My point was that we can't on the one hand tell people to use AH and then on the other hand deprecate it.  So before we do this, someone over in OSPFland should update RFC 5340 with better advice.  Same for any other RFCs that play a similar IPsec card.

Eliot


On 03.01.2026 16:23, Mike Simpson wrote:
Ok.
So like many I also have to run some old, vuln kit.

What I would do is have a Pi with an OS that allows me to configure it to run 
smb v1, attach enough storage for the audio library then stick the whole lot on 
a separate net behind deny ip any any and move on.

The point is that we all have so many footguns, some that we have to use and 
some that we purposefully choose to use* and we all have the right to operate 
in whatever way we want to within our own domain.

However, bringing the protocol spec into line with the reality of the current 
operational landscape to increase resilience of the internetworks seems like an 
obvious way forward for the IETF, even if it means that a teeny tiny number of 
vendors or users will have to rethink some edge case solution which really 
shouldn’t be exposed to or actually traversing the inet at this point.

I’m sure people using AH currently will be able to adapt over the next decade 
or so; meanwhile many other folk get to drop stuff on line cards with no control 
plane involvement and OS folk get to rip out code.

What’s not to like?

* I used to build OpenBSD -current from source after any sec updates on a 
production bastion host. Mostly it was fine, sometimes it wasn’t. Snap then 
sysupgrade reduced the pain.

On 3 Jan 2026, at 13:10, Alan DeKok <[email protected]> wrote:

On Jan 3, 2026, at 5:31 AM, Mike Simpson <[email protected]> wrote:
“My stuff needs smbv1 and I’ve known about it being deprecated for over a 
decade, with the person i/c it at MSFT begging folk not to use it in 2016, 
and I haven’t worked out a technical solution for my limited domain, and because 
of my limited experience with a 50 year old file protocol I want to keep all 
the obvious footguns still enabled by default for all to use.”
  People still use NTLM, which is not much newer than SMBv1.

  Why?  Because MSFT, in their infinite wisdom, has deemed it to be the only way 
to get certain information from Active Directory.

  I.e., it's deemed to be more secure to (essentially) send clear-text 
equivalent passwords over the wire, instead of wrapping them in TLS and 
restricting access to authenticated accounts with the correct authorization.

  There are hundreds of millions of people whose network access depends on 
NTLM.  The admins would be deliriously happy to move to something better.  But 
decades of complaints have gone nowhere.

  So yes, we've known that things have been deprecated for decades.  I don't 
want to keep using a 40-year-old footgun.  But until I have a 
replacement, it's the only tool which works.

  Alan DeKok.

_______________________________________________
Int-area mailing list [email protected]
To unsubscribe send an email [email protected]
