California Passes Wi-Fi Guidance Law

MrNonchalant writes, "California's legislature has passed a law requiring Wi-Fi device manufacturers to include warnings about security. From the article: 'From 1 October 2007, manufacturers must place warning labels on all equipment capable of receiving Wi-Fi signals, according to the new state law. These can take the form of box stickers, special notification in setup software, notification during the router setup, or through automatic securing of the connection. One warning sticker must be positioned so that it must be removed by a consumer before the product can be used.'"

Considering. . .

Considering that most phones, PCs, and PDAs come with some sort of wireless networking, everything must now say "Hey idiot! You just bought a computer! It's networkable! (This DUH statement required by people's republik of kalifornia)

Let's hope the "warnings" are well written

[SachiCALaw]

A law like this is only as good as the warnings. If the warnings wind up being heavy on the legal boilerplate or tech jargon, not many of the people who really need them will be helped. But if they are written with the law's intended target in mind -- clueless Mom and Pop (or Ted Stevens) -- and use simple explanations and instructions for securing the WiFi connection, the law could be a good thing. That's said, I'm kind of pessimistic . . .

Re:Let's hope the "warnings" are well written

[elmarkitse]

This post sounds a lot like the programmers who bitch incessantly about reasonably adept computer users who nevertheless use GUI's.

"If someone really wants to use a computer they should at least be able to get in behind the little artsy GUI's and do something with the software, GUI's are for pansy's and if you can't code you lose the right to complain"

Isn't there some responsiblity on the part of the manufacturers who are advertising to these ignorant mom and pops to educate them? Isn't it the responsiblity of software desginers to make their GUI's actually work?

There's no correlation between not knowing how to enable WEP / WAP / etc on a wireless router and, for example, being able to survive as you put it. Where on Mazlow's hierarchy of human needs do we see the 'Good with tech gadgets' section? Conversely however, we do expect our corporations to be good citizens, and if they sell an ignorant end user something that doesn't secure itself and the customers data, shouldn't we place some blame on the company targeting people who aren't savvy enough to use their products?

Re:Let's hope the "warnings" are well written

[rm999]

I strongly disagree with you. The last couple wireless routers I installed did not intuitively inform me of the risks. They made it easy to setup, but without security enabled by default.

California

[dch24]

California has more warning stickers than just about any other state. WARNING: This post may cause reproductive harm, as it has been used on a website where counter-reproductive agents known to the State of California exist.

Re:California

[sfjoe]

California has more warning stickers than just about any other state.

Not to mention that it has one of the highest GDPs of any state and is the world's 7th largest economy in addition to being a leader in innovation. Too bad the rest of the states can't seem to learn from California's success.

Re:California

Isn't it funny how productive one can be when they're no longer worried that some corporation is poisoning them to make a quick buck?

Re:California

[inviolet]

Not to mention that [sticker-happy California] has one of the highest GDPs of any state and is the world's 7th largest economy in addition to being a leader in innovation. Too bad the rest of the states can't seem to learn from California's success.

Correllation != causation.

And another thing. The cost of warning stickers is inevitably reflected in the product's price. Therefore, the actual effect of this law is to force the consumer to purchase warning stickers that may or may not be necessary, useful, or effective.

Re:California

[QuasiEvil]

Personally, I can't wait for the day when they find that warning sticker glue is somehow very mildly carcinogenic. Then we'll get warning stickers on warning stickers on warning stickers on...

I advocate we go down to a single warning sticker on everything - "Please know what the fuck you're doing, or else return this product."

Re:California

If you took the population of CA and choose any equivelent area on the East coast, you would have the same if not larger economy. Imagine if the mid atlantic states like PA, DE, NJ and maybe even NY in one governmental drawn boundary line that made a single state. The physical size would probably be smaller then CA in size but have a much larger economy. CA is not an economic powerhouse because of some special business sense or because of some business advantage, it is because of the population due to its physical size.

The per capita personal income for CA was $33,403 as of 2003, ranking 12th in the nation.
Considering the large difference of ranking between GSP (Gross State Product which you incorrectly refered to as GDP) and the per capita personal income, CA seems to be a great place for business but not for the people as a whole. The GSP is not consistent with income levels of the people who live and work there. Consider the median income and not the average income and it looks even worse.

