[Info-vax] SAMBA and Ransomeware
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Jul 17 14:23:33 EDT 2017
On 2017-07-17 17:22:55 +0000, Scott Dorsey said:
> <already5chosen at yahoo.com> wrote:
>> I really don't like this blog post.
>> If Microsoft knew long ago that SMB1 is bad then why didn't they
>> provide a better variant of SMB with original WinXP? Or with WS2003?
>> Or with one of the winXp service packs or with one of several service
>> packs and releases of WS2003?
>
> Because Microsoft has traditionally not thought about security in any
> way, until they have been forced to think about security.

Nobody does. Not vendors, not end-users, nobody. Security is an
add-on cost.

For Microsoft, their approach toward security was changed massively
around the era of Windows Vista.

https://blogs.microsoft.com/microsoftsecure/2012/01/12/what-a-journey-it-has-been/
https://www.microsoft.com/security/sdl/story/
https://www.microsoft.com/mscorp/execmail/2002/07-18twc.mspx

(I'm collecting information and links for an OpenVMS Boot camp
presentation on security. Microsoft has a lot of good information
available, and some clever approaches toward making successful
exploitation harder.)

> Our question, then, becomes this: How do we, knowing we have an
> inherently untrustworthy protocol, manage to implement it in the safest
> possible way? Because we have to implement it. And we have to do it
> as safely as we can.

Microsoft has some guidelines here, and has some helpful tools and
APIs, and the next part of that same discussion is how to upgrade the
implementation with as few perturbations to applications as is
feasible. Also of how to make exploitation more difficult. Because
we're going to make mistakes. Because there will be vulnerabilities.
And because we're going to be presented with new attacks and new
approaches, and just with changes in computing resources that can make
(for instance) brute-forcing a whole lot more affordable to attackers.
Then there's the discussion around how to upgrade legacy apps for
better robustness, around comparative approaches toward security and
related trade-offs, and those and other details are particularly
lacking in the OpenVMS security documentation.

n.b. I'm not a Microsoft proponent, don't use the Windows platform at
all regularly, and find that Windows definitely still has some issues.
But they've learned a lot over the years, have made massive
improvements in their platform and tools and security, and have some
approaches and some suggestions that I routinely use when developing
apps on OpenVMS, and also for Unix, macOS and iOS systems.

--
Pure Personal Opinion | HoffmanLabs LLC