That NAS under the stairs
Can't help feeling that there are still an awful lot of them out there, and quite likely some with no practical hope of being updated themselves.
<looks under stairs>... yup, there's one!
Microsoft has taken another step toward the final eradication of the venerable SMB1 protocol with plans to disable it by default in all editions of Windows 11. As is the company's wont, Dev Channel Windows Insiders will first have the protocol not installed for all editions. This will then be the default for the next major …
How much data would we be talking about? For most cases I’d guess that moving it off onto something modern would be almost painless. You can buy a smartphone with more storage than a desktop had in 2006.
Plus the electricity savings would be enormous.
All of the data I’ve accumulated over the last 25 years occupies only a few hundred GB. YMMV of course.
Well, mine isn't from 2006 but from 2015. It's a 4-way Buffalo Link Station in RAID 10. It's my secondary backup, so I only fire it up once a month (primary backup is a WD MyBook in RAID 1, once a week typically, but connected locally). 6-way, those *were* indeed expensive, just the cases, no drives. I see no reason to upgrade it since it works perfectly and suits my needs--plus I'm not Bezos, there *are* people who thanks to the pandemic actually lost money (and didn't go to space just for fun).
MS should start fixing the massive memory leaks introduced with W11 and the new useless Start menu rather than creating even more problems--if that's even on their list of priorities...
If I count the data I moved to DVDs because they are more durable and last longer than hard disks... I have like 4000 GBs of data, maybe more. That includes legal backups of games that alone take like 1000 GB of that. Then again I have been hoarding digital data since like 2008. I started with CD backups, then DVDs, then USB sticks, then external hard disks, and now I am back to using DVDs for some stuff as again they last longer. Some of the stuff is ridiculous, like backups of old shareware CDs that came with PC magazines. Others are stuff I keep going back to use, like point and click games. And I have not, for example, downloaded my entire GOG library of games yet since my Internet is slow.
Samba has supported SMB versions greater than one for quite a while now. If the NAS was designed before 2008 then maybe it would have SMB 1 only on it. But as hard drive sizes have improved so much since back then, I wonder why anyone would be using the old ones still... (my hard drives that are as old as that have all gone titsup long ago)
Vista was the version that introduced SMB v2 (along with Server 2008). So XP and earlier have V1. I would guess that if you use '9x for old games or XP for any reason, you _might_ have trouble if SMBv1 stops being supported at all...
/me has an old XP-based book-sized Lenovo that does 3D printing occasionally
>I wonder why anyone would be using the old ones still...
Because a) it works and b) it's not worth the time and trouble 'upgrading' to a protocol that may be incompatible with some devices and may itself have Heaven Only Knows what quirks and vulnerabilities.
I must confess to having 'an old NAS'. It holds my music collection. It's so old it supports NFS and RCP. These are the sorts of protocols that don't belong on the public internet unless they're tunneled, but as the systems and their players are a closed entity I don't need to change anything -- should some joker get onto the NAS and screw it up I'll just rebuild it from an offline copy (it's not happened in a decade or more).
Many current routers have USB3 ports and advertise hard drive support through SMB1. I've seen a lot of people use this feature to plug in a USB flash or hard drive as an inexpensive backup destination.
The reason routers never upgraded and are sold with smb1 even today is because the branch of samba with smb3 support is way too bloated to fit in a router. Smb2 results in half the performance of smb1, so most often it gets disabled even though the router's software could otherwise support it.
"Windows 10 Home and Pro still had the client just in case. It would, however, be uninstalled automatically in unmanaged environments if not used for 15 days (excluding time during which the computer is off)."
Oh so that's why my client's Windows 10 PC stopped being able to connect to the server under the stairs. He only used it for archiving. ClearOS 5.
SMB2 has been available in Samba since August 2011. It was added to FreeBSD Ports in October 2011, and as far as I can see, on Debian, it first arrived with Wheezy in May 2013. If you are using FreeNAS (now TrueNAS), I guess it would lag FreeBSD by a bit, but not 11 years.
So surely everyone has had plenty of time to upgrade their NASes?
An easy target for what, exactly? Stealing all my old forgotten photos from the 2000s? Looking at the resumes I faxed out in 2012? Deleting my UnrealTournament 2004 installer?
Just because "somebody" can get to the files over SMB1 doesn't mean they've commandeered the OS to zombie it. (Well, assuming you aren't running it on a Windows 2000/2003 box, in which case, they might be able to)
The average attacker might not do anything other than encrypt it and drop a ransom note, but someone who wanted to could attach malware to any executable files and hope that you'll eventually execute them. There are also code execution vulnerabilities in SMB1 that could be tried, but it would depend whose implementation and which OS they're using. Everyone has some services that really don't matter if an attacker gets access, but many people have things they think are like that but turn out to be more sensitive. I secure everything I have because I don't want to find out at short notice the problems I didn't anticipate.
There are no more inherent code insecurities in SMB1 than there are in SMB3 or CIFS or NFS. SMB is a protocol, not code. If a vendor did a very poor job implementing it (*cough*Microsoft*cough*) and left it vulnerable to buffer overflows, etc., that's a totally different argument altogether.
Some older NAS boxes don't support it and never will because the vendors want you to upgrade. Used to have a Netgear ReadyNAS and the Duo firmware didn't support anything other than SMB1.
The second issue is that at almost every contract I work on, there are still a few Server 2003 boxes lurking around with a legacy app that is still required but can't be moved to anything newer for whatever reason (vendor gone under, or it's got to be kept for a few more years unused for compliance reasons).
I was thinking that SMB v2 support was available earlier than that...
And then I found release notes for SMB 3.6, which confirm 2011.
So surely everyone has had plenty of time to upgrade their NASes?
It doesn't take long to upgrade a NAS if it's still supported. If your NAS runs a proprietary application on top of a proprietary fork of a Linux distribution for a CPU that's no longer supported ... it may take a little longer.
If, say, you had a SPARC-based Netgear ReadyNAS box (rather than one of the newer ARM-based ones).
It would be nice if the manufacturers of such boxes would Open-Source at least the OS parts, so that people would have a chance to keep older still-working hardware out of landfill.
You're not thinking Microsoft. The protocol is old, but the devices still relying on it aren't that old, and that's the point. Experts (that is, people outside of Microsoft) hacked SMB1 eons ago, but it didn't stop appliances from continuing to rely on it.
So, you say, Microsoft is smart... ok then, then they knew 15+ years ago that it was hack city, just like the rest of us. So, it took them 15+ years to close this down? Whatever....
MS knew the issues with it and fixed most of them in subsequent versions. They have been trying to wean people off it since then. Read some of Ned Pyle's articles from years ago on why you should not be using it. It has been left as an option precisely because there were still devices that used it. Even when it is removed by default you can still add it back with some effort, but you really shouldn't.
If vendors have been making devices that only support SMB 1 in the last 10 years, then that is negligence on their part, as they will have been advised that there were security issues and that the replacement protocol has been around since 2006. I have certainly been disabling SMB1 for at least that long. If a client had a device that required it and there was no firmware update available to add SMB2, then I advised them that it should be top of their list for replacement. 10 years is at least 2 or 3 hardware update cycles for most businesses, so there should be very little requirement for SMB1 now.
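The two posts above describe the sensible order of operations: find out which devices still negotiate SMB1 before you pull it, then disable it. The script below is an added example of that audit on a Windows 10/11 machine; it is not code from any of the commenters. It assumes an elevated PowerShell session and uses only the built-in SmbShare and DISM cmdlets; the audit log name is the one Windows uses for SMB1 access auditing.

```powershell
# Added example: audit SMB1 use on a Windows host, then turn it off.
# Run from an elevated PowerShell prompt (assumption: Windows 10/11 with the
# SmbShare and DISM modules present, which they are by default).

# 1. Is the SMB1 optional feature still installed at all?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 2. Does this machine's SMB server still accept SMB1 negotiation?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# 3. Inbound: which peers are connected right now using an SMB1 dialect?
#    Dialect is reported as a version string; anything below 2.0 is SMB1.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Outbound: which servers (the NAS under the stairs, say) did this machine
#    reach over SMB1? These are the devices that will break when SMB1 goes.
Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ServerName, ShareName, Dialect

# 5. A point-in-time snapshot misses devices that only connect occasionally,
#    so switch on SMB1 access auditing and leave it running for a while.
#    Each SMB1 client connection is then logged as event 3000 in the
#    Microsoft-Windows-SMBServer/Audit log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# ...later, list the distinct clients that showed up in the audit log.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 } |
    Select-Object TimeCreated, Message |
    Sort-Object TimeCreated -Descending

# 6. Once the lists above are empty (or the remaining devices are replaced),
#    disable SMB1 in the server configuration and remove the feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

The auditing step matters more than the live session check: a monthly backup target or a printer that only wakes up on demand will not be in `Get-SmbSession` output when you happen to look, but it will leave an event 3000 behind the next time it connects.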
I worked on this stuff in the mid-80s. IBM's first PC networking attempt, PC-NET, used full length adapter cards that modulated the data so it could be transmitted over standard TV coaxial cable. The interface to the network was through BIOS extensions on the adapter card, their NETBEUI. MS-NET, Microsoft's version of the same, was more general. File sharing across a network was enabled with MS-DOS 3.0 and the BIOS extensions could be managed as 'terminate and stay resident' programs, allowing you to substitute whatever adapters you could access (consumer adapters used 50 ohm coaxial cable to interconnect systems). There were all sorts of problems with this technology; it definitely worked but its performance wasn't that good. Novell produced a working version of this type of networking which led rapidly to its universal adoption by business oriented PCs.
I believe that the original Sonos boxes can only connect to servers with SMB1, so that's going to be an issue for anyone trying to get them to connect to a new Windows box. I ran into the same problem when a NAS upgrade disabled SMB1 by default. As ever, it was only later that I tried streaming music to the Sonos and didn't immediately tie the failure to the previous NAS upgrade. Of course, Sonos sell upgrades for their boxes but that can be a tidy sum for a multi-room system.
I use the Sonos units to stream the music from a NAS and then out of an optical output to the proper hi-fi. Gives a nice interface on a variety of phones and tablets in the household. The hi-fi is fine - and likely will be for years - but the Sonos units not so much. I'd love to switch away from SMB1 but unless Sonos release a feature upgrade that isn't an option. I haven't checked the dates, but I'm pretty sure there were later versions of SMB available when the Sonos first shipped, or within their lifetime, so there's an argument that they could/should have added support.
I have the same issue. For Sonos, the killing off of SMB1 is a godsend. By the magic of doing nothing they shift people away from the non-profitable practice of playing locally stored music to the profitable practice of having to use either a paid service that they get a cut from or their own ad laden streaming service.
SONOS v2 includes SMB2+ support. It's only the old SONOS v1 boxes that only do SMB1.
Don't get me wrong, I'm not incredibly happy with this as I have many SONOS v1 boxes and no way am I giving them any more money, but they have added SMB2+ support (finally), if only for the latest releases.
I'll probably go the SMB2+ mount on a Raspberry Pi re-exported via SMB1 to my old SONOS kit.
"It's insecure" is a myth perpetuated by the ignorant. It's prolix, and after being moved to tcp/ip, and having had encryption and authentication added, it has high latency, which is an issue because it's prolix. Because it's prolix, and because the modern implementation has such high latency, it's been replaced by SMB2, which is less prolix, and has lower latency.
That means that the SMB1 servers and clients are falling out of support. The o/s version on my SMB1 NAS has been out of support many years: even on my ancient hardware, it's moved from 3.x to 5.x.
"Server falling out of support" is insecure, not "SMB1" is insecure.
And, as demonstrated here, most of those SMB1 servers are appliances, and are the reason why MS has been slow to discontinue SMB1.
Insecure isn't relevant for the people still running SMB 1. The vast majority are running it on a private network at home and serving pictures of their cats. A few will be running it in factory networks which aren't even routable from the other networks in the business, let alone somewhere an attacker would be coming from.
This is the problem with security folks, they think every installation is being designed for fort knox.
And as one of those security folks, this is the problem with non-security folks. They assume they're safe because this box they're looking at isn't very important. They don't think about all the methods an attacker would use, including getting a beachhead in something unimportant and infrequently managed so they can attack the network from within. Since you're posting here, I think it's more likely that you really know what you mean when you say the box is on a network that never will be available to the internet, but many people also say that and find that someone did connect a cable, long ago, forgot about it, and someone has found it and used it to install malware or extract data.
I've worked with those people before. One colleague I've had was of the opinion that no security mattered because, as long as it could defeat the average five-year-old (basically as long as there was a password on any administrative or root accounts), we would be fine. His frequent explanation of this was that, as hard as we worked, we would never get a system the Russian government (for some reason, it was always them in the example) couldn't break into. This despite having several networks compromised with malware, including ransomware, during his tenure. When malware is involved, it doesn't matter that your system is more secure than someone's. It doesn't matter that it doesn't contain particularly interesting data compared to others. While being interesting can make you a bigger target, there are enough attackers attacking indiscriminately that you will always be targetable. If you set up a server with SSH access, even if the disks are otherwise blank and the machine has never sent out a packet, bots will find it and attempt to gain access within hours. Lots of other protocols are also attacked in that manner.
"They don't think about all the methods an attacker would use, including getting a beachhead in something unimportant and infrequently managed so they can attack the network from within. "
The network that contains a lightbulb and a fridge. You are literally the problem. Yes, home networks are connected to the Internet, no that doesn't make the threat a problem either. It's literally just some cat pictures and holiday photos. Meanwhile you're preventing progress in a thousand projects by insisting on a change control to open port 80 on a SaaS web service that only has port 80 open and no other services running.
Crack on though, we all need a wall around our gardens with an open gate in front of the only (locked) door. You're bringing real value to your employer.
So this is the same fate that met Windows .hlp files -- the (sub)system is insecure in ways which we can't be bothered to fix, so you will have to do without it.
The .hlp files were "replaced" by .chm. Anyone remember them?
Current Microsoft "help" seems to be to launch a browser with a search query. Hey, why bother making documentation when you can just outsource the gig to random strangers, most of whom have the same problem and no solution?
I can believe that current implementations of SMB1 are insecure. I can be persuaded that it is difficult to make them secure.
I baulk at impossible.
-A.
The fact remains that a URL is not much help when your desktop is screwed to the point where it cannot connect to the Internet.
Once upon a time, documentation was a local affair, and it was more or less useful following how much work was put into it.
Nowadays, it's just a throwaway thought and you've got to scour the Web's technical forums and pray that enough people have had your problem so that somebody might have been good enough to post something somewhere that is actually a solution.
But actual help from the original vendor? Or some technical specifications that are up-to-date?
Rarer than hen's teeth, these days.
"Something for that NAS that has lurked beneath the stairs for a decade or so, or the one weird bit of hardware on the factory floor."
Or for the Windows 2000 domain your company is still running on and the Windows 2003 File Server that is still in use.
Yes really. Yes I've told them... Pays the mortgage though eh.....
NCSC recommend stopping SMB2 where possible, also. Unfortunately it shares Windows internals with SMBv3 so cannot be disabled in your registry without also clobbering SMBv3. I don't know if NFSv4 is any better, but a lot of devices won't support it without reconfiguration.
Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. The only thing stopping me at the moment is the pathetic 1.2mbit/second uplink speed.
Your home NAS may also hold photos / scans of your passport, driving licence, utility bills and bank statements someone in your house once needed to apply for something.
Yes, it needs to be secure, encrypted and protected from all access. I use a mirrored pair of USB drives on a Raspberry Pi with nft protection.
Preferably behind a 2nd firewall, because you shouldn't trust the broadband provider's router/firewall to be right up-to-date with patches. I just discovered my Sky Q router has a 2nd non-visible set of firewall rules that we cannot see - for example, try blocking 10.123.234.1 both ways and then point your browser at it - yep, it still works and sends you out to the internet. There's no way of knowing if that is a second chain or forward/pre-routing rule, or what else they have hidden from us. I don't even know if my rules to stop UPnP are worthless now, because I don't have anything that uses it.
Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. The only thing stopping me at the moment is the pathetic 1.2mbit/second uplink speed.
That is rather optimistic.
I think you would find that it's a minority that will be able to get 1Gbit/s broadband, and of those the majority quite possibly won't see the need nor want to pay for the additional cost.
I don't see that changing very fast either.
"Now that 1gbit broadband is becoming more common, a lot of these home NASs will be replaced by Cloud storage. "
Why? One would think that someone tech-savvy enough to know how to set up and use a NAS at home would also be tech-savvy enough to be very, very leery of moving all of their digital stuff out to the "cloud" and losing control of it. Not to mention, well, let's face it - those of us running a NAS at home are already more than a little paranoid about our data. Sure, a NAS disk could blow out, but nobody can take it away from you without a warrant. Your "cloud storage" could evaporate at the drop of a hat, entirely on someone else's whim.
Paint me confused: you are concerned over ID theft and urge the use of extra layers of router to protect your encrypted NAS, but are also looking forward to the day when you can just gleefully hand everything over to sit on someone else's computer? Just as soon as you get a fast enough upload speed so you don't keep them waiting in suspense.