California Passes Wi-Fi Guidance Law

MrNonchalant writes, "California's legislature has passed a law requiring Wi-Fi device manufacturers to include warnings about security. From the article: 'From 1 October 2007, manufacturers must place warning labels on all equipment capable of receiving Wi-Fi signals, according to the new state law. These can take the form of box stickers, special notification in setup software, notification during the router setup, or through automatic securing of the connection. One warning sticker must be positioned so that it must be removed by a consumer before the product can be used.'"

Let's hope the "warnings" are well written

[SachiCALaw]

A law like this is only as good as the warnings. If the warnings wind up being heavy on the legal boilerplate or tech jargon, not many of the people who really need them will be helped. But if they are written with the law's intended target in mind -- clueless Mom and Pop (or Ted Stevens) -- and use simple explanations and instructions for securing the WiFi connection, the law could be a good thing. That's said, I'm kind of pessimistic . . .

Re:Let's hope the "warnings" are well written

[elmarkitse]

This post sounds a lot like the programmers who bitch incessantly about reasonably adept computer users who nevertheless use GUI's.

"If someone really wants to use a computer they should at least be able to get in behind the little artsy GUI's and do something with the software, GUI's are for pansy's and if you can't code you lose the right to complain"

Isn't there some responsiblity on the part of the manufacturers who are advertising to these ignorant mom and pops to educate them? Isn't it the responsiblity of software desginers to make their GUI's actually work?

There's no correlation between not knowing how to enable WEP / WAP / etc on a wireless router and, for example, being able to survive as you put it. Where on Mazlow's hierarchy of human needs do we see the 'Good with tech gadgets' section? Conversely however, we do expect our corporations to be good citizens, and if they sell an ignorant end user something that doesn't secure itself and the customers data, shouldn't we place some blame on the company targeting people who aren't savvy enough to use their products?

Bad Idea.

I hope this doesn't lead to criminalizing open access points by brainwashing peole into thinking access points should be locked down and encrypted.. I provide free wireless to one of the coffee shops at the end of my block; and a friend of mine does to the other one. Of course our own computers are safely firealled off from the wireless access point which is in a sort of DMZ/outside our firewall.

This idea that people should not share wireless (even when their ISP allows it) is just one more step in wrecking the freedom of the internet.

Re:Bad Idea.

[GalacticCmdr]

Actually a better approach would be to completely lock down the access points that are sold. Then someone who wants to share can make the change to share. Those that simply want to plop down some wireless to connect their home laptop should have it easy. This makes this easy as a toaster for the technologically-challenged, but gives those that want to do something the ease to do it. What we currently have is crappy Windows-like security - what we want to get to is better BSD-style of security.

Re:Bad Idea.

[LordLucless]

Not quite; the manufacturer would then need to provide the encryption keys written down somewhere, and the consumer would have to configure their computer to use those keys. Security will *always* require a bit more effort on the part of the users. Unfortunately, people in general still aren't confident enough with computers to handle configuring some simple stuff like wireless encryption keys. If a company did this, you can bet they'd have an upswing in irate customers complaining the product didn't work, simply because the node was locking the customer's own computer out because they hadn't given it the keys. I'm sure if it didn't otherwise cause problems, most companies would do as you suggest - it would be of benefit to them, after all, having a reputably secure product - but it seems they've decided that having to deal with idiots costs more than the benefit of having a secure-by-default access point. Having dealt with a fair number of idiots myself, I can't really blame them.

And...

[Future+Man+3000]

For the cost of all these stickers (physical materials, labor, employee time spent in proper implementation meetings, enforcement), will consumers be one jot safer?

Well intentioned as this might be, it's probably worse than doing nothing at all. If you don't know what wi-fi does you shouldn't be buying it, and a five page manual (even with a cautionary sticker) is hardly going to cover the fundamentals of wireless encryption and firewalling a user needs to approach the security of a wired connection.

Re:And...

[SeaFox]

For the cost of all these stickers (physical materials, labor, employee time spent in proper implementation meetings, enforcement), will consumers be one jot safer?

Many routers already have a bunch of stickers applied to them that aren't really needed. When I bought my Linksys router, it had stickers on box flaps, the antistatic bag, and on the router itself covering the Ethernet ports that said to make sure to install the software before plugging in the router. I don't know why. The router did not have a USB port and therefore did not need USB drivers, and the Ethernet portion isn't going to require anything.

I didn't want some dumb software changing network settings or adding registry junk or spyware, so I didn't even take the CD out of the packaging. I hooked up the router, it worked unsecured with DHCP, then I logged into it and changed the admin password, set up the encryption, ect...

All linksys would have to do is change the printing on the sticker it already applies to the Ethernet ports to say that the user needs to secure their wireless network and they would be compliant, no extra labor needed.

Ignorance

[Mr+EdgEy]

Of course, these stickers will still be ignored just like EULA's, software manuals, etc.

Instructions

"Instructions on how to pour piss from a boot shall be written upon the heel of said boot."

Here's your sign.

Manufacturers can solve this problem easily

[thesandbender]

Telling people how to do it is not going to solve the problem. When I headed up the IT department for my old company I established a program where people could fedex in their routers and we would secure them and fedex them back... at no cost to them (I successfully argued that the cost of next day air was less than the cost of a potential breach). One person out of a company of 300 took advantage of it. As much as I hate big government/big brother there are times when you have to overcome apathy but legislation. It sucks but it's true... and there is a simple solution to this problem. Almost every piece of commercial software you buy today includes a key that is, for practical purposes, unique. The technology to create, assign and distribute these keys exists and can be done at a price point low enough to pass on to the consumer without them caring (e.g. $5 a router, most of which pays for support and not the actual technology to do it). The legislation should not mandate that users are told *how* to secure the router. It should mandate that the routers are *shipped* secured, with a pseudo-random key pre-program and stuck on the outside of the router with a label. Just like the keys you get if you buy Windows. The problem is the support costs... but good documentation can take care of must of that, along with a little $ tacked onto the cost of the router.