Too bad the rest of the states can't seem to learn from California's success.
We have different ideas of who should be successful, the state or the people that live in the state.

Re:California

[Darth+Liberus]

With the glaring exception of Prop. 65 warnings (THIS AREA CONTAINS CHEMICALS BLAH BLAH BLAH) we're actually pretty low on the "stupid warning nanny state" scale.

Personally I think we just did the entire English-speaking world a favor... I highly doubt companies will only put on the sticker and include directions on how to secure wireless routers destined for California, they'll just slap them on everything.

Next maybe we'll clean up the video game rating system... trust me, you'd MUCH rather have us do that instead of the US Congress ;)

Re:California

[soft_guy]

Too bad the rest of the states can't seem to learn from California's success.

Yeah, those idiots in Nevada should get a whole bunch of ocean coastline.

Re:California

[evilviper]

California has more warning stickers than just about any other state.

Don't you hate it when there's a sticker or sign that warns you of life-threatening risks?

I mean, sure, now I know that the wood sold by my local hardware store may cause cancer, but avoiding cancer surely isn't worth having to pull little stickers off of a small percentage of the things you buy.

Re:California

[Bing+Tsher+E]

Eventually, with any luck, they will.

Re:California

[evilviper]

Except that damn near everything causes cancer. Therefore everything must have a prop 65 warning.

I've heard others say that too, but I don't see it.

Wood was a surprise to me. The only other place I tend to see it is on signs around junkyards, garbage dumps, packages of engine oil, grease, etc.

So far, I've never seen one entering any restaurants, supermarkets, electronics stores, etc. No Prop 65 warning on my TVs, shoes, DVDs, etc., etc.

What are you doing, and what are you buying, that you're seeing these warnings all over the place?

Re:California

[MasterOfDisaster]

There's a Prop 65 warning on the door of my appartment. It doesn't get any more everywhere than that. And it's not like I live in a garbage dump that became an appartment complex. It's a nice upscale facility. (that, according to the state of california, may cause cancer).

Re:California

[Sillygates]

It's about time there are warnings on wireless devices, many consumers set up wireless networks with weak or no security at all, and they dont realize the legal trouble they can get into these days (with the riaa, mpaa, etc).

Re:California

[ericartman]

Do you live in California? The stickers are everywhere, maybe you just missed them but every Safeway, Mervyns, Fast food joint, well heck they are everywhere! Maybe like all warning stickers, if you see often enough, they just don 't register anymore. Your right though I don't remember them on end products, just every business establishment I can think of.

Bad Idea.

I hope this doesn't lead to criminalizing open access points by brainwashing peole into thinking access points should be locked down and encrypted.. I provide free wireless to one of the coffee shops at the end of my block; and a friend of mine does to the other one. Of course our own computers are safely firealled off from the wireless access point which is in a sort of DMZ/outside our firewall.

This idea that people should not share wireless (even when their ISP allows it) is just one more step in wrecking the freedom of the internet.

Re:Bad Idea.

[GalacticCmdr]

Actually a better approach would be to completely lock down the access points that are sold. Then someone who wants to share can make the change to share. Those that simply want to plop down some wireless to connect their home laptop should have it easy. This makes this easy as a toaster for the technologically-challenged, but gives those that want to do something the ease to do it. What we currently have is crappy Windows-like security - what we want to get to is better BSD-style of security.

Re:Bad Idea.

[Firehed]

They're not against free wireless. They're trying to stop Linksys being the biggest and cheapest ISP around. If you WANT to give away bits, great - I would assume that the goal of this law is to make sure that the people who are doing so are doing so intentionally. I secure my AP just so people don't go sniffing my packets, but I'll happily tell anyone the AP name and key if they want to use it (in fact, I'm sure I've posted it in slashdot threads at least twice). AFAIK, there's no great way to have an encrypted connection without a password (though even something as simple as using your MAC address as a passcode would give me a bit of peace of mind), which is what I'd ideally have.

