by jsnell 4723 days ago
If you're going to dismiss an argument as "horseshit", you should perhaps offer a compelling alternative. Because your idea of what is going on is frankly ridiculous.

It's easy to see the user-experience story for this. Upgrade your phone, buy a tablet, etc, and as by magic all 10 wifi networks you use work without any configuration. No need to type that 32-character nuisance of a WPA2 password again, etc. How lovely!

Your conspiracy theory hinges on the idea that Google wants your precious wifi password for themselves, not for your convenience. That seems unlikely. Google doesn't care about your network. They might care about your web usage patterns insofar it makes it easier to provide better search results and improve ad targeting. Your network is worthless for that. Using the passwords to actually access these wifi networks would also be a massive legal and PR nightmare.

So on one side you have delighting users. On the other side you have a malicious attempt to gather useless data at massive risk. How can there even be a question of which explanation makes more sense?


Encrypt the data on the device. Backup encrypted version in the cloud. Download encrypted backup to new device. Unencrypt on new device. Merge versions on the device.

No need for plaintext on Google servers. No way for monetization by Google.

Or to put my alternative another way, how much is a data set mapping WiFi passwords to networks for the city of Beijing worth to a foreign intelligence agency or other state-level actor? An answer in terms of dollars or 1000 clicks is equally acceptable.

As an alternative, how much is such a data set for Redmond worth to Google?

For extra credit, determine the value of each data set if it includes historic data on password changes, changes to the individual password repositories of each user, and changes to the densities of WiFi networks at specific locations.

In the end, it comes down to money in Google's bank account, not delighting users (see Reader). Since Google does not directly profit from the sale of nearly all Android devices, the burden for the thesis of delight is to show an alternative mechanism by which Google directly profits from the plain text storage of passwords.

You're providing innuendo and "exercises for the reader", not an argument. That's pretty weak.

What would such a data set of Redmond be worth to Google? Nothing. Because accessing those networks for industrial espionage (if I read your innuendo right) would be illegal and immoral. It would drag Google's name in the mud, lose them customers, credibility, and most likely a decent chunk of talented employees. The liabilities would be massive. And what's the gain? I don't know what you think it would be, but it'd have to be pretty damn valuable to outweigh the potential costs.

As for monetization... Android is a moat. The way things are going, whoever controls the client operating system controls the default web browser and the default web search. This is an existential threat to Google. Microsoft winning the mobile OS war would soon make Bing the leading search engine. Apple conclusively winning would allow them to charge monopoly rents on access to the users.

It's like Google Toolbar back in the day. It's possible it provided some information about user behavior. But the real value came in that it added a visible Google search box into IE.

I look at the money.

Google made $10 billion last year.

In a cyber-war, how much would the Kremlin pay to disrupt every Chinese WiFi network to which an Android device has a current password?

In a shooting war, how much would the US pay? Keep in mind that the modern battlefield increasingly uses ordinary data devices particularly in counter-insurgency operations.

Jim McDonnell, Donald Douglas, Jack Northrop and Leroy Grumman did not start out as defense contractors. They diversified their corporations when voluntarily seizing the opportunity was a good alternative to the threat of compulsion during the Second World War.

This may in fact be the one time that the rules are different. But there's very little historical precedent upon which to premise such a belief. GM produces military vehicles. Westinghouse and GE produce powerplants for ballistic missile submarines.

[edit] The question of how plaintext leads directly to Google profits remains unaddressed. It is not as if Android users can recover their passwords by calling up Google customer service. On the other hand, storing passwords in plain text is usually a decision made to facilitate requests from a company's customers. Asking who constitutes Google's customers is a reasonable place to start when inferring motives.[/edit]

  I look at the money.

  In a cyber-war, how much would the Kremlin pay to
  disrupt every Chinese WiFi network to which an Android 
  device has a current password?
Do you think Larry Page can be bought?

I'm serious: You need to consider the way Google is run before deciding if any of these theories are plausible.

This is a company which has a history of spurning money-making opportunities in favor of some higher ideal (often times to the chagrin of business-minded types within the company). To give a few examples: Licensing Android, complying with China, accepting paid placements, etc.

You can argue each of those decisions was actually more profitable for Google in the end. And that's the point: Google would not make $10B next year if they sold out their users to the Kremlin this year.

My opinion about Larry Page's price is that it depends upon who is buying and what they are offering. An offer similar to one from the Kremlin which is easy to refuse might be one he cannot refuse from Fort Meade.

But lest my meaning is misunderstood, an offer from Fort Meade might be one Mr. Page gladly accepts as a US national - I certainly have no more reason to question his patriotism than to believe it to be partisan in the extreme.

Even removing patriotism from the equation, developing and maintaining good relations with governments and their agencies involved across national borders probably makes sound business sense for a company of Google's size. And I have little doubt that Mr. Page places substantial value on international business opportunities.

> Do you think Larry Page can be bought?

