Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 10 Shares Your Wi-Fi Password With Contacts

Posted by samzenpus on from the do-not-share dept.

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the wifi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

72 of 487 comments (clear)

  1. if that's true, by unami · · Score: 5, Insightful

    no guests with windows laptops on my wifi - i'm not going to change my ssid, microsoft style. ugh. i guess this issue will resolve itself after a short shitstorm.

    1. Re:if that's true, by dinfinity · · Score: 4, Insightful

      It seems that there is room for convenient router functionality that asks you this: 'A device with MAC address x requests access to your network: GuestLAN. Allow?'

      Handing out passwords to untrusted parties instead of tokens is archaic anyway.

    2. Re:if that's true, by sd4f · · Score: 3, Insightful

      Yea i don't get this idea, it absolutely crazy. While I'm sure security experts are going to say why this is a bad idea from the start, at least make it an easy opt out, not some crazy way to not do it.

    3. Re:if that's true, by Anonymous Coward · · Score: 3, Insightful

      Opt-in would be better.

    4. Re:if that's true, by Anonymous Coward · · Score: 5, Informative

      The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

    5. Re:if that's true, by fuzzyfuzzyfungus · · Score: 4, Interesting

      What I would like to see explained in more detail is the claim that 'wifi sense doesn't reveal your plaintext password' during the sharing process.

      My understanding was that(except WPA2 with RADIUS and a suitably chosen EAP) there isn't any provision for authenticating to a password protected AP without knowing the password. The AP itself might be able to destroy the password after it has been set, saving only a hash, as is good practice to keep more important sets of usernames and passwords from being compromised; but the client requesting authentication needs the password. The non 'enterprise' cases were designed to be easy to use, not particularly clever; and MS has limited room to get creative without causing nasty breakage on large numbers of variously dysfunctional legacy APs.

      With a proper full WPA2 setup, or with one of the 'no authentication at the AP; but captive portal and/or VPN is the only way to access anything interesting' arrangements, you have more options; but how can you 'share' authentication to a WPA-PSK or WEP network without also sharing the key? Did they actually come up with something really clever, or does the UI just not show you the password, thus 'hiding' it?

    6. Re: if that's true, by TerryMathews · · Score: 4, Insightful

      Most people can't be bothered to look at what their computer is doing before clicking an UAC window, you really expect them to properly opt-out of SSID passkey sharing properly?

      --
      -- Terry
    7. Re:if that's true, by hawguy · · Score: 5, Insightful

      The Slashdot summary is pure FUD. In the article itself you can see an image of the settings, with a large checkbox to enable/disable sharing with Outlook, Skype and Facebook independently and it also has a large slider above those where you can disable it entirely.

      Did you read the box?

      Save on mobile data usage with Wifi Sense. Join in and get connected to WiFi. By using WiFi Sense, you agree that it can use your location.

      Who doesn't want to save on mobile data usage!? How many people will opt-out? Where does it say that by opting in that they are sharing their Wifi passphrase with everyone they share to? It may be obvious to you, but not to 99% of the people that will run Windows 10.

    8. Re:if that's true, by MightyMartian · · Score: 4, Informative

      I don't care about whether you can prevent sharing with your friends on FB it whatever, what I care about is me not having to alter my network settings so that if I give you access to my WiFi network, you sharing MY network information with the pwoe you're "friends" with.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    9. Re:if that's true, by Anonymous Coward · · Score: 5, Informative

      Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

    10. Re:if that's true, by hawguy · · Score: 2

      Maybe it will change some more, but I just set up WiFi on a Windows 10 build today and it had an UNCHECKED check box for sharing the password. I would have had to check the box to allow it to share. How many people go around checking boxes?

      Probably the same number of people that want to save on mobile data usage with Wifi Sense?

    11. Re:if that's true, by maorb · · Score: 4, Insightful

      The problem is you can't enforce that you're friend didn't enable WiFi Sense without looking over his shoulder. He might end up accidentally distributing YOUR passphrase when he shouldn't be.

      The only way to be sure that this doesn't happen is to add an ugly _optout line at the end of your SSID. Frankly Mr. Joe Person down the street shouldn't have to know about Microsoft's new feature to be confident that his passphrase isn't being passed around without his permission.

    12. Re:if that's true, by bondsbw · · Score: 4, Informative

      The way I read it, they probably don't.