The aim of this law is (or, should be) to distinguish the metaphorical door as either being open with a big 'free stuff inside' sign hanging over it, or closed but you forgot to lock it, which still indicates that guests aren't to enter without permission. We all know how poorly the metaphor tends to translate (locks? hardly enough to stop someone with a plasma cutter, so obviously you don't care if THEY get in), but you get the vague idea here. If we make it clear that peoples' intention to give out bits, it really firms up the boundaries of cyber-tresspassing (and clearly indicating that it's the owner's responsibility to take appropriate precautions).

Re:Bad Idea.

[LordLucless]

Not quite; the manufacturer would then need to provide the encryption keys written down somewhere, and the consumer would have to configure their computer to use those keys. Security will *always* require a bit more effort on the part of the users. Unfortunately, people in general still aren't confident enough with computers to handle configuring some simple stuff like wireless encryption keys. If a company did this, you can bet they'd have an upswing in irate customers complaining the product didn't work, simply because the node was locking the customer's own computer out because they hadn't given it the keys. I'm sure if it didn't otherwise cause problems, most companies would do as you suggest - it would be of benefit to them, after all, having a reputably secure product - but it seems they've decided that having to deal with idiots costs more than the benefit of having a secure-by-default access point. Having dealt with a fair number of idiots myself, I can't really blame them.

Freaking California

[h_jurvanen]

I wonder how many trees have been killed in the name of all those idiotic "This item contains substances known by the State of California to..." labels and stickers.

Re:Freaking California

[mctk]

It's a wonder they haven't demanded that each warning sticker come with its own warning sticker.

And...

[Future+Man+3000]

For the cost of all these stickers (physical materials, labor, employee time spent in proper implementation meetings, enforcement), will consumers be one jot safer?

Well intentioned as this might be, it's probably worse than doing nothing at all. If you don't know what wi-fi does you shouldn't be buying it, and a five page manual (even with a cautionary sticker) is hardly going to cover the fundamentals of wireless encryption and firewalling a user needs to approach the security of a wired connection.

Re:And...

[SeaFox]

For the cost of all these stickers (physical materials, labor, employee time spent in proper implementation meetings, enforcement), will consumers be one jot safer?

Many routers already have a bunch of stickers applied to them that aren't really needed. When I bought my Linksys router, it had stickers on box flaps, the antistatic bag, and on the router itself covering the Ethernet ports that said to make sure to install the software before plugging in the router. I don't know why. The router did not have a USB port and therefore did not need USB drivers, and the Ethernet portion isn't going to require anything.

I didn't want some dumb software changing network settings or adding registry junk or spyware, so I didn't even take the CD out of the packaging. I hooked up the router, it worked unsecured with DHCP, then I logged into it and changed the admin password, set up the encryption, ect...

All linksys would have to do is change the printing on the sticker it already applies to the Ethernet ports to say that the user needs to secure their wireless network and they would be compliant, no extra labor needed.

Receive?

[dougmc]

Lots of gear can `receive' WiFI signals. I've got a cordless phone that uses 2.4 GHz -- it cannot decode WiFi signals, but it certainly can receive the signal. Same goes for a little low power video receiver I've got -- WiFi looks like noise on the screen, but it's clearly receiving the signal. `Receive' certainly is not the proper word.

The law seems like a good idea (or at least the idea is good, even if the fact that it's a law really isn't good), but having laws regarding technology made by people who don't really know the technology involved seems like a bad idea.

Ignorance

[Mr+EdgEy]

Of course, these stickers will still be ignored just like EULA's, software manuals, etc.

Re:Ignorance

[truthsearch]

Actually these stickers will be re-peeled.

(Sorry.)

Well..

[FunWithKnives]

I commend the effort to increase consumer awareness regarding wireless security, but am I the only one that thinks this won't make one iota of difference? I'm willing to bet that the majority of these warnings will end up in the trashcan without even a cursory glance; And as for including the warning in router setup, the majority will probably do the same thing they do with EULAs: click 'Accept/I Agree' without reading any of it, and promptly go on about their day. Nice attempt, though..

