Windows 10 -Wifi Sense - TURN IT OFF !

bsod

gjchester,

Research and new equipment won't be necessary. You are either unintentionally or deliberately missing the point, and really scraping the argument barrel by equating the word password with router admin password when the context is clearly about wifi access and wifi password.

This is a clear security risk, a breach of trust between an end user and the provider of the software which runs on pc's and phones, pc's and phones you may not even own.

The password belongs to the end user, the access it enables should be under the total control of the end user, if they happen to inadvertently hit share, or give the password to one person with a 1000 contacts, and they happen to give it to one other person with 500 contacts, say a neighbour, a schoolfriend, an idiot, it opens a network up to potentially 1500 people (unknown to the owner of the router) in an instant. Suddenly your home network may be open to everyone in the street without your knowledge. Any cobbled together assurances about network discovery being turned off so your data is safe are meaningless, because someone will come up with a scanner to sniff what's there. This is not about what tech savvy users or corporations do, it's about what everyone else does, there aren't any nomaps around.

Previously, the risk of loose lips was one or two accessing your network, now it's 100's, a clear difference in scale and risk, and miles away from the idea of trustworthy computing.

The idea that a contact list has any correlation with the list of people someone wishes to have access to their router or home network is ridiculous, the world is not solely occupied by teenagers.

Additionally, this database is being collected and held and secured outside everyone's control

The last decade the world has gone from unsecured networks, to wep, to wpa and beyond, and now this has come along to undo all that progress.

tavernman

One question I have is for gjchester, what happens with using your phone or your tablet or mifi as a wifi hotspot?
Have you researched that ?

RumRat

It won't share anything you don't want it to. Whenever you connect to a new Wi-Fi network, it asks if you want to share it with other people. If it's your home network, or another you don't wish to share, you just tell it no. You can even edit the permissions later should you change your mind.
Either that or turn it off.

Fightsback

RumRat wrote: »

turn it off.

See thread title

gjchester

Fightsback wrote: »

How many facebook and outlook accounts have you seen hacked ? Only takes your friends account to be hacked and you're hacked.

Your right. But how is this any different to the "Log on with Facebook" or "Logon with Google" buttons many people use.

People want convenience so you need to opt your router out, turning the feature off on your PC alone is not the answer.

And most studies show the initial breech in attacks comes from phishing or social engineering, knowing the Wi-Fi password will make very little difference to that way in.

bsod wrote: »

The password belongs to the end user, the access it enables should be under the total control of the end user, if they happen to inadvertently hit share, or give the password to one person with a 1000 contacts, and they happen to give it to one other person with 500 contacts, say a neighbour, a schoolfriend, an idiot, it opens a network up to potentially 1500 people (unknown to the owner of the router) in an instant. Suddenly your home network may be open to everyone in the street without your knowledge.Previously, the risk of loose lips was one or two accessing your network, now it's 100's, a clear difference in scale and risk, and miles away from the idea of trustworthy computing.

It IS under the control of the user.

Again you have to turn the sharing on as you connect to a WIFI network, it does not simply read your PC settings an email all password in a file to everyone you know, only the ones you choose to share. Others don't get the password you get an encrypted hash. Your friends NEVER see the actual password so cannot pass it on, not can they share it with their friends . It opens the network to your contacts and friends not the world at large.
Tell vocally the password to a friend and they can repeat it to anyone.

The scenario you propose DOES NOT EXIST. The only way you can share it with 1500 people is if you turn the sharing on for a given network and , tell Wi-Fi Sense to share with your contacts, it only works with your contacts not friends of friends.

Fightsback wrote: »

See thread title

Not really that's a Daily Mail type scaremongering title that is only half true..

If you turn Wi-Fi sharing off on your PC, but then give the password to a friend who has the feature turned on then your networks still compromised, regardless of the state of the setting on your PC.

As I said earlier it should be opt in but it isn't. So you need to opt your router out but simply turning it of on your PC does not help.

gjchester

tavernman wrote: »

One question I have is for gjchester, what happens with using your phone or your tablet or mifi as a wifi hotspot?
Have you researched that ?

RumRats totally correct.

Remember its granular to the network, and you have to choose to opt in as you put in the SSID password , so you may choose to share your home lan but not the tethering connection.

Fightsback

gjchester wrote: »

Not really that's a Daily Mail type scaremongering title that is only half true..

If you turn Wi-Fi sharing off on your PC, but then give the password to a friend who has the feature turned on then your networks still compromised, regardless of the state of the setting on your PC.

As I said earlier it should be opt in but it isn't. So you need to opt your router out but simply turning it of on your PC does not help.

It's not Daily Mail scaremongering, please do not ever associate me with that sorry excuse for a newspaper which isn't fit to be used as toilet paper as it puts more on than takes off

It's a genuine security concern of your Wifi passwords being lifted by Microsoft and stored in the cloud.

I'm glad you agree with me that it should be opt-in, that has been my stance all along and it's extremely foolish on Microsoft's part to have this as an on by default setting.

Security 101 - the principle of least privilege.

RumRat

Fightsback wrote: »

See thread title

You mean the one, where you shout at everyone, then inflict your paranoia onto all and sundry with some silly sensationalism. Along, of course, with the general insult to those using Windows phones.
If you want to be taken seriously you really need to brush up your social skills.
I think that your dislike/mistrust of all things Microsoft affects the way you rail against them (However, well intentioned).
You obviously have some technical ability that will benefit forum members, but, you are coming across as plain arrogant at the moment.
Oh and that Avatar of Kim Dotcom just makes the whole experience worse........Just saying.

Jivesinger

gjchester wrote: »

And once again I'll say do the research.

If you turn Wifi Sense on, and you don't opt out, and your SELECTED contacts can if they have a W10 laptop with Wifi sense also turned on and at your house then yes they can get an encrypted hash of your WIFI password that W10 can use to log on to your wifi.

Does it store an encrypted hash of the WIFI password, or store an encrypted version of the full password?

I don't see how it could work with just a hash, as my Wifi would presumably only allow access to someone with the full password.

RumRat

Should you need it....

If you run a Wi-Fi network and you want to prevent Windows 10 (or Windows Phone) users from sharing the passkey via Wi-Fi Sense, you can add _optout to the end of the network SSID. Microsoft notes that, even if you opt out in this way, "It can take several days for your network to be added to the opted-out list for Wi-Fi Sense."