Windows 10 Shares Your Wi-Fi Password With Contacts

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the wifi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

if that's true,

[unami]

no guests with windows laptops on my wifi - i'm not going to change my ssid, microsoft style. ugh. i guess this issue will resolve itself after a short shitstorm.

Re:if that's true,

[dinfinity]

It seems that there is room for convenient router functionality that asks you this: 'A device with MAC address x requests access to your network: GuestLAN. Allow?'

Handing out passwords to untrusted parties instead of tokens is archaic anyway.

Re:if that's true,

[sd4f]

Yea i don't get this idea, it absolutely crazy. While I'm sure security experts are going to say why this is a bad idea from the start, at least make it an easy opt out, not some crazy way to not do it.

Re:if that's true,

Opt-in would be better.

Re:if that's true,

The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

Re:if that's true,

[fuzzyfuzzyfungus]

What I would like to see explained in more detail is the claim that 'wifi sense doesn't reveal your plaintext password' during the sharing process.

My understanding was that(except WPA2 with RADIUS and a suitably chosen EAP) there isn't any provision for authenticating to a password protected AP without knowing the password. The AP itself might be able to destroy the password after it has been set, saving only a hash, as is good practice to keep more important sets of usernames and passwords from being compromised; but the client requesting authentication needs the password. The non 'enterprise' cases were designed to be easy to use, not particularly clever; and MS has limited room to get creative without causing nasty breakage on large numbers of variously dysfunctional legacy APs.

With a proper full WPA2 setup, or with one of the 'no authentication at the AP; but captive portal and/or VPN is the only way to access anything interesting' arrangements, you have more options; but how can you 'share' authentication to a WPA-PSK or WEP network without also sharing the key? Did they actually come up with something really clever, or does the UI just not show you the password, thus 'hiding' it?

Re: if that's true,

[TerryMathews]

Most people can't be bothered to look at what their computer is doing before clicking an UAC window, you really expect them to properly opt-out of SSID passkey sharing properly?

Re:if that's true,

[hawguy]

The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

Did you read the box?

Save on mobile data usage with Wifi Sense. Join in and get connected to WiFi. By using WiFi Sense, you agree that it can use your location.

Who doesn't want to save on mobile data usage!? How many people will opt-out? Where does it say that by opting in that they are sharing their Wifi passphrase with everyone they share to? It may be obvious to you, but not to 99% of the people that will run Windows 10.

Re:if that's true,

[MightyMartian]

I don't care about whether you can prevent sharing with your friends on FB it whatever, what I care about is me not having to alter my network settings so that if I give you access to my WiFi network, you sharing MY network information with the pwoe you're "friends" with.

Re:if that's true,

Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

Re:if that's true,

[hawguy]

Maybe it will change some more, but I just set up WiFi on a Windows 10 build today and it had an UNCHECKED check box for sharing the password. I would have had to check the box to allow it to share. How many people go around checking boxes?

Probably the same number of people that want to save on mobile data usage with Wifi Sense?

Re:if that's true,

If I remember how WPA-PSK works correctly, the AP and the client do not send the pre-shared key in either plaintext or ciphertext. They derive keys from the PSK and certain identifying information that each uses to prove to the other that it knows the PSK. I believe the radio keys are part of the derivation, although they may be encrypted and sent separately. (I once implemented WPA, but it's been a while, so I may be a bit fuzzy on some details.)

However, a lot of public access points run with WEP, WPA, and WPA2 completely turned off. The local switch/router is set up to keep a client from communicating with the Internet until it completes some authentication process such as Web authentication. Of necessity, WEP/WPA/WPA2 must be turned off (or the password at that level must be well-known), or the frames that the, e.g., Web authentication process needs will never make it up to the network management layer.

Re:if that's true,

Microsoft doesn't operate my wireless router. How do they grant access to it in this scenario?

Re:if that's true,

[maorb]

The problem is you can't enforce that you're friend didn't enable WiFi Sense without looking over his shoulder. He might end up accidentally distributing YOUR passphrase when he shouldn't be.

The only way to be sure that this doesn't happen is to add an ugly _optout line at the end of your SSID. Frankly Mr. Joe Person down the street shouldn't have to know about Microsoft's new feature to be confident that his passphrase isn't being passed around without his permission.

Re:if that's true,

[bondsbw]

The way I read it, they probably don't.

The FAQ seems to imply that it is only applicable to open routers:

What does Wi-Fi Sense do?

Wi-Fi Sense connects you to Wi-Fi networks around you to help you save cellular data. It can do these things for you to get you Internet access:

Automatically connect you to open Wi-Fi networks it knows about by crowdsourcing networks that other Windows Phone users have connected to. These are typically open Wi-Fi hotspots you see when you're out and about.

Still very questionable, but perhaps not nearly as pervasive. I'd think it would mostly apply to hotels, restaurants, and other places of business.

Re:if that's true,

By sharing the connection over your computer's wifi. I'm guessing you've never heard of an ad-hoc network.

Re:if that's true,

[maorb]

After looking at it further and reading some more comments her on /. I'm beginning to suspect that, although WiFi Sense is enabled by default on the system, it does not include new networks by default unless you select them when connecting for the first time. If so, then this issue is much less of a problem since it effectively becomes opt-in, but I still don't like having to look over my friends shoulders to be absolutely sure he/she didn't select the wrong setting my MY home network.

Re:if that's true,

[bondsbw]

And I didn't mean to downplay how big of a problem this may be for the many people who have a password-protected open network for guest access.

I'm just keeping in mind, though, that guest networks are typically isolated from the main network and the guest network would only be shared with friends-of-friends*... probably not an actual issue for the vast majority of people, so much as a theoretical one.

* Actually, come to think of it, would the password also go to friends-of-friends-of-friends? Friends-of-friends-of-friends-of-friends? How deep can this go? The whole six-degrees-of-separation thing comes to mind... could this end up pushing almost everyone's network passwords to the entire connected internet? Yeah, I'd like more info, and the sooner the better.

Re:if that's true,

[Zontar+The+Mindless]

I don't live in a basement. But I am concerned about being held liable for what others do with my connection.

Re:if that's true,

That doesn't make sense, though. If it's an open wi-fi network, why would I need to get credentials from someone on Outlook or Facebook or wherever?

I use open hotspots in a lot of businesses, even the haircut place and the tyre rotation shops have free wi-fi now. A lot of them are wide open in the sense that they have no password at all, just a captive portal you have to click "I agree" to. The ones that do require a password have it posted on the wall or at worst you just ask your server. Microsoft didn't build an entire feature into Windows and Outlook just for that.

Re:if that's true,

[retchdog]

then you should be for this. if enough people do it (and get in trouble thereby), there might be pressure to get rid of that liability.

as long as you don't use it personally, it's a win. just chill, have a drink, and let stupidity work in our favor for once.

Re:if that's true,

[Rutulian]

I was curious about this too. But the AC below gave a nice hint, so I went looking for a better explanation. Here is the blurb from the Wiki,

Also referred to as WPA-PSK (Pre-shared key) mode, this is designed for home and small office networks and doesn't require an authentication server.[9] Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[11] WPA-Personal mode is available with both WPA and WPA2.

So it seems the PSK can be passed around without revealing the passphrase. But if I also remember correctly, the PSK is supposed to rotate (or maybe that's WPA2).

Re:if that's true,

[whoever57]

I think that you are mis-reading the FAQ, I found this in it

When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they'll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they're in range of the networks (if they use Wi-Fi Sense).

What is even more interesting is that it apparently automatically accepts any terms of use and provides passwords to web-based WiFi access logins, which could create some interesting legal situations (did you really accept the terms, and are you logging in with someone else's username/password)?

Re:if that's true,

[Namarrgon]

Here's the thing: You can leave your box unchecked - but if ANY of your friends have access to your wifi, and *their* box is checked, then all their Facebook friends will also get access to your wifi.

And the only way you can prevent this is to append "_optout" to your SSID.

Re:if that's true,

[blang]

So, now your local coffee shop or motel that offers free wifi to their customers now will be serving these same customers, and any members of their rolodex, and colleagues, and facebook friends. Sounds like steeling to me. What happened to asking before taking?

Re:if that's true,

[fufufang]

The problem is you can't enforce that you're friend didn't enable WiFi Sense without looking over his shoulder. He might end up accidentally distributing YOUR passphrase when he shouldn't be.

The only way to be sure that this doesn't happen is to add an ugly _optout line at the end of your SSID. Frankly Mr. Joe Person down the street shouldn't have to know about Microsoft's new feature to be confident that his passphrase isn't being passed around without his permission.

If you are that paranoid, you might want to implement some kind of RADIUS server. I have never looked into it myself though.

Re:if that's true,

[Namarrgon]

Every time you give a friend your password, you have to make certain they don't have their Wifi Sense option enabled, or the same situation arises. It's also possible for them to opt into Wifi Sense for your network details any time afterwards too, so you better remain on good terms with them.

There's a reason that Microsoft added the ludicrous option of opting out via your SSID - it's because there's simply no other way to be certain this doesn't happen to you.

Re:if that's true,

[mSparks43]

Much better plan imho is to just use a MAC address whitelist to "opt out"

I've been doing this for some time. "my" wifi, high bandwidth, load balancing, access to filesharing has the one whitelist.

If you aren't on that whitelist you get dropped into a virtual lan, with shared 150kBs max up/down bandwidth and a piratebox.

Re:if that's true,

[Dr.+Spork]

Agreed. As an opt-in feature, it's actually a good idea. I've written down passwords on stick-it notes for visiting friends, and that sort of opt-in password sharing is also not without security issues. My stick-it notes don't self-destruct. I think it also makes it more concrete who really is a friend - a person with whom you're willing to share your wifi password. I think that's actually a pretty good minimum standard for friendship.