      The FAQ seems to imply that it is only applicable to open routers:

      What does Wi-Fi Sense do?

      Wi-Fi Sense connects you to Wi-Fi networks around you to help you save cellular data. It can do these things for you to get you Internet access:

      Automatically connect you to open Wi-Fi networks it knows about by crowdsourcing networks that other Windows Phone users have connected to. These are typically open Wi-Fi hotspots you see when you're out and about.

      Still very questionable, but perhaps not nearly as pervasive. I'd think it would mostly apply to hotels, restaurants, and other places of business.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    13. Re:if that's true, by bondsbw · · Score: 3, Interesting

      And I didn't mean to downplay how big of a problem this may be for the many people who have a password-protected open network for guest access.

      I'm just keeping in mind, though, that guest networks are typically isolated from the main network and the guest network would only be shared with friends-of-friends*... probably not an actual issue for the vast majority of people, so much as a theoretical one.

      * Actually, come to think of it, would the password also go to friends-of-friends-of-friends? Friends-of-friends-of-friends-of-friends? How deep can this go? The whole six-degrees-of-separation thing comes to mind... could this end up pushing almost everyone's network passwords to the entire connected internet? Yeah, I'd like more info, and the sooner the better.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    14. Re:if that's true, by Zontar+The+Mindless · · Score: 3, Insightful

      I don't live in a basement. But I am concerned about being held liable for what others do with my connection.

      --
      Il n'y a pas de Planet B.
    15. Re:if that's true, by Rutulian · · Score: 4, Informative

      I was curious about this too. But the AC below gave a nice hint, so I went looking for a better explanation. Here is the blurb from the Wiki,

      Also referred to as WPA-PSK (Pre-shared key) mode, this is designed for home and small office networks and doesn't require an authentication server.[9] Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[11] WPA-Personal mode is available with both WPA and WPA2.

      So it seems the PSK can be passed around without revealing the passphrase. But if I also remember correctly, the PSK is supposed to rotate (or maybe that's WPA2).

    16. Re:if that's true, by whoever57 · · Score: 3, Interesting
      I think that you are mis-reading the FAQ, I found this in it

      When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they'll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they're in range of the networks (if they use Wi-Fi Sense).

      What is even more interesting is that it apparently automatically accepts any terms of use and provides passwords to web-based WiFi access logins, which could create some interesting legal situations (did you really accept the terms, and are you logging in with someone else's username/password)?

      --
      The real "Libtards" are the Libertarians!
    17. Re:if that's true, by Namarrgon · · Score: 4, Informative

      Here's the thing: You can leave your box unchecked - but if ANY of your friends have access to your wifi, and *their* box is checked, then all their Facebook friends will also get access to your wifi.

      And the only way you can prevent this is to append "_optout" to your SSID.

      --
      Why would anyone engrave "Elbereth"?
    18. Re:if that's true, by Dr.+Spork · · Score: 2

      Agreed. As an opt-in feature, it's actually a good idea. I've written down passwords on stick-it notes for visiting friends, and that sort of opt-in password sharing is also not without security issues. My stick-it notes don't self-destruct. I think it also makes it more concrete who really is a friend - a person with whom you're willing to share your wifi password. I think that's actually a pretty good minimum standard for friendship.

    19. Re:if that's true, by wimconradie · · Score: 3, Insightful

      Your password is stored and hashed on Microsoft's servers. The hash is sent to your contacts. When they try to connect, their computer sends the hash to yours, which then checks that hash against the one on Microsoft's servers. If they match, then access is granted.

      So if I am trying to connect how would I be able to send any hash to any computer while I'm not connected?

    20. Re:if that's true, by TheRaven64 · · Score: 2

      A better solution would be a standard form of QR code for WiFi configuration info, so you just point your camera at something and now you have WiFi credentials.

      --
      I am TheRaven on Soylent News
    21. Re:if that's true, by jrumney · · Score: 2

      You are the one who is "full of shit", since you are getting all of your information on the implementation of this feature on Windows 10 from an old article about Windows Phone 8.