Re:Manufacturers can solve this problem easily

[thegrassyknowl]

Mod Parent Up.

Just shipping all routers with a pseudo-random long WPA-PSK pre-loaded into each router and a sticker in the user guide telling what the PSK is will go a long way to securing routers.

Anyone who wants to change from WPA-PSK to something else should have the experience to understand the implications of doing that, and if they don't then well... let them suffer the consequences of their actions.

Re:California

Isn't it funny how productive one can be when they're no longer worried that some corporation is poisoning them to make a quick buck?

Re:California

[inviolet]

Not to mention that [sticker-happy California] has one of the highest GDPs of any state and is the world's 7th largest economy in addition to being a leader in innovation. Too bad the rest of the states can't seem to learn from California's success.

Correllation != causation.

And another thing. The cost of warning stickers is inevitably reflected in the product's price. Therefore, the actual effect of this law is to force the consumer to purchase warning stickers that may or may not be necessary, useful, or effective.

Re:Warnings? Make WEP default option

[PsychoSlashDot]

Canadian ISP Sympatico actually distributes 802.11g routers to its customers who request them. Those routers run a customized firmware that steps the user through some basic settings. (Ie. what is your account name... what is your password...) It also mandatorily activates WEP during this process, so once you're done and the router goes fully live, you either must be using a wired connection or using the WEP key the router randomly assigns you. You can web in to the router's admin screens and disable WEP afterwards if you really desire to do so.

The intent of course is to protect against undesired casual use. Stop the punk next door from using 99% of your bandwidth doing bittorrent transfers day in and day out. I commend Sympatico for this effort. Sure, if someone REALLY wants in, they can get in. But there's no reason to make it any easier than you, the customer, intend it to be within the limits of the available technology.

This is a bit more sinister...

[khair]

As noted in a previous article http://www.darkreading.com/document.asp?doc_id=102 624 This is not being done to educate; it is done to control. There are two groups this shafts: 1) The ignorant "sharer" who does not understand security and gets penalized by the government after "warnings" are done away with by the penal system 2) The intentional sharer who believes in free Interent access for all. Why this needs to be legislated? Who knows... Sad state of affairs when the government tells people who is allowed to come over for supper...

Re:Is it going to be like the solder warnings?

[soft_guy]

Both political parties do stupid things. When the democrats do stupid things, it is often things like this.

The stupid things republicans do are typically a little different.

Re:California

[Darth+Liberus]

With the glaring exception of Prop. 65 warnings (THIS AREA CONTAINS CHEMICALS BLAH BLAH BLAH) we're actually pretty low on the "stupid warning nanny state" scale.

Personally I think we just did the entire English-speaking world a favor... I highly doubt companies will only put on the sticker and include directions on how to secure wireless routers destined for California, they'll just slap them on everything.

Next maybe we'll clean up the video game rating system... trust me, you'd MUCH rather have us do that instead of the US Congress ;)

Re:Caveat emptor, my friend.

[elmarkitse]

I think part of my post got interpreted as some kind of socialist wishful thinking, the 'isn't is part of their responsiblity...

in fact the point I'm going towards is that the companies are going after the ignorant consumers, not the saavy ones. These products are in best buys and walmarts, not just techie computer stores / websites. For example, I have had a few linksys routers. They all come with some crappy 'wizard' software that tries to make everything work for me, but they do a terrible job and don't ultimately make my experience more secure.

If they're already droppping, say, somewhere between 20 and 100 thousand bucks on a fancy autorun installer / wizard application (i've build large scale distro cd-roms so I can vouch for that as a pretty solid entry level price) that has a bunch of talking heads, why not actually make it useful and have it configure things properly.

The us govt has gone so far as to mandate corporate responsibility beyond the 'throw them to the wolves buyer beware' free market 'if my product is too tough people will buy something else' mentality through things like the americans with disabilites act and other consumer warranty styled laws that require manufacturers to go beyond just the minimum.

Why again is this different? Why can't we expect our corporate citizens to take the same degree of responsibility towards educating their customers as you're suggesting be requisite of the customers themselves?

Further, as a shareholder of some of these companies, I would want to think that an extra 10 - 20k now during the development might save my investment in the company hundreds of thousands in unnecessary customer support time or other troubleshooting, and or possible litigation.

Just my several cents.

Impact on torts

[Infonaut]

In the long run this will benefit the tech industry. It is much more difficult to sue a manufacturer for a defect in the equipment or how the equipment functions if there is adequate warning. As long as the mythical "reasonable person" would see the warning and read it before using the equipment, nimwits whose unsecured wifi networks get hacked will not be able to sue.

Anticipating responses:

1. Yes, laywers will attempt to weasel around this, but it will be much more difficult.
2. Yes, it costs money to create and affix labels to equipment, but it's not going to spell the end of the computer industry any more than warning label requirements on microwave ovens have brought home appliance manufacturers to their knees.
3. Yes, people will ignore the labels, but over time it will seep into the larger population; just as we stopped hearing about cats in the microwave, unsecured private networks will become less prevalent.
4. Yes, it is absurd that the legislature had to weigh in on something like this, but just because Slashdotters have more tech affinity than most people doesn't mean that the population at large is retarded.
5. Yes, I'm a pompous ass.

Re:California

[Sillygates]

It's about time there are warnings on wireless devices, many consumers set up wireless networks with weak or no security at all, and they dont realize the legal trouble they can get into these days (with the riaa, mpaa, etc).