from the we-are-really-security-conscious dept.
According to The Register Microsoft plans to enable their WIFI Sense feature on all versions of Windows 10 by default.
WIFI Sense has been lurking on Windows Phones since version 8.1.
A Windows 10 feature, Wi-Fi Sense, smells like a significant security risk: it shares access to password-protected Wi-Fi networks with the user's contacts. So giving a wireless password to one person grants access to everyone who knows them. That includes their Outlook.com (nee Hotmail) contacts, Skype contacts and, with an opt-in, their Facebook friends.
With every laptop running Windows 10 in the business radiating access, the security risk is significant. A second issue is that by giving Wi-Fi Sense access to your Facebook contacts, you are giving Microsoft a list of your Facebook friends, as well as your wireless passwords.
Microsoft offers a totally ridiculous workaround: you can simply add _optout to the SSID to prevent it from working with WiFi Sense.
Microsoft's page on WIFI Sense hasn't yet made it clear that every Windows 10 computer using WIFI will have the feature on by default. But that page does also include this little gem:
Wi-Fi Sense uses your location to identify open networks near you that it knows about by crowdsourcing.
Where are the lawyers when you need them?
Original Submission
(Score: 4, Interesting) by liquibyte on Wednesday July 01 2015, @09:24AM
I see them back-pedalling on this rather quickly once the lawyers do become involved. I'm fairly sure that this runs afoul of several laws. I don't run windows, never will. If I give someone access to my wifi that does and my key gets spread around and I see it in my logs, a lawsuit is going to happen.
(Score: 5, Insightful) by lentilla on Wednesday July 01 2015, @10:29AM
I'm fairly sure that this runs afoul of several laws.
Why does business always seem to be in such a race to the bottom? It shouldn't have to be laws stopping this, it should have been the people at Microsoft thinking to themselves: "hey, awesome idea, but not the smartest thing to actually implement".
In theory, it sounds like a Good Idea. Everyone wants their computers to "just work". It's up to the experts to reign that enthusiasm back in because quite often "easy" equates to "unsafe". It's the same way that adults have to explain to teenagers that skateboarding down an highway to save a couple of minutes is not appropriate. Nobody [should] like being the "no" guy but sometimes it has to be done.
This feature would be better implemented with a setting to temporarily turn your computer into a WiFi hotspot and temporarily share a particular folder with a displayed password. (Or something along those lines.) The whole "share with contacts" business is fraught with problems and is entirely unnecessary. It's as if somebody came up with the idea to easily share data, and the executives asked "but how can we make it ClouldReady?" (Or whatever the buzzword is.) So they tacked on the unnecessary part.
I'm all for sharing data easily. But it must be safe, it must not leak metadata, and it must be cross-platform.
I also wish large technology companies would not make a habit of making inherently insecure products. Microsoft already isn't my favourite company and this "idea" just makes me trust them less. It's hard to have even an ounce of trust in consumer technology when one of the world's biggest technology producers has entire teams of executives, programmers, marketing and legal experts working for months on a product that never should have left the brain-storming session.
(Score: 2) by Leebert on Wednesday July 01 2015, @11:28AM
...such as?
(Score: 4, Informative) by liquibyte on Wednesday July 01 2015, @11:48AM
https://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States [wikipedia.org]
I'm not going to research statutes but I'm going to assume that if I give you access to my wifi and then the folks that wrote your operating system steal my key without my authorization and distribute it to others to use they have just circumvented my security measures. Hacking, pure and simple, even if it is from a privileged position. Game, set, match.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @11:49AM
The same laws that were supposed to stop everybody else from leaking peoples passwords.
Laws should be the same whether its Microsoft doing it to the little guy, or the little guy doing it to e.g. the Playstation Network.
(Score: 4, Informative) by liquibyte on Wednesday July 01 2015, @12:03PM
Here ya go: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act [wikipedia.org]
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[6]
(Score: 2, Interesting) by Leebert on Wednesday July 01 2015, @12:14PM
I'm well aware of the Computer Fraud and Abuse Act. How does Microsoft violate it with this?
(Score: 1) by liquibyte on Wednesday July 01 2015, @02:16PM
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(C) information from any protected computer;
(Score: 3, Insightful) by Leebert on Wednesday July 01 2015, @02:52PM
So, Microsoft accessed a computer without authorization by implementing this feature? Sorry, I don't see that flying.
(Score: 2, Interesting) by RedGreen on Wednesday July 01 2015, @03:57PM
"So, Microsoft accessed a computer without authorization by implementing this feature? Sorry, I don't see that flying."
There are none so blind as those who will not see. - John Heywood (1546) still applies nearly five centuries later...