    22. Re:if that's true, by Pope+Raymond+Lama · · Score: 3, Informative

      It looks like it is not /. editors who can't read things here, but you. This is the sitautionm - I own Wifi access point "A"; Friend "B" comes by, I physically pass A's password to B. Now "B" is the one with the option to share or not the passwords (and all of them) with all HIS contacts - not mine. And moreover, it will happen by default - if B has 2000 Outlook.com contacts, all those 2000 people will be automatically allowed to connect on my WiFi "A". And the ony means this not to happen is if `B` opt out __all__ his sharing (not just for WiFi "A") or if WiFi "A` SSID is formatted as dictated by Microsoft (i.e., ending in `_optout`).

      This is so insanely ridiculous that there are no word to describe how ridiculous that is.

      --
      -><- no .sig is good sig.
    23. Re:if that's true, by Ol+Olsoc · · Score: 4, Funny

      Friends-of-friends-of-friends-of-friends? How deep can this go? The whole six-degrees-of-separation thing comes to mind... could this end up pushing almost everyone's network passwords to the entire connected internet? Yeah, I'd like more info, and the sooner the better.

      Sounds like Kevin Bacon will have access to everything!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    24. Re:if that's true, by unixisc · · Score: 3, Interesting

      I think that you are mis-reading the FAQ, I found this in it

      When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they'll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they're in range of the networks (if they use Wi-Fi Sense).

      What is even more interesting is that it apparently automatically accepts any terms of use and provides passwords to web-based WiFi access logins, which could create some interesting legal situations (did you really accept the terms, and are you logging in with someone else's username/password)?

      'You choose to share' is key here, so the headline is definitely misleading. I could choose to share my primary SSID, or I could choose to share just my guest SSID. If I did the latter, there shouldn't be a problem

    25. Re:if that's true, by Rutulian · · Score: 2

      Did you read my comment? The key is derived from the passphrase, it is not the passphrase itself. Neither the key nor the passphrase is ever transmitted. There is a handshake protocol where both the AP and the client demonstrate they both know the key and then a unique session key is generated from the key to encrypt traffic.

    26. Re:if that's true, by StikyPad · · Score: 4, Funny

      Spoiler alert: Kevin Bacon already has access to everything.

      --
      https://www.eff.org/https-everywhere
  2. Lol, what could go wrong. by Anonymous Coward · · Score: 2

    I can't wait

  3. No by Anonymous Coward · · Score: 5, Informative

    ahhhh no, for networks you have SELECTED to share it can do it. Wifi sense being on doesn't suddenly expose all your wifi passwords. extremely inflammatory summary. still seems a stupid risky feature, just not as dumb as those writing the Slashdot summaries.

    1. Re:No by danomac · · Score: 4, Insightful

      However, just because I gave Person A access to my wifi, that doesn't mean I give everyone Person A knows access to my wifi. This could end up in legal hot water territory.

      I guess that I just won't be giving any guests access to my network anymore. They can pony up and get their own mobile data plan for their devices.

    2. Re:No by MightyMartian · · Score: 4, Informative

      Inflammatory Mode On: Why in the fuck would even want to opt-in to such a service? If it's private WiFi, it's likely to be at my home or my workplace, and in either case I absolutely do not ever want to share that over fucking Fuckbook, Twatter or whatever stupid lame-ass soshial neshworking crap site becomes the next biggest and greatest.

      Rational Mode On: Now let's imagine that my organization has a private WiFi hotspot available for employees and a few others. I do not ever want to have those keys shared outside that group, nor should I have to change MY network with an "_optout" on the end of an SSID. I would consider that a breach of security. Sure, I'll probably be able to disable Windows devices that are domain members via GPO, but if they're not actually devices belonging to the organization, or "Pro" versions of Windows where it even knows what the hell Active Directory is, then MY network is being compromised by this service.

      This is just a plain bad idea, whether you're being reasonable or inflammatory.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:No by Harlequin80 · · Score: 2, Interesting

      Serious question - who here is not running a guest wifi access point? I would never give full access to my network to an unknown device. So I run an open guest wifi which is on a different subnet and has its internet rate limited.

    4. Re:No by amicusNYCL · · Score: 5, Insightful

      Serious question - who here is not running a guest wifi access point?

      I'm going to guess the vast majority of people running wifi at home. My office has a guest network, my house does not.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:No by ewhac · · Score: 5, Informative

      ahhhh no, for networks you have SELECTED to share it can do it. [ ... ]

      ERROR: MISLEADING.

