Reprinted from an article at NIST.org with permission.
I use the term "ignorant" quite mercifully. Some of our politicians are just down right stupid. I define "stupid" as ignorant people that really have no interest in learning or trying to over come their ignorance. The politicians in this MSNBC story must actually be stupid and the CIO doesn't seem any better.
I'm not even going to argue the merits of a law requiring wireless encryption, which is what I think they're wanting. They discuss hackers "grabbing data traveling through the air" and the goal is to prevent people from monitoring credit card information. Their solution? "The law requires each business to install a firewall or change the default SSID, the name that identifies a wireless network, if the personal information stored has not already been encrypted." What is a firewall or changing the SSID going to do? Nothing! You can still see the SSID, you can still associate with the access point, you can still sniff the network. And just because the data is "stored" encrypted doesn't mean its encrypted going through the air. What a joke.
Ok, I thought maybe I, or the story's author, misunderstood them. But the story goes on to say "Jacknis" the county's chief information officer "said easily available firewalls would protect credit card transactions, for example, from being detected by a hacker posted outside a dry cleaner that uses a wireless network." Ok, tell us how? He goes on to say "At most, he said, installing firewall protection — or just turning on the encryption and other security measures available — would take an hour of a consultant's time." Ok, now you're getting warm. Maybe that encryption thing would be a good idea. And rather than requiring the firewall on the router maybe require it on PC or server. At least this way once the hackers associated to the access point they might have a harder time breaking in to the computer and stealing the data.
I thought things were bad enough with incompetent CIO's at the helm of businesses and government agencies (those CIO's that know me; I'm not talking about you :-) But having them assisting in writing law is very scary. I would rather have no law at all than totally inept law.
Can someone living in Westchester County NY please talk to these folks before they make laughing stocks of themselves (ok yea, too late for that).