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by Leebert on Wednesday July 01 2015, @06:58PM
I'm trying to understand how one could legitimately claim that Microsoft committed a crime by including this feature. For one thing, Microsoft did not access anything. They provided you software that has a feature that shares data you provide it in a way that is by all superficial appearances insecure and is certainly not expected software behavior by most people. No argument there. But I'm having a hard time seeing a CRIME.
Suppose I developed an app that controlled garage doors, and that app automatically allowed anyone in your contact list to open your garage door. Did I as the app author commit trespass or breaking and entering or other such crime? Nope. They might have done something stupid, maybe even dickish. But not criminal. At least, not as far as I can tell. Especially since consent is probably buried in a license agreement somewhere. Hence my original question: What law are they violating by doing this? Because I can't see it being the Computer Fraud and Abuse Act.
Maybe I'm wrong, but please convince me with actual facts and not a cutesy quote.
(Score: 1, Informative) by Anonymous Coward on Wednesday July 01 2015, @07:29PM
I'm trying to understand how one could legitimately claim that Microsoft committed a crime by including this feature.
It's not including the feature that's the violation; it's providing your WiFi key to someone without your authorization that will be the violation.
(Score: 2) by RedGreen on Wednesday July 01 2015, @07:37PM
As the AC points out providing your wifi key to world + dog is if you or I do it the crime, MS on the other hand with the litany of crimes they have committed and bought their way out of in the past probably will get nothing but at most slap on wrist for doing it.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by frojack on Wednesday July 01 2015, @08:56PM
Nevermind PROVIDING....
What about just TAKING your WIFI Password?
Even if they have no intent to use it (they are after all several thousand miles away from most users), mere possession might constitute a crime.
Note: the federal statute quoted up-thread may not apply unless the computer was a "protected computer", and when you study the statute deeply enough to find out what constitutes a "protected computer" it usually has to be a federal computer, or banking system computer, etc.
No, you are mistaken. I've always had this sig.
(Score: 2) by DECbot on Wednesday July 01 2015, @04:15PM
Bob visits Alice's house. Since Bob is in Alice's contacts and Bob and Alice both use Microsoft products, Bob now has access to Alice's WiFi--whether she explicitly shared it to him or not (remember, it's opt-out, not opt-in). Martin is Bob's bar friend, and so he is in Bob's contacts to coordinate drinking nights. Unknown to Bob, Martin does questionable things with the internet. Since Alice's WiFi password is in Bob's computer and Martin is in Bob's contacts, Alice's WiFi password gets shared to Martin. Now Martin uses Alice's WiFi to attract the Fed's attention and Alice get a unwelcome notice from the Fed.
cats~$ sudo chown -R us /home/base
(Score: 3, Interesting) by frojack on Wednesday July 01 2015, @05:22PM
And you totally missed the part of the bar buddy living one floor up from Alice, and therefore having free wifi for life at Alice's expense, and access to her shared music and video collection on her NAS box Public folder. And bar buddy doesn't even have to know Alice/
This is totally different than Comcast's sharing part of your wifi using a separate Vlan to any other Comcast customer, because theoretically all it takes is a tiny bit of extra electricity, and exposes none of your data. (allegedly).
Microsoft's plan just plops you on to other people's WIFI subnet, where you can run up anyone's bill downloading porn, shooting out spam, or hacking the WIFI owner's other computers from the next apartment.
No, you are mistaken. I've always had this sig.
(Score: 2) by Leebert on Wednesday July 01 2015, @07:05PM
Is the transitive relationship unlimited? I don't know how it works, but if I were implementing something like this, I'd limit the sharing to one degree of separation from the person who actually entered the key. Otherwise, Kevin Bacon would have all of our Wifi pre-shared keys by the end of the week.
(Score: 3, Informative) by captain normal on Wednesday July 01 2015, @05:41PM
"...without authorization or exceeds authorized access...."
Did you actually read the TOS for Win10?
Everyone is entitled to his own opinion, but not to his own facts"- --Daniel Patrick Moynihan--
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @08:18PM
If Microsoft has the key then NSA has the key.
(Score: 3, Interesting) by drussell on Wednesday July 01 2015, @09:26AM
Wi-Fi Sense uses your location to identify open networks near you that it knows about by crowdsourcing.
Wow... That is a interesting way to define and use the term "crowdsourcing" !!??? :)
(Score: 3, Insightful) by Anonymous Coward on Wednesday July 01 2015, @09:28AM
Don't let Windows 10 machines connect to your WiFi until Microsoft reverses that decision.
(Score: 3, Insightful) by jimshatt on Wednesday July 01 2015, @10:42AM
(Score: 2) by skater on Wednesday July 01 2015, @11:12AM
Yikes. At work, our network password is also required to log into the Wifi, and it's saved in the settings on the device (I'm not sure what the setup is we use to log in, because I haven't done it in a while, but it's not simple WPA or anything like that - we need our network username and password). So with this sharing, someone would have my network password (if I used Windows 10/8.1 for mobile). Please backpedal on this, Microsoft, before Security decides we need yet another different 12 character password.