Re:if that's true,

[houghi]

"typically", so they can be anything, including the person next to you on the metro or you for the person next to you in Starbucks where the router is down.

So suddenly they are surfing on your limited data bandwith and you don't even know it. Nice.

I would think that I say who has access to my network. This goes far beyond 'we own your hardware our software is running on" and even that is not debatable.

Re:if that's true,

[wimconradie]

Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

So if I am trying to connect how would I be able to send any hash to any computer while I'm not connected?

Re:if that's true,

[bondsbw]

Well, I agree that it's a solution looking for a problem. Really the only time I could see that being useful is if you go to a restaurant or coffee shop and want to get on their Wi-Fi, and a friend has already been there before and logged in.

Re: if that's true,

[Stuarticus]

Just stop driving American cars and you don't even need to.

Re:if that's true,

[Bert64]

The PSK *is* the passphrase... The only thing the passphrase gives you is access to the network, and the key does that too.

Re:if that's true,

[TheRaven64]

A better solution would be a standard form of QR code for WiFi configuration info, so you just point your camera at something and now you have WiFi credentials.

Re:if that's true,

[jrumney]

You are the one who is "full of shit", since you are getting all of your information on the implementation of this feature on Windows 10 from an old article about Windows Phone 8.

Re:if that's true,

[Bert64]

Limiting sites and protocols just causes problems, people will have their devices setup to connect to all manner of things (vpns, email, im, voip etc), and restricting what they can access will invariably block some stuff and render the connection unusable, causing a denial of service if the handset automatically connects to the wifi and loses its cellular connection where everything was working.

Re:if that's true,

[dissy]

I think that's actually a pretty good minimum standard for friendship.

The new relationship standards:

A friend is someone you share wifi passwords with.
A best friend is someone that helps hide the bodies.
True love is when you merge your media collections.

Re:if that's true,

[AmiMoJo]

TFA has the wrong screenshot. This is the important one: http://cdn5.howtogeek.com/wp-c...

When you connect to the network there is a box that very clearly says "share network with my contacts". It could be a bit clearer, but it does at least make it obvious that the network details you are entering are going to be shared.

Re:if that's true,

[Pope+Raymond+Lama]

It looks like it is not /. editors who can't read things here, but you. This is the sitautionm - I own Wifi access point "A"; Friend "B" comes by, I physically pass A's password to B. Now "B" is the one with the option to share or not the passwords (and all of them) with all HIS contacts - not mine. And moreover, it will happen by default - if B has 2000 Outlook.com contacts, all those 2000 people will be automatically allowed to connect on my WiFi "A". And the ony means this not to happen is if `B` opt out __all__ his sharing (not just for WiFi "A") or if WiFi "A` SSID is formatted as dictated by Microsoft (i.e., ending in `_optout`).

This is so insanely ridiculous that there are no word to describe how ridiculous that is.

Re: if that's true,

[BorgDrone]

A MAC whitelist provides exactly 0 additional security. Worse, people like you think they are secure when in fact they are not, making it less secure in practice.

Re:if that's true,

[Ol+Olsoc]

Friends-of-friends-of-friends-of-friends? How deep can this go? The whole six-degrees-of-separation thing comes to mind... could this end up pushing almost everyone's network passwords to the entire connected internet? Yeah, I'd like more info, and the sooner the better.

Sounds like Kevin Bacon will have access to everything!

Re:if that's true,

[unixisc]

I think that you are mis-reading the FAQ, I found this in it

When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they'll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they're in range of the networks (if they use Wi-Fi Sense).

What is even more interesting is that it apparently automatically accepts any terms of use and provides passwords to web-based WiFi access logins, which could create some interesting legal situations (did you really accept the terms, and are you logging in with someone else's username/password)?

'You choose to share' is key here, so the headline is definitely misleading. I could choose to share my primary SSID, or I could choose to share just my guest SSID. If I did the latter, there shouldn't be a problem

Re: if that's true,

Is it? What if they see not adding "_optout" to the ssid as "choosing"?

Re:if that's true,

[ultranova]

What is even more interesting is that it apparently automatically accepts any terms of use and provides passwords to web-based WiFi access logins, which could create some interesting legal situations (did you really accept the terms, and are you logging in with someone else's username/password)?

Did you really accept the terms if you clicked past the legal boilerplate without reading it? Because in the digital world, that's how things work. In theory, you can read and consider the consequences of the terms of use of every single service and program you use, but in practice that's a far too onerous requirement. So if your question is actually meaningful - if those "terms of use" are legally binding on the user - then the legal system is going to implode.

Re: if that's true,

[TemporalBeing]

A MAC whitelist provides exactly 0 additional security. Worse, people like you think they are secure when in fact they are not, making it less secure in practice.

MAC whitelist is a good first step, but it's just a first step. You always have additional security after that, such as WPA2 and/or a Radius Authentication Server. And honestly, if you had a Radius Authentication Server it wouldn't matter if the WPA2 cred was shared...they would still have to authenticate and you just rotate the password on the guest account.

Re:if that's true,

[Rutulian]

Did you read my comment? The key is derived from the passphrase, it is not the passphrase itself. Neither the key nor the passphrase is ever transmitted. There is a handshake protocol where both the AP and the client demonstrate they both know the key and then a unique session key is generated from the key to encrypt traffic.

Re: if that's true,

[mSparks43]

that's not the only protection in that zone.
if they try that they are isolated from the entire network until the username/pass is entered for the network.

point is. if you aren't in the whitest you can connect to a low quality Internet access an file box for sharing movies and music. but anything "personal" is on a seperate network.

a bit like the cable companies do on their routers. only with file sharing.

lots of ways to do it. but my point is people should already be running at least two networks anyway. one for them and their devices and one for guests.

Re:if that's true,

[unixisc]

The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

I tried it out right now. In Windows 10, when you go into Settings and then 'Network & Internet' then under the list of WiFi WAPs, just under Properties, there is 'Manage Wi-Fi settings'. When you go there, there are 2 switches:

1. 1. Connect to Wi-Fi hotspots
2. 2. Exchange Wi-Fi network access with my contacts

You can disable the second item. Below it, there is a description that says 'You select the Wi-Fi networks you want to share with these contacts. They get internet access if they use Wi-Fi Sense, but they don't get to see the shared passwords. You'll also get Internet access through the networks they share

Regardless, I did a couple of things. So far, I had not been using the Guest network on the router, but I renamed it, gave it another password and enabled it. Most of my toys - my tablets, phones and this PC-BSD laptop that I am using are on my main WiFi network. I've put my Windows laptop and Winbook tablet on the guest network, and disabled the WiFi network access option. From now on, any guests I have would get access to the latter SSID, but I still am not sharing the network contents on my laptop. So I now have 2 networks - one for my Windows boxes, and the main one for everything else.

FWIW, Windows 8.1 too has the option of sharing network access, and they too make all the devices on that network visible on your computer.

If only people would see what the OS actually does, instead of spreading FUD just b'cos they loathe Microsoft (which today is a shadow of its former self)

Re: if that's true,

[unixisc]

My car is supposed to undergo a warranty service every 6000 miles: I do it at 5000. So I expect things to be fine as long as that happens. If it doesn't, Subaru would have to do some major warranty repairs.

Re:if that's true,

[unixisc]

The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

Did you read the box?

Save on mobile data usage with Wifi Sense. Join in and get connected to WiFi. By using WiFi Sense, you agree that it can use your location.

Who doesn't want to save on mobile data usage!? How many people will opt-out? Where does it say that by opting in that they are sharing their Wifi passphrase with everyone they share to? It may be obvious to you, but not to 99% of the people that will run Windows 10.

They are not changing the passphrase. The contacts would get Internet access, but would not get to see the passphrase. It says so clearly in Settings, under 'Network & Internet':

You select the Wi-Fi networks you want to share with these contacts. They get internet access if they use Wi-Fi Sense, but they don't get to see the shared passwords. You'll also get Internet access through the networks they share

Re: if that's true,

[unixisc]

The original cliche was 'The network is the computer', and that was a cliche of Sun, not Oracle.

Re:if that's true,

[retchdog]

i forgot no such thing. something is better than nothing.

by the principle of comparative advantage, stupid people can benefit the world by struggling and suffering through what should be minor annoyances for the more capable. and thus, there is equality.

Re:if that's true,

[Solandri]

I've always wondered why wifi networks only allow a single password. Why can't they allow multiple passwords? That way you can create a temporary one when a guest needs to access something on your LAN but you don't want to give them permanent access. Right now the only way to do that is an ethernet cable, or change your password to something else, give him access, then change it back when he leaves.

Multiple passwords would also give you the ability to revoke passwords you consider to be compromised, without affecting the ability of others with "good" passwords to continue connecting. I used to give my parents and my sister my wifi password so they could connect when visiting. Then I learned my dad had given the password to a friend who came to visit with him once. I had to change the password, which meant entering the new password on all my devices plus all my sister's devices.

You could even give different privileges based on password. Internet-only. Internet-only at reduced bandwidth. Internet + LAN. LAN-only. Only one other device on the LAN. etc. Kinda like the guest network thing showing up on newer routers, except a lot more flexible.

Re:if that's true,

[ceoyoyo]

That seems silly. My phone is quite capable of finding open wifi hotspots all by itself. It's the ones where it doesn't know the password that are a problem.

Re:if that's true,

[StikyPad]

Spoiler alert: Kevin Bacon already has access to everything.

Re:if that's true,

[jakimfett]

This is the best explanation I've seen yet. Thank you, if I had mod points, you'd be getting an "informative".

Re:if that's true,

[bondsbw]

I'm talking about the open hotspots that are protected behind a password web page, such as many home guest networks, restaurants, and hotels.

Re: if that's true,

[geminidomino]

Might want to go easy on the self-righteousness there, MS Security Engineer AC. Just because the FUD is bullshit doesn't mean that the whole idea isn't a massive "painstakingly designed" misfeature that should never have seen the light of day.

