Windows 10 - Wifi Sense - TURN IT OFF!

  • Fightsback
    Fightsback Posts: 2,504 Forumite
    edited 30 July 2015 at 3:51PM
    bsod wrote: »
    It's an invitation to hackers, virus writers, industrial espionage.

    Let's say you want an in to a corporate network somewhere with 3000 employees, all you need is to become a contact with one of them who has attached to the internal network sometime, not too difficult to achieve, one chink in the wall and the whole place is open.

    Nice one, :T

    Someone around here gets it. Beware neighbours suddenly wanting to be your facebook friend.
    Science isn't exact, it's only confidence within limits.
  • gjchester
    gjchester Posts: 5,741 Forumite
    Fightsback wrote: »
    Nice one, :T

    Someone around here gets it. Beware neighbours suddenly wanting to be your facebook friend.

    And again rather than taking the "Sky is Falling" attitude, do the research. It only shares WPA/WPA2 passwords that you choose to.

    If you do not share it, others cannot see it, nor does it share 802.1x password, and no it does not help if you need additional authentication as in most corporations.

    If you choose to not share it with your Facebook friends, then guess what, they don't get to see it.

    WPA2-PERSONAL was designed for home networks, Personal, the clue is in the name. WPA2-1x is what enterprises should use and needs to authenticate against a radius server, and WiFi sense will not share that. Any place that cares about security will already have those in place, possibly with a token code generator the user needs to log on and a link to the AD to ensure only known users can log on.

    There may be places that use WPA2 hence the simple _optout suffix.

    I'm not sure if you are missing the point (or ignoring it) that even if you turn it off, anyone who you give your key to (family/ friends/ whoever) can turn it on, and without the _OPTOUT on the router you will not be able to prevent that sharing.

    It is no different from the Wifi key written behind the reception desk, or you telling a mate your password, once revealed it is known to anyone else who asks, in fact it's better they don't see the real password only get to connect....
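
The sharing rules described in the post above (WPA/WPA2 pre-shared keys are shareable, 802.1X is not, and an `_optout` marker in the SSID blocks sharing), written as a small inventory audit. This is an added example, not part of the original thread; the `Network` type, the auth labels and the sample list are constructed for illustration, and treating the marker as case-sensitive is an assumption.

```python
# Added example: constructed data; names and auth labels are hypothetical.
from dataclasses import dataclass

SSID_MAX_BYTES = 32         # 802.11 caps an SSID at 32 bytes
OPT_OUT_MARKER = "_optout"  # marker named in the thread (assumed case-sensitive)
PSK_AUTH = {"wpa-personal", "wpa2-personal"}  # key types the thread says are shared


@dataclass
class Network:
    ssid: str
    auth: str  # e.g. "wpa2-personal", "wpa2-enterprise", "open"


def sharing_status(net: Network) -> str:
    """Classify one network by the rules stated in the thread."""
    if OPT_OUT_MARKER in net.ssid:
        return "opted-out"
    if net.auth not in PSK_AUTH:
        return "not-shared"      # 802.1X and anything without a WPA/WPA2 key
    return "shareable"


def opt_out_name(ssid: str) -> str:
    """Return the SSID with the marker appended, kept within 32 bytes."""
    if OPT_OUT_MARKER in ssid:
        return ssid
    room = SSID_MAX_BYTES - len(OPT_OUT_MARKER.encode("utf-8"))
    # Cut on a byte budget, dropping any multi-byte character split by the cut.
    base = ssid.encode("utf-8")[:room].decode("utf-8", errors="ignore")
    return base + OPT_OUT_MARKER


def audit(networks):
    """Map each shareable SSID to the opted-out name it would need."""
    return {n.ssid: opt_out_name(n.ssid)
            for n in networks if sharing_status(n) == "shareable"}


# Constructed sample inventory.
SAMPLE = [
    Network("HomeNet", "wpa2-personal"),
    Network("Office_optout", "wpa2-personal"),
    Network("CorpLAN", "wpa2-enterprise"),
    Network("A" * 32, "wpa-personal"),
]

if __name__ == "__main__":
    for old, new in audit(SAMPLE).items():
        print(f"{old!r} -> {new!r}")
```

An SSID already at the 32-byte limit has to lose characters to make room for the marker, so clients with the old name saved will need to rejoin.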
  • RumRat
    RumRat Posts: 5,002 Forumite
    Oh the lectures, from self appointed guardians of our privacy...It wouldn't be so bad, but, the Holier than thou attitude really grates. Of course unless you do as they do, apparently you are really stupid.
    They and they alone, have the perfect solution and whatever you are doing, it is wrong. Oh yes, and your choice of hardware is also wrong......

    Either just turn it off, if you have been worried by the over the top alarmist rants, or....Well read this..http://arstechnica.co.uk/gadgets/2015/07/wi-fi-sense-in-windows-10-yes-it-shares-your-passkeys-no-you-shouldnt-be-scared/
    I wouldn't want to lecture....;)
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • bsod
    bsod Posts: 1,225 Forumite
    edited 30 July 2015 at 5:43PM
    back in the real world, company security is generally very weak, and this has just made it weaker, how many businesses do you think have a radius server, how many change their router passwords when a phone or laptop is stolen/lost/sold/handed on/disposed?

    It's a feature a committee of 12 year olds might have come up with to make their life just that little bit easier, without any regard to the potential consequences.

    the suffix is a fudge to appease the critics, nothing more, why should anyone have to change their ssid because a new operating system has been released or because google, mozilla or anyone else wants to spy on their router location to provide advertising to anyone in the vicinity, they probably suck up all that info into a database regardless of any suffix.

    The customer should be running the show, having someone as an email contact should not in any circumstances give them access to any router you may have connected to in the past.

    What next, banking passwords, site passwords, it's ok, it will only be released to everyone in your contact list if you share it doesn't cut the mustard.

    some routers (eg talk talk d-link) as supplied by large uk isp's don't allow underscores, so they can't optout, many don't allow multiple ssid's
    Don't you dare criticise what you cannot understand
  • gjchester
    gjchester Posts: 5,741 Forumite
    bsod wrote: »
    back in the real world, company security is generally very weak, and this has just made it weaker, how many businesses do you think have a radius server, how many change their router passwords when a phone or laptop is stolen/lost/sold/handed on/disposed?

    That's a different problem, you can only try and apply security on people that will listen. If anyone (be that personal or a company) uses easy to guess passwords for anything, or put them in prominent places, or even leaves them at a default value they are at risk. Nothing will change that.

    Companies *should* have a plan in place to dispose of old hardware, similarly change password if there is a risk, many don't because it's often "someone else's" job.

    Again I'll point out you have to choose to turn the feature on, it does not share passwords by default.

    Let me put another case, if someone leaves say an employee (or even on a personal level a partner) and has the password how do you make them forget it, Yes you should change the password but most people don't because it's a lot of hassle.
    At least this way once you remove them as a contact they lose access to the encrypted key, and lose access, everyone else keeps working as before. Normally you've told them the clear text key and all is lost, short of a full reset.


    bsod wrote: »
    It's a feature a committee of 12 year olds might have come up with to make their life just that little bit easier, without any regard to the potential consequences.

    Yes it makes life easier, but it's far better than having your WIFI password written down in clear text as I've said you can choose to opt out.

    We live in an always-on world, a lot of people do not want a mobile mast near them, but then they generate a fuss if an area has no signal at all. This is one potential way to help them.

    There's a medical term (Nomophobia I recall), you may ask if that's a real phobia or not and that's another matter, but sufferers feel ill if out of contact through no signal or a flat battery. We cannot even now travel in a train or tube (and even a coach) without Wifi, Many Many people will use this and love it as it makes their life easier.

    bsod wrote: »
    the suffix is a fudge to appease the critics, nothing more, why should anyone have to change their ssid because a new operating system has been released or because google wants to spy on their router location to provide advertising to anyone in the vicinity, they probably suck up all that info into a database regardless of any suffix. The customer should be running the show.

    Google did in the past, the Street view cars snarfed a lot of data, Android handsets used that (and contributed more) to help with mapping accuracy. That was back in 2011 but I suspect many people have forgotten about it by now.

    It may be a fudge but at least the opt out option exists.

    The customer IS running the show. If you tell Microsoft not to share the password, and don't tell anyone the password that's it. You can also choose to buy Apple, or go Linux, or at least till they play catch up and add the feature.
    bsod wrote: »
    What next, banking passwords, site passwords, it's ok, it will only be released to everyone in your contact list if you share it doesn't cut the mustard.

    Given many people use Autocomplete for such things I don't see how it makes it any more insecure than it already is.

    bsod wrote: »
    some routers as supplied by large uk isp's don't allow underscores, so they can't optout.

    Then buy one that can, If you mean Sky who won't let you change the router there's nothing stopping you putting another access point in place and disabling the router's wifi.

    If you care about your security do the research and if need be spend the money.
  • AJXX
    AJXX Posts: 847 Forumite
    OP are you on some sort of potty pilgrimage against Microsoft?

    Your post came across as nothing but up your own **** and holier than thou.
  • Fightsback
    Fightsback Posts: 2,504 Forumite
    edited 30 July 2015 at 6:33PM
    AJXX wrote: »
    OP are you on some sort of potty pilgrimage against Microsoft?

    Your post came across as nothing but up your own **** and holier than thou.

    I'm not travelling to a place of worship (pilgrimage) but if you mean a crusade to blindingly obvious security blunders then yes I am.

    Sigh, Microsoft even still insist on making the default user full admin even when their own figures show running as a standard user mitigates 90% of remote code execution vulnerabilities.

    Next you'll be defending what a wonderful idea autorun was and how convenient it is for the user, nothing could possibly go wrong with that ?
    Science isn't exact, it's only confidence within limits.
  • bsod
    bsod Posts: 1,225 Forumite
    edited 30 July 2015 at 7:39PM
    how often do people wake and think - what I really need to do today to make my life better, is to email my router password to every single person in my contact list, just in case they want to pop around to my gaff some day for a surf, and maybe they can in turn forward it on to everyone in their contact list.

    Someone somewhere thought this problem of shouting a password across a room is so time consuming and pervasive, and that to automatically share it via microsoft, is so innovative, that it must go on the feature list of Windows 10. A cynic might perhaps conclude that the user experience is not the only consideration that comes into play when deciding what information to suck up into offshore databases, having everyone's password in one place is very useful if you like to know everything about everyone.

    Unless someone lives alone, the consent thing is a red herring, as soon as one extra person is told the password, all sharing control is lost, and not at word of mouth speed.

    The sharing terminology used in recent versions of windows confuses me, someone with a lot of IT experience, so I doubt the average user has any idea what they are agreeing to when they click ok, or any comprehension of what exactly they are sharing to whom.

    Anyway, I suspect someday it will be compromised, backfire spectacularly, fall foul of data protection legislation, or cause too many criminal proceedings to collapse, and they will come to their senses and do a rewrite.

    https://en.wikipedia.org/wiki/Trustworthy_computing
    Don't you dare criticise what you cannot understand
  • gjchester
    gjchester Posts: 5,741 Forumite
    bsod wrote: »
    how often do people wake and think - what I really need to do today to make my life better, is to email my router password to every single person in my contact list, just in case they want to pop around to my gaff some day for a surf, and maybe they can in turn forward it on to everyone in their contact list

    And once again I'll say do the research.

    If you turn Wifi Sense on, and you don't opt out, and your SELECTED contacts can if they have a W10 laptop with Wifi sense also turned on and at your house then yes they can get an encrypted hash of your WIFI password that W10 can use to log on to your wifi. Not the router password, the Wifi SSID password. If they don't have Wi-Fi sense on they don't get to use your Wifi either, it's a two way sharing thing.

    They DO NOT get the password in a way they can pass on, and their friends cannot get access to your wifi unless they are also on your contact list.

    You probably already give them access, at least this way if you fall out with them it's as simple as deleting them from your contact book.
  • Fightsback
    Fightsback Posts: 2,504 Forumite
    edited 30 July 2015 at 10:46PM
    gjchester wrote: »
    W10 can use to log on to your wifi. Not the router password, the Wifi SSID password. If they don't have Wi-Fi sense on they don't get to use your Wifi either, it's a two way sharing thing.

    Access is enough of a toe hold, once you are on the network all bets are on. I'm no cracker but there sure are some extremely talented people out there who will leverage it.

    How many facebook and outlook accounts have you seen hacked? Only takes your friend's account to be hacked and you're hacked.
    Science isn't exact, it's only confidence within limits.
This discussion has been closed.