(Score: 2) by Freeman on Wednesday July 01 2015, @07:40PM
You password is only 12 characters long?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by skater on Wednesday July 01 2015, @11:22PM
What does your question have to do with the article? If Microsoft does this, it won't matter how long anyone's password is.
(Score: 3, Interesting) by bootsy on Wednesday July 01 2015, @11:56AM
Very sound advice.
Does anyone know how MS plan on doing the automated upgrades from 8.1 as, depending on how it is done, you could suddenly find yourself running Win 10 and connecting to your Wi-Fi network without much say in the matter?
One side of MS must have some clue about security as Windows Authentication is basically Kereberos and LDAP and it works really well but then you get stupid things like this article and the fact you cannot have a read only RDP login to a server running Windows. Unlike Unix you cannot login to check a server without having the ability to wreck it.
Given MS's biggest Market is corporate IT on desktops and servers, it still bases its designs around the rapidly dying home desktop market. I am frequently amazed at how bad Windows is in a coporate setup and the workarounds that have to be done to get it secure. I am told from colleagues who have visited Redmond that they use very different machines to test that Windows will work on many configurations and types of hardware but in a big Corporate most people will have the same hardware installed from a fixed image.
(Score: 2) by Gaaark on Thursday July 02 2015, @01:33AM
Don't use Windows anything to do anything...
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by fnj on Thursday July 02 2015, @01:47AM
And ... we have a winner.
(Score: 4, Interesting) by VLM on Wednesday July 01 2015, @11:32AM
This is an interesting strategy. If you want to do something unpopular, do something so ridiculous it looks like parody. I can't even complain about it, this sounds so bizarre and insane. I mean, where do I even start, other than "flush the whole idea"?
Step two of course is to roll back perhaps 10% to 50% of the insanity, get the journalists and blogs to report everything is saved and fixed, and still get 90% to 50% of the insanity they originally wanted. I'm guessing shortly after the holiday the news will be released that they finally found a way to enforce market segmentation and only "home edition" will share all your security info with random people and "business edition" will not and of course cost X times as much and aren't we just the nicest corporation on the planet and everyone should love MS because they care and they feel our pain.
One interesting sci fi-like theory is maybe MS, late to the party as always, is planning on releasing a social network of its own. Now consider that my wife exclusively accesses facebook on her phone, so anything done to a windows PC is irrelevant to her (aside from the whole having a mac mini instead of a PC thing). Also work PCs are theoretically for work, but in practice all those 16 hour per day losers spend about 12 hours per day on FB and twitter and only 6 hrs/day actually working but they get credit for 16 hrs butts in seats. Now those losers will see FB blocked at corporate to prevent corporate WIFI from being powned. But no worries Microsoft Network for Business will be released, probably something like a bad clone of myspace from 2006 for theoretically business purposes. Like a linkedin but unlike Linkedin people actually use it, for fun even. And MSNB or whatever it'll be called will of course not share wifi passwords. So pretty much all facebook users with jobs (what, maybe 1/3 the countries population?) will have to move to MSNB at least while they're sitting at work. Note that I'm describing a plausible semi-interesting possible alternative future, not peering into my crystal ball and insisting this IS exactly how the future will roll.
(Score: 1, Funny) by Anonymous Coward on Wednesday July 01 2015, @11:35AM
I mean, where do I even start, other than "flush the whole idea"?
If you load Windows 10 on your Zune you can 'squirt' the whole idea to your friends without needing WiFi (No) Sense.
(Score: 3, Insightful) by AndyTheAbsurd on Wednesday July 01 2015, @12:10PM
Oh, MSNB will share wifi passwords - provided your company's MSNB account administrators have set up sharing with their company. This will enable synergy when businesses collaborate on....oh I feel dirty already, I can't finish that joke. Anyway, the MSNB corporate account will probably be connected to Active Directory just like Office 360 and Lync - I mean "Skype for Business" - is today, so you'll automatically get desktop notifications and shit about it.
And then some enterprising hacker will set up a FB/MSNB bridge system and the whole thing will be pointless.
Please note my username before responding. You may have been trolled.
(Score: 1, Informative) by Anonymous Coward on Wednesday July 01 2015, @12:29PM
Well in Windows Phone, there is an option to turn this on or off, so I imagine Windows 10 will also have an on/off feature. And what it exactly does, is it sends the wifi password to your contacts, but it doesn't let them see it or know what it is. Its more for visitors/friends coming around and instead of logging on to your wifi every time, you can share the password with them and bam!, all good.
In theory.
