Schneier on Security
A blog covering security and security technology.
September 5, 2006
Securing Wireless Networks with Stickers
Does anyone think this California almost-law (it's awaiting the governor's signature) will do any good at all?
From 1 October 2007, manufacturers must place warning labels on all equipment capable of receiving Wi-Fi signals, according to the new state law. These can take the form of box stickers, special notification in setup software, notification during the router setup, or through automatic securing of the connection. One warning sticker must be positioned so that it must be removed by a consumer before the product can be used.
Posted on September 5, 2006 at 1:56 PM
• 55 Comments
"By removing this sticker, you acknowledge this product does something you don't (and probably never will) understand."
Are you asking if warning labels or notification ever do any good?
"By leaving this sticker on, you are assured that no 'wifi' viruses will infect your device"
dd said: "By leaving this sticker on, you are assured that no 'wifi' viruses will infect your device"
You left off the second half:
"...But even if they do, we take no responsibility and you can't sue us."
I think it will do quite a bit of good--for the sticker makers. (roll eyes)
Ahhh California. Land of pointless warnings.
I was out there for a class a few months back. On the building where class was held was a permanent plaque that proclaimed that the construction involved uses of materials known by the state of Cal (does a state 'know' anything) to be carcinogenic... then had an incomplete list including tobacco, construction materials... etc.
I am so thankful they provided that information so I could take informed action.
I had planned to photograph it, but forgot (probably those evil chemicals clogged my mind)
@katre: Ah, you beat me to it. I was going to say, "It'll do good in helping wifi manufacturers avoid any claims of responsibility when someone's home network gets hacked!"
Will it also warn against clicking "Accept" before reading EULAs?
Yet another useless law, wasting taxpayer money, to control our society even more. When will the public stand up against misuse of our government by corporate interests?
What happens in the case of the carcinogenic warning, is that every public business (restaurant etc) will post the label to cover their legal butt... just in case. So with every building labelled, customers no longer can choose. The requirement is thus neutralised.
"Warning: This product will perform exactly as advertised."
Jayh, those signs are actually present somewhere in every single building in California, with the (possible) exception of private houses.
Like the warning labels on ladders warning you not to use the top two steps as steps? Since everyone heeds those warnings and no one ever falls off ladders anymore why do you sound unconvinced that these new stickers will do anything but lead to secure wireless networks in our homes and businesses?
aaaand.... why are they doing this, aside from wanting to make more stickers with those neat 'word' things on them?
"why do you sound unconvinced that these new stickers will do anything but lead to secure wireless networks in our homes and businesses?"
In the case of ladders, the information on the warning labels is (highly) actionable. In the case of wireless networking equipment, I think the average computer owner would be at a loss as to what to do to mitigate the risks, even after they are made aware of them.
The real issue is the liability factor. People can sue for anything, so you need a disclaimer. Look at every potato gun site on the web! People are ridiculous.
Why don't they just require the radio to be disabled by default? Then require the user to log into the web based management application which makes the user run through a questionnaire to prove they read and understood all the warnings.
Hence, they will know that from the point they click OK they are infinitely liable for anything bad that happens to them or anybody else that happen to be within their future light cone.
I do kind of like this for one reason: it's a step toward shifting the assumption that an open, free hotspot's existence is accidental and using it is a crime, toward the possibility that the open hotspot is intentional. It isn't as good as requiring access points to ship with open access disabled by default, but it is a step toward making the broadcasting of SSIDs and absence of access protection mean something again. Of course these stickers won't only be advising securing access points, will be stuck on everything from new laptops to networkable DVD players, will probably just have generic useless information, and I doubt anyone is going to pay attention to them anyway, but the existence and awareness about this law provides support for steps decriminalising the use of open wifi.
From the article, the stickers must
"include guidance on keeping data secure on wireless connections.
...The warnings would have to contain information on how to secure files, folders, and connections. Wireless internet connections can be used by anyone with Wi-Fi capability within the range of the transmitter unless they are secured."
Sounds actionable to me.
'Does anyone think this California almost-law (it's awaiting the governor's signature) will do any good at all?'
Depends on who the judge is.
The general rule of thumb is that any public law is not good for the public.
"In the case of ladders, the information on the warning labels is (highly) actionable. In the case of wireless networking equipment, I think the average computer owner would be at a loss as to what to do to mitigate the risks, even after they are made aware of them."
So if the sticker pointed to a website with an easy to understand explanation of what wifi is and the risks involved, and easy step by step instructions on how to set up wifi security, then the sticker law would not receive quite so much ridicule? Or maybe if it said "for more information turn to page 20 of the user manual"?
I can't be quite so cynical about this as other people seem to be. Warning labels are an extremely common way for the word to get out to people who just don't know anything about it at all. If even a handful of people say "you know, I never knew this about wifi, maybe I should make sure I set this up right" then it could have some benefit.
I guess the question is, other than having wifi be off by default, does anyone have any better suggestion?
It seems like it might do *some* good for a (very) limited number of people by raising awareness, although I fear they'll either be too vague or too full of technical jargon.
If they really wanted to do it right, they (hopefully not the government, but maybe some association like the EFF) would set up a website with basic "secure yourself" information and the sticker would have a basic warning AND a link to the URL for more information. Sure, there will be plenty of people who still ignore it, but there are also bound to be a good number of people who otherwise never would have thought about security and would be thankful for the benefit of a quick online lesson.
> does a state 'know' anything
A parliamentary assembly (the CA legislature, a board of directors, etc) can "know" something by including the "knowledge" in its minutes (which in turn requires that a majority of those present agree that the organization "knows"). Additionally, such an organization can designate additional methods, often including the designation of a repository which serves as the memory location. Consequently, "knowing" something does not require that it be true, only that it be recorded.
Unfortunately, the lack of understanding by members of the general public about what such "institutional knowledge" is means that they don't know how to handle the knowledge by the state of California that sand is a known carcinogen. Which leads some people to believe erroneous information, and some to disbelieve accurate information.
Which (back to the topic at hand) leads me to believe that the efficacy of the WiFi warning label will be directly related to the extent to which that label is lost in the noise of other labels.
Ok, how about
"Warning: Attackers on wireless may be closer than they seem."
Actually, yes, I think it's a good idea. Because sooner or later stuff will be doing wireless where you wouldn't expect it at first glance.
(Will that law include RFID tags? Now THAT'd be great)
At least it's something. It's not a panacea but it's something. If you read the whole article, and as it has already been mentioned, it's not as simple as just a sticker. What did you expect? To introduce a law that would actually force you to secure your WiFi?
Trust me, there are lots of people out there that don't even realise that out of the box WiFis are not secure. I think that this measure will at least make them think about it a bit more.
Cellphones now have wi-fi, so where are they going to put the sticker such that it can't be used before removal?
It is easily seen that the weakest link is always the thoughtless person.
Yet education at every level is a valuable tool and sometimes we can underestimate the impact of it.
Clearly not a solution in itself, but maybe this could be another piece of wood that builds strength into the wall.
Must be a glass half full day!
what it will do is allow riaa to sue people who have previously used 'my wireless network was not secure' as an excuse for downloading illegal music.
Considering that the later generation mobile phones also contain wi-fi interfaces, a warning might really be necessary. Even if it does nothing except tell the owner that there's something inside he might want to turn off.
Don't most people buy the wi-fi enabled product *because* it has wi-fi access?
And don't most wi-fi products have "WI-FI" blazed across the packaging as part of the marketing strategy?
>> The warnings would have to contain information on how to secure files, folders, and connections.
Um, how much could you possibly stick on a warning label?
And aren't users notorious for discarding all slips of paper that accompany a product without reading them?
Good intentions, poor means. Not the CA legislature's finest moment.
Everyone was a noob once.
you guys aren't getting it.
this move is more than likely being pushed by the riaa & friends to shut down a loophole in their suings.
I disagree. This will likely decrease the number of open hotspots for the very reason these stickers are there - to place liability on the internet traffic going through the AP onto the owner of that AP.
If I ran an open AP in CA I'd either:
a) Babysit people who hopped onto my open AP
b) Block all P2P ports and implement some sort of "nanny" filter to block illegal content, or
c) Turn on encryption and forget about it
Ah yes, the California carcinogenic chemical warnings ... I remember Lockheed had those on the doors and I was reassured that the notices referred to the whiteboard markers to be found in every office.
You have a point. Anyone know whether the author, who is from LA, is working with/for the RIAA?
Perhaps the label should say:
"Warning: RIAA lawyers may be closer than they seem."
It doesn't specify whether the warning should be pro or con, right? In other words "may be accessible by an unauthorized user" and "how to protect his or her wireless network connection from unauthorized access" could be written as:
"Warning: this device may be accessible by people you do not know, do not want to know, and that you do not mind using without your express approval. You may enable wireless encryption or other controls to prevent some people from accessing your network but it is not guaranteed and we are not required to tell you how to find out if someone has bypassed these controls. So, the choice is yours: let people do what they will on your wifi and be free, or be held responsible for any/all actions traced back to your wireless devices, even if someone has hacked them and you can't tell. Enjoy."
Sorry for the long post. I did some more research on this amendment on my blog:
For example, I noted the author(s) original version was quite different and perhaps more revealing of intent:
"A person or entity that sells wireless technology to a computer user in this state shall not sell that technology unless it contains encryption software or a similar encryption device, which shall be set as the default mode at the time of sale."
Will there be room for this sticker now that all equipment is full of other warning stickers already?
You are not accountable for what other people do via your Access Point. That's it. It does not matter, whether it is left open deliberately or by chance.
Do they really have to wait until Schwarzenegger learns (reading and) writing?
Is that yr. opinion or are you paraphrasing a case or cases?
The only legal opinion I take in this forum is that of another_bruce.
> A parliamentary assembly (the CA legislature, a board of directors, etc) can "know" something by including the "knowledge" in its minutes (which in turn requires that a majority of those present agree that the organization "knows"). Additionally, such an organization can designate additional methods, often including the designation of a repository which serves as the memory location. Consequently, "knowing" something does not require that it be true, only that it be recorded.
Damn looks like I need a tongue in cheek icon.
Let's see... Who will benefit the most from this...
1) Sticker makers. (lots of big stickers to be made for holding all that warning label info)
2) Geek Squad type services. (all those hapless consumers that will be scared by the implications of these warning labels will likely choose to just pay someone to set up their WAP)
3) RIAA and others like them. (Warning labels are great for shifting liabilities, in this case onto the consumer)
Clearly, there is little benefit for consumers from having a warning label.
Consumers would benefit most by having all WIFI devices default in a secure mode, with a simple configuration to complete a secure setup.
"This chemical, or compounds of this chemical, are known to the State of California to cause cancer, birth defects, or other reproductive harm" - approximate warning label on a cylinder of oxygen I bought.
I was at a store, and overheard two women discussing buying a Disney lamp for one of their kids. They saw the warning sticker about lead, and were somewhat concerned. I assured them that the lead was in the solder inside the power cable, and that it was _not_ actually painted with leaded paint.
Another time, I was looking at the "Random things from around the world" section of Target. They had bowls and such from different countries. They also had warning labels on some of them.
One of the warning labels basically said, "this isn't for food. Don't eat out of it." It wasn't clear whether you, or the bowl, would be damaged. However, some of them had a warning label that clearly indicated that eating out of that bowl would harm you. I _think_ the word "poison" was used, but I don't recall the text.
The Target warning labels were specific, variable in strength, and appeared quite well targeted. The California Cancer warnings are just meaningless.
yes, it will do good. for the RIAA.
i'm not aware of any precedent for an open hotspot operator being held liable for others doing copyright infringement through his system - but it could happen. liability is imposed either by statute or common law. there may be enough in the dmca for this, a hotspot operator is analogous to a mini-isp offering service to passers-by, but potentially outside the safe harbors for "service providers" written into the dmca.
i was a business/real estate/divorce/general civil lit guy until i bailed out of the justice industry in 1995. issues like hotspot operator liability are fascinating, but i claim no special expertise in them.
Warning labels should be printed on voting ballots as well:
"warning, by voting yes your tax money may go to politicians who will misuse it and then make up for it later by cutting services and higher prices/taxes. You may then be told to conserve water/electricity while rates are hiked and old people die because they can't afford air conditioning, heating, etc."
This amounts to an increase in security awareness and that is always a good thing, right?
However, by the time the wording gets through corporate PR, legal and any other departments involved the warning is unlikely to contribute to security awareness in any meaningful way.
Actually they should ship each router with a different WPA key on by default and put the sticker w/key on the router. A simple but effective way to get near 100% WPA compliance.
Agree with what Mr. Programmer suggested, although there's already increased awareness to secure their wireless networks.
"they should ship each router with a different WPA key on by default "
What is the betting they would make it the same as the product serial number...
Then as most people don't change default passwords etc how difficult would it be for a "cracker" to find the range of numbers to search.
Good security needs good random number production, and few Software/Hardware engineers can get random number generation right at the best of times.
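The point made in the two comments above, as an added example that is not part of the original thread: a per-device default WPA passphrase is only as strong as the process that generates it. The sketch below draws the passphrase from the operating system's CSPRNG, compares its entropy with a key derived from the serial number, and audits a provisioning list for serial-derived or reused keys. The function names, the sticker alphabet and the sample records are assumptions made for illustration.

```python
import math
import secrets
from collections import Counter

# Sticker-friendly alphabet (an assumption of this example): lowercase letters
# and digits with the look-alikes 0/o and 1/l/i removed. 31 symbols.
STICKER_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def random_default_passphrase(length=16):
    """Per-device passphrase drawn from the OS CSPRNG via the secrets module."""
    if not 8 <= length <= 63:  # WPA-PSK passphrases are 8 to 63 characters
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))


def passphrase_bits(length=16):
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(len(STICKER_ALPHABET))


def serial_derived_bits(serials_in_range):
    """Upper bound on entropy when the key is a function of the serial number:
    an outsider only has to consider the serials the vendor has issued."""
    return math.log2(serials_in_range)


def audit_provisioning(records):
    """Check (serial, default_key) pairs from a factory provisioning list.

    Returns {serial: [findings]}; an empty list means no finding.
    """
    key_counts = Counter(key for _, key in records)
    report = {}
    for serial, key in records:
        findings = []
        digits = "".join(ch for ch in serial if ch.isdigit())
        if serial.lower() in key.lower() or (len(digits) >= 6 and digits in key):
            findings.append("derived-from-serial")
        if key_counts[key] > 1:
            findings.append("shared-key")
        if not 8 <= len(key) <= 63:
            findings.append("invalid-length")
        report[serial] = findings
    return report


# Constructed sample records; the serials and keys are made up for illustration.
SAMPLE_RECORDS = [
    ("SN00481516", "SN00481516"),        # key is the serial itself
    ("SN00481517", "wifi00481517"),      # key embeds the serial digits
    ("SN00481518", "k7m2qx9rh4tn8wpz"),  # looks random, but reused below
    ("SN00481519", "k7m2qx9rh4tn8wpz"),
]

if __name__ == "__main__":
    for serial, findings in audit_provisioning(SAMPLE_RECORDS).items():
        print(serial, findings or "ok")
    print("random 16-char default: %.1f bits" % passphrase_bits(16))
    print("serial-derived, 10M units: %.1f bits" % serial_derived_bits(10**7))
    print("example sticker value:", random_default_passphrase())
```

The audit only catches keys that literally contain the serial or are reused; a key computed from the serial by some formula still has at most the entropy of the serial range, so the generation process itself has to be reviewed as well.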
Regarding... "One warning sticker must be positioned so that it must be removed by a consumer before the product can be used."
I find this hilarious. I work in phone tech support for a company that makes printers. On every single one of our newer printers, there's a sticker over the USB port that the customer has to remove to use it. The sticker says "DO NOT PLUG THE USB CABLE INTO THE PRINTER BEFORE INSTALLING THE SOFTWARE INCLUDED" ...and you can guess how often we get calls where people have done this.
Great article. Shows the lack of understanding about wireless.
@josh: "I find this hilarious. I work in phone tech support for a company that makes printers. On every single one of our newer printers, there's a sticker over the USB port that the customer has to remove to use it. The sticker says "DO NOT PLUG THE USB CABLE INTO THE PRINTER BEFORE INSTALLING THE SOFTWARE INCLUDED" ...and you can guess how often we get calls where people have done this."
My heart just bleeds for you and your employers, it really, really does.
Heaven forefend that you guys might revert to selling printers that talk to computers through an adequate, open interface protocol, so that the things can be plugged in and will just work under any recent OS without tens of megabytes of buggy, OS specific custom drivers having to be installed.
Of course, that would reduce all of the opportunities for lock-in, planned obsolescence and all of the other stuff that you and your employers feel you absolutely must have to earn a living, wouldn't it?
It is precisely the shit that you've described above, but applied instead to the world of wireless IP routers, that has led to most of the problems raised in this thread - the various protocols intended for securing wireless devices have been largely stillborn because of numerous corporate and national vested interests shitting en masse on the development and implementation of the same, and thus on their customers, too.
And what do we see? Pillocks like you who get paid to offer "Tech support" for the "stick a label over it" type kludges and who find it "hilarious".
Sheesh, what an asshat you are.
In this area, Verizon DSL has been giving out DSL modems that also happen to be open Wi-Fi access points without even informing the customer. The people receiving them may have no Wi-Fi knowledge or equipment (as in the case I saw), so they would never know the access point existed, much less how to secure it.
It gets worse from there. I called Verizon, and even they don't know how to secure it. They said they don't support turning off the wireless portion of the device or reconfiguring it, and they have no directions they can give out to do so. When pressed, they said that the owner could look for a nameplate on the device, then search the web for that name, and there may be some software to download on the corresponding site. This was for a DSL installation package that came directly from Verizon.
I told the Verizon rep that having an open network could compromise customers' privacy. He said it didn't. I asked what would happen if someone with a wireless card parked outside on the street, joined the network, and maybe tried to listen in on net traffic. He said he wasn't worried, since it wasn't a realistic scenario, as there would be no way to know before driving there that the customer would have a wireless access point.
The more people there are signed up for the service, of course, the likelier that scenario becomes.