Núñez (wireless) Network Security Amendment

Some comments on Schneier’s blog suggest that the new amendment to the existing California Consumer Protection Against Computer Spyware Act (SB 1436) might actually be the work of the RIAA. Anyone know who lobbied for this bill?

The Register story, which Schneier cites, does in fact mention an infamous case where a woman defended herself by claiming a lack of security:

Tammie Marson was accused by record labels Virgin, Sony BMG, Arista, Universal and Warner Brothers of illegally sharing copyrighted music files. She argued that because anyone in the vicinity of her house could have used her connection, the record labels could not rely on the fact that her connection was used, but would have to prove that she was the one actually performing the actions.

Marson’s lawyer, Seyamack Kouretchian of Coast Law Group, told OUT-LAW Radio that evidence that Marson’s connection was used was not enough. “The best that they could do, the absolute best, was prove that the music was on a computer that had accessed the internet through her internet connection,” he said. “You had neighbours who would have had access to her internet connection over a wireless router so it could have been anybody.”

However, a little reading of the text of the amendment itself suggests that it was not a reaction to the Marson case. First of all, it was introduced by Núñez (Los Angeles) and co-authored by Leno (San Francisco). They don’t seem like the type to be in the pocket of the RIAA, but anything is possible and I have not yet looked into it. Second, their intro language in the final version complains more about users who are unaware of the option of security than about a need to require them to use security. Could an RIAA lawyer argue that you agreed to secure your wifi when you opened the packaging? It is not clear what the warnings will say.

Earlier revisions of the amendment shed some more light on what Núñez was trying to do. They also show how far it came along. I can only imagine the reaction if he had kept lines like this one:

(b) “Encryption” means any process whereby a wireless connection to a wireless local area network (WLAN) is secured and is accessible only by the user of the wireless technology.

Encryption means secured. Clear? Note that the first draft also had a rather vague requirement:

A person or entity that sells wireless technology to a computer user in this state shall not sell that technology unless it contains encryption software or a similar encryption device, which shall be set as the default mode at the time of sale.

Eeek. That’s like fingernails on the chalkboard bad. Encryption software or similar encryption device? Could someone define encryption, or at least throw in a “reasonable” in front of it for good measure? Er, imagine if you used encryption=secured — “secured software or a similar secured device”?

Anyway, not to beat a dead draft version, the final version has its own problems. For example:

Enabled security avoids this problem by preventing all but the most determined attempts to tap into a consumer’s network.

Great. Enabled security sounds like a good thing. I’m a little wary of who gets to define “determined attempts” and how, but I’ll leave that one alone for now. So, what’s the problem it is trying to solve?

Consumers are generally unaware when an unauthorized user is using their broadband network connection

Ahem. Who gets to be the person to tell the California Senate that their solution has nothing to do with solving the problem? Neither warning labels nor encryption make users aware of unauthorized use of a wifi network. Wasn’t that the goal? Sure, there is a small chance that users might be able to prevent unauthorized use if they know what to do, but if the problem is that they are unaware or otherwise unable to detect unauthorized use…I’m just saying.

So despite all the problems brought forward for consideration the solution they ultimately settled on seems to suggest little more than user education. I think it is interesting that in the final version there is no requirement for default enable on devices, just a gentle prod to be aware that security exists. At least that is how I would interpret this “advise and make them affirm” language:

(3) Provide other protection on the device that does all of the following:
(A) Advises the consumer that his or her wireless network connection may be accessible by an unauthorized user.
(B) Advises the consumer how to protect his or her wireless network connection from unauthorized access.
(C) Requires an affirmative action by the consumer prior to allowing use of the product.

I guess I am ok with that. Advising the consumer about their option for security is just plain old education (POE), although I am not convinced that this is the right way to give an incentive to companies to offer better security or make it more user-friendly. Ranum and Schneier gave their positions on the effectiveness of user education here. In a nutshell, Ranum says hard-knocks and breaches are the form of education people can relate to and Schneier contends that security should be easy enough to use that people will adopt it naturally. But rather than rehash that debate the government of CA has sort of clearly said they want users to be educated.