Re:if that's true,

[hucker75]

Do we care? I hand my wifi password out to my neighbours. All they can do is get free internet, which is there anyway.

Re:if that's true,

[ceoyoyo]

Oh, gotcha. Like the ones you pay for by the minute. Awesome.

Re: if that's true,

[Evan+Langlois]

And we can count on Microsoft to make sure those phones are secure once the password reaches the destination. And no one can hack Microsoft's servers. But that's not the issue. It isn't Microsoft's right to share my passwords with Facebook. That is between me and an individual, not Microsoft, not all of that individual's Facebook friends. And this being a default means it will happen without most people knowing how to turn it off, or even knowing its happening. This will go to court. Watch how fast it gets turned off on the "Business Edition" of Windows! No company is going to let Windows X share the corporate security keys.

Re:if that's true,

[farble1670]

When's the last time you encountered an open wifi network that didn't have a web-based authentication scheme in place?
I must be missing something.

Re:if that's true,

[bondsbw]

Perhaps, I don't know how those work. I've only used pay-by-the-day at hotels.

Re: if that's true,

[KGIII]

Nope. They are getting free wifi from their neighbor thanks to this sharing option.

Re:if that's true,

[bondsbw]

What you mentioned is what I was talking about, that it would only apply to open Wi-Fi networks with web-based authentication (as opposed to encrypted connections).

Re:if that's true,

[lsatenstein]

my Linux based router allows (accommodates) mac-address filtering. But the interface chip address can be bypassed to allow your system to report any desired mac address.

Re:if that's true,

[Namarrgon]

No, it really isn't. ICS lets a user connect to a PC and access the internet through that PC. The PC becomes an access point.

WiFi Sense lets your friends connect directly to your router, by securely sharing its details with them. Your PC doesn't even have to be on.

This is how it's possible for your friends to share those router details with their friends. Win10 doesn't know it's your router and not theirs, it will let anyone with the password enable WiFi Sense sharing.

Re:if that's true,

[daedalus2097]

From the FAQs:

"If you decide to manually enter your password on someone's Windows Phone instead of sharing access through WiFi Sense, make sure they can't see what you're typing when you enter it, then untick the Share network with my contacts checkbox before you tap Done to connect."

It means guest devices connected using your password will think your network is their network, and can share access with their contacts unless you untick the box.

No thanks.

Re:if that's true,

[ceoyoyo]

There are some services where you can get an account and get charged by the minute. Skype Wifi does that, and Boingo I think.

I don't imagine the cell companies would be particularly pleased with people sharing their cell account wifi logins either though.

Re:if that's true,

[AK+Marc]

PSK is Pre-Shared Key. The "key" in that is the passphrase. You pre-share it by putting it in both devices before you try to pair them. The PSK isn't the session key. As you say, that's generated for the session.

And nobody was talking about what is "transmitted" so unclear what that has to do with whether the PSK you enter on the "passphrase" space on the router is a [PS]Key, or a passphrase. It's both. The terms are used interchangeably for that setting. And yes, that's confusing as "key" is used elsewhere for a different purpose. But that doesn't make your car-key not a key because it doesn't look like your house key.

Re:if that's true,

[AK+Marc]

MAC address filtering isn't very secure, but it's better than nothing. It's like the door chain. They are easily cut, can be kicked open easily, and don't really improve security, but it makes you feel better. Aside from brute force, the glaring hole is that someone can snoop your network and see all the valid MACs on it, even if encrypted. Then, when any of those devices are gone (like your cell phone on WiFi in range), clone the MAC of the missing device, and you are 100% in, if MAC filtering is your only authentication. At best, it will deter a casual snooper, but will only add a tiny delay to a targeted attack.

Re:if that's true,

[Rutulian]

Ok, since you are the second person to say this, I guess I was unclear. The way PSK works in WPA when you use a passphrase is:

(passphrase + SSID) * hash algorithm = pre-shared key (PSK)

The PSK is not the passphrase; it is a deterministic transformation of the passphrase, much like the way passwords on your local system are stored. Why is this distinction important? Well, for one the PSK is much less susceptible to dictionary-style brute-force attacks than the passphrase it is derived from. Second, if your key becomes compromised, you can do something as simple as changing the SSID, and that will generate a sufficiently different key without needing to change the passphrase.

So, the answer to the original question in this thread, "How do you securely share the wi-fi password with your contacts?" is "You don't, directly. You share the PSK, because that is all that is stored locally on your client." And the reason that works is because the way your computer authenticates locally with a password database is fundamentally different from the way your client authenticates with your AP.

Re:if that's true,

[AK+Marc]

You've missed. It's not about the technical definition. The "key" is the passphrase. The passphrase is pre-shared. The shared secret is the key, and that is the passphrase.

The crypto key is what you are describing, not the pre-shared key the user uses.

The failure to communicate isn't our misunderstanding of the technological terminology, but your inability to put the technical terminology aside and listen to others.

Re:if that's true,

[Rutulian]

Um, sure ok, if you want to think about it that way. I see what you are saying, but the question relevant to the discussion is "How do you share a passphrase when its only representation on the system is as a hashed key?" That is the question that started off the whole discussion. For example, if I steal your desktop's hashed password list, I can't use that to break into your system (not easily) because you need to know the actual passphrase (not just the hash) to authenticate. With WPA-PSK this is not the case, but it's the risk everyone accepts when they use it.

Re: if that's true,

[AK+Marc]

Brake fluid? Who needs brake fluid? Mechanically activated 4-wheel drum brakes works for me.

Re:if that's true,

[unixisc]

No, Microsoft specifically says that the connection is shared, but the password isn't. Anna can only share her own connection, if she has one, w/ Beatrice, not yours. Also, enabling that enables you to share Anna's connection, if she allows it

Re:if that's true,

[suutar]

Good to know, thank you for the pointers :)

Re:if that's true,

[TheRaven64]

No, I wasn't aware of this. A quick search shows a number of sites to generate them, but I can't find a spec of what they contain. It would be nice if this could be standardised.

Lol, what could go wrong.

I can't wait

No

ahhhh no, for networks you have SELECTED to share it can do it. Wifi sense being on doesn't suddenly expose all your wifi passwords. extremely inflammatory summary. still seems a stupid risky feature, just not as dumb as those writing the Slashdot summaries.

Re:No

[danomac]

However, just because I gave Person A access to my wifi, that doesn't mean I give everyone Person A knows access to my wifi. This could end up in legal hot water territory.

I guess that I just won't be giving any guests access to my network anymore. They can pony up and get their own mobile data plan for their devices.

Re:No

[MightyMartian]

Inflammatory Mode On: Why in the fuck would even want to opt-in to such a service? If it's private WiFi, it's likely to be at my home or my workplace, and in either case I absolutely do not ever want to share that over fucking Fuckbook, Twatter or whatever stupid lame-ass soshial neshworking crap site becomes the next biggest and greatest.

Rational Mode On: Now let's imagine that my organization has a private WiFi hotspot available for employees and a few others. I do not ever want to have those keys shared outside that group, nor should I have to change MY network with an "_optout" on the end of an SSID. I would consider that a breach of security. Sure, I'll probably be able to disable Windows devices that are domain members via GPO, but if they're not actually devices belonging to the organization, or "Pro" versions of Windows where it even knows what the hell Active Directory is, then MY network is being compromised by this service.

This is just a plain bad idea, whether you're being reasonable or inflammatory.

Re:No

[Harlequin80]

Serious question - who here is not running a guest wifi access point? I would never give full access to my network to an unknown device. So I run an open guest wifi which is on a different subnet and has its internet rate limited.

Re:No

[amicusNYCL]

Serious question - who here is not running a guest wifi access point?

I'm going to guess the vast majority of people running wifi at home. My office has a guest network, my house does not.

Re:No

if you told someone your wifi password you have already introduced a massive hole that you no longer control. the sharing through sense is no different to them emailing it out which they can also do.

Re: No

[danomac]

I do in the manner you mention but now I am not so worried about it anymore.

Re:No

[ewhac]

ahhhh no, for networks you have SELECTED to share it can do it. [ ... ]

ERROR: MISLEADING.

Wi-Fi Sense's default settings are to share everything, all the time. Indeed, Microsoft's rules for shipping Windows Phone 8.1 requires OEMs to turn this "killer feature" fully on. Expecting users to have the presence of mind to turn this off is willfully disingenuous.

Re:No

[Luthair]

From a security perspective you kind of do as Person A can give out the password to whomever. That said I agree, I don't like the idea of Microsoft automating it.

Re:No

[Balthisar]

I don't run an incubator in my house, so usually it's just friends' kids that want to connect their iPhones to my network, thus I have no reason to run a separate guest network, although Tomato on my AP's would make this trivial. The networked computers have passwords for VNC and keys for ssh, and I'm not overly concerned that my friends' kids will have compromised iPhones that want to brute-force anything.

Re:No

[Chris+Mattern]

Me--because my wifi router is entirely private. Only I use it.

Re:No

[fuzzyfuzzyfungus]

Just as they say, in the context of backups, that 'if it isn't automated it won't happen'; there is likely to be a considerable difference in the rate of unintended leakage between a 'yeah, I guess I did tell Bob the password, he could pass it on' and 'the password spreads through your entire social group like a bad chain email'.

This sort of 'friend/acquaintance' attack attack is also exactly where slightly-too-automatic automation makes it really easy to bypass what limited good sense about security humans do have.

If, say, Alice and Bob have just had a messy breakup; it would be fairly obvious to any mutual friend of the two that sharing one's wifi password with the other, or a known friend/agent of the other, is something that they wouldn't like. They might do it anyway; because people are assholes like that sometimes; but it would be deliberate. Social-engineering somebody in that situation into telling you the password might be vaguely tricky. Social-engineering them into making you enough of a contact/friend/whatever on the services that this 'wifi sense' system uses to receive the password should be absolutely trivial; quite possibly already done.