(Score: 3, Insightful) by urza9814 on Wednesday July 01 2015, @05:49PM
Right...an option that's probably on by default, and which 99.99% of Windows users won't know exists.
So now you give your wifi password to the friend visiting for the weekend...and now a thousand random strangers have your wifi password. Including all the shady spammer fake profiles they've accepted requests from. Yeah, that sounds like a *fantastic* idea...
Anyone know a simple way to blacklist ALL Windows devices on an OpenWRT router? I don't own any, and I'm sure as hell not giving my password to anyone who does.
(Score: 1, Insightful) by Anonymous Coward on Thursday July 02 2015, @05:46AM
A password that I cannot view, but I can freely use is pretty much just as good.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @01:29PM
'We live in a vacuum of stupid'
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @02:04PM
A vacuum is defined as a space where there is nothing. So a vacuum of stupid is a space where there is nothing stupid. Sounds like a great place to be!
(Score: 3, Insightful) by Jiro on Wednesday July 01 2015, @02:18PM
A vacuum of stupid means a vacuum that is part of stupidity. This is a perfectly reasonable English usage of the term "of" even though it doesn't let you be incorrectly pedantic.
(Score: 1, Funny) by Anonymous Coward on Wednesday July 01 2015, @02:49PM
Well, you're clearly living in a vacuum, or else you would have heard a loud whoosh sound as that joke went straight over your head.
(Score: 1) by seeprime on Wednesday July 01 2015, @03:51PM
I'm glad I read this article. I plan on turning off location services on any Windows 10 computer that our business works on. This should stop the madness. If customers want to use this feature, and I suspect few to none know it exists, I'll turn it back on when we're finished servicing their Windows 10 computers. This is just one more annoyance that Microsoft is injecting into Windows.
(Score: 4, Informative) by skullz on Wednesday July 01 2015, @03:58PM
From the WP FAQ: http://www.windowsphone.com/en-in/how-to/wp8/connectivity/wi-fi-sense-faq [windowsphone.com] "Do I have to share all networks?", 3rd from the bottom:
"No, you determine which password-protected networks you want to share. If you don't want to share a particular network, just untick the Share network with my contacts checkbox when you first connect to that network."
So you can selectively disable sharing for networks or turn the thing off entirely. After that it just becomes a matter of trusting the OS vendor. How much do you trust Google with your info? How much do you trust Apple?
On my WP sharing is disabled by default when I add a new network. I have to manually go in there and turn it on per network. The docs mention that WiFi keys are encrypted when shared but I can't find out what this actually means. Are they sent over to your Facebook contacts encrypted and then decrypted before signing in? Are they sent to the access point hashed? No idea. But for residential networks this would be handy when your family comes over and can't seem to reliably type in that several dozen char hex string.
(Score: 4, Insightful) by urza9814 on Wednesday July 01 2015, @05:55PM
Also note that it's enabled by default. Most users won't have a clue what it means, but since it's on by default, they'll assume it should be kept on.
I mean christ, we wouldn't accept that for *sending an email* -- imagine a company saying "Well, you haven't come to our website and registered to opt-out, therefore we can send you as much email as we want!" No reputable company would do that. It's completely insane. We would never accept that for just sending someone a message, so what kind imbecile thought it was acceptable for *sharing security credentials*??
Of course...this could just be Microsoft's way of saying all wifi should be open and that an IP address is not an identity....there could be a silver lining there...
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @05:48PM
So if a friend comes over with a windows 10 device and I tell them my wifi password, it will then tell that wifi password to everyone classified as a "contact" on that device?
Essentially you cannot let anyone using windows 10 connect to your network without letting everyone in range do so. All passwords will quickly spread from device to device rendering them meaningless. Think seven degrees of separation.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @05:51PM
crap!
now i have to have nmap scan every wifi client first and if it find windows 10 running hardware add the MAC to the "no-legal-fees.txt" list and route all future traffic to 127.0.0.1 .. or something.
it is always wonderfull to see a commercial OS that HIDES stuff from the user .. customer, doesn't consider the user as the real grown-up owner ...
put in functionality (get encrypted wifi passphrase) but remotely controlled, thus like with this DRM shit, the computer owner isn't in control of the system at all.
(Score: 2) by MichaelDavidCrawford on Wednesday July 01 2015, @05:58PM
... find me.
Just last nightbI noticed that gmail asked me if I could narrow my location down to something more specific than Eugene, Oregon. Look if you're going to stalk me you could at least be discreet about it rather than leaving your business card in my underwear drawer.
Many of my contacts are not my friends. Commonly they are recruiters that I have interviewed with but havent bothered to delete them.
So if I were offered that NSA cryptologist position that I have always dreamed about, all the folks at Manpower Professional can hunt for candidates from Ft Meade?
Yes I Have No Bananas. [gofundme.com]