When connecting to a password protected router you are given an UNCHECKED BY DEFAULT option to share the password with your friends. What this means is, the user can deliberately share the password they know.

This is just as secure as any other system because once you give a user a password they could share it if they chose. Nothing here is "automatic" no data is being proliferated without user consent. If your employees leak your password this way, then it's the same as leaking passwords otherwise.

Again this not an opt-in-by-default scenario. It requires a user knowing a password to actively choose to share for each router independently.

I don't see why this kind of automatic sharing should be a 'feature' or frankly should exist at all. I would wager it helps almost no-one (given WP8's miniscule adoption numbers) and just serves to stir up controversy like this that makes MS look bad.

I would wager it helps the windows phone users and doesn't hurt other people. Also it's coming to windows 10 I believe.

What happens when a jealous ex or stalker that's still a mutual friend suddenly gets access to your wifi network? What about the security implications of MS' servers storing the passwords, and do they disclose whether those passwords can be subpoenaed by law enforcement? This seems like a hornet's nest of nasty privacy and policy issues. It boggles my mind why they think this would be worth doing.

Why is this such a difficult task that it even needs to be solved?

And if someone thinks it is a pain to always be asking, then they are free to use cellular connectivity or maybe even, sit and talk without damned devices in their hands.

A little bit off-topic, but:

What would be nice is if NFC tags with the WiFi datatype/field would actually work out of the box.

I bought a bunch of NFC stickers online they're pretty cool (and real cheap, 25-50 cents a piece depending on how many you get). You can easily write data into them with an app called "NFC Tagwriter" (by a company called NXP)[0].

You can put roughly the same fields into an NFC tag as you can put into QR-codes: plain text, URL, email address, contact info, etc. But the cool thing is that I haven't seen any phone that came with a QR-scanner app pre-installed (which is I think one of a couple of big reasons why QR-codes aren't really taking off). However, it turns out that any phone with NFC capability can read NFC-tags without any additional software, you just need to enable it in the settings (like Bluetooth or WiFi, except that NFC hardly uses any battery at all because it's so close range).

A curious thing about using NFC is that when enabled, in many cases it does its "thing" without any prompt or confirmation. Plain text immediately pops up a message (that you can't copypaste, share or save, only dismiss). An URL immediately opens your default browser and goes there!! Only prompt you may get (on some phones) is to ask which browser to use (but it often seems to just pick Firefox, for some reason).

So far, best uses I came up with are silly pranks (but that may just be me).

Except the WiFi-network datatype. That one seemed really quite useful (as well as hilarious, like sticking the tag into a bible or such, "to get my WiFi password, put your phone on the bible and swear to not abuse my network").

... if it weren't for the fact that, out of all types of field that just seem to work reasonably well, the WiFi datatype just pops up a message with a MIMEtype-like string, no password, nothing. I tried a whole bunch of my friends' phones (mainly Android, though), and only a single Sony phone seemed to get it, while a very similar but slightly newer Sony phone did not.

On my own phone I can use the NFC Tagwriter app and configure the NFC settings to do the right thing with the WiFi datatype tags, but that puts you in the same place as QR-codes, having to get an app, and even change the settings. It would have been so cool if the WiFi datatype would work as frictionless as NFC tags with plaintext or URL fields on them.

Ah well, maybe next year's technology :)

[0] Sidenote/tip: my Samsung S4 phone is rooted, running Cyanogenmod. A few months ago the NFC Writer app autoupdated and told me it couldn't run on a rooted phone (not the app's fault, but the NFC library it uses). This was easily remedied with the Xposed framework and the "Rootcloak" module. After all I am root, which means I can also tell the app that I am not.

California is an awesome place! I'm always happy to visit my friends over there. Manage to do it once or twice every year. So far, wifi password never stayed saved in my phone for one reason or other. Failing to enter it correctly several times and asking for help has been a consistently awkward experience.

So I perfectly understand why this would be a nice feature. The drawbacks? Someone using your access point for something shady? How would they do that, parking on someone else's driveway in a residential district? That's too suspicious and would probably attract more unwanted attention than doing that from your own access point at home.