I suspect that it isn't for nothing that this 'feature' first appeared on Windows Phone; carriers adore the idea of getting the filthy customers off the cell data networks they pay for and onto wifi as often as they can, and don't much care about a bit of collateral damage inflicted by dumb implementations.

Re:No

[MightyMartian]

There's a doodad on my AP that let's me disable a feature on a connecting WiFi client?

Re:No

My house has a guest network, so does my parent's house. Wireless routers these days almost invariably let you setup multiple SSIDs and let you specify whether devices on the guest one can see devices on the normal SSID. I know a lot of people run very old routers - yeah, those can't do it, but all of the modern ones can.

Re:No

[the_B0fh]

OP is asking a very pointed question to which you have no answer, so you are avoiding the answer instead of owning up to it.

If you really don't understand OP's point, go read it again.

Re:No

[I'm+New+Around+Here]

If you don't get the AC's and MM's point, you can shove that facepalm up your ass.

The person running the router doesn't always have control of the devices connecting to the router. Even if that person was able to turn off the email-secret-password-to-the-world feature while the device is in the office, there is no way to ensure it doesn't get re-enabled two hours later.

Re:No

[tepples]

Yes. It's called rotating the WPA2 key.

Re:No

Each and every fucking device now needs to have its own/dedicated account -- block Win10 devices across the board, and ban devices that attempt to connect using the same credentials.

Re:No

[Harlequin80]

Most newer routers come with guest wifi as an easy to setup option.. To me it is just one of those things you setup by default.

Re:No

[i.r.id10t]

After setting up the new device adn being prompted "Do you want to share your connection" how many users are gonna think to themselves "Well, yeah, I want to share this with my iDevice and tablet and the $housemate and ... " and click "Yes" ?

Re:No

[Harlequin80]

What do you mean by incubator? I have images of 100s of baby chickens running around....

I have NFS shares which share media between a freenas box and multiple kodi front ends. Also stored on that is all the digital photos and camcorders that we have taken over the past 10 years. I am less concerned about people being able to access them then having someone delete something. Yes I could change permissions and everything like that but given my wife uses a windows box that gets painful fast. So Samba has read & write privileges which means someone with a phone could be an arse. (And yes it's backed up but I still don't want the hassle)

I realise that it is probably overly paranoid but I just prefer to not give anyone access that I don't need to.

Re:No

[Balthisar]

By incubator I meant having 20 computer nerds living in my house while I foster their startup ideas. I would certainly give more thought to internal security controls in this or similar situations. On the other hand with physical access to the network hardware, there's probably not much I could do if they wanted to be malicious.

Re:No

[viperidaenz]

If you give Person A access to your wifi and they share it with Wi-Fi Sense, how is that any different than them emailing their friends your wifi password?

Re:No

[viperidaenz]

WiFi client already has your password. Nothing is stopping them sharing the password in plain-text via IM, Email or a post-it note.

Re:No

[Harlequin80]

Lol fair enough. If you have that situation you need to run Kerberos but setting that up just makes my head hurt trying to understand it.

Re:No

[Barlo_Mung_42]

I never really have guests so I just leave it off. Some may think that sounds sad but I'm happy and it's working okay for me.

Re: No

[firewrought]

How often do your friends immediately email the Wi-Fi password you just gave them to their entire contact list? The correct answer (unless you have really shitty friends) is never. Now all of your friends will do this by default, unless they are technically literate enough to disable the option. (And even if your friends are literate enough, your roommate/boyfriend/girlfriend/spouse's friends won't be.) It's very aggravating that Microsoft has chosen to so promiscuously share the secrets its users have entrusted to the OS. A Wi-Fi password that might have previously been shared with a handful of friends is now automatically spread to a network of hundreds, and exposed to possible interception by enterprise, underground, and state-sponsored hackers. One really has to question the legality of this feature, unless the wording is very clear and the user opts-in every time.

Re:No

[suutar]

if by "little doodad" you mean the "enable wifi sense" checkbox, you're making the assumption that he has access to it. In his stated scenario he does not; the checkbox is on a device that he does not own but does wish to allow access to wifi that he does own.

At present the only method he appears to have is to modify his ssid, which is (a) clunky and (b) similar to the "do not track" flag in that the observer has to choose to do the right thing, and that's not guaranteed.

Re:No

[SuricouRaven]

I have a device on mine - a WDTV box. Thing beneath the TV that plays media. When I connected it up, I discovered that it's search for network shares is quite aggressive: It actually portscanned the entire subnet range in search of NFS an SMB shares. All very well, except that I have some rather embarrassing media shared on NFS - as no-one else in the house uses linux, I hadn't seen reason to secure it in any way. An incident was narrowly avoided.

Re:No

[Demonoid-Penguin]

I meant to talk to you about that. Can you please stop downloading so much porn? It's getting in the way of me downloading torrents through your network.

- Your neighbor

Can Johhny Droptables come out to play?

Re:No

[Kirth]

I've set a different WPA2 passphrase for every MAC-address that's allowed to connect. So unless you start MAC spoofing, knowing the passphrase won't help.

Re:No

[vux984]

. So I run an open guest wifi which is on a different subnet and has its internet rate limited.

Even my guest network is password protected. Its for my guests not for everybody. If I wanted it for everybody, there wouldn't be a password on it, and people wouldn't need a windows feature to shared with their contacts.

Many of my neighbors also have guest networks... none of them are wide open.

This feature is probably the worst/dumbest thing I've seen in Windows 10 so far. Actually no... the inability to disable bing searching the web when you use the search in the start menu is the dumbest hting I've seen in windows 10... if that shit isn't fixed by release nobody should upgrade. NOBODY.

(And the sad thing is I actually over all like windows 10... but its just stuffed with bloat I don't want. At least most of it I can shut off... live tiles, cortana, using microsoft accounts, etc... but its becoming more and more work to set the settings up right.

I'm looking forward to a windows 10 de-crapifier powertool shortly after release... hell I'm tempted to write one.

Re:No

[Hognoxious]

Except that they'd have to, you know, actually physically manually do that. As opposed to it just happening automagically.

Re:No

[TheRaven64]

The access point that my cableco gave me can do this. Of course, the router crashes after about 10 minutes of use if you actually enable it...

Re:No

[Stuarticus]

MAC address filtering is common on wired networks, on wireless you generally trust the client to look after their credentials that way you don't have to worry about maintaining a potentially huge list of every user's devices. I don't know if this would share radius credentials, if it does someone should be looking at the sack in Microsoft.

Re:No

[I'm+New+Around+Here]

Again, shove that ignorant attitude up your ass. I'm talking about the devices that are 'router' and 'wireless access point' all in one unit. Like the one most home users have, and most small businesses have. Do you think I have a separate router, firewall, switch, and WAP all sitting next to my cable modem?

If you can't figure out references to basic standard hardware, turn off the 'box' that has 'blinking lights' on it before you contaminate us with more drivel. But of course, first pick up your coffee and make the 'cup holder' slide back into the 'box', so it doesn't get hurt.

Re:No

[pfleming]

It's like asking how to keep people you didn't invite out of your house. Really, you are unqualified to admin any network.

It's more like asking how do I keep people out of my house when they all have a copy of the key that I gave to one person.

Re:No

[pfleming]

But we want to control it at the router, by setting a password. Maybe it's indirect, but anytime someone gets close they get the password if some other person clicked (or left checked) the box sharing the password.

Re:No

[SuseLover]

Unless you're a Comcast Xfinity customer, which by default their WiFi routers have public wifi connection running. The end user can't even log in to disable it themselves, it takes a call to Comcast to have it disabled.

I had to call to disable it so it wouldn't interfere with my own wifi router(s) running DD-WRT.

Re:No

[Pyramid]

MAC spoofing is trivially easy.

Re:No

[viperidaenz]

You mean, as opposed to having to manually enable sharing on your particular network.

Re: No

[viperidaenz]

No they won't.
The service is enabled by default so you can automatically connect to other networks shared with you, but each network you want to share must be shared explicitly.

Re: No

[KGIII]

Except it is not the default behavior as has been shown, mentioned, linked, and linked again and again in this very thread. Why be dishonest?

Re:No

[Harlequin80]

I have physical security where I live in that I am too far away from the road for 99% of devices to see my network and my neighbours are further away than the road. So in my usage case an open network is easy and I'm extremely unlikely to have a random leach on my network.

I haven't played with Windows 10 yet but all the things you have listed are all things I would want to remove as well. If only Linux Mint was able to run all my games and photoshop.

Re:No

[Harlequin80]

The second you talk about tor routing you are stepping outside of off the shelf consumer grade routers. If you want that you will need to roll your own.

Re:No

[Harlequin80]

That is just too funny. Just be thankful you were the one plugging it into the network.

Re:No

[I'm+New+Around+Here]

Oh, excuse me then. I thought you were simply too stupid to understand common hardware. You claim you do have that basic level of intelligence. You simply lack all ability to actually convey your knowledge to others.

No fucking shit, Sherlock. But that has nothing to do with WiFi Sense. Ever hear of internet connection sharing and ad-hoc networking? That's how WiFi Sense works, stupid little shit.

I just read the explanation on http://www.windowsphone.com/en... , and it doesn't sound like internet connection sharing at all. It sounds like credentials are being sent to people so they can join a network without the consent or agreement of the network owner/administrator.

Back to the original post I replied to;

*facepalm*

If you're asking this question, you shouldn't be trying to admin a corporate network.

At the very least (assuming that AC is you), you either are too stupid to understand the meaning of the post you replied to, or, as stated above, you are too stupid to make a coherent argument.

From prior experience, anyone who uses *facepalm* as their argument usually falls into the second category.