Absolutely. His price is letting him remain a billionaire. I'm of the opinion that most billionaires would sell their own mothers to organ harvesters if failure to do so would result in them becoming poor.

...but the NSA most likely has access to this data right now, for free.

> Setting up a password for an Android device only needs to be done once for each device->network pairing.

So you want _yet another_ password between the user and his magical experience or whatever?

I see myself as a "privacy enthusiast", and even I recognize that wanting to encrypt wifi passwords in this way would only appeal to ~0.01% of android users.

You could argue that google could make this an option hidden under the three dots / context menu / whatever that thing is called, but there's probably much lower-hanging fruit than this.

>> So you want _yet another_ password between the user and his magical experience or whatever?

I find this a pretty weak objection. Do you really want to trade all your stored passwords for the convenience of not having to enter 1 additional password ('my Android backup password') once every one or two years when you activate a new or additional device?? I wonder how this objection rhymes with having logins on 20+ different websites?

While I don't believe that Google wants to harvest your WiFi passwords (but also don't rule it out), I also don't think it's all that paranoid to assume that Google deliberately chose to not encrypt backups by default, so they can extract useful information from Android device backups. Or do you still believe Android is 'free' because Google is a charity?

You missed the central part of my argument, so I'll reiterate it here: users don't care about this stuff, and passwords are user-hostile. Google chose to implement this a certain way that works for 99.99% of people.

Now, in the 0.01% case, your counter argument still doesn't hold, in my opinion:

> Do you really want to trade all your stored passwords for the convenience of not having to enter 1 additional password ('my Android backup password')

Yes.

Even strong wifi passwords can be brute-forced within minutes from the curb by anybody with an unmarked van and a measly few GPUs. At this point in the technology race, wifi passwords are really just keeping the honest people out. If you want something stronger, you're going to have to go to machine certificates on each laptop / mobile device.

> once every one or two years when you activate a new or additional device??

Even worse, passwords that aren't used often exit my fingers' memory and are thus lost to time (unless I write them down and store them in my safe deposit box or keepassdroid or whatever, but "hardly anybody" does this, so Google would get phone calls from users every year or two saying "can you give me the password that I'm supposed to be using to keep from giving you my passwords? kthx").

Can you give a source for that - I thought WPA2 AES was still quite secure, assuming you use a long random password?

Ah, you're quite right, thanks for making me look this up.

I found some Tom's Hardware article that goes into "a few GPUs in a desktop" all the way through "renting 20 machines with GPUs from EC2 for a while for <$20 USD", and it seems like a password that is long (>=12 characters for now), doesn't have dictionary words, and uses more than just [a-zA-Z0-9] will be safe from undedicated adversaries for a number of years (probably the life of whatever router you're using).

You could in theory salt the primary account password with a new salt, derive a key from it and use that to encrypt the password list (sending the salt alongside it). This of course implies that the plaintext password never hits Google's servers, which it probably does.

In general, I'm not sure this is a valid threat model. If you're not trusting Bob with your Wi-Fi passwords, why are you trusting him with everything else? If anyone compromises Google, there's far more valuable data on your account than the Wi-Fi list. Even if that's all they gain access to, it's pretty hard to exploit remotely. If someone is targeting you at this scale, you have bigger problems to worry about.

Well I don't agree that there's far more valuable data than the ability to access my internal network. If my wifi network wasn't segregated from my wired network, by getting my wifi password you have bypassed my firewall, giving you access to my/my company's servers.

If someone has the resources to obtain your Wi-Fi password from Google and is determined enough to get within range of your network, you're being targeted by a very dedicated adversary. Things like physical security, TEMPEST and listening devices become valid concerns. This is a highly unlikely adversary for the majority of internet users.

Note that non-targeted attacks (the type that leak password lists) are not a serious threat here.

That's not necessarily true. I imagine the data would most likely be targeted by a third party that's disinterested in you, but very interested in your adversary's money. I wonder what the going rate for all the WiFi passwords on my block would be. Or neighborhood. Or zip code.

Decrypt encrypted backup on the new device how? What password / key would you use, and how would that be backed up / made known to the user, which it does not do now?

If it's a device password, enjoy re-encrypting if they change it. Or handling two device passwords.

If it's a user password, then how do you change encryption everywhere when they change their password? Only option there is to have Google decrypt and re-encrypt it and push it to every device, since otherwise you losing connection means corrupting your backup, at which point they have it in plaintext, no difference.

Most people really have 10 different WiFi networks? I have two. Home and work. Who has 10?

Apple solved this by supporting local backups. My phone backs up to my computer. When I restore to a new device, the backup goes with it.

When I set up a completely new device -- which happens only once every couple of years -- I set up WiFi again. I've never, ever, ever thought "oh wow, setting up WiFi is just So Hard! I wish Apple would store my private WiFI password on their servers by default without telling me first!".

iCloud backup does store your data on Apple's servers, but it's opt-in, and it makes it quite clear what will be stored.

