Windows 11 24H2 might call time on that old NAS under the stairs

Microsoft's Ned Pyle has issued a warning to Windows 11 24H2 users. Security has been tightened up, so attempting to access some third-party Network Attached Storage (NAS) devices or a USB drive plugged into certain routers might fail. Pyle, a principal program manager, has long been an advocate for driving a stake into the …

  1. Snake Silver badge
    Devil

    That's rich

    "However, Pyle recommends upgrading the device, either through a software or firmware update..."

    Haha, oh that *is* funny!! Expecting a company to issue firmware updates for your old NAS. That pig that just flew past my window wants to have a word with you...

    1. cornetman Silver badge

      Re: That's rich

      > and perhaps get the vendor to fix it with an update.

      Assuming of course the vendor still exists and still has the source for that machine, or the tools to rebuild an image for it, or a sample of that machine to test it on.

      Some vendors are pretty shocking with their support for their older kit, but there are NASs out there that are *really* old

    2. Chz

      Re: That's rich

      I know they're a bit slow on the patching, but my old QNAP was still getting OS patches 10 years after I bought it.

      1. Korev Silver badge
        Thumb Up

        Re: That's rich

        My Synology DS916 is getting updates after eight years.

        If only they'd release a model that can do 10G and decent transcoding then I'll probably upgrade...

      2. Snake Silver badge

        Re: still getting patching 10 years later

        Because it's QNAP. I've had two, a TS-253 Pro that died from the Celeron RTC failure, and its current replacement a TS-251D.

        QNAP needs to keep giving us software updates because their firmware is so bug-ridden, so infested with security holes, that they can't help but try to continuously patch their leaking dams. QNAP software "quality" is an oxymoron.

        I replaced a QNAP in my office with a Synology and while I find the hardware less impressive (plastic chassis vs metal, etc) at least the software works. The Synology gets but a fraction of the firmware patches the QNAP [does], and stuff actually does work as expected (surprise!).

    3. simonlb Silver badge
      Facepalm

      Re: That's rich

      Yeah, good luck getting all those redundant Drobos updated. Mind you, I did predict their demise and haven't used mine now for over three years as they are nowhere near as good as they were cracked up to be.

  2. Sumpbuster
    Alert

    Voda Ultrahub

    My Vodafone/Cityfibre connection has a supplied Vodafone Ultra Hub. It allows a USB connected hard disk for simple DLNA/SMB sharing....

    A nice notice indicates

    "The protocols in use do NOT support encryption and will only operate in your Local Network. All data will be exchanged in plaintext"

    And it is running V22.1.0515-6261033 of the firmware, and the online updater indicates "you are already running the latest firmware"

    And, no username/password required, all anonymous.

    1. gratou

      Re: Voda Ultrahub

      It could be as simple as adding your server to a white list, but that's too much forward thinking for MS. Better to allow for the whole security setting to be turned off and then blame the users.

    2. Anonymous Coward

      Re: Voda Ultrahub

      Sounds like that's in breach of the very basic cyber-security requirements, the Product Security and Telecommunications Infrastructure Act 2022 and Regulations 2023:

      https://www.gov.uk/guidance/regulations-consumer-connectable-product-security

      I'd report it to Vodafone, asking when this will be fixed, and telling them that unless there's a compelling and prompt response you'll escalate the matter to the Office of Product Safety & Standards (contact details at bottom of that link). If you do escalate it, temper expectations - as with any new regulations the regulator won't want to be heavy handed, so prosecutions are unlikely, and a quick resolution is improbable.

  3. JustAnotherDistro

    Thank goodness there are people who figure out the workarounds for all this and take the time to answer people like me when we go looking for solutions. Otherwise it would be walled gardens and premature obsolescence all around.

    1. doublelayer Silver badge

      The workaround that will consist of the following complicated steps:

      1. Turn it off.

      Changing the default setting doesn't make something obsolete if the previous setting is still there. You can use any insecure thing you want, and it's not anyone's responsibility to leave everything else insecure so you can do it without effort. There are times when something is really intended to make you have to buy new stuff. This isn't one of them.

      1. Anonymous Coward

        Provided allowing access isn't hidden in the recesses of Microsoft documentation. There will be a lot of home users who won't know how to research the answer and are frightened of technical docs. So, we'll all get annoying calls from indignant family members demanding us to re-enable access to their photos because it's "urgent"!

        1. doublelayer Silver badge

          Quite true, but that's not something that should decide how something is designed. Someone can't be bothered to do a simple Google search and, even with Google's reduced quality, the instructions will be the first result if it's not printed right there on Google's page, so therefore we should leave the insecure protocol enabled by default on everyone else's machines? Come on, that's exactly the kind of thing for which Microsoft would be blamed any time someone used that to do something malicious. Insecure protocols get disabled. Manufacturers should stop using them. People should override this if they need to after actually checking if they need to and what other actions they should take, but that shouldn't and doesn't stop us from disabling them when we do not.

      2. Dan 55 Silver badge

        Let's talk again when 25H1 is released and the registry switch disappears.

        I think we all know how the frog is boiled by now.

    2. Anonymous Coward

      Workaround

      The workaround is to start using Linux no matter how painful while you learn. Make the break from the evil empire. ;)

      1. Spazturtle Silver badge

        Re: Workaround

        SMB1 has been disabled on most Linux distros for years.

        1. druck Silver badge

          Re: Workaround

          It's easy to turn back on though, and you could bind a dedicated SMB process to a specific network interface that only has the old NAS on it for extra security.

          We had the problem the other way around on RISC OS as the client was SMBv1 only and couldn't talk to a modern NAS which only supported v3, but a Raspberry Pi running Linux can act as a protocol relay, and you could do that here too.
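
The relay setup described in the comment above, sketched as an added example (not part of the original comment): a Linux box mounts the old NAS over SMB1 on an isolated interface and re-exports it to the LAN over SMB3 only. Interface names, addresses, paths, the share name and the user name are assumptions.

```ini
# /etc/samba/smb.conf on the relay box (constructed example; all names and
# addresses below are placeholders)
#
# The old NAS is mounted separately over the isolated link, e.g. in /etc/fstab:
#   //192.0.2.2/public  /srv/oldnas  cifs  vers=1.0,credentials=/etc/samba/oldnas.cred,ro,nofail  0  0
# eth1 (192.0.2.1/30) has only the NAS on it and is not routed anywhere else,
# so SMB1 traffic never leaves that one cable.

[global]
    # Listen for clients on the home LAN only, never on the NAS-facing link
    interfaces = lo eth0
    bind interfaces only = yes

    # Modern dialect, signing and encryption toward Windows clients
    server min protocol = SMB3
    server signing = mandatory
    smb encrypt = required

    # No anonymous or guest access on the client-facing side
    map to guest = never
    restrict anonymous = 2

[oldnas]
    # Re-export of the SMB1 mount, read-only, for one named account
    path = /srv/oldnas
    valid users = alice
    read only = yes
    guest ok = no
```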

      2. Phil Kingston

        Re: Workaround

        How do you spot a Linux user? You don't, they'll tell you.

        That said, the moment there's a liveable Linux phone (with VoLTE), I'll be first in line.

  4. Jason Bloomberg Silver badge
    Thumb Down

    Another reason not to upgrade to Windows 11

    Though I had plenty already.

    1. tfewster
      Facepalm

      Re: Another reason not to upgrade to Windows 11

      There are plenty of good reasons not to downgrade to Windows 11. This isn't one of them.

      Damn you for making me take Microsoft's side on anything. But even they get something right occasionally!

      1. Dan 55 Silver badge

        Re: Another reason not to upgrade to Windows 11

        Update to Windows 11 24H2 with yet more telemetry and built-in Copilot nonsense or keep access to backups and data on my NAS. Hmm, big decision.

    2. Anonymous Coward

      Re: Another reason not to upgrade to Windows 11

      Just like Windows 98 diehards, you'll have to switch eventually.

  5. bernmeister
    Linux

    Stop sigh.

    The only thing I have learnt from this article is that the UK traffic stop sign is eight sided.

    1. mirachu

      Re: Stop sigh.

      Isn't that shape global?

      1. Dave559

        Re: Stop sigh.

        Wikipedia, of course, has a pleasingly thorough article about stop signs.

        Yes, the octagonal style is now probably the most commonplace around the world (at least partly because its unique shape always identifies its meaning if the sign face is obscured by snow, etc), but there is also an older design with the standard Vienna Convention red bordered circle form of sign (usually used for prohibition signs ("You must NOT do this"), although this is really a "You MUST do ONLY this" sign, which more usually use the blue circle form, and you can see why you might want to make a STOP sign emphatically red), with that older design having markings based on "Give Way" within the circle.

        It looks as though some countries might still use something similar to the older design, and you possibly also might still see some older design signs that have simply never been replaced, in some rural places?

        (There is nothing (or maybe very little) unique about UK road signs (other than distances and speed limits not in metric units), which follow the Vienna Convention, which was intentionally devised as an international standard, but, Ireland, on the other hand, uses a rather unholy mishmash of some Vienna Convention signs but US-like yellow diamond warning signs…)

    2. David 132 Silver badge
      Happy

      Re: Stop sigh.

      8 sided yes, but the photo is clearly AI-generated because the actual UK Stop sign design reads “Kindly Cease Forthwith”.

      1. Phil O'Sophical Silver badge

        Re: Stop sigh.

        Not "Keep calm and brake"?

        1. Bebu Silver badge
          Windows

          Re: Stop sigh.

          Given the UK's last decade I would think Douglas Adams' DON'T PANIC! (in large friendly letters) might be more appropriate.

          1. CountCadaver Silver badge

            Re: Stop sigh.

            Nah I think the Ozzies have it right

            "Shits fucked cunt" - for a friendly warning

            "Shits fucked mate" - for an unfriendly warning

          2. DJO Silver badge

            Re: Stop sigh.

            Given the UK's last decade I would think inverse paraphrasing Douglas Adams and having "PANIC" (in large scary letters) would be more appropriate.

            1. Mark 78

              Re: Stop sigh.

              "Given the UK's last decade I would think inverse paraphrasing Douglas Adams and having "PANIC" (in large scary letters) would be more appropriate."

              I won't be able to read it due to my Peril Sensitive Sunglasses.

        2. Dave559

          Re: Stop sigh.

          "Keep Calm and DON'T Carry On"

    3. Tim99 Silver badge
      Stop

      Re: Stop sigh.

      Some of us fondly remember the old UK "T" HALT sign: Pre-Worboys Committee (Alamy.com image) whose shape was unique.

      Which like the current octagonal one, could still be understood if the lettering was obscured by snow, bees, etc. >>=====>

      1. ICL1900-G3

        Re: Stop sigh.

        I was with some Dutch friends in Ireland, telling them about our pre 'Continental' road signs and saying that some could be a bit obscure, like the 'torch' sign for 'school'. And lo! Two minutes later, we saw one. For the non-geriatric among you, it represented the torch of learning... obvious, really.

  6. Zibob Bronze badge

    Expectation Vs. Reality

    Expectation:

    "We'll hopefully get the vendors to push updates for older NAS's"

    Reality:

    "Oh yeah, the NAS is not visible from the Windows desktop, so I keep an older Linux box around and keep it offline to use the NAS, it's just an ingestion/egress box"

    1. simonlb Silver badge
      Flame

      Re: Expectation Vs. Reality

      Well MS did decide to break a lot of network and WiFi functionality when they released Win10: Stuff which had worked perfectly fine for years just stopped working and MS said, "You need to contact the vendor of the relevant device to get updated drivers." Nice.

      The reality is that MS expects you to continue to hoop-jump and suck up everything they throw at you because you are product, they know best and they are doing you a favour so shut up and be grateful you selfish bastards!

      1. PeterM42
        Facepalm

        Re: Expectation Vs. Reality

        The Reality is that Microcrap are continuing to make home networking as difficult as possible.

        It wasn't broke (Windows 7), so they decided to fix it.

        GROAN!

        1. John Brown (no body) Silver badge

          Re: Expectation Vs. Reality

          Yep, the long term plan is for everything to be connected to their cloud, including replacing your home network. Everything in the cloud. Want to share a photo at home? Send it to the MS cloud so your whole family can easily access it (and have it slurped) rather than old fashioned local sharing (which is slightly harder to slurp)

  7. The commentard formerly known as Mister_C Silver badge

    Security

    He said: "Both changes will make billions of devices more secure."

    Can't read from it, can't write to it. Totally secure.

    1. hoola Silver badge

      Re: Security

      What is wrong with the statement is that it does not make the devices more secure.

      If there is nothing you can do to update the NAS this does not make it more secure.

      1. doublelayer Silver badge

        Re: Security

        Except that the billions of devices referred to include the following:

        1. Windows computers that don't need SMB1, and therefore are no longer vulnerable to problems with it.

        2. Devices which weren't updated from SMB1, but their manufacturers fixed this because they didn't want to deal with user complaints.

        It does not include these, which were not referred to by the statement:

        3. Devices whose manufacturers can't be bothered to use a secure version of the protocol.

        4. People who re-enable SMB1 to continue using devices in section 3.

        So yes, if you look at the devices he wasn't talking about, you're quite correct that they're no more secure.

  8. karlkarl Silver badge

    > SMB1 is over 40 years old,

    And Windows is similar age. And yet here we are... still plugging away with the old shite.

    1. veti Silver badge

      Really, you're still using Windows 1.0?

      1. John Brown (no body) Silver badge

        "Really, you're still using Windows 1.0?"

        It's highly likely that some code from 1.0 is still in there :-)

  9. Anonymous Coward

    Arrogant?

    Sounds very arrogant and dictatorial.

    But, if this is just a default change and it is clear how you allow access to that old NAS then no big deal.

    I hate all the "we know what's best for you" attitude, that's unnecessary.

    1. doublelayer Silver badge

      Re: Arrogant?

      I recently tried to access a Linux device that's quite old (about twenty years old), only for my SSH client to refuse to connect because it did not support any modern encryption algorithms. Is it arrogant and dictatorial for OpenSSH to have decided not to include encryption that can be easily broken, exposing my connection to the vulnerability that someone could break in and impersonate me with a little effort?

      Unlike Windows and SMB1, that wasn't a setting. If I wanted it to connect, I was going to have to recompile OpenSSH. OpenSSH was right to remove that. Microsoft is right to disable this.

      1. Mike_T.

        Re: Arrogant?

        I had what I presume was a similar problem but solved it using...

        ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss -c 3des-cbc

        To be fair that is a bit of a mouthful and I'm not using the very latest version of Debian but it worked...

  10. An_Old_Dog Silver badge

    A Pyle of ... Something?

    1. I do see how authenticated, encrypted connections are more-secure than connections which are not authenticated-and-encrypted.

    2. I do not see how unauthenticated connections (passwordless "guest" read-only mode) make it more-likely for BadServer to trick your PC into believing BadServer is GoodServer.

  11. steviebuk Silver badge

    We're not all made of money

    The arsehat. "Just get a firmware update" how about no. Because my Netgear ReadyNAS is so old it no longer gets updates. But it's all I got as all I can afford.

    The fuck whit.

    1. Dan 55 Silver badge

      Re: We're not all made of money

      This is from the people who brought you "just buy a new computer" so you can run Windows 11, so having to buy a new NAS, printer, etc... as well is a small step from there.

      1. Anonymous Coward

        Re: We're not all made of money

        Maybe Bill has inside information on his old company and is buying large swaths of farmland to create new landfills for hardware made redundant by Windows 11? </end sarc>

  12. Bebu Silver badge
    Windows

    Get an update :)

    Two decades ago I was presented with a fairly new consumer LaCie NAS device whose vital forces had departed this earthly realm. The owner was not too concerned as it was only a secondary backup but unknown to her an academic whose computing skills were legendary (ie nil) had managed to use it as his primary and only storage (not backed up) on his PC.

    I extracted the (PATA?) drive which was ok and attached it to a Linux box to discover while in the land of the living it ran an ancient Linux kernel* and software on some odd RISC SoC - even then I thought this device was never intended to get an update.

    The data files were on a Linux file system (ext4 or xfs) so complete recovery was possible.

    Personally I wouldn't let gormless users loose with anything more capable than an X Terminal.

    * the SoC just booted Linux from a disk partition ie not from firmware.

    1. veti Silver badge

      Re: Get an update :)

      X terminal can be every bit as dangerous as the server it connects to.

    2. Tim99 Silver badge

      Re: Get an update :)

      Some "important" users should only be allowed something like the (text only) DEC VT320 for "important" work. Back then VMS had file version control. If they had stuffed one of their documents, you could get back a previous version - Assuming that they had saved it!

      1. John Brown (no body) Silver badge
        Coat

        Re: Get an update :)

        "Some "important" users should only be allowed something like the (text only) DEC VT320 for "important" work."

        Some "important" users should only be allowed an Etch-a-Sketch

        FTFY

        1. An_Old_Dog Silver badge
          Facepalm

          Re: Get an update :)

          "You reboot it by holding it upside-down ... no, not like ... point the silver side to the floor ... not .. don't ... look, just hold it firmly, and shake it up a bunch."

          *Crash-clatter-clunk*

  13. Andrew Martin 2

    How to check

    Is there a simple way to check if a NAS will be affected by these changes? Would allow some time to prepare some guides on work-arounds

  14. t0m5k1
    Thumb Up

    Drop SMB

    Windows for a long time has had NFS capabilities.

    Just install it and set it up on your NAS of choice, feed it usernames, rejoice at the nice fast and secure access.

    1. Phil O'Sophical Silver badge

      Re: Drop SMB

      Windows 10 NFS is soooo slooowww compared to SMB, although nobody seems to know why. Crappy client code?

      1. John Brown (no body) Silver badge

        Re: Drop SMB

        "Not Invented here" syndrome?

  15. Marty McFly Silver badge
    Alert

    ....if the user is simply trying to access some holiday snaps on an old NAS...

    That can be a problem. All the Millennials could lose their early childhood pictures snapped 30-years ago on grainy digital cameras.

    Certainly won't be a problem for GenX though. Despite all the so-called improvements Microsoft continues to cram down our throats, there is no problem looking at the grainy Kodachrome pictures from 50-years ago.

    Snarky comment aside...

    Deprecating old standards does pose a risk of data loss for historical information. In terms of human civilization we have just started the digital age. The electronic storage mediums have not proven viable for long term storage. Magnetic, flash, and optical media all degrade over a matter of years. Whereas ancient documents have survived thousands of years and can still convey their information.

    Yeah, I did say that.... Papyrus scrolls have a proven track record for long term information storage versus our unproven electronic equivalents.

    1. Tim99 Silver badge

      Re: ....if the user is simply trying to access some holiday snaps on an old NAS...

      Or fired cuneiform tablets? In the 1980s I had a project where we were asked to archive individuals' health/safety data for 70 years, "the possible length of their adult lifetime". IBM suggested their "new" WORM optical storage. A couple of years later they told us that the long term archival properties were "disappointing". We saved everything on disk as ASCII plain text and printed it out onto "unbleached" archive quality paper. Cheap chlorine bleached paper degrades badly and becomes friable and discoloured in a few years/decades. Documents from before the mid 19th century hand-written with tannic or carbon based inks are usually OK, a newspaper from the 1930s is likely to be very degraded.

      1. John Brown (no body) Silver badge

        Re: ....if the user is simply trying to access some holiday snaps on an old NAS...

        "We saved everything on disk as ASCII plain text and printed it out onto "unbleached" archive quality paper."

        And that's probably still the current long term storage solution. OCR can always be used to re-digitise the data for research down the line. The first OCR reader I used was a small puck that slid along a guide to slowly and imperfectly "read" a line of (limited selection of typefaces) text, one line at a time. Nowadays, pretty much any cheap mobile phone can take a photo of a page and produce a pretty good searchable PDF document from it almost instantly. Commercial OCR is usually orders of magnitude better, faster and much more forgiving of creases, page curls etc. and can often fill in minor gaps with one of the rare actual use cases for "AI".

        1. An_Old_Dog Silver badge

          OCR

          Have you seen some of the horrible-quality documents on the Internet which allegedly were scanned-and-OCR'd?!!

          They look like two cats fought while jumping around on the PC's keyboard.

          1. Tim99 Silver badge

            Re: OCR

            That's why we went with plain single column ASCII, no italic, bold, or underlined text, with two lines between paragraphs. It almost always scanned OK. Scanning was the final fall-back position, in conjunction with the Mk1 human eyeball, as we normally moved and backed up these simple .TXT files to new systems as the technology changed.

  16. Zack Mollusc

    Well...

    My computer regularly connects to malicious servers in order to steal my data, I put up with this behaviour because inertia. If, in addition to this behaviour, the latest version of this spyware will also make my NAS unreachable then it may force me to overcome my inertia and go over to a different OS.

  17. pdvr

    You're supposed to use OneDrive, of course.

  18. martinusher Silver badge

    Solutions need to be user friendly

    Sure SMB1 is insecure, it has been for decades but in a closed system like a small home network there shouldn't be a need for high levels of security. We know that most users just aren't interested in big network security techniques, they want stuff to be seamless and simple. (This is why WiFi has preshared keys and devices like printers have a mechanism to read that key over the wireless connection. It might completely invalidate the entire security architecture but it's easy to set up and it is 'good enough' for most people.) Forcing users to conform to a one-size-fits-all model, especially as it's really needed just to support inherently insecure IoT devices, is just going to annoy people. Cloud solutions like MSFT's "One Drive" seem viable but in practice they merely compound the problems by adding complexity, unnecessary expense and many more potential points of failure to what should be simple and seamless.

    As someone who owns "an old NAS under the stairs" (actually in a closet) I suppose I should upgrade it but it's primarily used as central storage for media -- in other words, it's read-only most of the time for most people. That in and of itself is more adequate security for everyday use and the fact it's mirrored by an air-gapped device (i.e. an even older NAS that's mostly not in service -- and not physically connected) makes it relatively solid. Since the only time we've had a malware outbreak was due to a Windows system infection this is the obvious weak point, it's these systems that need to be isolated in their own restricted network space. As for the makers of devices, I suggest something really dumb but easy to use like a physical hardware key that can be given to each device.

    (BTW -- SMB isn't just an old protocol, it's really, really, REALLY, old. It belongs in a world of Xerox, triaxial cable and huge network adapters. I bet this fellow thinks it's some kind of file sharing protocol that runs on UDP......)

    1. John Brown (no body) Silver badge

      Re: Solutions need to be user friendly

      You have raised the point I came here to comment on too. People using home networks neither want nor require strong internal security. Most things will be accessed either fully openly or via stored credentials. If $Black_Hat has got through the external defences, they have access to all of the LAN and you are stuffed anyway. Having internal certificates for internal SMB shares is not going to slow them down at all since they are probably already logged in as you.

  19. Grunchy Silver badge

    No Problem

    I updated my PC to Ubuntu and that’s all it needed! The problem with old NAS equipment is that it doesn’t have the performance necessary to hold all the surveillance information that spyware from Microsoft, Apple, Google are collecting on you without your knowledge or consent.

    Just move on from these obsolete corporations, they don’t even pretend to try to improve their products for your benefit, not for years now.

  20. HobartTas

    If it's a really old NAS then wouldn't it be a simple solution to fire up and configure the native FTP server that's probably already installed there but never been used before because it was disabled by default? You just then install an FTP client on your Windows 11 machine and you're off and running again. Or have I missed something with this presumably easy fix?

  21. Mostly Irrelevant

    When Windows started disabling SMB 1.0 by default I updated my old NAS device (Buffalo Linkstation) with a newer version of Samba. I did this by telnetting to it and updating the software it was running manually. I was a little shocked that this was possible, but it's stayed like that for years so it seems to have worked. I'm sure an update would set it back to stock but we all know that's not happening with a 10+ year old NAS device.

    So some of these things might be fixable if you try hard enough.

  22. Marcwolf

    Windows 10.. the new Windows XP

    Remember a time when people would not upgrade from XP because 7 was too buggy etc.

    Now Windows 11 is dictating what it will connect to, or you will find your faithful old NAS or Linux server will keep your files nice and safe from Windows.

  23. BPontius

    Microsoft forcing millions to upgrade hardware to run Windows 11 is calling out vendors to update or patch their hardware, when the same could be done for Windows 11. Microsoft could allow the hundreds of CPUs they have deemed unsupported for Windows 11, best call yourself out Microsoft.

    Microsoft has been saying how insecure SMBv1 is since the '90s, ten years ago they FINALLY disabled it by default in Windows 10, but it still lingers on in Windows 11. Same with old versions of PowerShell, IIS, old insecure utilities: FTP, Telnet, Simple TCP services, legacy Media Player. Took them 6 years to finally kill IE after ending development in 2016 and it has only recently been removed from Windows 11. Was well into Windows 10 before Remote Registry was disabled by default, there are still remote shares and remote registry keys set in SecPol\Local Security Policy and gpedit\Local Group Policy in Security Settings\Local Policy\Security Options.

    Have a strange concept of secure\security Microsoft!!

  24. Anonymous Coward

    Thankfully W11 won't be infesting any of my machines.

  25. Aseries

    No Party NAS

    I wonder about folks using NAS boxes built with shareware. Will the Open-code world come to their rescue?