Re:No

[tezbobobo]

I don't really care what MS does - I filter mac addresses.

Re:No

[Harlequin80]

That seems like a seriously annoying way to deal with guest devices. Perhaps it is because I get too many through the house with kids friends and kids of friends but a guest network just seemed easiest.

Beyond Stupid

[Mikkeles]

This is so moronic on so many levels.

Re:Beyond Stupid

[I'm+New+Around+Here]

I think you just gave yourself big tits and a dildo.

Not that there's anything wrong with that. ;^)

There goes my SSID :(

[MAXOMENOS]

FBI Surveillance Van #1_optout just looks dreadful.

Re:There goes my SSID :(

[Gizan]

HAHA mines named FBI Surveillance Van #4, it used to be "Adult Toys_R_Us" till the neighbors complained

Re:There goes my SSID :(

[PoopMonkey]

Why'd you cave? If they complained, you should've renamed it to Anal Fisting Funhouse.

Re:There goes my SSID :(

[AmiMoJo]

How did the neighbours know it was you? You didn't leave Adult Toys R Us bags in your trash did you?

Uh, no

[reboot246]

no fucking way. Somebody needs to be fired at Microsoft.

We all know how to handle this "feature", but most people won't have a clue.

This is right up there with their leaving file extensions hidden by default.

Re:Uh, no

[amicusNYCL]

This is right up there with their leaving file extensions hidden by default.

It kind of is, yeah, except it's actually nothing like that. You see, one of them is hiding file extensions, and the other one is giving out your password.

Re:Uh, no

[Pharmboy]

The problem is they are advertising a "free" upgrade to everyone with Win 7+ right now. Who doesn't want a FREE upgrade? Obvioously /. readers but most consumers think they are saving money with a free upgrade to an OS that is in fact pwning them.

Re:Uh, no

[gstoddart]

No, someone needs to be shot.

This is the most idiotic thing I've heard of in a long time.

Microsoft has said "fuck security", and once again have decided to "innovate" something which stupidly becomes a gaping security/privacy hole.

What shithead thought of this?

These passwords aren't Microsoft's to share, and decreeing that anybody who hasn't changed their SSID to opt out has consented.

Fuck that.

How bout we charge Microsoft with hacking and enabling unauthorized access to computer networks?

Fucking idiots.

Re:Uh, no

[gstoddart]

They're doing more than advertising it.

In Windows 8.1 they pushed out an update which put an icon in the task tray which said "upgrade to Windows 10, now or later?"

They're not pushing it as optional. They're installing stuff which is going to do it to you, and isn't giving you a way to decline. You end up needing to uninstall an update (KB 3035538).

I'm sure they'll do it again.

Microsoft seems to have decided they own the computers, and the networks they're attached to. Which is completely bullshit.

And, don't forget, once they have all those juicy passwords they can pass 'em off to law enforcement.

Microsoft have always been assholes, but this takes the cake.

Basically Windows Phone and Windows 10 are gaping security holes, and Outlook.com is now acting as malware.

Re: Uh, no

[I'm+New+Around+Here]

Dude, you fucked up an insult. How fucking brain damaged are you? You are the "After" example in the pamphlet about meth, aren't you?

Re:Uh, no

[Zontar+The+Mindless]

Oh, well, that makes it perfectly okay, then. *eyeroll*

Re:Uh, no

[JaredOfEuropa]

They did no such thing. The Windows 10 upgrade thingy makes it crystal clear, several times, that the upgrade is optional. You can decline by not "reserving your copy", and even if you accept, you still get the option to not download and install the upgrade when it's there.

With that said, I agree that sharing WiFi passwords with your contacts is a monumentally stupid idea.

Re:Uh, no

[JaredOfEuropa]

These passwords aren't Microsoft's to share

Exactly. They are no one's to share but the owner of the access point, and when you give your house wifi password to a guest, most of them do understand that it's not ok to give that password to others. That changes when sharing passwords becomes a built-in or even automatic feature; if there's a button to share, it'll give the impression that it is safe and acceptable to do so.

Re:Uh, no

[gstoddart]

Horseshit.

When the tray icon appears, there is no dismiss. There is no "piss off and go away".

There "upgrade now" and "reserve your copy". There is no description of WTF not reserving my copy does, there is no dismiss. There is "I am going to sit here reminding you to upgrade to Windows 10 until you do".

The average user is going to read that and think "Oh, I guess I have to do this". It took me 20 minutes to identify the source and figure out what I had to remove.

When that crap is presented to you, there is NO indication it is optional, that you can cancel it, that you can choose not to do it .. in effect it presents itself with two choices "now or later".

And it means Microsoft is acting like they own the machine, and it's up to them to decide when to make changes to it.

Bad Summary, Only new part is the sharing option

[slacklinejoe]

First, we're only talking Windows 10 PHONE Secondly, it's only available on networks you choose to allow this on. Third, yes, your wifi passwords are being backed up to make it easier when you migrate devices - Apple, Google and Microsoft all do this on your mobile devices. This isn't new! I can't imagine that this won't be opt in only by the time it RTMs (or whatever the equivalent is).

Re:who tha fu..

[Moheeheeko]

Probably the same guy who thought "no used games on xbox one" was a great idea.

No worries

[msobkow]

No worries here. I always disable the WiFi on my routers. I prefer hardwired connections that don't give the router fits trying to perform encryption with their underpowered chips.

Re:No worries

Because everyone has the ability to do hardwired connections throughout their homes, rented apartments, and don't have portable devices without Ethernet jacks built-in.

Seriously, get off that pedestal.

(Someone who has a wired home, but still uses WiFi all the time.)

Re:No worries

[msobkow]

Bozo, it's not a pedestal. It's a complaint about the pathetic CPU power on the typical home router and the fact that they choke traffic with even one device trying to use a reasonable amount of bandwidth.

WiFi is useless by design for anything but the most casual of surfing.

Re:No worries

[SinShiva]

AES acceleration has been integrated into the wireless chipsets for quite a while.

Re:No worries

[adolf]

AFAICT, the hardware encryption thing was solved eons ago.

Or at least, none of my routers suffer from high CPU utilization when doing Wifi things.

Re:No worries

[drinkypoo]

No worries here. I always disable the WiFi on my routers. I prefer hardwired connections that don't give the router fits trying to perform encryption with their underpowered chips.

If you're worried about that, you can firewall off all non-IPSEC traffic... and still enjoy WiFi

a matter of days

[daniel23]

That feature will have a half life time in the range of days.
MS is so focussed to make 10 a winner they will flip the default faster than we can get really upset about it.

Thats okay

[coolmoe2]

I will download the upgrade but im not going to install it until I see a patch that disables this idiotic feature. I really don't fancy having to redo my wireless network because I do not want to share my wpa key.

third solution the MS doesn't want to mention

[frovingslosh]

If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions;

Not a problem for me, they missed the obvious third solution. Never ever use Outlook, Don't use Skype and don't use Facebook. Problem solved without having to change my SSID. And, of course, there is a fourth solution but that involves using Linux.

Re:third solution the MS doesn't want to mention

[ewhac]

ERROR: INCOMPLETE SOLUTION

There is no provision in this "killer feature" that establishes whether the person doing the sharing is the network administrator, i.e. the person who grants authorization to use their network. So if you share your WAP credentials with a friend, and that friend uses Windows 10 with Wi-Fi Sense enabled, than that friend has just compromised your WAP.

Re:third solution the MS doesn't want to mention

[frovingslosh]

Well, duh. If you give away your SSID to a 3rd party, YOU have compromised your security, not MS. That's why my guest room has a cat5 ethernet connection. And for special cases I do have an access point that I normally keep off but could turn on if someone shows up with a wifi only device such as a tablet. But the obvious solution for most users is simply be aware of this issue and never give your SSID password to a Windows 10 user. I have no problem explaining why if someone has Windows 10 they will not get access to my system wirelessly, if you do then go ahead and compromise your system.

Re:third solution the MS doesn't want to mention

[Jake+Griffin]

The OP already said he is not on Facebook. Thus he doesn't have any friends. Problem solved.

Re:third solution the MS doesn't want to mention

[RichMan]

Then that friend has just compromised your WAP. But what about friends of friends? Now that friend has the Wifi Password, does it get passed onto their friends, and then their friends and ...

That's great news!

[Demonoid-Penguin]

I'm now revising my opinion of Outlook - especially in light of the recently passed Oz laws about pirating. In fact I'm about to order an external antennae for a laptop (trivial) hardware hack shortly.

There are times when M$'s drive to put stupid in the sysadmin seat make me very happy - this may be one of them.

No - I don't run Windows as my OS of choice. It's fine for some, in some situations (seriously). But rarely do I celebrate M$ stupid - and this "sounds" like both M$ stupid (I know - they really are catering to many of their "users" needs), and cause for celebration. I've always wondered whether Dallas Buyers Club was worth watching...

Thank you for your entry

in the contest for the most braindead security 'feature' for the year.

Sadly you have serious competition, especially in the US govt.

Re:Thank you for your entry

[MightyMartian]

This is from the company that thought having users run as root user using a browser that would automatically install unsigned executables and libraries from the Internet was just the bestest idea ever.

I have another way

[Trailer+Trash]

Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

Or, just don't use windows 10. I think I may have found the answer there.

Re:I have another way

[swillden]

Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

Or, just don't use windows 10. I think I may have found the answer there.

Also, don't give your SSID to anyone who does or might in the future use Windows 10, or have a Windows phone.

Re:I have another way

[swillden]

Also, don't give your SSID

I meant password, of course. Sorry, not fully awake.

Every SSD WIFI Password ?

[denisbergeron]

Including the one at my jobs ? University ? My City subscription ?

I can't change the name of the SSD where I paid for the service ???!!!!

Re:Every SSD WIFI Password ?