      Wi-Fi Sense's default settings are to share everything, all the time. Indeed, Microsoft's rules for shipping Windows Phone 8.1 requires OEMs to turn this "killer feature" fully on. Expecting users to have the presence of mind to turn this off is willfully disingenuous.

      --
      Editor, A1-AAA AmeriCaptions
    6. Re:No by Balthisar · · Score: 2

      I don't run an incubator in my house, so usually it's just friends' kids that want to connect their iPhones to my network, thus I have no reason to run a separate guest network, although Tomato on my AP's would make this trivial. The networked computers have passwords for VNC and keys for ssh, and I'm not overly concerned that my friends' kids will have compromised iPhones that want to brute-force anything.

      --
      --Jim (me)
    7. Re:No by fuzzyfuzzyfungus · · Score: 2

      Just as they say, in the context of backups, that 'if it isn't automated it won't happen'; there is likely to be a considerable difference in the rate of unintended leakage between a 'yeah, I guess I did tell Bob the password, he could pass it on' and 'the password spreads through your entire social group like a bad chain email'.

      This sort of 'friend/acquaintance' attack attack is also exactly where slightly-too-automatic automation makes it really easy to bypass what limited good sense about security humans do have.

      If, say, Alice and Bob have just had a messy breakup; it would be fairly obvious to any mutual friend of the two that sharing one's wifi password with the other, or a known friend/agent of the other, is something that they wouldn't like. They might do it anyway; because people are assholes like that sometimes; but it would be deliberate. Social-engineering somebody in that situation into telling you the password might be vaguely tricky. Social-engineering them into making you enough of a contact/friend/whatever on the services that this 'wifi sense' system uses to receive the password should be absolutely trivial; quite possibly already done.

      I suspect that it isn't for nothing that this 'feature' first appeared on Windows Phone; carriers adore the idea of getting the filthy customers off the cell data networks they pay for and onto wifi as often as they can, and don't much care about a bit of collateral damage inflicted by dumb implementations.

    8. Re:No by MightyMartian · · Score: 2

      There's a doodad on my AP that let's me disable a feature on a connecting WiFi client?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    9. Re:No by the_B0fh · · Score: 2

      OP is asking a very pointed question to which you have no answer, so you are avoiding the answer instead of owning up to it.

      If you really don't understand OP's point, go read it again.

    10. Re:No by i.r.id10t · · Score: 2

      After setting up the new device adn being prompted "Do you want to share your connection" how many users are gonna think to themselves "Well, yeah, I want to share this with my iDevice and tablet and the $housemate and ... " and click "Yes" ?

      --
      Don't blame me, I voted for Kodos
    11. Re: No by firewrought · · Score: 4, Insightful

      How often do your friends immediately email the Wi-Fi password you just gave them to their entire contact list? The correct answer (unless you have really shitty friends) is never. Now all of your friends will do this by default, unless they are technically literate enough to disable the option. (And even if your friends are literate enough, your roommate/boyfriend/girlfriend/spouse's friends won't be.) It's very aggravating that Microsoft has chosen to so promiscuously share the secrets its users have entrusted to the OS. A Wi-Fi password that might have previously been shared with a handful of friends is now automatically spread to a network of hundreds, and exposed to possible interception by enterprise, underground, and state-sponsored hackers. One really has to question the legality of this feature, unless the wording is very clear and the user opts-in every time.

      --
      -1, Too Many Layers Of Abstraction
    12. Re:No by vux984 · · Score: 3, Interesting

      . So I run an open guest wifi which is on a different subnet and has its internet rate limited.

      Even my guest network is password protected. Its for my guests not for everybody. If I wanted it for everybody, there wouldn't be a password on it, and people wouldn't need a windows feature to shared with their contacts.

      Many of my neighbors also have guest networks... none of them are wide open.

      This feature is probably the worst/dumbest thing I've seen in Windows 10 so far. Actually no... the inability to disable bing searching the web when you use the search in the start menu is the dumbest hting I've seen in windows 10... if that shit isn't fixed by release nobody should upgrade. NOBODY.

      (And the sad thing is I actually over all like windows 10... but its just stuffed with bloat I don't want. At least most of it I can shut off... live tiles, cortana, using microsoft accounts, etc... but its becoming more and more work to set the settings up right.

      I'm looking forward to a windows 10 de-crapifier powertool shortly after release... hell I'm tempted to write one.

