[Info-vax] SAMBA and Ransomware

Scott Dorsey kludge at panix.com
Mon Jul 17 13:22:55 EDT 2017


 <already5chosen at yahoo.com> wrote:
>I really don't like this blog post.
>If Microsoft knew long ago that SMB1 is bad then why didn't they provide a better variant of SMB with original WinXP? Or with WS2003? Or with one of the WinXP service packs or with one of several service packs and releases of WS2003?

Because Microsoft has traditionally not thought about security in any way,
until they have been forced to think about security.

And, because the security profile has changed... systems that were designed
for use on a small local network somehow got connected to the public internet
and all of a sudden design decisions that seemed reasonable turned out to be
incredibly stupid.

>Telling people to stop using WinXP is *not* a solution. Telling people to stop using WS2003 is somewhat more bearable, but also problematic.

That's what Microsoft has done, yes.  You can take that up with them.

>For reference, WinXP SP3 is at least two years newer than the first implementations of SMB2, so my suggestions are not anachronistic.

SMB1 was a terribly designed protocol.  SMB2 is a terribly designed protocol
but one with security features that SMB1 did not have.  I have not looked
under the covers of SMB3 but I suspect it's also terribly designed but with
additional security bags on the side.  I predict soon we will have SMB4 to
deal with whatever has gone wrong in SMB3.

If I had a choice, I wouldn't deal with SMB at all because it is just so
horrible.  It's like hanging a KICK ME sign on your computer.  But we live
in the world where Microsoft compatibility is critical, so we have to talk
SMB.

Our question, then, becomes this: How do we, knowing we have an inherently
untrustworthy protocol, manage to implement it in the safest possible way?
Because we have to implement it.  And we have to do it as safely as we can.
--scott
-- 
"It's a Nagra. It's Swiss, and very, very precise."