by somat 703 days ago
You are not wrong and I agree with you that this sort of bullshit is laughably unacceptable.

Unfortunately nothing opt in ever gets wide adoption. So I expect to keep seeing these sorts of infernal acts as people get bright but misguided ideas that require broad adoption to work. For example, Google's wifi cataloging does not work at all if to get cataloged you have to put "_cataloged" in your SSID.


> Unfortunately nothing opt in ever gets wide adoption

Sharing your host's WiFi password with all your contacts should never get wide adoption. It should never be an option anyway.

It shows Microsoft's astonishing ignorance of security.

Well, actually Apple is doing something similar, and it's opt-in.

If you have a contact, they are in their settings, and they're nearby and they can see your wifi network, a prompt will appear on your phone which asks if you would like to share wifi credentials with them.

There's some foolery going on to stop it popping up if you're using the device normally, like you have to be in settings or the home screen - or recently unlock your phone or something... But it's very explicitly: opt-in.

It's opt in for the person with the option to share network credentials.

It's not opt-in for the owner of the network, who should really have a say in the matter.

I do use this feature from time to time, but it's typically on networks where either I'm the owner, or the owner's given me permission to share the creds.

This also opens up an attack surface (which I got to experience firsthand on a burner device at DEF CON 31), where someone spoofs an Apple device requesting network creds. The attack itself involves spamming share requests and catching you off guard, causing you to hit OK, or you just hit OK out of notification fatigue.

> It's not opt-in for the owner of the network, who should really have a say in the matter.

Why? It’s literally just a shortcut for asking for the password from someone who already has it and then having it read it out loud or texted. If the owner of the network doesn’t want that happening they need to explain that in either case.

It reminds me a bit of how Waze or Google Maps would end up using access roads as shortcuts with navigation. You let a couple of people use it because you know them. They might tell a few others. Then big tech just sees it as "other people use it, so I'll use it". And now you have no control over your road anymore.

It’s a shortcut that deprives the network owner of agency. As the person running the network, should you not have some degree of control over who gets to join your network, be it fully open, fully closed, or anywhere in between?

> It’s a shortcut that deprives the network owner of agency.

It doesn’t, they have exactly as much agency as they would if the shortcut didn’t exist.

> As the person running the network, should you not have some degree of control over who gets to join your network, be it fully open, fully closed, or anywhere in between?

If you want more control than a shareable password provides, it’s on you to implement something other than a shareable password. A feature that merely helps people share passwords doesn’t change that.

If you need control over who joins your network, implement 802.1x or a captive portal or something. If you just use a WPA key, people will always share them, you can't stop them, there are literally crowdsourced online databases of "free internet" WiFi keys.

Use RADIUS then. If you told someone the password, they can share it.

The guests could already simply tell each other the password.

You have that control: allowlist individual devices.

How does it change the network owner's ability to decide who gets to join their network?

> where someone spoofs an Apple device requesting network creds

How does this work? Isn't there any verification done through iCloud or something? I don't expect my phone to know about all my contacts' iphone identifiers.

I just tried this the other day with my cousin's wife whose phone number I don't have stored in my contacts and it didn't offer to share the wifi password until we both added each other's number.

> Unfortunately nothing opt in ever gets wide adoption.

Computers were opt in.

Until they weren't.

Yeah, widespread adoption will do that to things.

> Unfortunately nothing opt in ever gets wide adoption.

Too fucking bad for them. This opt-out bullshit for everything like this, marketing emails, etc. is bullshit. I’m sick of it.

Don't forget the website cookie popup tomfoolery, where you must study each and every popup carefully lest you click the wrong button to opt out.

...and they NEVER remember your preferences, well except your shopping preferences which will stick to you across networks and devices.