Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-23 Thread Heath Barnhart
I think part of the issue was it was originally reported that "Share My 
Network" was checked by default, but that seems to have been reversed in the 
latest build as it is now unchecked by default. I see this as a potential issue 
for enterprises and large organizations, but as Matt pointed out 802.1x is 
really a better choice for that environment.

The part that gets me is that if you choose to use this feature your entire 
contact list gets your PSK. It would be slightly better if you could filter 
your contact list, or even better add and remove users from the sharing list. 
At that point I could see this as a great feature for home users. So and so is 
coming over, give them access and remove it when they leave. Could even be a 
simple check box in your contact list.



--
Heath Barnhart
ITS Network Administrator
Washburn University
Topeka, KS




On Tue, 2015-06-23 at 12:09 +, Williams, Matthew wrote:
I never said that I would trust the network security to an end user.  Just 
alluding to information that, though it is easy to turn on, it is not a 
“Default-On” feature as was suggested in earlier postings.  Like many folks 
have already stated, 802.1X solves the problem.



Respectfully,



Matthew Williams

IT Manager, Wireless

Kent State University

Office: (330) 672-7246

Mobile: (330) 469-0445




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Tuesday, June 23, 2015 7:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)




Do you really want to trust your network security to some clueless user?



I noticed that a student apparently got frustrated trying to use their email 
address to register on our Guest network rather than use the proper options. 
They ended up making this email address. 
imastudentandcantconnectdan...@dangit.com



I do not want to trust my security to someone who cannot even grasp the concept 
of a separate network for guests.






Bruce Osborne

Wireless Engineer

IT Infrastructure & Media Solutions



(434) 592-4229



LIBERTY UNIVERSITY

Training Champions for Christ since 1971




From: Williams, Matthew [mailto:mwill...@kent.edu]
Sent: Monday, June 22, 2015 8:37 AM
Subject: Re: Wi-Fi Sense (Windows 10)




Found this type of information on various sites:



“When connecting to a password protected router you are given an UNCHECKED BY 
DEFAULT option to share the password with your friends. What this means is, the 
user can deliberately share the password they know.

This is just as secure as any other system because once you give a user a 
password they could share it if they chose. Nothing here is "automatic" no data 
is being proliferated without user consent. If your employees leak your 
password this way, then it's the same as leaking passwords otherwise.

Again this is not an opt-in-by-default scenario. It requires a user knowing a 
password to actively choose to share for each router independently.”



Ignoring the ridiculousness of the existence of the feature, it appears to at 
least require someone to intentionally turn it on.



Respectfully,



Matthew Williams

IT Manager, Wireless

Kent State University

Office: (330) 672-7246

Mobile: (330) 469-0445




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 22, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)




802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.



802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.






Bruce Osborne

Wireless Engineer

IT Infrastructure & Media Solutions



(434) 592-4229



LIBERTY UNIVERSITY

Training Champions for Christ since 1971




From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)




I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone el

Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-23 Thread Tevlin, Dave
What is odd to me in this discussion is that the DOD Secure Technical
Implementation Guidelines for Windows Phone 8.1, which currently has Wi-Fi
Sense baked in, has no specific setting for this. Nor is it covered under
any of the other 25 findings. So much for finding help there.

http://www.stigviewer.com/stig/microsoft_windows_phone_8.1/

Dave Tevlin
Network/ Systems Administrator
Georgetown Visitation Prep School

On Tue, Jun 23, 2015 at 7:30 AM, Osborne, Bruce W (Network Services) <
bosbo...@liberty.edu> wrote:

>  Do you really want to trust your network security to some clueless user?
>
>
>
> I noticed that a student apparently got frustrated trying to use their
> email address to register on our Guest network rather than use the proper
> options. They ended up making this email address.
> imastudentandcantconnectdan...@dangit.com
>
>
>
> I do not want to trust my security to someone who cannot even grasp the
> concept of a separate network for guests.
>
>
>
>
>
>
>
> *Bruce Osborne*
>
> *Wireless Engineer*
>
> *IT Infrastructure & Media Solutions*
>
>
>
> *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Williams, Matthew [mailto:mwill...@kent.edu]
> *Sent:* Monday, June 22, 2015 8:37 AM
>
> *Subject:* Re: Wi-Fi Sense (Windows 10)
>
>
>
> Found this type of information on various sites:
>
>
>
> “When connecting to a password protected router you are given an
> UNCHECKED BY DEFAULT option to share the password with your friends. What
> this means is, the user can deliberately share the password they know.
>
> This is just as secure as any other system because once you give a user a
> password they could share it if they chose. Nothing here is "automatic" no
> data is being proliferated without user consent. If your employees leak
> your password this way, then it's the same as leaking passwords otherwise.
>
> Again this is not an opt-in-by-default scenario. It requires a user knowing a
> password to actively choose to share for each router independently.”
>
>
>
> Ignoring the ridiculousness of the existence of the feature, it appears to
> at least require someone to intentionally turn it on.
>
>
>
> Respectfully,
>
>
>
> Matthew Williams
>
> IT Manager, Wireless
>
> Kent State University
>
> Office: (330) 672-7246
>
> Mobile: (330) 469-0445
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Osborne, Bruce W
> (Network Services)
> *Sent:* Monday, June 22, 2015 7:34 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)
>
>
>
> 802.1X can be quite user-friendly if you use an onboarding tool such as
> CloudPath XpressConnect Wizard.
>
>
>
> 802.1X was designed for large enterprise networks. The PSK was never
> designed to be used in this manner, hence the name WPA2-Personal.
>
>
>
>
>
>
>
> *Bruce Osborne*
>
> *Wireless Engineer*
>
> *IT Infrastructure & Media Solutions*
>
>
>
> *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Joel Coehoorn [mailto:jcoeho...@york.edu ]
> *Sent:* Sunday, June 21, 2015 4:48 PM
> *Subject:* Re: Wi-Fi Sense (Windows 10)
>
>
>
> I don't know. It seems like encryption and authorization are really two
> different things that wifi networks have historically conflated.
>
> For our network, I'd really like a better user-friendly (ie, not .1x)
> option that provides good encryption, but assumes you are authorized by
> default. Any authorization or policy enforcement should take place at a
> different level, so it can include wired connections, too.
>
> I haven't looked at the implementation details, but if done correctly,
> this has the potential to solve an issue with large PSK networks, such that
> I could use a Win10 machine to seed the key, without the normal weakness
> that anyone who knows the key can decrypt anyone else's traffic.
>
> Of course, the devil is in the details, and I found it unlikely that the
> key sharing mechanism will be adequately secure, or even if it is, that
> enough device types will support this fast enough to make it a reasonable
> option.
>   --
>
> *From:* Hunter Fuller
> *Sent:* 6/21/2015 3:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

RE: Wi-Fi Sense (Windows 10)

2015-06-23 Thread Williams, Matthew
I never said that I would trust the network security to an end user.  Just 
alluding to information that, though it is easy to turn on, it is not a 
“Default-On” feature as was suggested in earlier postings.  Like many folks 
have already stated, 802.1X solves the problem.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Tuesday, June 23, 2015 7:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Do you really want to trust your network security to some clueless user?

I noticed that a student apparently got frustrated trying to use their email 
address to register on our Guest network rather than use the proper options. 
They ended up making this email address. 
imastudentandcantconnectdan...@dangit.com

I do not want to trust my security to someone who cannot even grasp the concept 
of a separate network for guests.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Matthew [mailto:mwill...@kent.edu]
Sent: Monday, June 22, 2015 8:37 AM
Subject: Re: Wi-Fi Sense (Windows 10)

Found this type of information on various sites:



“When connecting to a password protected router you are given an UNCHECKED BY 
DEFAULT option to share the password with your friends. What this means is, the 
user can deliberately share the password they know.
This is just as secure as any other system because once you give a user a 
password they could share it if they chose. Nothing here is "automatic" no data 
is being proliferated without user consent. If your employees leak your 
password this way, then it's the same as leaking passwords otherwise.
Again this is not an opt-in-by-default scenario. It requires a user knowing a 
password to actively choose to share for each router independently.”

Ignoring the ridiculousness of the existence of the feature, it appears to at 
least require someone to intentionally turn it on.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 22, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.

802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

From: Hunter Fuller <hf0...@uah.edu>
Sent: 6/21/2015 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wr

RE: Wi-Fi Sense (Windows 10)

2015-06-23 Thread Osborne, Bruce W (Network Services)
Do you really want to trust your network security to some clueless user?

I noticed that a student apparently got frustrated trying to use their email 
address to register on our Guest network rather than use the proper options. 
They ended up making this email address. 
imastudentandcantconnectdan...@dangit.com

I do not want to trust my security to someone who cannot even grasp the concept 
of a separate network for guests.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Matthew [mailto:mwill...@kent.edu]
Sent: Monday, June 22, 2015 8:37 AM
Subject: Re: Wi-Fi Sense (Windows 10)

Found this type of information on various sites:



“When connecting to a password protected router you are given an UNCHECKED BY 
DEFAULT option to share the password with your friends. What this means is, the 
user can deliberately share the password they know.
This is just as secure as any other system because once you give a user a 
password they could share it if they chose. Nothing here is "automatic" no data 
is being proliferated without user consent. If your employees leak your 
password this way, then it's the same as leaking passwords otherwise.
Again this is not an opt-in-by-default scenario. It requires a user knowing a 
password to actively choose to share for each router independently.”

Ignoring the ridiculousness of the existence of the feature, it appears to at 
least require someone to intentionally turn it on.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 22, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.

802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

From: Hunter Fuller <hf0...@uah.edu>
Sent: 6/21/2015 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --

Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-22 Thread Kevin McCormick

We are talking about students. At home you have to worry about your kids.

You may know better than to turn it on, but others that are less 
security conscious will turn it on.


Microsoft needs to change this to an opt in option for those that do not 
mind their PSKs to be shared.


This idea that everyone should be opted in and those not wanting to be 
are required to change SSIDs is ridiculous.


Everyone should be contacting Microsoft about how displeased they are 
with this security vulnerability.


Kevin McCormick
Western Illinois University

On 6/22/2015 7:36 AM, Williams, Matthew wrote:


Found this type of information on various sites:

“When connecting to a password protected router you are given an 
UNCHECKED BY DEFAULT option to share the password with your friends. 
What this means is, the user can deliberately share the password they 
know.


This is just as secure as any other system because once you give a 
user a password they could share it if they chose. Nothing here is 
"automatic" no data is being proliferated without user consent. If 
your employees leak your password this way, then it's the same as 
leaking passwords otherwise.


Again this is not an opt-in-by-default scenario. It requires a user 
knowing a password to actively choose to share for each router 
independently.”


Ignoring the ridiculousness of the existence of the feature, it 
appears to at least require someone to intentionally turn it on.


Respectfully,

Matthew Williams

IT Manager, Wireless

Kent State University

Office: (330) 672-7246

Mobile: (330) 469-0445

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Osborne, 
Bruce W (Network Services)

*Sent:* Monday, June 22, 2015 7:34 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

802.1X can be quite user-friendly if you use an onboarding tool such 
as CloudPath XpressConnect Wizard.


802.1X was designed for large enterprise networks. The PSK was never 
designed to be used in this manner, hence the name WPA2-Personal.



*Bruce Osborne*

/Wireless Engineer/

*IT Infrastructure & Media Solutions*

*(434) 592-4229*

*LIBERTY UNIVERSITY*

/Training Champions for Christ since 1971/

*From:* Joel Coehoorn [mailto:jcoeho...@york.edu]
*Sent:* Sunday, June 21, 2015 4:48 PM
*Subject:* Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really 
two different things that wifi networks have historically conflated.


For our network, I'd really like a better user-friendly (ie, not .1x) 
option that provides good encryption, but assumes you are authorized 
by default. Any authorization or policy enforcement should take place 
at a different level, so it can include wired connections, too.


I haven't looked at the implementation details, but if done correctly, 
this has the potential to solve an issue with large PSK networks, such 
that I could use a Win10 machine to seed the key, without the normal 
weakness that anyone who knows the key can decrypt anyone else's traffic.


Of course, the devil is in the details, and I found it unlikely that 
the key sharing mechanism will be adequately secure, or even if it is, 
that enough device types will support this fast enough to make it a 
reasonable option.




*From:* Hunter Fuller <hf0...@uah.edu>
*Sent:* 6/21/2015 3:08 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremo

RE: Wi-Fi Sense (Windows 10)

2015-06-22 Thread Peter P Morrissey
I agree. I can’t imagine a more user friendly option than 802.1X, aside from a 
simple, wide open network.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 22, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.

802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

From: Hunter Fuller <hf0...@uah.edu>
Sent: 6/21/2015 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.



RE: Wi-Fi Sense (Windows 10)

2015-06-22 Thread Williams, Matthew
Found this type of information on various sites:



“When connecting to a password protected router you are given an UNCHECKED BY 
DEFAULT option to share the password with your friends. What this means is, the 
user can deliberately share the password they know.
This is just as secure as any other system because once you give a user a 
password they could share it if they chose. Nothing here is "automatic" no data 
is being proliferated without user consent. If your employees leak your 
password this way, then it's the same as leaking passwords otherwise.
Again this is not an opt-in-by-default scenario. It requires a user knowing a 
password to actively choose to share for each router independently.”

Ignoring the ridiculousness of the existence of the feature, it appears to at 
least require someone to intentionally turn it on.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Monday, June 22, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.

802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.


Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

From: Hunter Fuller <hf0...@uah.edu>
Sent: 6/21/2015 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: Wi-Fi Sense (Windows 10)

2015-06-22 Thread Osborne, Bruce W (Network Services)
802.1X can be quite user-friendly if you use an onboarding tool such as 
CloudPath XpressConnect Wizard.

802.1X was designed for large enterprise networks. The PSK was never designed 
to be used in this manner, hence the name WPA2-Personal.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Joel Coehoorn [mailto:jcoeho...@york.edu]
Sent: Sunday, June 21, 2015 4:48 PM
Subject: Re: Wi-Fi Sense (Windows 10)

I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

From: Hunter Fuller <hf0...@uah.edu>
Sent: 6/21/2015 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha
<jandrewar...@ccgs.wa.edu.au> wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877


Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Kevin McCormick
They should not be forcing everyone to add "_optout" to their SSIDs, but 
instead if you want to share your network's PSK then you should add 
"_optin" to your SSID.


Kevin McCormick
Network Engineer
Western Illinois University

On 6/21/2015 9:45 AM, James Andrewartha wrote:


Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature 
that lets you share PSKs with your Facebook and Skype friends, 
although they don't get to see it. The only way to opt-out as a 
network operator is to include "_optout" in the SSID, or use 802.1x.



Given you can run netsh wlan show profile name="SSID" key=clear I 
wonder how it will interact with Aerohive Private PSK and Ruckus 
Dynamic PSK which give each user their own individual PSKs per-device.



http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/


--

James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877



Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Hunter Fuller
Our student/faculty/staff network keys are not for authorization;
however, we have some one-off event networks and such with PSKs that
we would rather not be publicly known as soon as we set them. I just
hope we can move to dot1x/guest accounts for those purposes fast
enough to avoid this.

We are planning on doing dot1x over wired and wireless connections, so
that will be our solution that will work in both places.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 3:48 PM, Joel Coehoorn wrote:
> I don't know. It seems like encryption and authorization are really two
> different things that wifi networks have historically conflated.
>
> For our network, I'd really like a better user-friendly (ie, not .1x) option
> that provides good encryption, but assumes you are authorized by default.
> Any authorization or policy enforcement should take place at a different
> level, so it can include wired connections, too.
>
> I haven't looked at the implementation details, but if done correctly, this
> has the potential to solve an issue with large PSK networks, such that I
> could use a Win10 machine to seed the key, without the normal weakness that
> anyone who knows the key can decrypt anyone else's traffic.
>
> Of course, the devil is in the details, and I found it unlikely that the key
> sharing mechanism will be adequately secure, or even if it is, that enough
> device types will support this fast enough to make it a reasonable option.
> 
> From: Hunter Fuller
> Sent: 6/21/2015 3:08 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)
>
> Totally unacceptable.
>
> It's like MS missed one of the main points of PSKs (as opposed to
> non-encrypted networks) - to keep people out.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH M-9B
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
> I am part of the UAH Safe Zone LGBTQIA support network:
> http://www.uah.edu/student-affairs/safe-zone
>
>
> On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha wrote:
>> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
>> you share PSKs with your Facebook and Skype friends, although they don't get
>> to see it. The only way to opt-out as a network operator is to include
>> "_optout" in the SSID, or use 802.1x.
>>
>>
>> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
>> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
>> each user their own individual PSKs per-device.
>>
>>
>>
>> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>>
>>
>> --
>>
>> James Andrewartha
>> Network & Projects Engineer
>> Christ Church Grammar School
>> Claremont, Western Australia
>> Ph. (08) 9442 1757
>> Mob. 0424 160 877


RE: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Joel Coehoorn
I don't know. It seems like encryption and authorization are really two 
different things that wifi networks have historically conflated.

For our network, I'd really like a better user-friendly (ie, not .1x) option 
that provides good encryption, but assumes you are authorized by default. Any 
authorization or policy enforcement should take place at a different level, so 
it can include wired connections, too.

I haven't looked at the implementation details, but if done correctly, this has 
the potential to solve an issue with large PSK networks, such that I could use 
a Win10 machine to seed the key, without the normal weakness that anyone who 
knows the key can decrypt anyone else's traffic.

Of course, the devil is in the details, and I found it unlikely that the key 
sharing mechanism will be adequately secure, or even if it is, that enough 
device types will support this fast enough to make it a reasonable option.

-----Original Message-----
From: "Hunter Fuller"
Sent: 6/21/2015 3:08 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877



Re: [WIRELESS-LAN] Wi-Fi Sense (Windows 10)

2015-06-21 Thread Hunter Fuller
Totally unacceptable.

It's like MS missed one of the main points of PSKs (as opposed to
non-encrypted networks) - to keep people out.

--
Hunter Fuller
Network Engineer
VBRH M-9B
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure

I am part of the UAH Safe Zone LGBTQIA support network:
http://www.uah.edu/student-affairs/safe-zone


On Sun, Jun 21, 2015 at 9:45 AM, James Andrewartha wrote:
> Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets
> you share PSKs with your Facebook and Skype friends, although they don't get
> to see it. The only way to opt-out as a network operator is to include
> "_optout" in the SSID, or use 802.1x.
>
>
> Given you can run netsh wlan show profile name="SSID" key=clear I wonder how
> it will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give
> each user their own individual PSKs per-device.
>
>
> http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/
>
>
> --
>
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877


Wi-Fi Sense (Windows 10)

2015-06-21 Thread James Andrewartha
Has anyone tried out Wi-Fi Sense in Windows 10 yet? It's a feature that lets 
you share PSKs with your Facebook and Skype friends, although they don't get to 
see it. The only way to opt-out as a network operator is to include "_optout" 
in the SSID, or use 802.1x.


Given you can run netsh wlan show profile name="SSID" key=clear I wonder how it 
will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give each 
user their own individual PSKs per-device.


http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_shared/


--

James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
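
An added example, not part of the original post or of any message in this thread: it works through the remark above that on a shared-PSK network anyone who knows the key can decrypt anyone else's traffic, and contrasts it with the per-device PSKs mentioned in this post. The SSID, MAC addresses, nonces and passphrases are constructed, and per-device PSK is modelled simply as a different passphrase per device, not as any vendor's implementation.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def ptk(pmk_bytes: bytes, hs: dict) -> bytes:
    """48-byte pairwise transient key (CCMP) for the association described by hs."""
    data = (min(hs["ap"], hs["sta"]) + max(hs["ap"], hs["sta"])
            + min(hs["anonce"], hs["snonce"]) + max(hs["anonce"], hs["snonce"]))
    return prf(pmk_bytes, b"Pairwise key expansion", data, 48)

# Constructed sample handshake for one client ("alice"). MAC addresses and
# nonces travel unencrypted in messages 1 and 2 of the 4-way handshake.
SSID = "EventNet"  # hypothetical SSID
ALICE_HS = {
    "ap": bytes.fromhex("020000000001"),
    "sta": bytes.fromhex("0200000000a1"),
    "anonce": hashlib.sha256(b"constructed anonce").digest(),
    "snonce": hashlib.sha256(b"constructed snonce").digest(),
}

def observer_matches(alice_passphrase: str, observer_passphrase: str) -> bool:
    """True if an observer holding observer_passphrase derives alice's PTK."""
    alice_ptk = ptk(pmk(alice_passphrase, SSID), ALICE_HS)
    observer_ptk = ptk(pmk(observer_passphrase, SSID), ALICE_HS)
    return hmac.compare_digest(alice_ptk, observer_ptk)

if __name__ == "__main__":
    # One network-wide PSK: every key holder can derive alice's session key.
    print("shared PSK:    ", observer_matches("one key for all", "one key for all"))
    # Per-device PSKs: another device's key does not yield alice's session key.
    print("per-device PSK:", observer_matches("alice-device-key", "bob-device-key"))
```

The session key depends only on the passphrase plus values visible on the air, which is why distributing one PSK widely removes confidentiality between its holders, while 802.1X or per-device keys give each client distinct key material.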
