Law proposed to make open biz WiFi illegal
Westchester County Executive Andy Spano's got a new law, y'all, one "to protect the public from crimes such as
identity theft and other consumer fraud," by way of requiring all commercial WiFi hotspots be encrypted. Yes, the
argument can be made that unsuspecting users might find valuable personal information stolen on such open wireless
networks like at their local cafe, but truth be told, this risk rings true of any non-trusted network — wired,
wireless, encrypted or otherwise. And considering that WEP encryption is a total joke to crack, such a law seems more
like a gesture (and PR move) than a solution. Besides, pretty much everybody knows that you take your information into
your own hands when you connect to an untrusted network of any kind, and we suspect it follows that those who aren't
aware of this probably aren't too knowledgeable
when it comes to encrypting their WiFi connection anyway.
[Via TechDirt]

When he says network encrypted he means the way of an inter-network VPN, not WEP encryption.
If it is public, how would WEP encryption stop someone already inside the network from stealing your data? It wouldn't. Which is why they want per client data encryption not packet.
WEP is a joke; WPA is not, and has yet to be cracked to my knowledge (this is after several years). What is the downside to requiring encryption? Some people may have trouble configuring it? That's largely been fixed with WPA as well, since it uses sane, human readable network names and keys; none of this hex crap as in common WEP implementations.
And Engadget, it's really disingenuous to say that this is the same as wired ethernet or what have you; the whole world has been over this before, and wireless security is completely different simply because you don't have to be in obvious physical contact to sniff packets or connect to the network.
Actually, encryption protocols like WPA2 / 802.11i, authentication techniques and even VPNs can be cracked, compromised, and circumvented.
For example, these protocols do not stop lost or stolen passwords and credentials, Rogue APs, Man-in-the-Middle attacks or client devices like laptops from associating with outside connections.
But there is technology available to secure Wi-Fi networks in ways that encryption, authentication and even VPNs cannot. Check out WiFi Watchdog from Newbury Networks in Boston. They even have a webinar specifically on this topic!
This makes as much sense as a law that makes garbage cans illegal.
Fraud is already illegal, why is there a need for new laws for technology that may only be around for a few decades at the very most?
I don't see how this protects the public?
I didn't say wireless and wired network security are the same, they're completely different. My point is merely that you take your data into your own hands when you're not on a trusted network, no matter which kind (which is generally irrefutable in the security world).
Best, Ryan
You're right -- wired-line and wireless network security is different. Or at least it should be! Unfortunately, most wireless security is designed using assumptions that are only true in the wired-line world. Wireless security based on wired-line assumptions is not secure.
Sometimes people talk about Multi-Factor Authentication
- What you “know” (password, certificate)
- What you “have” (SecureID)
- Who you “are” (biometric)
But even this "multi-factors" approach to authentication is predicated on secure physical access to the network. And of course this isn’t true for wireless networks.
With wireless, all of the above are potentially spoofable – because there is no restriction of physical access to the shared radio frequency medium.
Of course the great thing about wireless is that the signals go through walls and doors and floors and ceilings. And of course that's the problem too.
What you want is the ability to stop people and devices outside the perimeter of your office, department, floor, building or campus gaining access to your wireless networks. A Boston-based company called Newbury Networks has software that does this.
Oh dear...
It is possible to protect yourself if you want, even on a public access point; in fact the access point has little or nothing to do with any of these problems. WEP only tries to buy you wire-like security. The theory is anyone with the key is "on the wire". Of course that was broken when WEP was broken. Even if WEP was not broken you can still sniff packets on the net if you have the key (something a bunch of other users you don't know would have to have).
I'm willing to bet 90%+ of the phishing and identity theft issues have nothing to do with open access points. Getting tricked into going to a fake site doesn't require an open AP, just badly written software and a non-diligent user.
Secure HTTP (HTTPS) is not easy to man in the middle (you have to get a signed cert which is very hard to fake - need a lot of CPU power). VPNs are likewise as hard, usually harder because you have less data to try and crack with (each user uses a different Certificate Authority).
No, it's not the protocols' fault, when used properly they are very effective; it's the problem that nobody has figured out a way to make them easy to use.
So what really is going on here? Perhaps WiFi ubiquity will finally put the kibosh on Spano's and Cablevision's Westchester Telecom project. Makes you wonder...
The only one being disingenuous is Andy Spano and all those that try to block community use of open WiFi. Verizon has got state governments to outlaw open free WiFi that many cities had proposed and this is just another attempt to do the same thing. The protection has to be on the computer level and the network level but not on the WiFi. All of this is to make more money for the providers and I think if you look at the situation you will see only the providers win. We were just in France and it seems that Wanadoo is setting up all the WiFi routers WEP encrypted, even though it slows up the system.
This is not about protection of identity; if it was then these guys that break into systems or make viruses would get prison terms equal to the crime, which means they would never see daylight. But they just get a slap on the hand. This is about making more money for the providers.
I see one problem with the WPA encryption proposal - any older 802.11b card that I can think of does not support WPA, with RADIUS or PSK. Oops, I guess anyone with a three year old laptop will have to upgrade!
Another thing, regarding "protecting consumer rights" in general, why stop here? Why not mandate that all commercial phone conversations which involve sharing sensitive billing and identity information be encrypted too? I'm much more concerned that a low-wage phone operator will scribble down my credit card and SSN, than of some hacker stealing my identity at the local Starbucks.
I totally agree. WIFI stinks. Everyone in my neighborhood jokes about "seeing" other people's hard drives. Where's the JOKE in that??? Also, WIFI is an open book for terrorists as well. It allows them to connect wherever they want, freely, and send/receive their stinkin plans against the FREE SOCIETY THAT THEY NIPPLE OFF OF TO BEGIN WITH!
I would NEVER, EVER install wireless ANYTHING in my home - especially if it connects to my data. NEVER. No wireless phones, no wireless computers and no wireless video whenever that comes around. When it's in the air, it's MEANT to be stolen (I mean taken). I don't feel one bit of sorrow for the satellite TV providers whose signals are taken by hackers. It's in the air - then it's free to all.
I will never understand the laziness. I guess it's like those people who go to the DRIVE THRU at McDonalds when I have, 9/10 times, beaten those people out of there with my meal while they wait, fat, dumb and frustrated in that special parking spot for their order.
What are these lazy people thinking? Run the wires and be safe!
OK. So just in case people forget to lock their doors and cars, is Anthony Spano going to propose a law to outlaw going outside?
The world is full of idiots and the people who vote for them.
Well, there is a simple way to make enterprise Wi-Fi set-ups safe. Authenticate users based on their location -- so that if you are outside of a designated protected zone, you are not granted access. Likewise, cutting off any connections that associate with anything outside a designated safe area. The Newbury Networks site explains more about location-based Wi-Fi security if you're curious.
Mike,
Hi. This is the Reynolds Corporation. When we donated you a "lifetime supply" of our Reynolds Foil we did not anticipate the size of the aluminum foil hat you would be building for your extreme paranoia. We would like to formally withdraw our "lifetime supply" offer at this time.
Thank you.
While layer 2 encryption is very difficult to handle in open hotspot environments (posting a WEP key on a poster in the airport would not be very user friendly and would drive away business), clientless SSL VPN solutions may fit very well.
I have such a system in place already. The support is multiplatform, and is transparent to the user.
Reynolds,
Enjoy the ignorance! Must be interesting.