    13. Re:No by Harlequin80 · · Score: 2

      The second you talk about tor routing you are stepping outside of off the shelf consumer grade routers. If you want that you will need to roll your own.

  4. Beyond Stupid by Mikkeles · · Score: 2, Informative

    This is so moronic on so many levels.

    --
    Great minds think alike; fools seldom differ.
  5. There goes my SSID :( by MAXOMENOS · · Score: 3, Funny

    FBI Surveillance Van #1_optout just looks dreadful.

    --
    Finding God in a Dog
    1. Re:There goes my SSID :( by PoopMonkey · · Score: 3, Funny

      Why'd you cave? If they complained, you should've renamed it to Anal Fisting Funhouse.

  6. Uh, no by reboot246 · · Score: 4, Insightful

    no fucking way. Somebody needs to be fired at Microsoft.

    We all know how to handle this "feature", but most people won't have a clue.

    This is right up there with their leaving file extensions hidden by default.

    1. Re:Uh, no by gstoddart · · Score: 2

      No, someone needs to be shot.

      This is the most idiotic thing I've heard of in a long time.

      Microsoft has said "fuck security", and once again have decided to "innovate" something which stupidly becomes a gaping security/privacy hole.

      What shithead thought of this?

      These passwords aren't Microsoft's to share, and decreeing that anybody who hasn't changed their SSID to opt out has consented.

      Fuck that.

      How bout we charge Microsoft with hacking and enabling unauthorized access to computer networks?

      Fucking idiots.

      --
      Lost at C:>. Found at C.
    2. Re:Uh, no by gstoddart · · Score: 3, Insightful

      They're doing more than advertising it.

      In Windows 8.1 they pushed out an update which put an icon in the task tray which said "upgrade to Windows 10, now or later?"

      They're not pushing it as optional. They're installing stuff which is going to do it to you, and isn't giving you a way to decline. You end up needing to uninstall an update (KB 3035538).

      I'm sure they'll do it again.

      Microsoft seems to have decided they own the computers, and the networks they're attached to. Which is completely bullshit.

      And, don't forget, once they have all those juicy passwords they can pass 'em off to law enforcement.

      Microsoft have always been assholes, but this takes the cake.

      Basically Windows Phone and Windows 10 are gaping security holes, and Outlook.com is now acting as malware.

      --
      Lost at C:>. Found at C.
    3. Re:Uh, no by JaredOfEuropa · · Score: 2

      These passwords aren't Microsoft's to share

      Exactly. They are no one's to share but the owner of the access point, and when you give your house wifi password to a guest, most of them do understand that it's not ok to give that password to others. That changes when sharing passwords becomes a built-in or even automatic feature; if there's a button to share, it'll give the impression that it is safe and acceptable to do so.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. Bad Summary, Only new part is the sharing option by slacklinejoe · · Score: 2, Informative

    First, we're only talking Windows 10 PHONE Secondly, it's only available on networks you choose to allow this on. Third, yes, your wifi passwords are being backed up to make it easier when you migrate devices - Apple, Google and Microsoft all do this on your mobile devices. This isn't new! I can't imagine that this won't be opt in only by the time it RTMs (or whatever the equivalent is).

  8. third solution the MS doesn't want to mention by frovingslosh · · Score: 2

    If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions;

    Not a problem for me, they missed the obvious third solution. Never ever use Outlook, Don't use Skype and don't use Facebook. Problem solved without having to change my SSID. And, of course, there is a fourth solution but that involves using Linux.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:third solution the MS doesn't want to mention by ewhac · · Score: 3, Insightful

      ERROR: INCOMPLETE SOLUTION

      There is no provision in this "killer feature" that establishes whether the person doing the sharing is the network administrator, i.e. the person who grants authorization to use their network. So if you share your WAP credentials with a friend, and that friend uses Windows 10 with Wi-Fi Sense enabled, than that friend has just compromised your WAP.

      --
      Editor, A1-AAA AmeriCaptions
    2. Re:third solution the MS doesn't want to mention by frovingslosh · · Score: 2

      Well, duh. If you give away your SSID to a 3rd party, YOU have compromised your security, not MS. That's why my guest room has a cat5 ethernet connection. And for special cases I do have an access point that I normally keep off but could turn on if someone shows up with a wifi only device such as a tablet. But the obvious solution for most users is simply be aware of this issue and never give your SSID password to a Windows 10 user. I have no problem explaining why if someone has Windows 10 they will not get access to my system wirelessly, if you do then go ahead and compromise your system.