Manufacturers can solve this problem easily

[thesandbender]

Telling people how to do it is not going to solve the problem. When I headed up the IT department for my old company I established a program where people could fedex in their routers and we would secure them and fedex them back... at no cost to them (I successfully argued that the cost of next day air was less than the cost of a potential breach). One person out of a company of 300 took advantage of it. As much as I hate big government/big brother there are times when you have to overcome apathy but legislation. It sucks but it's true... and there is a simple solution to this problem. Almost every piece of commercial software you buy today includes a key that is, for practical purposes, unique. The technology to create, assign and distribute these keys exists and can be done at a price point low enough to pass on to the consumer without them caring (e.g. $5 a router, most of which pays for support and not the actual technology to do it). The legislation should not mandate that users are told *how* to secure the router. It should mandate that the routers are *shipped* secured, with a pseudo-random key pre-program and stuck on the outside of the router with a label. Just like the keys you get if you buy Windows. The problem is the support costs... but good documentation can take care of must of that, along with a little $ tacked onto the cost of the router.

Re:Manufacturers can solve this problem easily

[thegrassyknowl]

Mod Parent Up.

Just shipping all routers with a pseudo-random long WPA-PSK pre-loaded into each router and a sticker in the user guide telling what the PSK is will go a long way to securing routers.

Anyone who wants to change from WPA-PSK to something else should have the experience to understand the implications of doing that, and if they don't then well... let them suffer the consequences of their actions.

Tha Nanny State

[mrsam]

The US is quickly turning into the Nanny State. We live in a dangeous world, folks, but -- have no fear -- the mighty government is here to protect you from yourself.

Next thing you know, they'll be telling you how much water you legally can use to flush your crap down the toilet. Oh, wait...

Re:Tha Nanny State

[evilviper]

Next thing you know, they'll be telling you how much water you legally can use to flush your crap down the toilet.

Yeah. The government sure is awful... Making rules about how much of a limited resource people can use. Or more specifically, making rules about the device which is the #1 consumer of a limited natural resource.

Next they'll be telling me I can't put as much toxic smoke into the air as I want to. Oh wait...

Re:Tha Nanny State

[evilviper]

Water isn't a limited resource as it is fully recyclable and have oceans and oceans of it.

Fresh water, is a limited resource.

The cost of desalination are extremely high, and therefore impractical. Give me enough energy, and I can make unlimited ammounts of petroleum too...

While low flow toilets make sense in Las Vegas, they make no sense in Seattle.

Instead of Washington, let me swap Colorado in there, for a more relevant example.

While CO may appear to have a significant supply of water, while NV does not, the situation isn't nearly as simple. Colorado, Nevada, and California all draw water from the Colorado River, in equal quantities. So, while Colorado may seem to have limitless water, it really doesn't have (or rather, isn't allowed to use) significantly more than Nevada. The issues is a bit more complicated by per-capita issues, but that's not important here.

But if it costs you $5 more a month to use the "high flow" toilet, you might consider replacing it to save money, or water the lawn less, or other conservation practices.

We have water meters here (CA), and you know something, economics isn't a big motivator... The cost of water is so low that buying a new toilet would take many, many years to pay off. What's more, raising the price for a gallon of water to alter the economics, to something that would impact those regularly flooding their lawns, would make water devastatingly expensive to those who aren't being wasteful.

Water is just the kind of limited resource that is incredibly cheap... right up until you run out of it. It, like gasoline, electricity, and many other limited resources, works infinitely better on an enforced ration system, than a supply/demand system.

Moo

[Chacham]

Candidates for the new warnings.

SURGEON GENERAL'S WARNING: Internet Usage Causes Predators, And May Cause Pregnancy.
SURGEON GENERAL'S WARNING: Quitting Internet Usage Now Greatly Reduces Serious Risks to Your Privacy.
SURGEON GENERAL'S WARNING: Internet Usage By Women May Result in Fatal Injury and Unexpected Birth.
SURGEON GENERAL'S WARNING: Internet Usage Contains things Harmful To Minors.

Re:Receive? No!

[SmoothTom]

As you said,

...having laws regarding technology made by people who don't really know the technology involved seems like a bad idea.

From the ariicle:

'From 1 October 2007, manufacturers must place warning labels on all equipment capable of receiving Wi-Fi signals, according to the new state law.'

This also shows how having articles made by people who don't really know the technology involved seems like a bad idea.

The actual law (link to the law text attached to the article) this has no statement that even hints at that. Instead, it clearly and plainly defines those items that will require the warning, and those definitions are not only correct, but quite adequate.

Nice to know that the writers of the law did a better job than the writers of the article.

