According to The Register, Microsoft plans to enable their WIFI Sense feature on all versions of Windows 10 by default.
WIFI Sense has been lurking on Windows Phones since version 8.1.
A Windows 10 feature, Wi-Fi Sense, smells like a significant security risk: it shares access to password-protected Wi-Fi networks with the user's contacts. So giving a wireless password to one person grants access to everyone who knows them. That includes their Outlook.com (nee Hotmail) contacts, Skype contacts and, with an opt-in, their Facebook friends.
With every laptop running Windows 10 in the business radiating access, the security risk is significant. A second issue is that by giving Wi-Fi Sense access to your Facebook contacts, you are giving Microsoft a list of your Facebook friends, as well as your wireless passwords.
Microsoft offers a totally ridiculous workaround: you can simply add _optout to the SSID to prevent it from working with WiFi Sense.
Microsoft's page on WIFI Sense hasn't yet made it clear that every Windows 10 computer using WIFI will have the feature on by default. But that page does also include this little gem:
Wi-Fi Sense uses your location to identify open networks near you that it knows about by crowdsourcing.
Where are the lawyers when you need them?
(Score: 4, Interesting) by liquibyte on Wednesday July 01 2015, @09:24AM
I see them back-pedalling on this rather quickly once the lawyers do become involved. I'm fairly sure that this runs afoul of several laws. I don't run Windows, never will. If I give someone access to my wifi that does and my key gets spread around and I see it in my logs, a lawsuit is going to happen.
(Score: 5, Insightful) by lentilla on Wednesday July 01 2015, @10:29AM
I'm fairly sure that this runs afoul of several laws.
Why does business always seem to be in such a race to the bottom? It shouldn't have to be laws stopping this, it should have been the people at Microsoft thinking to themselves: "hey, awesome idea, but not the smartest thing to actually implement".
In theory, it sounds like a Good Idea. Everyone wants their computers to "just work". It's up to the experts to rein that enthusiasm back in because quite often "easy" equates to "unsafe". It's the same way that adults have to explain to teenagers that skateboarding down a highway to save a couple of minutes is not appropriate. Nobody [should] like being the "no" guy but sometimes it has to be done.
This feature would be better implemented with a setting to temporarily turn your computer into a WiFi hotspot and temporarily share a particular folder with a displayed password. (Or something along those lines.) The whole "share with contacts" business is fraught with problems and is entirely unnecessary. It's as if somebody came up with the idea to easily share data, and the executives asked "but how can we make it CloudReady?" (Or whatever the buzzword is.) So they tacked on the unnecessary part.
I'm all for sharing data easily. But it must be safe, it must not leak metadata, and it must be cross-platform.
I also wish large technology companies would not make a habit of making inherently insecure products. Microsoft already isn't my favourite company and this "idea" just makes me trust them less. It's hard to have even an ounce of trust in consumer technology when one of the world's biggest technology producers has entire teams of executives, programmers, marketing and legal experts working for months on a product that never should have left the brain-storming session.
(Score: 2) by Leebert on Wednesday July 01 2015, @11:28AM
...such as?
(Score: 4, Informative) by liquibyte on Wednesday July 01 2015, @11:48AM
https://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States [wikipedia.org]
I'm not going to research statutes but I'm going to assume that if I give you access to my wifi and then the folks that wrote your operating system steal my key without my authorization and distribute it to others to use they have just circumvented my security measures. Hacking, pure and simple, even if it is from a privileged position. Game, set, match.
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @11:49AM
The same laws that were supposed to stop everybody else from leaking people's passwords.
Laws should be the same whether it's Microsoft doing it to the little guy, or the little guy doing it to e.g. the Playstation Network.
(Score: 4, Informative) by liquibyte on Wednesday July 01 2015, @12:03PM
Here ya go: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act [wikipedia.org]
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion
(Score: 2, Interesting) by Leebert on Wednesday July 01 2015, @12:14PM
I'm well aware of the Computer Fraud and Abuse Act. How does Microsoft violate it with this?
(Score: 1) by liquibyte on Wednesday July 01 2015, @02:16PM
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(C) information from any protected computer;
(Score: 3, Insightful) by Leebert on Wednesday July 01 2015, @02:52PM
So, Microsoft accessed a computer without authorization by implementing this feature? Sorry, I don't see that flying.
(Score: 2, Interesting) by RedGreen on Wednesday July 01 2015, @03:57PM
"So, Microsoft accessed a computer without authorization by implementing this feature? Sorry, I don't see that flying."
There are none so blind as those who will not see. - John Heywood (1546) still applies nearly five centuries later...
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by Leebert on Wednesday July 01 2015, @06:58PM
I'm trying to understand how one could legitimately claim that Microsoft committed a crime by including this feature. For one thing, Microsoft did not access anything. They provided you software that has a feature that shares data you provide it in a way that is by all superficial appearances insecure and is certainly not expected software behavior by most people. No argument there. But I'm having a hard time seeing a CRIME.
Suppose I developed an app that controlled garage doors, and that app automatically allowed anyone in your contact list to open your garage door. Did I as the app author commit trespass or breaking and entering or other such crime? Nope. They might have done something stupid, maybe even dickish. But not criminal. At least, not as far as I can tell. Especially since consent is probably buried in a license agreement somewhere. Hence my original question: What law are they violating by doing this? Because I can't see it being the Computer Fraud and Abuse Act.
Maybe I'm wrong, but please convince me with actual facts and not a cutesy quote.
(Score: 1, Informative) by Anonymous Coward on Wednesday July 01 2015, @07:29PM
I'm trying to understand how one could legitimately claim that Microsoft committed a crime by including this feature.
It's not including the feature that's the violation; it's providing your WiFi key to someone without your authorization that will be the violation.
(Score: 2) by RedGreen on Wednesday July 01 2015, @07:37PM
As the AC points out, providing your wifi key to world + dog is, if you or I do it, the crime; MS, on the other hand, with the litany of crimes they have committed and bought their way out of in the past, probably will get nothing but at most a slap on the wrist for doing it.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by frojack on Wednesday July 01 2015, @08:56PM
Never mind PROVIDING....
What about just TAKING your WIFI Password?
Even if they have no intent to use it (they are after all several thousand miles away from most users), mere possession might constitute a crime.
Note: the federal statute quoted up-thread may not apply unless the computer was a "protected computer", and when you study the statute deeply enough to find out what constitutes a "protected computer" it usually has to be a federal computer, or banking system computer, etc.
No, you are mistaken. I've always had this sig.
(Score: 2) by DECbot on Wednesday July 01 2015, @04:15PM
Bob visits Alice's house. Since Bob is in Alice's contacts and Bob and Alice both use Microsoft products, Bob now has access to Alice's WiFi--whether she explicitly shared it to him or not (remember, it's opt-out, not opt-in). Martin is Bob's bar friend, and so he is in Bob's contacts to coordinate drinking nights. Unknown to Bob, Martin does questionable things with the internet. Since Alice's WiFi password is in Bob's computer and Martin is in Bob's contacts, Alice's WiFi password gets shared to Martin. Now Martin uses Alice's WiFi to attract the Fed's attention and Alice gets an unwelcome notice from the Fed.
cats~$ sudo chown -R us /home/base
(Score: 3, Interesting) by frojack on Wednesday July 01 2015, @05:22PM
And you totally missed the part of the bar buddy living one floor up from Alice, and therefore having free wifi for life at Alice's expense, and access to her shared music and video collection on her NAS box Public folder. And bar buddy doesn't even have to know Alice.
This is totally different than Comcast's sharing part of your wifi using a separate Vlan to any other Comcast customer, because theoretically all it takes is a tiny bit of extra electricity, and exposes none of your data. (allegedly).
Microsoft's plan just plops you on to other people's WIFI subnet, where you can run up anyone's bill downloading porn, shooting out spam, or hacking the WIFI owner's other computers from the next apartment.
No, you are mistaken. I've always had this sig.
(Score: 2) by Leebert on Wednesday July 01 2015, @07:05PM
Is the transitive relationship unlimited? I don't know how it works, but if I were implementing something like this, I'd limit the sharing to one degree of separation from the person who actually entered the key. Otherwise, Kevin Bacon would have all of our Wifi pre-shared keys by the end of the week.
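A model of the Alice/Bob/Martin scenario and the one-degree limit discussed in the comments above, added here as an example and not part of any post; it does not describe how Wi-Fi Sense is known to behave. The contact lists and the names `key_recipients` and `unintended_recipients` are constructed for illustration.

```python
from collections import deque

# Constructed contact lists: each person maps to the people in their contacts.
CONTACTS = {
    "alice": ["bob"],
    "bob": ["alice", "martin"],
    "martin": ["bob", "dave"],
    "dave": [],
}


def key_recipients(contacts, entered_by, max_hops=None):
    """Return {person: hops} for everyone who ends up holding the key.

    The key flows from each holder to that holder's contacts.
    max_hops=None models unlimited re-sharing; max_hops=1 models a limit of
    one degree of separation from the person who entered the key.
    """
    hops = {entered_by: 0}
    queue = deque([entered_by])
    while queue:
        holder = queue.popleft()
        if max_hops is not None and hops[holder] >= max_hops:
            continue  # this holder may use the key but not pass it on
        for contact in contacts.get(holder, []):
            if contact not in hops:
                hops[contact] = hops[holder] + 1
                queue.append(contact)
    del hops[entered_by]
    return hops


def unintended_recipients(contacts, entered_by, max_hops=None):
    """People who get the key without being in the owner's own contacts."""
    direct = set(contacts.get(entered_by, []))
    got_key = key_recipients(contacts, entered_by, max_hops)
    return sorted(p for p in got_key if p not in direct)


if __name__ == "__main__":
    print("one hop  :", key_recipients(CONTACTS, "alice", max_hops=1))
    print("unlimited:", key_recipients(CONTACTS, "alice"))
    print("unintended:", unintended_recipients(CONTACTS, "alice"))
```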
(Score: 3, Informative) by captain normal on Wednesday July 01 2015, @05:41PM
"...without authorization or exceeds authorized access...."
Did you actually read the TOS for Win10?
"It is easier to fool someone than it is to convince them that they have been fooled" Mark Twain
(Score: 0) by Anonymous Coward on Wednesday July 01 2015, @08:18PM
If Microsoft has the key then NSA has the key.