>Most people really have 10 different WiFi networks? I have two. Home and work. Who has 10?

Home, work, the office where I do side work, my in-laws' house at the beach, my parents' house in another state, multiple friends' houses that I frequent, my doctor's office, local restaurants, etc. Some of these places are cell signal dead zones and the only way to get a signal is to connect to WiFi. Plus WiFi is faster, more stable and doesn't cut into my limited cell data plan.

- Home
- Brother's house
- Other brother's house
- Sister's house
- Brother-in-law's house
- Work #1
- Work #2
- Cafe #1
- Cafe #2
- Cafe #3
- School

And these are just the ones that I remember.

If you're in the habit of connecting wifi at cafes/bars etc. you can easily run past 10 (wow - just checked the list on my 18 month old laptop, it's currently 110 networks).

Though not all of the bar/cafe networks are passworded, likely.

This is also opt in, as part of the first boot process. It also makes it very clear what will be stored. The difference is that this is free.

Crucially (at least on my device,) there's no granularity to this opt in - I cannot choose to backup my application data but not my WiFi passwords. Now my options are to either accept Google's storage of my network passwords or set up and maintain my own backup system.

That assumes your application data is less important than your WiFi passwords. I don't think a distinction at that level is useful. To be useful, it would have to be per application. I don't care if some game status is synced, but I surely care if my email credentials are (although caring may just mean I'm aware, it doesn't necessarily mean I would change it).

Do they mention that it will be unencrypted? I don't remember that, and I think I would have remembered that.

I agree that trusting Google with wifi passwords is about as benign as it gets (especially if you already trust them with everything else) but the reason we encourage password encryption isn't because we don't trust the service provider, it's because we don't trust hackers or unethical employees. There are a lot of people who would love to get their hands on that data.

Not benign at all. Read the story about how some Facebook administrator challenged Facebookers to hack into Facebook. The way they did it was to drive by his home and impersonate his home wireless router. My understanding is that once you do that, you can do man in the middle attacks.

Example: Oh you thought you were accessing Facebook, bank, stock, tax... oh you are... but first you are passing along your password to a third party.

Also, once you gain access to the network, what percentage of networks allow administrator access over wi-fi? I would bet a good percentage. What percentage of these have the default password? Again, a good percentage. So basically, you can hijack quite a few networks this way. Do you know what most routers keep a log of? Your entire browsing history. Do you know what else you can do to the network? Open up inbound ports.

Note: The impersonation attack may work even without passwords. Figure out what his/her network name is. Give your network the same name. Scramble the signal coming from the other router. Have him/her enter in a password to your network. Voila.

Fair enough; it's not really benign, only in comparison to all the other data google stores and aggregates regarding its customers (imagine a map of Google Now data)
> Because your idea of what is going on is frankly ridiculous.

Really?

> It's easy to see the user-experience story for this.

It's even easier to see how handy millions of wifi passwords might come in handy if you already have the information about the wifi networks you got from war-driving (street view).

You now have access to millions of (private) networks all over the world which you previously had not.

  It's even easier to see how handy millions of wifi
  passwords might come in handy if you already have the 
  information about the wifi networks you got from
  war-driving (street view).
Do you have any idea what you're talking about?

Talk to a real live Googler (they exist!). Any one of them will tell you that:

(a) the war driving thing was one engineer's massive fuckup that was never wanted for any product, and the data was quickly quarantined (and only kept alive due to legal proceedings), and

(b) anything remotely close to nefarious conspiracy theories being posed for this .. sync protocol .. would never, ever pass peer review internally (let alone the flames of eng-misc).

User data confidentiality is one of (if not the most) serious topics within Google. Again, don't take my word for it, ask someone else.

To suggest that Google is collecting customer passwords for the express purpose of future network intrusion, or to share with spy agencies, is just ignorant.

I'm not sure what you're talking about. Google collects information on wireless networks for a very specific purpose - determining location to speed up or replace GPS. Skyhook Wireless is another company that sells the information obtained from wardriving.

https://support.google.com/maps/answer/1725632?hl=en

Are you saying this service was shut down despite all indications to the contrary, or are you disputing the method used to collect this data?

I was referring to the StreetView Skyhook-like program that did exist, and yes, it was shut down after it was discovered to be collecting more than just SSIDs:

http://googleblog.blogspot.com/2010/05/wifi-data-collection-...

  In addition, given the concerns raised, we have
  decided that it’s best to stop our Street View
  cars collecting WiFi network data entirely. 
I presume this is what the OP meant by "war driving (street view)", and not the on-device collection you refer to.

Wardriving actually specifically refers to "the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant" per Wikipedia.

It looks like that blog post only states that they deleted the erroneously collected network data.

https://en.wikipedia.org/wiki/Wardriving

So the NSA knows that Google has access to this information. I bet they have ALREADY forced Google to give this information up even if only on a warrant basis (but perhaps not).