
N.Y. County Mandates Wireless Security 213

Posted by CmdrTaco
from the also-coffee-is-hot dept.
Mynister writes "CNN has an article about Westchester County NY forcing small business to use basic security on their wireless networks. From the article "The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.""
This discussion has been archived. No new comments can be posted.

  • by needacoolnickname (716083) on Sunday April 23, 2006 @11:04AM (#15184985)
    Especially client credit card info, home phone numbers, social security numbers, purchase history...
  • by flooey (695860) on Sunday April 23, 2006 @11:09AM (#15185012)
    From the article:

    The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted.

    Umm...changing the SSID does nothing, in terms of security. If that's all that's required to satisfy this new law, I'm amazed.
    • Yeah, probably they mean to enforce changing the default admin login on routers.
      • I always wondered why wireless routers allow the wireless network to access the admin login by default at all? It should be limited to the wired network by default.
    • I just changed my SSID to "MBNA_Client_Accounts". Now my wireless domain is safer from hackers!
    • by kryzx (178628) *
      Let's also require that all vehicles have a red blinking light on the dashboard any time the owner is not in the car. But it's your choice on whether to lock the doors or leave the keys in the ignition.
    • by Peyna (14792) on Sunday April 23, 2006 @11:33AM (#15185132) Homepage
      "Minimum security measures" shall include, but not be limited to: (a) installing a network firewall; (b) changing the system's default SSID (network name); or (c) disabling SSID broadcasting.

      Any commercial business that stores, utilizes or otherwise maintains personal information electronically shall be required to take minimum security measures as defined herein to secure and prevent unauthorized access to all such information.

      So it does look like just changing the SSID would be enough to fulfill the requirements of the law; however, the real purpose of the law was just to bring wireless security to the attention of these businesses. If it inspires a few of them to take a minute to evaluate their wireless security and then do something about it, chances are they will do more than just change the SSID. The fines available aren't severe enough to compel anyone into compliance.
      • by twitter (104583)
        the real purpose of the law was just to bring wireless security to the attention of these businesses. If it inspires a few of them to take a minute to evaluate their wireless security and then do something about it, chances are they will do more than just change the SSID.

        All they are going to do is push a button or tell their IT dude to do the same. Most people don't have time to wade through the vendor BS to learn anything.

        It does nothing for real data security. The easiest way to get data is not to dr

      • by Abcd1234 (188840) on Sunday April 23, 2006 @12:18PM (#15185329) Homepage
        So why pass a law in the first place?? Just start a public information campaign. Send fliers, broadcast commercials, that sort of thing. Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones.
        • Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones.

          Oddly enough, the legislators don't see it that way. Fancy that!

          It reminds me of how I see people discussing the whole abortion issue. Whether you are for or against it, I will not get into that one. But just the way the question is framed: "The question is, does the Constitution give the people the right to have an abortion?" This is bullshit. The appropriate question is, "Does the Const

          • Once you make the basics like murder and theft and fraud illegal, what else is there for a full-time legislature to do but fight over the budget and assume that all of the world needs their "help"?

            Uh, without wanting to open this can of worms any further, you do realize that the folks who want to ban abortion want to do so because they think it is murder?

            Unfortunately, this debate is rightly one which government should take an interest in. Now, you can question whether in fact embryos are covered by "life
            • Murder, like anything else, is allowed by default. The only reason it's illegal is because a specific law was passed against it. It seems like the specific wording of the law(s) against murder doesn't cover abortion (on the basis that there have been no murder trials due to abortions). Therefore, abortion will be allowed until a law is made against it.

        • Because if people start to have secure networks, that means that people can't get online for free, and then they have to start paying companies.
        • "So why pass a law in the first place??"

          Because I don't want my credit card info stolen due to negligence from a company that's supposed to be holding my data securely.

          "Laws should be our *last* resort when trying to deal with any sort of issue, and that includes technical ones."

          Normally I would agree, but not this time. If my cc company were broken into because they had an insecure wireless router, I'd want to nail their asses to the wall as well as the person who stole in the first place. We're talking
      • This could actually be a bad thing. One thing I have noticed is that most businesses do change their SSIDs. They tend to change them to reflect which business owns the AP. So, if it's a targeted attack, this law makes the security worse by making it easier to figure out which AP belongs to which business.
      • >If it inspires a few of them to take a minute to evaluate their wireless security and then do something about it, chances are they will do more than just change the SSID.

        Err, that's a big IF. Weigh the cost of passing and enforcing this law, say, versus a public information campaign. You're essentially using flawed reasoning of "if we could save just one life this whole thing would be worth it" which ignores opportunity cost and the reality of limited funds.
      • by MikeFM (12491)
        What about the number of businesses brilliant enough to put network ports in places that are open to the public? I've been able to jack in my laptop in hallways, waiting areas, and even outside of many businesses and government offices. What about fully wired PCs running Windows that get infected, hacked, or otherwise owned?

        It seems to me that busybody laws about specific technical choices aren't a good thing. Better to just make a general law about liability of businesses for leaked personal or financial
    • So, will I get fined if I change my Netgear router's default SSID of "Wireless" to instead read "linksys"?
    • Well, if you also turn off SSID broadcasting, people won't see your router from the list of available ones; if some WiFi troll comes along looking for routers that don't broadcast their SSID, 'default' would be a pretty obvious one to try, if not using special tools designed to look for such networks (you may be able to see the SSID in WiFi packets, although I have no idea for sure)

      Plus, anyone who has a network profile for a router called 'default' may inadvertently connect to it if they wander into the sa
    • Short Story (Score:2, Interesting)

      by skidde (670293)
      I went to the Westchester County Student Legislative Day a few weeks back, and the WiFi law was actually one of the subjects of the "mock legislative session."

      I played the role of a member of the press, which basically enabled me to engage in some level of dialogue with my fellow student representatives. I asked them how changing what the network is called when it pops up in Windows is at all conducive to creating a secure network, at which point they tried to convince me that businesses would have to insta
    • "Sir, this router was open and accessible for all to see, and that man stole your credit card number. I am going to have to fine you $500 for this offense."

      "But officer, I had changed the SSID! It was "lynksys" now it is "my house.""

      "Oh, I see. This isn't such a terrible crime after all, well, go along then."
  • by HotNeedleOfInquiry (598897) on Sunday April 23, 2006 @11:12AM (#15185022)
    Westchester County has outlawed all glass and china dishware, knives and pencils longer than 2 inches and water over the temperature of 120 degrees F.
    • by twitter (104583)
      You might not have noticed that they just made free software use more difficult. You will, at the minimum get Kwifi going if you have more than one wireless network you want to use. That won't always work, because of all the different little "standards" used by equipment makers. Windoze users, of course, will have a harder time too, but they expect and travel less to begin with.

      It's not funny. Mandating "security" without mandating it be implemented with accepted and published standards is counterprodu

  • Secure by default (Score:5, Insightful)

    by DrXym (126579) on Sunday April 23, 2006 @11:25AM (#15185094)
    The Netgears of this world should ship their devices secure by default. The device should be set up to use encryption by default, using a random key (printed on the unit underside and a slip of paper) and the appropriate instructions to let the user figure the rest out.

    It can't be hard to do and with the appropriate marketing might shift a few more devices.

    • Re:Secure by default (Score:2, Interesting)

      by UnderDark (869922)
      So, what if you're blind you insensitive clod!

      But really, if it uses encryption out of the box, people are going to get angry when their system can't connect to it because people don't read documentation: they just plug it in and let it rip most of the time.
    • What encryption should be enabled? WEP is pathetic all the way around and WPA-PSK complicates things and isn't supported everywhere(i.e. Nintendo DS).

      Anyhoo, encrypting public access points is stupid. It's impossible to make sure someone isn't snarfing your traffic(rogue access points) so any confidential information needs to be encrypted at each end with something like SSL w/ 1024bit RSA.
      • Anyhoo, encrypting public access points is stupid. It's impossible to make sure someone isn't snarfing your traffic(rogue access points) so any confidential information needs to be encrypted at each end with something like SSL w/ 1024bit RSA.

        The point about encryption between the start and end points should apply to any public network as one rogue router is all it takes. Nevertheless, there's no reason why public access points cannot be encrypted — use something like EAP-TLS WPA but without the authe

      • WPA-PSK "complicates" things? The standard setup, which you're likely to see in home use, is like WEP, except you don't have to worry about bullshit like "why is this giving me four different slots for the key?" and "what's a hex?". All the information I need to provide to connect to my network is SSID, and PSK (an ordinary string, which gets securely hashed, the same way mind you, into a key on all of my devices).

        Support is a little more of an issue, but actually not relevant for situations like TFA. If y
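
Added example, not part of the original thread or any commenter's code: the passphrase-to-key step described in the comment above is PBKDF2-HMAC-SHA1 with the SSID as the salt (IEEE 802.11i). It shows why every device derives the same key from the same string and why the network name still matters once WPA-PSK is on; the function names, the 12-character threshold and the short list of factory SSIDs (names mentioned in this thread) are assumptions.

```python
import hashlib

# Factory-style network names mentioned in this thread (constructed list,
# not an authoritative inventory of vendor defaults).
THREAD_DEFAULT_SSIDS = {"linksys", "default"}

# Assumed review threshold for this example; 802.11i itself only requires 8.
MIN_REVIEW_LENGTH = 12


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal key from a passphrase.

    IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    """
    pw = passphrase.encode("ascii")      # non-ASCII input raises ValueError
    salt = ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(b < 32 or b > 126 for b in pw):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)


def review_network(passphrase: str, ssid: str) -> list[str]:
    """Return configuration findings for a WPA-PSK network."""
    wpa_psk(passphrase, ssid)            # reject settings 802.11i forbids
    findings = []
    if ssid.lower() in THREAD_DEFAULT_SSIDS:
        findings.append(
            "SSID is a common factory name: the PBKDF2 salt is shared with "
            "many other networks, so only the passphrase makes the key unique"
        )
    if len(passphrase) < MIN_REVIEW_LENGTH:
        findings.append(
            f"passphrase is shorter than {MIN_REVIEW_LENGTH} characters"
        )
    return findings


if __name__ == "__main__":
    # Two devices given the same SSID and passphrase derive the same key.
    laptop = wpa_psk("correct horse battery", "Cafe-Back-Office")
    printer = wpa_psk("correct horse battery", "Cafe-Back-Office")
    print("same key on both devices:", laptop == printer)

    # Same passphrase, different SSID: a different key.
    other = wpa_psk("correct horse battery", "linksys")
    print("key changes with SSID:   ", laptop != other)

    for finding in review_network("correct horse battery", "linksys"):
        print("finding:", finding)
```
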
    • by mapkinase (958129)
      How about: first connected node gets a wizard in its face obliging him/her to enter a secure mode?
    • Not gonna happen (Score:3, Insightful)

      by PeeAitchPee (712652)
      We live in an instant gratification-based society where a very large percentage of the population can't be bothered to do things like read instructions or even a slip of paper. If it doesn't work when it's plugged in and / or switched on, people assume it's broken and return it. And since the competing router comes with security switched off (and seems to "work" when powered up), the consumer translates that into well-thought Amazon reviews such as "WHAT A PIECE OF CRAP ... COULDNT GET TO WORK AFTER AND H
    • FWIW 2Wire's routers come this way, at least the ones that SBC sends out to customers. And in my experience networks with the 2WIRE* SSID are much more likely to be WEP secured than the average, suggesting that customers don't bother to go into the control panel and disable it.
    • Actually, I was at a CompUSA recently and I saw a display for a Linksys AP/router with a button which was labeled that it auto-configured with default secure settings. I am not sure exactly what it did, but if something like that is standard on one brand, other brands will be forced to follow suit or appear unsecure (even though they probably all support essentially the same security features).
    • By Microsoft! They used to sell wireless hardware with security on by default, and offered a way to copy security settings from one box to another so they could interoperate.

      Buffalo came up with a one-button security approach called AOSS.
  • Text of the law (Score:5, Informative)

    by Peyna (14792) on Sunday April 23, 2006 @11:29AM (#15185112) Homepage
    The text of the law can be found here [westchestergov.com].
  • Stupidity. (Score:4, Insightful)

    by hyfe (641811) on Sunday April 23, 2006 @11:34AM (#15185136)
    Next step is to draft and enact a law making it a criminal offence not to lock your door. Won't take long 'till the whole family is gathered, together again, in prison/workcamp. It'll be fun!
    • It'll only stop seeming unlikely until it happens.

      Some people want their system "insecure" by choice, knowing not everyone in their neighborhood/family can afford it yet. And no i do not see it as stealing or morally wrong to allow others on your wifi if you're paying your provider the bandwidth fees they ask for. Same as allowing someone else to sit at your computer.
    • The scenario you paint isn't similar. They are requiring (certain) businesses -- which, by the way, require licenses from the government to operate -- to secure their networks; although I do not agree that the steps the law outlines are anywhere close to being secure, that isn't the point of this post. Making it a criminal offense to not lock your door is not the same as making it a criminal offense not to secure your wireless network. Does leaving your door unlocked allow multiple people to use your house
  • by nickfrommaryland (793020) on Sunday April 23, 2006 @11:36AM (#15185145) Homepage
    From the article:
    Some of the unprotected networks were at cafes, hotels or other establishments that offer wireless hot spots to patrons. Other networks, like those at Starbucks, were protected.
    The last time I checked, T-Mobile's service is not any more encrypted than a Netgear router taken right out of the box. Likewise, a sign will probably not protect you from much, unless you're a business. Then you can use the sign to protect yourself from liability.
    • They do not use encryption, but the routers do provide a firewall - meaning that they will not allow unrequested incoming connections to the patrons. So there is some basic client protection. For that matter, even the worst linksys/netgear/whatever routers do that.
    • It's "secure" by the standards of this law, which only requires things like firewalls and (cough) changed SSIDs. The law has as little to do with real security as -- as -- help me, BadAnalogyGuy!
  • by 9mm Censor (705379) * on Sunday April 23, 2006 @11:36AM (#15185146) Homepage
    Please don't obey this law, unprotected wifi makes my using it easier.
  • This is all to protect private information that might be on the local area network of the entity providing wireless connectivity.

    At work we put our wireless access on the back side of our WAN connection, and that goes through a proxy with ClamAV on it. They never even touch our internal network.

    Sure we took reasonable steps. When I first got my new machine with wireless I saw at least 4 businesses with wide open networks. Went over, introduced myself and showed them how to secure the networks.

    What
  • Shutting off Wi-Fi (Score:5, Interesting)

    by HPNpilot (735362) on Sunday April 23, 2006 @11:57AM (#15185227) Homepage
    I already have several calls from clients who want me to shut off open access in their places of business. Yes, they have firewalls and are protected, but the DA Jenine Pirro has come out and said how open wireless hotspots help pedophiles and stalkers and these business owners do not want to get involved with this political hot potato in any way whatsoever. Their feeling is that it simply is not worth the risk anymore.
  • What if they're trying to offer free, open wireless access? I guess they can just change the SSID to comply, but really...
  • They could probably mandate the signs and they have some authority over the operation of businesses, but if the place is offering free WiFi on (all together now) "unregulated spectrum", they can't do much about it. If your landlord, University, airport operator, etc. can't prevent someone from setting this up or doing it in a particular way, why the hell should Westchester? And, btw, the law doesn't just cover 802.11a/b/g - it would cover using a GSM/Edge/CDMA/whatever-based data service, the way I read it.
  • by Newer Guy (520108) on Sunday April 23, 2006 @01:05PM (#15185550)
    THIS IS NOT WITHIN A LOCAL GOVERNMENT'S JURISDICTION!!

    The FCC regulates radio spectrum and the Internet, because both are Interstate services.

    Local laws making bandwidth stealing a crime will also likely get overturned in federal court.

    There's something in this country called the SEPARATION OF POWERS. It gives the federal government the right to regulate: "Interstate Commerce". Since radio waves don't respect state boundaries, courts have determined they are INTERSTATE in nature!!

    The Internet has also been defined as an Interstate service.

    Local Govts have NO RIGHT to regulate EITHER of these! Recently, Florida passed a law making the operation of a pirate radio station within the state a felony. It WILL be struck down by the first appeal of any conviction. Why? AGAIN, because the states DO NOT HAVE THE RIGHT to regulate Interstate Commerce!!

    • Far be it from me to argue with someone so well-versed in the art of being louder than his opposition, but "separation of powers" refers to a model of government where the activities of the government are divided into multiple branches [wikipedia.org].

      Besides that, local governments could argue that the usable range of a wifi signal is very short, occurring fully within their jurisdiction. They could also argue that they aren't regulating the physical communications layer (the radio signal), but rather the configuration o
    • "The FCC regulates radio spectrum and the Internet, because both are Interstate services."

      I'd rather have a local government trying to save me from unsecured WiFi than a national government trying to save me from stray boobies, thanks. Especially when I don't live in that local government's jurisdiction.

      "It gives the federal government the right to regulate: "Interstate Commerce"."

      Unless you set up your WAP at the state line, 802.11b/g/a seems pretty intrastate to me.

      "Since radio waves don't respect state
      • I'd rather have a local government trying to save me from unsecured WiFi than a national government trying to save me from stray boobies, thanks. Especially when I don't live in that local government's jurisdiction.

        This isn't something that the government has any business getting into. Using unsecured WiFi is a choice I make, and if I am dumb enough to a) transmit sensitive data over that connection or b) make purchases where I have to input my credit card over said connection, then that is my choice. T
    • Yup, you are about the only person with a clue here, but why the Nigerian capitals? "This router uses FOUR MILLION BITS encryption!" ;)
  • hold on.. (Score:2, Insightful)

    by eeeeee (970226)
    Unsecured RESIDENTIAL wireless networks have already been illegal in Westchester County for about 6 months. These laws aren't made to be enforced, per se, they just raise awareness of wireless encryption for the average Westchester County layman. Most non-technical people see encryption as an unnecessary hassle. This problem is even worse in Westchester, which is one of the wealthiest counties in the country, where people tend to not want to be bothered with things they deem too much of a bother. I set up
    • >> Most non-technical people see encryption as an unnecessary hassle.

      because wep is insecure, and wpa isn't universally supported.
      encryption should be used in protocols(e.g. https).
      YACA
      you are no more liable for your internet pipe, than you are for accidents if your car gets stolen.
  • The law in question [westchestergov.com] has two distinct parts. First, if you're a business that stores personal information on a networked machine, and you have a wireless access point on this network, you must implement a security measure. The county's choices of security measures probably aren't the best, but the concept of requiring a security measure in this situation is reasonable.

    Second, if you offer Internet access to the public, you must post a sign suggesting that customers' personal machines implement a security m


  • If you read the article the networks must be encrypted if the business stores credit card or financial information of its customers on its network.

    I don't know about you, but I think this is a very good thing. It is quite possible that it is within the jurisdiction of the local government as the businesses which are licensed by the local government must conform to local business laws.

    Personally I think the FCC should consider enacting similar regulation such that if it CAN be challenged on the grounds the
    • Why would anybody store customer information on the same network that they are giving free-for-all wireless information on? Are businesses becoming that cheap that they can't even get 2 different routers, to suffice for the two different networks, or are they just stupid? I can understand Joe sixpack not wanting to secure his home network, but if you own a business and are generating revenue from the use of your network, then you should take the time to set it up correctly.
  • Wired connectivity ONLY on networks that pass information about credit cards around. That shit has no business being on a WiFi network. I will *not* do anything on a wireless network that requires sensitive data being thrown around.

    All WiFi networks, even those with WEP (Ha! It is to laugh! Wired Equivalent Privacy my ass!) or WPA, should be dealt with as *untrusted* networks. As in be careful what you do on them and don't give out any personal info on them.

    I was horrified when I was working at this one pla
    • In order to crack your wireless network's WEP key (which I understand is easy to do over a course of an hour or two, considering how weak that encryption is) does someone have to also know your router's SSID in advance, or do they just need a radio signal to intercept and nothing else? I live in an apartment with my parents, and since HomePNA products are no longer on the market, wireless is the only other way we can get multiple computers in different rooms on the same network that doesn't involve drillin
      • by Bishop (4500)
        The problem with WEP 40/64bit is that the key is only 40bit and can be quickly attacked with brute force. The problem with WEP 128bit is that the standard implemented RC4 encryption poorly and known weak IVs, initialization vectors, are used. To crack WEP an attacker needs to collect a large number of packets that use the weak IVs. The time it takes to collect these packets depends on the amount of traffic and can take days or months. Some access points and wireless cards have a driver option to disable we
  • All AUP issues with my ISP aside, what if I want to give away part of my business's bandwidth? I'm NOT a 'coffee house' or other such 'hotspot', I'm just a nice guy.

    That mean I get fined if they manage to find me?
  • After this, the State will just have to outlaw speeding, smoking pot, and underage drinking, and enact single-payer healthcare, and we'll all live happily ever after!