      --
      I'm an American. I love this country and the freedoms that we used to have.
  9. I have another way by Trailer+Trash · · Score: 3, Insightful

    Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.

    Or, just don't use windows 10. I think I may have found the answer there.

    --
    Do you have ESP?
  10. Re:Bad Summary, Only new part is the sharing optio by ArmoredDragon · · Score: 4, Insightful

    And if you give your wifi credentials to a guest who needs access to your network, they can opt you in without your permission or even your knowledge.

    The only way then to prevent unknown people from having your wifi password is to forbid Windows 10 mobile users from accessing your network.

  11. Re:Every SSD WIFI Password ? by MightyMartian · · Score: 2

    Thank you for being a friend,
    And sharing WiFi passwords there and back again.
    You're giving me the WiFi key of your favorite restaurant.

    And if they came to your dorm,
    Invited everyone you knew,
    You would see the ugly guy at the back downloading kiddie porn,
    And the FBI would raid you singing "Thank you for filling our jail!"

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  12. Re:Thank you for your entry by MightyMartian · · Score: 2

    This is from the company that thought having users run as root user using a browser that would automatically install unsigned executables and libraries from the Internet was just the bestest idea ever.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  13. Not Exactly.... by nate_in_ME · · Score: 5, Informative

    I've been running pretty much every build of Win10 since the preview first came out, and this isn't accurate at all....Yes, the Wi-Fi sense option is there, but when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared. The Wi-Fi Sense "master switch" may be on by default, but you have to specifically allow each individual network to be shared.

    1. Re:Not Exactly.... by MightyMartian · · Score: 5, Insightful

      That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Not Exactly.... by ewhac · · Score: 2

      ...when you connect to a new network, there's a "share with my contacts" checkbox that you have to turn ON for this network to be shared.

      If true, this would be a departure from the Windows Phone 8.1 OEM requirements, which requires OEMs to fully enable this, "killer feature:" https://msdn.microsoft.com/en-...

      --
      Editor, A1-AAA AmeriCaptions
    3. Re:Not Exactly.... by benjymouse · · Score: 2

      That isn't the issue. The issue is YOU being able to share MY WiFi key because I was dumb enough to let a Windows 10 user on my WiFi network. This is akin to me giving you the keys to my house so you can housesit, and you getting a hundred copies cut and distributing them to a bunch of people you know.

      So wrong.

      If you *tell* someone your WiFi password *then* there's nothing stopping them from sharing it with whomever they want. So do not do that. Not if he brings OS X or Linux or Windows.

      If you want to allow some friend onto your network but not allow him to share your network with others, then *you* tap in the password at his computer when it connects. On OS X or Linux or Windows. That what you would do today, and that's what you would do when your friends brings a Windows 10. On Windows 10 simply DO NOT CHECK the "share" checkbox. It is off by default. Your network will not be shared.

      Nothing has changed. Neither your network nor your password will be shared with anyone. Your friend cannot go into settings and share the network after the fact - it has to be done when connecting.

      But if *you* connect to some network which you would like to share with your friends, you can check the "share" checkbox. When you do that, your password will be stored encrypted in Microsofts servers. When one of your friends (if you share with - say - Facebook friends) is in range of that network, his Windows 10 computer can engage the network. The network will issue a challenge with must be hashed using the password as salt, and the hash returned. Modern password auth works like that to avoid sending passwords in cleartext. This means that the *actual* password hash is a one-time hash computed from the challenge.

      The computation of the hash is performed on Microsofts servers, and your actual password is NEVER available on your friends computer - not even in encrypted form - only the challenge response hash. Your friends computer must obtain the response to the challenge from Microsofts servers - and when doing so it must prove that it belongs to a friend of yours.

      Furthermore, Windows 10 which connects to a network in this way will *not* allow access to other devices on the network except for the internet gateway. I.e. it can only be used for Internet access - nor for local file or media sharing.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  14. Re:Bad Summary, Only new part is the sharing optio by ewhac · · Score: 5, Interesting

    First, we're only talking Windows 10 PHONE

    ERROR: INCORRECT

    First: This is in Windows 10 desktop, as detailed here, complete with screenshots: http://www.howtogeek.com/21970...