[MightyMartian]

Thank you for being a friend,
And sharing WiFi passwords there and back again.
You're giving me the WiFi key of your favorite restaurant.

And if they came to your dorm,
Invited everyone you knew,
You would see the ugly guy at the back downloading kiddie porn,
And the FBI would raid you singing "Thank you for filling our jail!"

Re:Bad Summary, Only new part is the sharing optio

[ArmoredDragon]

And if you give your wifi credentials to a guest who needs access to your network, they can opt you in without your permission or even your knowledge.

The only way then to prevent unknown people from having your wifi password is to forbid Windows 10 mobile users from accessing your network.

The password must be stored centrally by Microsoft

i suspect that this is just another attempt by the TLAs to get corporations to do their bidding.... this time by compiling wireless network passwords in a central database that they, no doubt, will have full and unfettered access to

Re:Bad Summary, Only new part is the sharing optio

[sexconker]

And if you give your wifi credentials to a guest who needs access to your network, they can opt you in without your permission or even your knowledge.

They could also shout it from a mountaintop. There's no _optout option for that.

Not Exactly....

[nate_in_ME]

I've been running pretty much every build of Win10 since the preview first came out, and this isn't accurate at all....Yes, the Wi-Fi sense option is there, but when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared. The Wi-Fi Sense "master switch" may be on by default, but you have to specifically allow each individual network to be shared.

Re:Not Exactly....

[MightyMartian]

That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

Re:Not Exactly....

[nate_in_ME]

Fair enough....I haven't tested the "other side" of this (using a shared key to access a network) because I don't use FB, Skype, or Outlook, but I would hope that the option I mentioned earlier (that "share this network with my contacts" switch) isn't an option for networks that you got the key for through Wifi Share. Maybe someone who's actually used the new feature can weigh in on that part of it

Re:Not Exactly....

[ewhac]

...when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared.

If true, this would be a departure from the Windows Phone 8.1 OEM requirements, which requires OEMs to fully enable this, "killer feature:" https://msdn.microsoft.com/en-...

Re:Not Exactly....

[fisted]

Android

does the same, you pimply-faced fanboy.

Settings -> "Backup and Reset" -> "Back up my data" (Back up app data, Wi-Fi Passwords, and other settings to Google servers)

Yes, of course it's enabled by default, why do you ask?

Re:Not Exactly....

[davidleelambert]

And that MSDN page says exactly that the "master switch" must be turned on except in certain countries where it must be turned off. It doesn't say that the "share with my contacts" checkbox has to be checked by default. I have a coworker who owned a Windows phone (recently switched to Android), he notes "For XfiniityWifi, it would not work as it would require more credentials (i.e. Comcast Account Information)."

Re:Not Exactly....

[benjymouse]

That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

So wrong.

If you *tell* someone your WiFi password *then* there's nothing stopping them from sharing it with whomever they want. So do not do that. Not if he brings OS X or Linux or Windows.

If you want to allow some friend onto your network but not allow him to share your network with others, then *you* tap in the password at his computer when it connects. On OS X or Linux or Windows. That what you would do today, and that's what you would do when your friends brings a Windows 10. On Windows 10 simply DO NOT CHECK the "share" checkbox. It is off by default. Your network will not be shared.

Nothing has changed. Neither your network nor your password will be shared with anyone. Your friend cannot go into settings and share the network after the fact - it has to be done when connecting.

But if *you* connect to some network which you would like to share with your friends, you can check the "share" checkbox. When you do that, your password will be stored encrypted in Microsofts servers. When one of your friends (if you share with - say - Facebook friends) is in range of that network, his Windows 10 computer can engage the network. The network will issue a challenge with must be hashed using the password as salt, and the hash returned. Modern password auth works like that to avoid sending passwords in cleartext. This means that the *actual* password hash is a one-time hash computed from the challenge.

The computation of the hash is performed on Microsofts servers, and your actual password is NEVER available on your friends computer - not even in encrypted form - only the challenge response hash. Your friends computer must obtain the response to the challenge from Microsofts servers - and when doing so it must prove that it belongs to a friend of yours.

Furthermore, Windows 10 which connects to a network in this way will *not* allow access to other devices on the network except for the internet gateway. I.e. it can only be used for Internet access - nor for local file or media sharing.

Re:Not Exactly....

[MightyMartian]

I get how it works. I disagree completely that any access to a third party WiFi network should be up to any permissions model put out by Microsoft, or that I should have to basically implement the kludge so that the network is excluded.

It's a shitty idea, pure and simple.

Re:Not Exactly....

[fisted]

Let's see, slashdot-2 million-user-#-whatever named fisted initiates an acne debate. [some more gibbering giving away that you had serious acne problems in your youth]

Way to start with an ad-hominem.

You defend windows

No, I didn't. Please learn basic logic and practice reading comprehension.

[completely ridiculous and incoherent gibberish]

Yes, your age is showing indeed.

I run Mac, Windows, Linux, BSD.

Congratulations. I run just BSD, and Linux only when I get paid for it. I wonder what point you're trying to make here. If it was your goal to make yourself look like a complete idiot, I'd say you've reached it.

Have a nice evening, dear red-faced mouth-breathing AC

Re:Not Exactly....

[fisted]

does the same, you pimply-faced fanboy.

[tl;dr]
Way to start with an ad-hominem.
[tl;dr]

That, my dear confused friend, was an insult, not an ad-hominem. Please inform yourself about the words you're using lest you risk looking like a compl -- oh wait, you already did that. Nevermind.

Re:Not Exactly....

[fisted]

Yawn.

Re:Amazingly stupid but funny for now.

[sexconker]

There's not a chance in hell that "myhouse_optout_nomap" would work.
You can either do "myhouse_optout" OR "myhouse_nomap". And they'll still ignore your preference.

What is the actual point of this?

[fahrbot-bot]

...which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends.

How many of those people will ever be in close enough physical proximity to your access point to actually need your WiFi password? Seriously? Unless I'm missing something, this has to win "Stupidest Idea of the Year".

Re:What is the actual point of this?

[Zontar+The+Mindless]

"The good news is, the school bully can steal your lunch money only once today."

Re:who tha fu..

[Known+Nutter]

Now you can squirt your wi-fi passwords...

So "_optout" of what?

[fahrbot-bot]

If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

Does adding this also prevent Microsoft from storing said WiFi password on their servers, or just instruct them to not share it out?

I have a better solution.

[Lumpy]

Dont use the craptastic poorly designed outlook for email.

Just hope....

[idji]

..that no-one in your contact lists is a secret pedophile or selling stuff on silknet....

Re:Just hope....

[fisted]

Hahahahahahah.

90 Days Late

[Anna+Merikin]

Is there now a Fools' Day every three months?

I refuse to believe this.

OK, I'll add the _optout on my SSIDs

[Bryan+Bytehead]

although since I run open APs, I don't think that it's going to matter.

Re:Bad Summary, Only new part is the sharing optio

[ewhac]

First, we're only talking Windows 10 PHONE

ERROR: INCORRECT

First: This is in Windows 10 desktop, as detailed here, complete with screenshots: http://www.howtogeek.com/21970...

Second: Even if this were only confined to Windows Phone 10, it would still be monumentally stupid.

Re: But if you don't use Facebook...

I Facebook, therefore I am

Re:Alarmist headline is alarmist

[MightyMartian]

So, instead of posting multiple times hire they article misrepresents the feature, quit being a shill and explain how exactly it works.

Re:who tha fu..

[fuzzyfuzzyfungus]

The 'feature' occurred on Windows Phone first, not sure exactly what version. I assume that it made a great pitch to prospective carriers, since they all love offloading customers onto anything that isn't their data network as often as possible, and typing passwords into your phone is a pain, so automating it likely increases network offload considerably.

Re:sigh...

[ewhac]

stop_stealing_my_shit_kents_optout_nomap

ERROR: SSID TOO LONG

You did know SSIDs were limited to 32 characters, didn't you?

This will stick it up to the Movie Companies

[rebootaus]

This will stick it up to the Movie Companies. Now how are they going to do you for downloading there movies. Everyone (with 6 Deg of separation) will have your key and can use your link. Imagine them trying to blame you with this on by default. Thanks Microsoft. I never thought i would ever say that. Anyone could be using your wifi to download and you will never know.

Re:Bad Summary, Only new part is the sharing optio

[BitZtream]

Apple backs up my passwords with an encryption key which is also protected by a separate password.

Apple CAN NOT read my passwords, so they can not share them.

Not sure about Google, but I hope it does the same.

Microsoft is uploading passwords clear text or in some other equally dangerous form thats decryptable so they can be shared.

Re:Bad Summary, Only new part is the sharing optio

So then don't enable it. You have explicitly grant access, it's not enabled by default.

It's like you're whining that there is piss in your beer when you're the one who pissed in it.

Re:Bad Summary, Only new part is the sharing optio

[flink]

Secondly, it's only available on networks you choose to allow this on.

I don't have any choice. If I give my friend my WiFi password, and he happens to be running a Windows 10 phone, suddenly my WiFi password is shared with all of his contacts. So now every time someone is over my house and asks for the WiFi I'll have to ask them if they currently own, or ever intend to own a windows phone. And then, assuming they understand the question, I have to sound like a paranoid asshole and say "no" if they answer in the affirmative. My other option is to rename mySSID to end in _optout and update all of my devices because Microsoft chose to implement a ludicrous, criminally insecure, "feature"?

Third, yes, your wifi passwords are being backed up to make it easier when you migrate devices - Apple, Google and Microsoft all do this on your mobile devices. This isn't new!

Apple's encryption is end-to-end. They do not hold the encryption keys and thus can't share your passwords with anyone: Even if some brain dead middle manager had the idea to clone this feature, it would be impossible for them to implement without totally changing their security model.

Microsoft is widely misunderstood.