- Sharing is binary, it's all of the contacts or none. This is not what people really expect when thinking about a feature like this.

- The password really only has to be typed once. I don't have thousands of people coming over and even if I did, they put in the password the first time and it's saved locally. The benefit in skipping those few seconds in exchange for sharing with everyone else doesn't make sense.

- The FAQ also states that any public wifi spots that have been shared will be automatically connected to, including accepting the terms and even sharing some personal info like name, email, etc.

- The way it's worded is dangerous, mainstream users who don't know how this works will just go ahead and click this thinking its so much more convenient (and it is) but it doesnt properly reveal what's happening.

If this features truly works as stated, it is an incredibly arrogant thing for MS to do.

1) Wi-fi access point owner is absent from that decision about sharing the password or not, other than the SSID name (thus, I suggested that Microsoft should have made this ins option basis. This way, at least that it would show that the owner of the AP is WILLING to participate in that.)

2) People do very stupid things. They may not even see a single implication before they "check" it. I've seen a lot of people enabled certain feature "because it sounds useful" without seeing further implication. Especially when they are not that tech-inclined, they may flip that switch "because everyone else's doing it," "that's the way I do in my home," or "I didn't know that's what it meant." I'd know if he/she is sharing my wi-fi password on Facebook by that person writing on their timeline (which I'll pick up my phone and start screaming at that person) but this seems to be much more discreet than that.

Again, it doesn't really matter if that checkbox is checked or not. It's a bit of a different story if they had to drill down to several layers of menu (which I wouldn't change my opinion that it is still a bad idea) -- but it sounds like this option is presented right in their face everytime they are connecting to new networks.

>... WiFi Sense can do a lot of things for you to get you connected to the Internet using WiFi, so you don't have to do them on your own. These include:...

> - Accepting a WiFi network's terms of use on your behalf...

That doesn't seem appropriate.

Apple deals with this somewhat by opening a Webkit view of apple.com (unsecured) and displaying it the user if it's not in fact apple.com. But an even further level of automation would be great.

Let's be honest, no one reads these things anyway. If you're one of the handful of people in the world who would decide not to use a WiFi network because you didn't like its TOS, then you're 1) probably not running Windows anyway and 2) could turn this feature off.

Time and again courts have upheld click-through TOS and EULAs. Ignorance is rarely an excuse. So if something clicks through a captive portal for you, the defense of "I didn't know..." isn't going to hold much water.

The only defense might be that Microsoft accepted the terms and they should accept responsibility for any violations on their behalf. But good luck getting them to voluntarily indemnify you.

If there was no reasonable way for you to even know the terms were there at all, I don't think any court is going to consider them to be binding. That's why these places show them to you when you try to use their network, instead of just hiding them in the freezer.

It's quite possible that using the Microsoft software to bypass a captive portal without agreeing to the terms will land you in jail for a felony.

Is Microsoft going to indemnify you against being the trial case of that legal theory?

How do you define "quite possible"? I'd estimate that this is exceedingly unlikely to happen.

In the US perhaps. Most other places have consumer protection laws that require a much higher standard for contracts to be legally binding.

It isn't as though anyone actually reads the terms of use anyway.

Probably the best feature of Wi-Fi Sense.

I'd love this feature - connecting to all the open wifi connections around downtown and then letting my phone/laptop log me in through their terms of use acceptance pages (looking at you Tim Horton's) seamlessly.

Automation like this is dangerous, I'm not sure saving 10 seconds is worth this kind of massive trust and security breach. When I give someone my wifi password, I know they can just post it on Facebook but at least that's a conscious decision. Same with accepting EULA, at least that was a choice, even if I didn't read it. Doing either thing automatically though is just ridiculous in terms of privacy, security and potential legality so how does a giant company with lots of smart developers and lawyers decide this is a good idea?

Google requires you to have "_nomap" at the end of SSIDs to "opt out" of certain services...

COMCAST56B4_nomap_output_security_reinforce_superhappy_wifienable_security_ALLOW-P^[A-Za-z0-9\.]+$-_DISALLOW-P^[pet][0-9]$

Edit1: Also, previous connections are by default not shared automatically either, you have to go to manage known networks and select them and press share before it gets shared.