Also nice to know that my little 'Canary' WiFi detector will continue to be quite legit, and not covered by the law, at all.

--
Tomas

Warning sticker to be posted a WiFi hotspots

[sjonke]

WARNING: If a stranger asks you to plug their USB WiFi adapter into your MacBook, tell them, "no", and immediately contact the authorities, especially if they are saying, "Mac? Fuck! Fuck Mac! Mac Fuck! Fuck! Fuck! Fuck!"

Sticker ideas...

[Saeger]

Let us count thee ways that a notification sticker MUST be removed before the router can be used:

1. Print a EULA on the sticker that reads: "By removing (or even not removing) this sticker, you agree to provide your neighbors with free wifi because you're a nice person; not because you're stupid."
2. Make the sticker conductive and place it over a waste-of-money-one-time-use-short-circuit.
3. Make it from a faraday cage-type material that's in the shape of a tube and initially installed over the antenna; market it as a security feature for tinfoil hat wearers.
   
4. or... the boring alternative: place it over the DC power input and ethernet ports (if any)

My money's on #1. :)

Re:Is it going to be like the solder warnings?

[sfjoe]

I love California to death, really. I wish to live their someday. But I think it's illegal to be Conservative(R) in public there...

We're going to build a wall and have volunteer Minutemen to keep conservatives out.

Unlicensed spectrum?

[gsfprez]

How do state mandated warning stickers, people going to jail, and other government intrusions = unlicensed and open spectrum?

Lord save us all the day that 2.4 GHz becomes licensed and regulated.

Warning: This Router May Contain Peanuts

[CheeseburgerBrown]

This is a good thing. This law is not intended to protect the consumer -- it is intended to arm mild-mannered nerds such has ourselves when confronting people who claim nobody ever told them open meant open.

It is, in short, a reasonable excuse to handle oopsy-daisy! security victims with a socially acceptible level of contempt. "You say you just tore the sticker off without even reading it, ha? Well. Well, well, well."

This empowers geeks. It is a license to be snooty.

Re:Warning: This Router May Contain Peanuts

[Gryle]

This empowers geeks. It is a license to be snooty.

Since when have we needed a licence?

WARNING!!!

The State of California advises you that posting on Slashdot is irreversible, and might result in undesirable flames, and posts from people who disagree with you. After clicking SUBMIT it is impossible to revert a post, regardless of how stupid it is. In order to avoid loss of KARMA POINTS as a result of moderation, the State of California advises you to click PREVIEW prior to clicking SUBMIT in order to preview the message, to verify that it will encourage desirable responses. Also, it might be advisable to select the CHECKBOX next to the text Post Anonymously in order to completly disavow the post. It is known to the State of California that posting on Slashdot may cause stress, anger, and loss in productivity.

Re:Warnings? Make WEP default option

[PsychoSlashDot]

Canadian ISP Sympatico actually distributes 802.11g routers to its customers who request them. Those routers run a customized firmware that steps the user through some basic settings. (Ie. what is your account name... what is your password...) It also mandatorily activates WEP during this process, so once you're done and the router goes fully live, you either must be using a wired connection or using the WEP key the router randomly assigns you. You can web in to the router's admin screens and disable WEP afterwards if you really desire to do so.

The intent of course is to protect against undesired casual use. Stop the punk next door from using 99% of your bandwidth doing bittorrent transfers day in and day out. I commend Sympatico for this effort. Sure, if someone REALLY wants in, they can get in. But there's no reason to make it any easier than you, the customer, intend it to be within the limits of the available technology.

Are unsecured networks that bad?

[iammaxus]

Is it really so bad for home users to have unsecured wireless networks? Personally, I intentionally leave my network unsecured to allow neighbors and passerbys to share. Do unto others as you would have them do unto you, no? Perhaps I'm missing something, but aren't the security risks of having an unsecured wireless network about the same as a computer directly connected to the network (not through a router)? You should be running a firewall on each computer. As for the threat of someone using your connection to do illegal things, that is valid, but I don't think the likelihood of that is great, and if it does happen, would I really get in trouble? I find it hard to believe that I could be thrown in jail for computer fraud or something that I absolutely did not commit.