So when you look at the amendment’s solution, the real question becomes whether people are being denied the opportunity to protect their wifi (and related) security because they simply do not know about their security options. That is what the amendment appears to cover. Is this really something the government can effectively promote, especially if consumers actually want/need controls from manufacturers like real-time monitoring instead of just some legal disclaimers on a piece of packing tape?

I don’t know if there is still time for revision but I would suggest they try to find a way to incent wifi device manufacturers to make security more reliable and accessible, and that does not necessarily mean direct regulations. A mere warning about the option to use a complex and faulty system (to combine the positions of Ranum and Schneier) does not generate the heat necessary to make security seem like a good trade-off to the average consumer.

Will there be real justice for virtual crimes?

The Guardian tells yet another story of gamers duped online:

Inside Eve, one player set up what was called the Eve Intergalactic Bank, offering to let players store their virtual cash in the game currency known as the Inter Stellar Kredit, or ISK. The banker, known as Cally, gave others the chance to deposit their money with the bank and earn a few percent interest – a handy option when the ISK was rapidly depreciating.

Many took Cally up on the offer and deposited their virtual money with the bank, before discovering that it was all an elaborate ruse. Instead of safeguarding the billions invested, Cally made off with the cash – believed to be in excess of 100bn ISK – and is now thought to be living the Eve high life, while hundreds of disgruntled players shake their virtual fists in fury.

Is trust going to become weaker as virtual threats cross into real life? Certainly easy to see how the “billions disappearing” would translate into real people getting really mad. So is it a lesson learned, as part of the virtual risks, or a cause for alarm and for justice to be served? If nothing else it shows how some people have the worst intentions when dealing in an open market, and it makes me wonder how Cally was able to convincingly represent him/herself as a Bank.

Ethanol kills boat engines

On a test ride in a Toyota Camry hybrid a few weeks ago I asked the salesman when the diesel-hybrid is coming. “Haven’t heard about that one yet” he said, “but I can tell you for sure that Toyota says that they are not a fan of ethanol — bad for the engines.” Alas it seems the etha-hype has continued and now engines are literally being destroyed by people who do not have the right equipment and are not made sufficiently aware of the risks:

Complaints are coming in from disgruntled captains from East Coast harbours to Hawaii in the Pacific Ocean – that boats are mysteriously puttering to a standstill and the suspected cause in each case is ethanol.

“The engine damage appears to be a tar-like substance – possibly from the chemical reaction between the resin and ethanol – causing hard black deposits that damage intake valves and pushrods, destroying the engine,” Boat US wrote. For some owners this may mean their engines are wrecked. Others are looking for ways to cut out their fibreglass tanks and replace them with aluminium ones.

One man who knows all about the ethanol blight is Ale Tolentino, who captains a Dolphin tour boat in Hawaii. “It just melted things that was in the tank that’s been in the boat since it’s been built, sent it right through the fuel lines and the fuel lines were melting – and sending stuff in liquid form right through the engine and into the injectors,” he said. “It came down to the ethanol doing the damage, it just killed us.”

Another problem is that ethanol attracts water. In a car, where the tank and fuel lines are sealed, water is not an issue, but that is hardly the case when you are water-borne, particularly if your boat sits for weeks at a time not being used.

Ooops. Don’t get me wrong, ethanol is great stuff provided it is used to make biodiesel or used in engines specifically made to overcome its lack of power and efficiency (e.g. don’t be surprised when a Chevy Tahoe running on ethanol gets less than 10 mpg). But you will never hear these sorts of complaints from boat owners with diesel engines who run biodiesel or even convert to pure vegetable oil. The very worst that can happen with diesel is the hoses or seals might go bad, or a change in viscosity of the fuel might make it harder to turn the engine over. Small potatoes compared to killing the engine, especially when you are miles from shore.