Edit2: If people connect through your shared network, then it shouldn't allow their friends to connect as well. (To my knowledge of this)

That said, I think Microsoft made a serious blunder here; it's inherently flawed and I can't immediately think of a way for them to fix it without getting rid of its entire raison d'être.

Edit1: tho i can see the downsides of this, add you neighbor on Facebook and get free access to their WiFi xD

Edit2: You can select whether, you want to share network with Outlook, Skype and Facebook friends, so what i wrote in Edit1 could be invalid if you simply uncheck Facebook.

I don't use Windows, so I cannot use this system at all.

"add you neighbor on Facebook and get free access to their WiFi"

That's missing the much bigger downside. Give your neighbor your Wi-Fi password and they can share it with hundreds of their friends automatically.

Microsoft claims users will not be able to find the password and that users will only be able to access the Internet, but that assumes there are no security holes. I'm not comfortable putting my network security in the hands of a company I did not choose to associate with.

You don't even need a "security hole": the machine needs to know the key to connect. From there, it's your machine -- you will be able to read it out of memory. Now, this is probably out of reach for most "average users", but for even a moderately capable attacker it provides little protection (and tools automating this will likely become available).

At best, if the Wifi network is using a passphrase it'll only send you the key (which is calculated by applying the PBKDF2-HMAC-SHA1 function to the passphrase using the SSID as a salt for 4,096 iterations), but this still lets the user get on the network and decrypt traffic.

Give your neighbor your Wi-Fi password, and they can trumpet it on the streets, distribute on pamplets, post it on HN, and update their Facebook status with it.

I am a little shocked at the HN reaction here. I've had a Windows Phone since January and I've thought the feature was not only useful, but a great idea. The only benefit for me has been the automatic TOS acceptance though since nobody else I know has a Windows Phone.

If you're running a "secure" wireless network and don't want anyone else to use it, well, don't give anybody you don't trust the password, and make sure they're not running services like Wi-Fi Sense. Generally speaking, the common man is going to want any of his friends he lets into his house onto his Wi-Fi anyway.

I don't believe Wi-Fi Sense is on at all by default (I am pretty sure I had to turn it on), and it explicitly shares only Wi-Fi networks you select, not all of them. You have to go in to your saved Wi-Fi networks and share each one individually. You also have to individually check each list of contacts (Outlook, Skype, Facebook, etc.)

It is absolutely not sharing all your networks automatically with all your Facebook friends.

Here are screenshots (note I'm 99% sure I turned on Wi-Fi Sense):

http://i.imgur.com/bzaK2aT.png http://i.imgur.com/vnbDkdj.png

I suppose it's ironic the FUD is directed against Microsoft now.

It could also require buying new hardware. Once again, I would know to look for a Wi-Fi Sense-proof router, but my friends would not.

I also don't think we should be expected to solve problems that Microsoft caused. Why should the industry adapt to Windows rather than the other way around?

> Your contacts don't see your WiFi network password.

> When you share network access, your contacts get Internet access only.

How can they ensure these two?

Most likely they mean "we disable the show password option".

The password is not stored on the devices of the people you share with. It's stored on Microsoft servers. When the device someone you have shared with notices that a network you've shared is available, it gets the key to connect, then presumably forgets it.

I wonder if it is possible to do better? The idea would be that when setting up the connection (so, setting up session keys and authenticating) the device could pass these packet through to Microsoft's server. Microsoft's server could then calculate the response packets and give them to the device to relay to the access point. When the connection set up is all done, Microsoft's server could pass the session key to the device, and subsequent packets would be handled entirely on the device.

There are two (at least) things that could torpedo this kind of approach. (1) the protocols might work in such a way that you cannot hand off the setup/authentication, or they might require frequent enough re-keying that spotty cell access could prevent keeping wifi working, and (2) the connection setup and authentication might be handled in firmware that does not provide a low enough level interface to do the fiddling needed.

So you still need minimal internet connectivity in the first place In order to ask MS' servers? Suddenly sounds less useful for things that aren't phones.

