongs in slashback or should clearly be marked as a continuation of an old story. This is a dupe.

  25. Re:Hmmm by driddle · · Score: 2, Insightful

    IMO if someone goes around turning people in for stupid things they are total scum of the earth. Maybe instead of looking at other people's faults they should look at their own. I think the only time one should report people is when it is something that is gravely immoral (i.e., murder, rape, etc.) or dangerous to others, etc.

  26. Re:Hmmm by PhoenixFlare · · Score: 3, Insightful

    IMO if someone goes around turning people in for stupid things they are total scum of the earth. Maybe instead of looking at other people's faults they should look at their own.

    The trouble is, a "stupid thing" to one person (usually the person doing the activity, oddly enough) is a major annoyance to another, and/or in some cases, against the law - noise issues are a good example.

    I'm sure the pothead I used to live under a couple years ago thought I was "total scum of the earth" after I called the police on his numerous violations of a town noise ordinance, and eventually got him evicted.

    People think the laws against silly things like noise pollution, parking in fire lanes, etc. are optional, but hey...Not liking a law doesn't excuse you from following it.

  27. Re:Hmmm by Babbster · · Score: 3, Insightful

    Nicely put. And in the example given up-thread, we're talking about jerks who were parked in places they shouldn't have been, spots that were presumably necessary for the orderly flow of a [mostly] government agency - our government agency. We'd probably be irritated if the government spent money adding a salaried employee whose only job was to check that parking laws around post offices were being followed, but we should be happy when someone is willing to take a little unpaid time to help fix things that need fixing.

    One wonders if the GP feels that neighborhood watch groups are the "scum of the earth" because they're trying to keep their houses, and those of their neighbors, safe.

    Just last night, there was a party across the street that started going wrong (a lot of people - more than 20 - screaming at each other outside). It was only about 10:00 at night on a Saturday but should I have felt bad because I called 9-1-1 to inform them that something very loud and concerning was going on in my neighborhood, even though I wasn't sure that any laws were being broken? Maybe I should have also felt bad that I called the police on my next-door neighbors when they were screaming and breaking things. Personally, I don't think so. I prefer to think that I might have averted something much worse by getting Portland's Finest out to check out what was going on. Or, maybe, I'm the "scum of the earth" because I'm getting involved in someone else's business...

  28. howto crack WEP and WPA by Bishop · · Score: 2, Informative

    The problem with WEP 40/64bit is that the key is only 40bit and can be quickly attacked with brute force. The problem with WEP 128bit is that the standard implemented RC4 encryption poorly and known weak IVs, initialization vectors, are used. To crack WEP an attacker needs to collect a large number of packets that use the weak IVs. The time it takes to collect these packets depends on the amount of traffic and can take days or months. Some access points and wireless cards have a driver option to disable weak IVs.

    WPA is much stronger and WPA2 is even better. WPA is vulnerable to weak keys. This is more a problem for pre-shared keys (the common home setup) than for certificate based authentication. The authentication mechanism uses 4 packets. Those 4 packets can be captured and attacked using brute force offline. IIRC the attack is not that fast and typically uses dictionary based attacks.

    Use WPA with a strong passphrase and you should be safe. A passphrase with 16+ chars and numerals should be good. Some access points have buggy web-based management and can't accept other punctuation or special chars.

    Of course this won't stop a well financed (state sponsored) attacker. It will stop the neighbour's script-kiddie teenager.
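
Added example, not part of Bishop's comment or the original thread: the WPA/WPA2 pre-shared-key derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds) with a rough strength estimate, showing why the 16+ character advice matters and why a changed SSID only changes the salt. The sample SSIDs, passphrases and the guess rate are constructed assumptions; the entropy figure is an upper bound that holds only for randomly chosen characters.

```python
import hashlib
import math
import string

PBKDF2_ROUNDS = 4096  # fixed by the WPA/WPA2-PSK key derivation
PMK_LEN = 32          # 256-bit pairwise master key (PMK)
SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ROUNDS, PMK_LEN
    )


def alphabet_size(passphrase: str) -> int:
    """Size of the character pool the passphrase draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    if any(ch in string.punctuation or ch == " " for ch in passphrase):
        size += len(string.punctuation) + 1  # punctuation plus space
    return size


def random_passphrase_bits(passphrase: str) -> float:
    """Upper bound on entropy: assumes every character was picked at random.

    Dictionary words and patterns are far weaker than this number suggests.
    """
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses per second; constructed figure
    # Constructed sample networks and passphrases.
    samples = [
        ("linksys", "qwertyui"),
        ("CafeWifi-7", "qwertyui"),
        ("CafeWifi-7", "k3Vw9pT2mZ8rLq4X"),
    ]
    for ssid, passphrase in samples:
        pmk = wpa_pmk(passphrase, ssid)
        bits = random_passphrase_bits(passphrase)
        years = years_to_exhaust(bits, ASSUMED_RATE)
        print(f"{ssid:12} {passphrase:18} pmk={pmk.hex()[:16]}... "
              f"<= {bits:5.1f} bits, {years:.3g} years at assumed rate")
```

The same passphrase yields a different PMK under each SSID, so tables precomputed for a common default network name do not carry over, but the passphrase length is what decides how long an offline search takes.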

  29. Re:Hmmm by driddle · · Score: 2, Informative


    One wonders if the GP feels that neighborhood watch groups are the "scum of the earth" because they're trying to keep their houses, and those of their neighbors, safe.


    Well they sound nice in theory and I would hope/expect if my neighbor saw someone shooting me or breaking into my house to call the police. If that is what they are doing then great they are being good neighbors.


    Just last night, there was a party across the street that started going wrong (a lot of people - more than 20 - screaming at each other outside). It was only about 10:00 at night on a Saturday but should I have felt bad because I called 9-1-1 to inform them that something very loud and concerning was going on in my neighborhood, even though I wasn't sure that any laws were being broken?


    Well first I think using 911 for anything other than a major emergency is an abuse of the 911 service. You really should have just contacted the police via their non-emergency number. Now I personally think what you did was wrong and unnecessary though I think your heart was in the right place. If you had heard screams for help, gun shots, etc. then you should of course have called the police but if all you heard was some verbal fighting then I really do not see the point in wasting the police's time on a trivial matter.


    Maybe I should have also felt bad that I called the police on my next-door neighbors when they were screaming and breaking things. Personally, I don't think so. I prefer to think that I might have averted something much worse by getting Portland's Finest out to check out what was going on. Or, maybe, I'm the "scum of the earth" because I'm getting involved in someone else's business...


    Well I would not have called the police. Couples fight and they sometimes throw things; that is their business not yours. If one of them is really in trouble they can call the police themselves or run to a neighbor, etc. they do not need a neighbor watching them to keep them safe. Of course if you knew that the husband had a history of wife abuse, etc. then I could see you being more concerned/justified in your actions but I doubt that was the case from what you have said. Unless you really witness a crime you should not be calling the police and especially not 911!

  30. Re:Hmmm by Babbster · · Score: 2, Insightful

    Wow. Your definition of appropriate 9-1-1 use is pretty limited. Had I called the "non-emergency" number, perhaps there would have been more than a short fight (a fight did break out last night between the time I called and the police showed up) before someone got to me and eventually sent out a cruiser.

    As for husbands and wives fighting, again, what's the advantage of waiting until you hear a scream for help? Is it that perhaps the police officer who would eventually come has a few more minutes to pull over somebody with a broken tail-light or going 45 in a 35 zone? Further, if you think that husbands and wives throwing and breaking things in their house during an argument is normal behavior, then I feel bad for your family. That sort of behavior is violent and I'd much rather have an officer arrive before someone gets a shiner (or much worse) than after. If the couple doesn't like that, then they're living in the wrong neighborhood. Perhaps moving next door to someone like you would be a good option...

  31. Re:Hmmm by PhoenixFlare · · Score: 2, Interesting

    r. I would hope before calling the police you had the courtesy of asking your neighbor to be more quiet/considerate of your needs, etc. and if that failed followed that up with your landlord. Really that should have been sufficient but if he was really obstinate then I could understand your need to call the police if it was affecting your sleep, work, etc.

    That I did - I think I spoke to him 3 times about the noise, and stuff like throwing junk over his balcony onto the patio, etc. First time we were civil, second time he was pissed but still shut the music off, third time we got into a shouting match at 3 AM and I called the cops afterwards, fourth time he was having a lovely party with blaring music and his buddies slamming the floor with (I hope) impromptu wrestling matches...That was it. About a month after the last time I had to call the police, I got a sudden email from the property manager saying he was moving out a couple months before his lease was supposed to end.

    I am assuming from your comment that you probably did try to resolve the issue on your own but I think most people would not especially the busybody types of the world and that is what really upsets me.

    Yeah, it's hard to say. I think my wife and I are more patient than most, but I can definitely see how other people wouldn't even try talking first, especially someone older - and especially if the law in question doesn't require asking nicely first.

  32. Short Story by skidde · · Score: 2, Interesting

    I went to the Westchester County Student Legislative Day a few weeks back, and the WiFi law was actually one of the subjects of the "mock legislative session."

    I played the role of a member of the press, which basically enabled me to engage in some level of dialogue with my fellow student representatives. I asked them how changing what the network is called when it pops up in Windows is at all conducive to creating a secure network, at which point they tried to convince me that businesses would have to install a firewall. It went something like this:

    Him: "I'd like to call your attention to this section, where it specifically mentions a 'network firewall'."
    Me: "I'd like to call your attention to the word 'or'."

    The one kid I was arguing with told me he thought his copy of the law was different, but it wasn't. So they dealt with it:

    Him: "Okay, to appease this reporter, I'd like to propose an amendment, and change the word 'or' to 'and'."

    It passed, by the way. Kinda scary.

    --
    For every karma whore there are four more people with mod points to kill.