What I would like to see explained in more detail

Explanation: Microsoft is widely misunderstood. People think that Microsoft is a software company that does evil. That's not true. Microsoft's main purpose is delivering evil. The software is just a means of doing that. (My opinion, shared with others.)

Re:Microsoft is widely misunderstood.

What I would like to see explained in more detail

Explanation: Microsoft is widely misunderstood. People think that Microsoft is a software company that does evil. That's not true. Microsoft's main purpose is delivering evil. The software is just a means of doing that. (My opinion, shared with others.)

So you mean evil as a service, rather than evil as a platform?

Re:Microsoft is widely misunderstood.

[Darinbob]

Evil as a user experience.

Re:Microsoft is widely misunderstood.

[MightyMartian]

iEvil? Or perhaps in this case XEvil One, the perfect gift for someone stll using XEvil 360.

Re:Microsoft is widely misunderstood.

[chipschap]

Evil as a touch-screen app, of course.

Re:Microsoft is widely misunderstood.

[willworkforbeer]

I'm waiting for the release of the Evil SaaS model

Re:Microsoft is widely misunderstood.

[camperdave]

Evil as a touch-screen app, of course.

I thought Windows 10 was getting rid of Metro.

Re: Microsoft is widely misunderstood.

[drunk_punk]

You mean to say I can switch Evil providers?! I doubt Verizon would be game.

Re:Microsoft is widely misunderstood.

[chilenexus]

IE 11 really stands for Internet Evil ^11

Re:Microsoft is widely misunderstood.

[ahodgson]

Well, they have PaaS covered with Azure.

Re:Microsoft is widely misunderstood.

[KGIII]

EITC - Evil In The Cloud. We used to call it "the network" or "the mainframe." We accessed it with dumb terminals. Today we are doing the same thing only claiming it is new. So instead of a BOFH we have EITC. It is new and you will like it. Also, get off my lawn. (Not really, you can chill on my lawn. It would be cooler if you came inside though. My lawn has not been as much fun since I gave someone my set of lawn jarts.)

Holy fuck ...

[gstoddart]

So Microsoft has taken it upon themselves to share the network credentials with anybody it sees fit?

Fuck you, Microsoft. How about you help us make networks more secure and not less?

Not only will I stick with my Windows 8.1 install, but no Windows 10 device will ever get my network credentials.

This has to be one of the stupidest things I've heard of. And, of course, since Microsoft will centrally store your passwords, law enforcement can subpoena them.

Microsoft are too fucking incompetent at security to be trusted with this. And then to have the nerve to suggest we have to change our network names to opt out of their shit?

Fuck you, Microsoft. Fuck you very much.

Re:Bad Summary, Only new part is the sharing optio

[ArmoredDragon]

And if they're doing it in public, you'll probably be aware enough to change your password.

Not only that, but I don't want my passwords being stored on Microsoft's servers.

Oh wait a minute, you're that moron who thinks layer 3 switches are merely "bad routers." Go back to whatever high school you dropped out of, and for the good of the world NEVER go into IT or anything else besides janitorial work.

Re:Google gets a free pass?

[mark-t]

There's kind of a difference between storing passwords in clear text on a device that you still need to have physical access to in order to learn what those passwords are and actually broadcasting such passwords to absolutely everyone who happens to have a particular social network connection to you

Re:Bad Summary, Only new part is the sharing optio

[sexconker]

Mad cuz bad? Yeah, mad cuz bad.
Fuck off retard.

Re:DMCA violation?

[viperidaenz]

It would be your friends fault, for selecting your network to be shared.
WiFi Sense may be enabled by default, but you need to specifically share each network.

Third Option:

[steevo.com]

OPTOUT of Windows 10.

Re:Third Option:

[slacklinejoe]

Or just ask them to change the defaults on a checkbox: http://windows.microsoft.com/e...

Re:Third Option:

[slashways]

Taking into account the new absurd secureboot policy - Opt out Microsoft is the right way.

Where is the password ?

[RichMan]

Either Microsoft will have a database of all users and all Wifi passwords.
Or some automatic process will slurp it from your machine when needed.

I can't quite figure out which is worse.

Re:Bad Summary, Only new part is the sharing optio

[abhi_beckert]

Which explains why I don't have to re-enter passwords after restoring from backup. You moron.

You do have to re-enter your passwords after restoring from a backup with Apple devices.

I just had to go through it earlier this week.

Lawsuit

[grahamtriggs]

If Microsoft are stupid enough to ship this "feature" - and have it turned on by default - what are the chances that they will be hit with a massive lawsuit?

No doubt there will at least be group policies - if not it disabled entirely - on professional editions of Windows, because corporate customers are going to run a mile from having external guests authenticating on to protected networks with confidential material, just because they happen to be a contact of the person they are visiting.

Easier steps

[slashmydots]

1. set up an offline account by not connecting to a network while setting up Windows
That's actually the only step. It avoids all that Outlook.com bullshit.

Re:Bad Summary, Only new part is the sharing optio

[ArmoredDragon]

if you are giving guests your wifi password then you have already opted in to whatever that guest decides to do with it, they could publish it on facebook, email all their other friends. once you hand out access you have already lost control regardless of the device they are using.

Yes because having it stored in reversible crypto on Microsoft's publi facing servers is so much better.

It just means that the only safe and sane thing to do is to forbid Windows 10 devices from joining your network.

Re:Bad Summary, Only new part is the sharing optio

[Namarrgon]

The problem is, if I let any of my friends near my beer, they could easily end up inviting all their Facebook friends to whizz in my ale. And the only way to scare them off is to write "_OPTOUT" in large letters on my favourite beer mug.

Re:Holy fuck ...

[freeze128]

Look at it this way: At least when Windows 10 is finally released, they won't be able to say "It's the most secure windows ever".

Re:Problem Solved

[freeze128]

I'm sure it's just another service that you can simply disable. You don't have to sacrifice your Halo 15 or whatever. Just go into services and turn it off.

Re:DMCA violation?

[suutar]

for now. I can see this being quickly targeted as something to hack, so that "share this network" defaults to true, or even so that "share this network" and even "activate wifi sense" is treated as true regardless of actual user setting.

Re:Bad Summary, Only new part is the sharing optio

[WaffleMonster]

First, we're only talking Windows 10 PHONE Secondly, it's only available on networks you choose to allow this on.

Quoting TFA:

", and access to password-protected networks are shared with contacts unless the user remembers to uncheck a box when they first connect."

Is this saying that choosing to allow requires users to take a non-default action to uncheck a box or is there something missing or being intentionally distorted?

If you have to uncheck a box to prevent sharing as TFA implies then that's crap.

Third, yes, your wifi passwords are being backed up to make it easier when you migrate devices - Apple, Google and Microsoft all do this on your mobile devices. This isn't new!

So? What does it matter who else is doing it or how long it has been done?

Assumption is I trust all my contacts equally

[n0ano]

Do I understand this `feature` correctly? If I enable it then all of my contacts now have access to my wifi credentials. I can imagine that I might want this feature for my wife and kids but there is no way in hell I would want to do this for every contact in my list. My wife I trust but the friend of a friend that I just added to my contact list - not so much (although thinking about it maybe that should be reversed).

If that is truly the way this thing works then this is one of the more brain dead ideas some clueless program manager came up with (ranks right up there with the idiot that decided that email messages should be HTML formatted and should contain active content).

Re:Assumption is I trust all my contacts equally

[Chelloveck]

No, you misunderstand. You're right that it goes to all contacts indiscriminately. You don't get to pick and choose who. But it's so much better than that. You don't enable it. You don't even have to have any equipment that runs Windows 10. Say you have a guest that you give access to. If they have a Windows 10 machine with this "feature" enabled, the password is shared to all of their contacts. Brilliant!

Re:Google gets a free pass?

[mark-t]

FTA:

it shares Wi-Fi passwords with the user's contacts.... Those contacts include their Outlook.com (nee Hotmail) contacts, Skype contacts and, with an opt-in, their Facebook friends

So it seems that it *DOES* send out your wifi password... and I see this as less of a problem for myself, since I am neither a windows user nor do I have a large online social network, than it is for me to let specific people use my wifi while they are visiting my place, since if they have not set their own security settings appropriately, something which I cannot administrate, my wifi password would end up getting propagated to everyone on *THEIR* contacts lists. While they may only be able to use it if they are nearby, that is entirely beside the point.... these would still be people that I did *NOT* authorize to use my network.

Re:Holy fuck ...

[houghi]

Have you been in a coma for 15 years? Let me give ypu a short history lesson:
Some idiots flew into the twin towers on purpose. Afganistan was invaded to kill the terrorrists.
Irak was invaded to kill the same terrorists, but it was really about weapons of mass distruction, but actually about oil.
We have always been at war with Terrorism.
For our own safety; subpoenas do not excist anymore.
War is peace, freedom is slavery, ignorance is strength.

Just waiting for hackers to exploit and even ....

[MxMatrix]

I think this might even facilitate wardriving on a huge scale. And M$ to blame for it. Storing a password via outlook on a M$ server? Even hashed it's just a matter of time and GCPU power before its cracked. Using cheap 2n hand Titan cards and some nifty written piece of cuda software ...

Or is this the new NSA backdoor?

Re:Bad Summary, Only new part is the sharing optio

[Namarrgon]

And making sure nobody who has access to your wifi ever enables it either. Best of luck!

Re:Apparently nobody can read

[grahamm]

This service only shares OPEN WIFI -- i.e. routers that had no passwords on them to begin with.

So what is it sharing? If the connection is open, then there are no credentials for it to share? In the case of open WiFi, the only thing I can think of that it could share is the list of Open SSIDs to which the user has connected?

