SOLVED Changes in SMB for 11.1U5 to 11.1U6?

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
... I want to say system 9... have to double check that though. The DuoDock has an Ethernet port via a NuBus card, IIRC.

My Mac SE needs to use a SCSI-based ethernet adapter and I don't remember if I still have the installer disk for that.
 

MrBaker999

Cadet
Joined
Apr 9, 2021
Messages
1
The entire industry is trying to get everyone off of the old protocol because it is inherently insecure. The devices you have that are still using it, and can't be upgraded, need to go in the rubbish bin of history. If you choose to continue to use something that is antiquated, you should expect to have some difficulty making it work.

I don't disagree with a word you've said in these posts, in principle.

But no one here lives in a principle. We live in the real world. You're basically telling that guy with his Sonos system to throw it in the trash. Maybe he doesn't have enough money to replace it? Maybe it was a gift? Maybe it's on his heavily firewalled private home network?

And the attitude in general. There's absolutely nothing wrong with telling someone a protocol (or etc.) is insecure and shouldn't be used, but forums like these should be solutions-focused, not complaining-that-someone-shouldn't-have-a-problem-they're-having focused. I know you did iterate the solution as far as downgrading to v1, but it was only after lengthily complaining about how users should throw out tech that might be (a) valuable, (b) difficult and time consuming to reproduce, recode, reimage, or (c) supporting some legacy software that is a dependency of something that falls under (a) or (b).

I still have an old laptop running XP because the phone system in our old office (pre-Virus Times) could only have its voicemail managed through a proprietary application from ~2004 that was no longer being updated by the vendor, and try as I might I could not get that app to operate properly on Win7, 8, or 10. I would have loved to upgrade the phone system. My boss' wallet did not want to upgrade the phone system, and so there we were.

In any case, yes SMB1 is vulnerable and feature-poor. Fine. But who is the arbiter of when we should throw our un-upgradeable tech in the trash? The same day a vulnerability is discovered? The exact day that patches stop being produced, and the maintainer of the code/OS/etc says "we no longer support this"? Or do we, the users, have some leeway against the arbitrary decisions of other entities to stop supporting a particular version of software? What is that leeway? Can I use SMB1 for a month after it's deprecated? A year? Two years? How long until I'm the victim of rants? I know in this case it's been a very long time, but unfortunately we're the users, not the vendors releasing hardware with firmware that only supports SMB1.

Also, as some people have pointed out, context is important. For example, at home I have an old enterprise switch from HP that's past its prime. For my own ease of use, I have naked telnet enabled to manage the switch. You would say "throw it out, that's crazy, you're dumb", but it's only enabled on one physical port that has absolutely nothing connected to it. I bring over a laptop and connect to it on the exceedingly rare occasion I need to reconfigure it. Sure, the switch might have a vulnerability or two on its firmware anyway, but like most people using a free/open-source NAS solution I can't afford to replace it. So by your logic I should use... an unmanaged Buffalo Technologies switch and just let my VLANs commingle? Or should I just tear out all the cables and take it offline, and call Verizon up and see if they still do landlines?

IMO it's the user's decision to use outdated tech if they want to. Pointing out the risks is fine, but keep it brief and focus on solving the problem is all I'm asking.

And like it or not, sometimes dependencies are stacked on dependencies on dependencies on some legacy code, and it can be extremely expensive and time consuming to throw it all in the trash and start over.

Again, it's the real world and some of us have to live with the cards we're dealt. We need workable solutions, not to be reminded of our lack of money and/or time to achieve a perfectly patched and secure environment in our houses / small businesses forever and always. If we were all enterprise sysadmins in a Fortune 500 company with a large ops team, then yes, I'd expect us all to implement security best-practices at all times.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
And the attitude in general. There's absolutely nothing wrong with telling someone a protocol (or etc.) is insecure and shouldn't be used, but forums like these should be solutions-focused, not complaining-that-someone-shouldn't-have-a-problem-they're-having focused.

[Moderator Note]

While you are welcome to such an opinion, please bear in mind that it is up to the moderation team to determine what sort of content is acceptable on the forums. There is no need for posts on these forums to be "solutions-focused." Any cogent discussion related to an issue is generally welcome. It does not have to be what a user wants to hear.

The unfortunate truth is that the computing world evolves at a relatively frantic pace, and that a lot of hardware becomes obsolete far before it should. Hardware vendors have virtually no incentive to make devices that will be updateable for a decade or more. This turns into a minefield because people are resistant to throw away "perfectly good" hardware that no longer has functional software, and you can get away with this right up to the point where there is some exploit which converts your crappy IoT device into a DDoS generator. As long as vendors have no motivation to keep updating a device for the reasonable lifespan of the device, we're going to continue to have problems with excessive e-waste, DDoS magnets, security problems, etc. There is no winning this in the current situation, so rather than scolding someone who has posted a reasonable argument, let's try to keep this on an even keel.

Thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't disagree with a word you've said in these posts, in principle.
...but you joined so you could revive a thread that had been dead for a year and a half, to complain about it. Why?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Well, that's one way to make an entry to the forum. :smile:

Coming back to the topic on hand, generally, the folk that come to FreeNAS / TrueNAS are interested in preserving their data. Why else noodle your way through the many different hoops that make up the TrueNAS ecosystem when a Drobo, QNAP, Synology, whatever can likely achieve much of the same share file functionality as TrueNAS / FreeNAS? Efficient file servers can consist of little more than a Raspberry Pi and drive.

Thus, it is neither surprising nor unusual for folk here to steer people away from using SMB1 NTLM v.1 unless there are really good reasons. MS feels the same way by disabling SMB1 by default in Windows 10. It's nothing new either, as Ned Pyle who maintains SMB has asked the industry to stop using SMB1 since 2016 or so. He and his team have allegedly even offered to help some vendors like Sonos to upgrade their SMB implementations to SMB2+. But that was apparently a no go at Sonos since upgrading to SMB2+ hasn't happened even in the new S2 environment, IIRC.

So, while I maintain a Sonos rig (and prevent it from bricking its CR100 controller with all sorts of unnatural acts), I do not allow Sonos to read directly from the server. Took too long to rip all those songs to risk yet another Sonos security risk from taking the server down. Because you can't just dumb down the server on one share to SMB1, you dumb it down for all shares. An RPi takes over for that job, using a 2TB drive. Easy, cheap, low power, and expendable.
 