Also this entire thing seems dumb. If you need to connect to Microsofts server before you have wifi then you already have data.

It is supposed to be impossible to RE the code for anything useful - the keys are encrypted using the public key of the secure enclave. You'd need to break the chip itself to win, and since Intel knows this, we can assume they'll make it incredibly hard.

Of course, since MS wants this to work on current hardware, not "shipping sometime in the future" we can assume they aren't using Intel SGX. But in theory it's fairly strong DRM.

https://software.intel.com/en-us/blogs/2013/09/26/protecting...

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w... - Section: "I'm concerned about sharing WiFi networks. Can you tell me a little more?"

RouterOS ships with one. But RouterOS/Mikrotik offers some pretty incredible functionality at a sub-$35 price point. It is very atypical of anything (even in the SMB space).

However RouterOS isn't a "consumer" system by design. In fact you better have solid network knowledge or you'll struggle even as a power user.

By using WPA-Enterprise, this wifi sense feature will likely do nothing.

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w...

And of course, all this data is open to .gov subpoena, yes?

EDIT:

Oh boy!

Some WiFi hotspots ask you to accept the terms of use in a web browser, provide additional information or do both before you can connect. WiFi Sense can do these things on your behalf to get you connected quickly.

Yeah, this isn't a fucking trap at all.

Does all the collected WiFi data go to Microsoft HQ?

Bear in mind though that Google probably knows your wifi password if you or a friend syncs their phone's authentication data.

(Google's legal troubles were a separate issue btw)

Have every Win10 installation generate a public/private key pair. Share the public key with MS.

When you share a password with all your contacts, MS can send all of their public keys to you, where you then encrypt the password with them and send the results back to MS. MS can then send the encrypted passwords to the contacts, who can then retrieve the password with their private key.

Something tells me they probably didn't do it this way, but it doesn't sound like a particularly hard goal to achieve if one thought it was important.

I agree that it must be do-able, it's just tricky to make it work transparently and simply so every user benefits.

http://technode.com/2014/11/17/wifi-hotspot-sharing-skeleton...

* just friend my business on Facebook

Someone has to realize how dangerous this is. How would ANY corporation EVER allow a single Windows 10 machine to connect to their wifi, let alone contractors, or...

Do they not realize how paranoid network admins are to begin with? Windows XP forever, I guess.

My idea was simply a way to accelerate the spread of a worm through consumer wifi gear by using the set of fake profiles to always be friends-of-friends with the owner of the network (and thus friends with someone who has connected, thus allowing you to connect).

The process would be something like this:

1. Find a vulnerability in consumer wifi gear, such that insecure default allow the default config to accept new code from only inside the LAN. (These types of vulnerabilities with default passowords are common; however, remote access is often disabled.)

2. Upload code to one router.

3. Infected routers look for neighbors who they can connect to the network of, then upload the attack code once they're masquerading as a device on the LAN.

4. Repeat 3.

Normally, the reason that this attack doesn't really work is that there are simply too few open or insecure LANs of the same hardware type for the attack to have an effective spread rate, thus it's only a thin weak network and breaks quickly in the face of customers fixing, upgrading, or simply turning off their gear.

However, in allowing friends-of-friends to get access to a LAN, Microsoft has removed this barrier to worms spreading across consumer networking gear for anyone that can amass a stock set of profiles with decent geographical coverage, making it a viable way to accelerate the spread of a worm through networking gear.

Ed: Of course, once the routers themselves are infected, and you have good geographical coverage, the infected routers can be used as a platform to launch attacks. Again, the reason that we don't see this in practice is that it's too hard to get access to all of those LANs because of even the weak security that exists. Microsoft removed that, making the attack viable if people can infiltrate the Facebook social graph.

I'd be less uncomfortable if you had to deliberately choose which friends to share a certain network with. "Share with this person", or something.

https://www.schneier.com/blog/archives/2008/01/my_open_wirel...

(This was 3 years before that. In some ways, it's a bit sad that we've closed ourselves off in order to avoid what might actually bit pretty small risks...)