Options

[verd02]

So available options include:

* Per the Wifi-sence FAQs, 802.1x networks will not be included. So we can enable WPA2-Enterprise security, for which a Radius auth server is required. Evidently easy enough to do with dd-wrt or the like but much more work to allow guests in.
* MAC address filtering? Won't prevent the password hash from being stored on servers and passed around to contacts, but will prevent non-registered devices from authenticating. More work than previous option.
* Use the _optout thing. Not a lot of work but sort of offensive.
* Not give out password to any guests, because even if they're using their Android phone one day, they might pass on the password to their Windows-phone-using buddy.

I guess option #1 it is. At least it lends some nerd cred? This is annoying.

Re:Options

[Bert64]

MAC filtering will stop random users from connecting automatically, but won't stop someone who is intentionally trying to gain access... Changing your MAC is trivial.

Agreed that _optout is offensive, why should i have to change the name of *my* network to cope with this crap, and where would it end? I shouldn't have to explicitly opt out of things i never have any intention of using and might not even be aware of.

The only real solution is a dedicated (isolated) guest network, with regularly changing keys... I don't have guests visiting all the time so i could easily generate a new key each time...

Re:Bad Summary, Only new part is the sharing optio

[rseuhs]

The point is that with Windows 10 this will happen automatically without them knowing it.

So when I invite a Win10 user and give him/her the password, that password may be shared to anybody that Win10 user is connected to - without that Win10 user knowing or realizing it.

And of course a lot of people use the same password for their WIFI as for other stuff, so Win10 seems to be a quite nice password sniffer.

That is the problem. People screaming passwords from mountaintops isn't.

Re:Bad Summary, Only new part is the sharing optio

[rseuhs]

So when I invite Win10-users I have to debug and reconfigure their devices on the doorstep? Are you serious?

Re:Google gets a free pass?

[Bert64]

Any device that connects to wifi has to store the passwords either in the clear or in a retrievable form...

If you compromise the device, you can extract the keys (and a lot of other stuff too). Other devices just obfuscate the keys, but they are still retrievable (e.g. try wirelesskeyview or gsecdump for windows).

That's why virtually all platforms offer device encryption these days to lessen the chances of the device being compromised at all.

Contacts

[DanJ_UK]

Make sure you don't have any contacts in your Outlook address book.

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

You're friends (acquaintances) with someone who uses Windows PHONE?

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

The sync my Password to Microsoft has been part of Windows 8 and newer from day one. It's just this poorly implemented guest access that's stupid.

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

Eh? I didn't. I demo mobile device management and nuke my demo iPad daily. I've never had to re-enter my corp wifi. Way back both Google and Apple had breaches about some users' wifi passwords being lost, but I think it was only a tiny subset of users. Maybe they have changed practices.

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

Why thanks! It's always nice to be recognized... No, just a MS consultant that works in the systems management space. I'm paid to clean up MS's mess, so I'm usually pretty busy :)

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

Thanks for the correction! Seems the product teams weren't talking internally, I got bad intel from Redmond. It's still opt-in though, so I don't see the controversy. The save to server isn't new, only applies to MS accounts - not local only, and I had to be stupid enough to click a checkbox to share it before this works.

Re:The password must be stored centrally by Micros

[slacklinejoe]

Not saying it's not used for that, but the users I support complain constantly about having to re-enter wifi credentials. When I spot to MS over Win 8, the idea was to make it easier to support wiping devices and device migration. MS was in the middle of moving to the whole user model where my data is the same on phone, laptop, desktop regardless of where I go - isn't entirely there yet, but that's the framework they want to have in place. Still, it only applies if you bothered to link your account to a MS account.

Re:Bad Summary, Only new part is the sharing optio

[slacklinejoe]

Looks like I was wrong about this being PHONE only, that said, I think changing the checkbox to default unchecked would be sufficent. How about letting MS know your thoughts: http://windows.microsoft.com/e...

Re:Bad Summary, Only new part is the sharing optio

[Superdarion]

I wonder, though, if you give your pass to a guest who is using win10 (unbeknownst to you) and your router is set to not allow win10 devices (is this possible? I'm not techie enough), would their win10 machine still save the pass and share it?

If so, you would need to do the banning personally. If your guest asks for your pass, you will need to personally check that they're not going to use it with a win10 device before you hand it over.

lolwut?!?

[Dekonega]

This Microsoft Wi-Fi Sense thing is a joke, right?

Re:Okay....

[slacklinejoe]

Let 'em know: http://windows.microsoft.com/e...

Re:Problem Solved

[Bert64]

Until games start requiring it...

Re:Apparently nobody can read

[oh_my_080980980]

Because you didn't read the article. Try again Zippy.

give phone numbers to idiots spreading passwords?

[bingoUV]

WHAT ??? Sign up with "insider", which must know your phone number? So share my phone number with the idiots who thought sharing passwords is a great idea?

You must be a moron.

Overly complicated, utterly insecure.

[Charcharodon]

Or you just look at the post it note on my wall by the door with the guest logon Wi-Fi password. You can connect to the internet, but you still have no access to my network..

So sick of this crap

[gregroush]

This is an old sentiment, but I am SO sick of software companies having the arrogance to think that because I've installed their software I want them to mess with my environment.  They try to change my default browser, add tool bars or other software, change my settings, and now, I guess, share my wi-fi.  HOW ABOUT YOU JUST DO THE THING I AM INSTALLING YOU TO DO?!  Not more, not less.

Any changes to my environment beyond "your software is now on my computer" should require clear and explicit OPT-IN from me.  It should not be hidden in a EULA, nor sneaked through as an opt-out in a dialog box.  All that garbage does is tell me I should not trust you as a software company, and I should immediately research alternatives.

It's OK to ask if I want to do it, if you explain in plain English what exactly you want permission to do, how it may benefit me, and what the potential risks are.  I can see how some of these things may be beneficial, but it should be my (informed) decision.

both solutions are unacceptable

[NonSenseAgency]

This is one of the most lame-brained ideas I have ever heard. Even the two solutions offered by Microsoft are unacceptable. It needs to either default to "OFF" or be removed from Windows. This is an epic privacy and security failure in the making. I cannot believe a sane engineer came up with this it had to be a marketing drone with zero clues.

Holy shit

[steveo777]

Microsoft also adds that Wi-Fi Sense will only provide internet access, and block connections to other things on the wireless LAN

So I'm reasonably certain all this will do is block access to your subnet and only allow traffic to your gateway. Which in any corporate environment is a massive security risk because if they're doing it right, employees are sitting on different subnets (RFC1918 or otherwise). So, yes, random guy who happens to be a contact in Outlook.com (which literally BEGS to let you make every you ever emailed a contact) now has access to every normally permissible network node as long as he's not interested in the wifi subnet.

Yes, most corporations should be using per-employ authentication, and hopefully Sense engineers are dumb enough to share out AD/LDAP credentials (well, maybe they're not smart or interested enough to go into *nix authentication). But that's not always the case.

Can't wait until this is called "Wifigate"

Sounds a lot like theft

[JDWilsonJr]

Hmmm ... Microsoft does not own my wireless access point, nor my router, nor pay my ISP bill. Sounds like this will eventually be resolved with criminal charges for theft and/or tresspass. I wonder whether it will be a class action suite or some lucky plaintiff is able to set it in motion and keep all the money.

Hidden SSIDs and MAC addressing?

[Lawrence_Bird]

Clearly MAC address blocking can prevent most unwanted access but is a pain to setup every time you have a guest. Wonder how this "feature" handles hidden SSIDs? normally you need to check an extra box to connect to a hidden network. That wouldn't prevent those determined to get acces but might stop the random casual use by neighbors.

So that's how you want to play?

[The+Eight-Bit+Link]

Set up your router so any unauthorized MACs are monitored via MITM. Strip away SSL, kill any SSH pipe or VPNs, log all traffic. Be sure to put up a warning in the middle saying what is happening and why. Something along the lines of "One of you rbuddies gave you my password. Therefore, I am going to record and save all data transmitted across this connection. If you do not consent to this, please opt-out by disconnecting." To be honest, someone's going to find a clever way to prevent this.

Re:Bad Summary, Only new part is the sharing optio

[sexconker]

LOOOOOOOOOOOOL
You're SO MAD!

Re:Bad Summary, Only new part is the sharing optio

[Namarrgon]

Because if your friends can connect to your network, and they have WiFi Sense enabled, then access to your network is shared with all of their Facebook friends.

So you have no control over who now get access to your network. Is that clear enough yet?

This is total bullshit.

[Kickasso]

If I can successfully connect to a hotspot, this doesn't mean I own that hotspot or have any right to grant access to it to third parties. Someone's being an idiot, and this time, for a change, I suspect it's not Microsoft.

Re:Bad Summary, Only new part is the sharing optio

[ArmoredDragon]

I wonder, though, if you give your pass to a guest who is using win10 (unbeknownst to you) and your router is set to not allow win10 devices (is this possible? I'm not techie enough), would their win10 machine still save the pass and share it?

I don't know of any AP's that support this feature, but I'm sure you could have the router issue deauth packets to any MAC address that you've identified as belonging to a windows 10 device, that way it isn't able to communicate with any other devices on the node (e.g. for hacking purposes.) I suspect such an AP would exist, because I know that Marriot was using the same attack to prevent people from using their own private APs near their hotel.

As for how you might identify a windows 10 device to begin with, I wouldn't be at all surprised if any of its 802.11 frames included any bits that could be uniquely linked to that OS version. One way I could think of would be to look for MAC OUIs that are used on Lumia devices. It seems this feature is only for Windows 10 mobile devices, so that alone would keep out at least 90% of them.

Friends of friends do *not* get automatic access

[partofthepuzzle]

From the MS Windows Phone Wi-Fi Sense FAQ:

"You share with your contacts, but not their contacts. The networks you share aren't shared with your contacts' contacts. If your contacts want to share one of your networks with their contacts, they'd need to know your actual password and type it in to share the network."