    Second: Even if this were only confined to Windows Phone 10, it would still be monumentally stupid.

    --
    Editor, A1-AAA AmeriCaptions
  15. Microsoft is widely misunderstood. by Anonymous Coward · · Score: 4, Funny

    What I would like to see explained in more detail

    Explanation: Microsoft is widely misunderstood. People think that Microsoft is a software company that does evil. That's not true. Microsoft's main purpose is delivering evil. The software is just a means of doing that. (My opinion, shared with others.)

    1. Re:Microsoft is widely misunderstood. by Anonymous Coward · · Score: 5, Funny

      What I would like to see explained in more detail

      Explanation: Microsoft is widely misunderstood. People think that Microsoft is a software company that does evil. That's not true. Microsoft's main purpose is delivering evil. The software is just a means of doing that. (My opinion, shared with others.)

      So you mean evil as a service, rather than evil as a platform?

    2. Re:Microsoft is widely misunderstood. by Darinbob · · Score: 4, Funny

      Evil as a user experience.

  16. Holy fuck ... by gstoddart · · Score: 3, Insightful

    So Microsoft has taken it upon themselves to share the network credentials with anybody it sees fit?

    Fuck you, Microsoft. How about you help us make networks more secure and not less?

    Not only will I stick with my Windows 8.1 install, but no Windows 10 device will ever get my network credentials.

    This has to be one of the stupidest things I've heard of. And, of course, since Microsoft will centrally store your passwords, law enforcement can subpoena them.

    Microsoft are too fucking incompetent at security to be trusted with this. And then to have the nerve to suggest we have to change our network names to opt out of their shit?

    Fuck you, Microsoft. Fuck you very much.

    --
    Lost at C:>. Found at C.
  17. Re:DMCA violation? by viperidaenz · · Score: 2

    It would be your friends fault, for selecting your network to be shared.
    WiFi Sense may be enabled by default, but you need to specifically share each network.

  18. Third Option: by steevo.com · · Score: 2

    OPTOUT of Windows 10.

  19. Lawsuit by grahamtriggs · · Score: 2

    If Microsoft are stupid enough to ship this "feature" - and have it turned on by default - what are the chances that they will be hit with a massive lawsuit?

    No doubt there will at least be group policies - if not it disabled entirely - on professional editions of Windows, because corporate customers are going to run a mile from having external guests authenticating on to protected networks with confidential material, just because they happen to be a contact of the person they are visiting.

  20. Assumption is I trust all my contacts equally by n0ano · · Score: 2

    Do I understand this `feature` correctly? If I enable it then all of my contacts now have access to my wifi credentials. I can imagine that I might want this feature for my wife and kids but there is no way in hell I would want to do this for every contact in my list. My wife I trust but the friend of a friend that I just added to my contact list - not so much (although thinking about it maybe that should be reversed).

    If that is truly the way this thing works then this is one of the more brain dead ideas some clueless program manager came up with (ranks right up there with the idiot that decided that email messages should be HTML formatted and should contain active content).

    --
    Don Dugger
    "Censeo Toto nos in Kansa esse decisse." - D. Gale
  21. Re:Holy fuck ... by houghi · · Score: 2

    Have you been in a coma for 15 years? Let me give ypu a short history lesson:
    Some idiots flew into the twin towers on purpose. Afganistan was invaded to kill the terrorrists.
    Irak was invaded to kill the same terrorists, but it was really about weapons of mass distruction, but actually about oil.
    We have always been at war with Terrorism.
    For our own safety; subpoenas do not excist anymore.
    War is peace, freedom is slavery, ignorance is strength.

    --
    Don't fight for your country, if your country does not fight for you.
  22. Options by verd02 · · Score: 2

    So available options include:

    * Per the Wifi-sence FAQs, 802.1x networks will not be included. So we can enable WPA2-Enterprise security, for which a Radius auth server is required. Evidently easy enough to do with dd-wrt or the like but much more work to allow guests in.
    * MAC address filtering? Won't prevent the password hash from being stored on servers and passed around to contacts, but will prevent non-registered devices from authenticating. More work than previous option.
    * Use the _optout thing. Not a lot of work but sort of offensive.
    * Not give out password to any guests, because even if they're using their Android phone one day, they might pass on the password to their Windows-phone-using buddy.

    I guess option #1 it is. At least it lends some nerd cred? This is annoying.