I don't mind this law much. At worst, its misleading. I think the government is mostly concerned with the last issue with unsecured networks that I mentioned. They don't want to be wrongly accusing John Taxpayer of download child pornography.

This is a bit more sinister...

[khair]

As noted in a previous article http://www.darkreading.com/document.asp?doc_id=102 624 This is not being done to educate; it is done to control. There are two groups this shafts: 1) The ignorant "sharer" who does not understand security and gets penalized by the government after "warnings" are done away with by the penal system 2) The intentional sharer who believes in free Interent access for all. Why this needs to be legislated? Who knows... Sad state of affairs when the government tells people who is allowed to come over for supper...

Coming to a milk carton near you...

[epp_b]

Lost: Common Sense.

He has been lost for about three years to date, but a few people are still maintaining hope. Police are continuing to investigate his kidnapping by Clueless Politicians and Thoughtless Laws. He was last seen in captivity in a few various places in the U.S., but has virtually vanished from North America. Some say that his attackers have taken him across the ocean to other continents, but sightings have still been becoming continually scarce.

If you know anything of his whereabouts, please spread the word to neighbors, friends and family. Citizens are asked to contact their political representitives if they have any information on Common Sense's kidnapping.

Idiot-proof security:

[megaditto]

I believe some newer linksys routers have a synch button you push to add a new device. They call it Secure Easy Setup and that sounds quite useful for customers (never tried that myself): http://www.infoworld.com/article/05/07/25/HNlinksy swlan_1.html

Re:Is it going to be like the solder warnings?

[soft_guy]

Both political parties do stupid things. When the democrats do stupid things, it is often things like this.

The stupid things republicans do are typically a little different.

Re:Caveat emptor, my friend.

[elmarkitse]

I think part of my post got interpreted as some kind of socialist wishful thinking, the 'isn't is part of their responsiblity...

in fact the point I'm going towards is that the companies are going after the ignorant consumers, not the saavy ones. These products are in best buys and walmarts, not just techie computer stores / websites. For example, I have had a few linksys routers. They all come with some crappy 'wizard' software that tries to make everything work for me, but they do a terrible job and don't ultimately make my experience more secure.

If they're already droppping, say, somewhere between 20 and 100 thousand bucks on a fancy autorun installer / wizard application (i've build large scale distro cd-roms so I can vouch for that as a pretty solid entry level price) that has a bunch of talking heads, why not actually make it useful and have it configure things properly.

The us govt has gone so far as to mandate corporate responsibility beyond the 'throw them to the wolves buyer beware' free market 'if my product is too tough people will buy something else' mentality through things like the americans with disabilites act and other consumer warranty styled laws that require manufacturers to go beyond just the minimum.

Why again is this different? Why can't we expect our corporate citizens to take the same degree of responsibility towards educating their customers as you're suggesting be requisite of the customers themselves?

Further, as a shareholder of some of these companies, I would want to think that an extra 10 - 20k now during the development might save my investment in the company hundreds of thousands in unnecessary customer support time or other troubleshooting, and or possible litigation.

Just my several cents.

Impact on torts

[Infonaut]

In the long run this will benefit the tech industry. It is much more difficult to sue a manufacturer for a defect in the equipment or how the equipment functions if there is adequate warning. As long as the mythical "reasonable person" would see the warning and read it before using the equipment, nimwits whose unsecured wifi networks get hacked will not be able to sue.

Anticipating responses:

1. Yes, laywers will attempt to weasel around this, but it will be much more difficult.
2. Yes, it costs money to create and affix labels to equipment, but it's not going to spell the end of the computer industry any more than warning label requirements on microwave ovens have brought home appliance manufacturers to their knees.
3. Yes, people will ignore the labels, but over time it will seep into the larger population; just as we stopped hearing about cats in the microwave, unsecured private networks will become less prevalent.
4. Yes, it is absurd that the legislature had to weigh in on something like this, but just because Slashdotters have more tech affinity than most people doesn't mean that the population at large is retarded.
5. Yes, I'm a pompous ass.

Best Warning Label Evar

[Baloo+Ursidae]

WARNING: California contains people and ideas known to the State of Oregon to cause extreme stupidity, indecisiveness, selfishness and the inability to accept consequences for your own actions. Contact with California and it's inhabitants should be limited or eliminated if at all possible.