How to make SMB1 as safe as possible?

Yeah, sounds good, but doesn't work in practice. I spent a week once trying to get a P2V machine to legally activate. Then a bit of research/googling shows that doing this with an OEM license (which every single computer I ever see in my end of the market has) is against the TOS. So it works as long as you are comfortable using a cracked key or some other such nonsense for a client solution.

Good to see someone be professional and honor licensing. Correct...OEM licenses are non-transferable, they live and die with the hardware they were initially purchased with. There were no OEM versions of Windows that were exceptions.
 
Let's assume everyone in this forum does or tries to...

(Edit: spelling)
 
If I were to do this now, I'd have a VM or a Linux machine with TWO NICs in it.

The 2nd NIC goes into an isolated VLAN and that's where all the SMBv1 stuff lives, it's utterly separate and isolated and nothing but those devices will ever see it, nor does that segment have internet access.

The 1st NIC has SMBv3 running on it to provide access to the very same files.

I would charge at least $2000 for the equipment and setup of this solution. Because it leans HEAVILY on my brain to beat together all this custom stuff into a supportable OS AND a fully tested network deployment I can semi-trust long term. The client should know that replacing those cameras is a requirement for support long term, and every day that goes by the price to not do that goes up.

I'd use Debian as the OS of choice here because it's relatively easy, I don't need more than SSH access to configure SAMBA as I need it, and it's portable. Not to mention the licensing issues of Windows go right out the window, along with Windows... it's wonderful.
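The two-NIC layout from the post above, sketched as Samba configuration (an added example, not the poster's own setup). Because `server min protocol` is a global setting, it assumes two separate smbd instances, each started with its own `--configfile`; the interface names, subnet, paths and account names are assumptions.

```ini
# ---- /etc/samba/smb-legacy.conf : instance for the isolated camera VLAN (2nd NIC) ----
# Start with: smbd --configfile=/etc/samba/smb-legacy.conf
[global]
    # Listen only on the isolated NIC (eth1 is an assumed name).
    interfaces = eth1
    bind interfaces only = yes
    # SMB1 is offered here and nowhere else.
    server min protocol = NT1
    server max protocol = NT1
    # Assumed camera subnet; anything else is refused even if it reaches eth1.
    hosts allow = 192.168.50.
    # Per-instance runtime directories so the two daemons never collide.
    pid directory = /run/samba-legacy
    lock directory = /var/lib/samba-legacy/lock
    state directory = /var/lib/samba-legacy
    cache directory = /var/cache/samba-legacy
    private dir = /var/lib/samba-legacy/private
    log file = /var/log/samba/legacy-%m.log

[footage]
    path = /srv/footage
    # Hypothetical account that exists only in this instance's password database.
    valid users = camera
    read only = no
    guest ok = no

# ---- /etc/samba/smb-lan.conf : instance for the normal LAN (1st NIC) ----
# Start with: smbd --configfile=/etc/samba/smb-lan.conf
[global]
    interfaces = eth0
    bind interfaces only = yes
    # No SMB1 or SMB2 negotiation on the LAN side.
    server min protocol = SMB3
    server signing = mandatory
    smb ports = 445
    disable netbios = yes
    pid directory = /run/samba-lan
    lock directory = /var/lib/samba-lan/lock
    state directory = /var/lib/samba-lan
    cache directory = /var/cache/samba-lan
    private dir = /var/lib/samba-lan/private
    log file = /var/log/samba/lan-%m.log

[footage]
    # Same files, read-only here: the two instances do not share lock state.
    path = /srv/footage
    valid users = @staff
    read only = yes
    guest ok = no
```

The host itself must not route between the two NICs (keep `net.ipv4.ip_forward` at 0 and add no NAT rules), otherwise the VLAN is no longer isolated.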
 
I have not kept up with what the US courts may have been saying, but at least for the EU, their courts have explicitly ruled that all licenses are transferrable provided that the original terms in regard to number of machines on which a given license can be used are honored. And since we have a number of participants here who are in the EU, that does matter. (I constantly get the response, "But we're not in the EU!" Well, quite a few participants here are.)

Posted before, but worth a repeat:
With regard to reselling software licenses and legal changes in the EU:

Reselling used software licences – new ruling from the European Court – October 24, 2022 [new case, same result]

Can you resell software licenses? The latest legal position in 2016 The ITAM Review – October 31, 2016

EU court rules resale of used software licenses is legal -- even online Computer World – July 3, 2012

EU Court Says, Yes, You Can Resell Your Software, Even If The Software Company Says You Can't Techdirt.com – July 3, 2012

Top EU court upholds right to resell downloaded software Ars Technica – July 3, 2012

European Court Confirms the Right to Resell Used Software Licenses Brodies.com – January 1, 2012

See also web search results returned on [software license resale EU].

A direct result of the above legal decisions has been the creation of both a cottage industry for small business computer recyclers and a major industry for large ones of selling recycled licenses. The former, while almost impossible to verify their honesty except through seller ratings from past customers, do exist as legitimate resellers. The latter, two examples of which are Relicense and SoftwareReUse in the EU, are big businesses used by other businesses. It’s almost impossible to question the legitimacy of companies such as these, as they’d have been put out of business by licensing entities if what they were doing was illegal.

So the answer about whether resale/transfer of software licenses is legal, REGARDLESS OF WHAT THE ORIGINAL CONTRACT STIPULATED, is directly dependent on your legal jurisdiction. If the courts stipulate that a certain clause is now null and void, that's what it is. This makes license resale perfectly legal in certain jurisdictions while it remains illegal in others.
 
@britechguy Reselling a license isn't the same as violating the terms. OEM Microsoft licensing is locked to a specific system, which in MS's case means motherboard. If you sell the software and physically relocate the mainboard in question POOF it works.

Which only adds another wrinkle here. Even EU law says the license is a bit of property that can be resold, but if the license itself is tied to a physical thing then the two would need to be sold together.

But now that the license codes are hidden in the system BIOS, for the most part people in the US are handling things correctly when they simply sell the machine and it has what it has on it.

I really wish MS would just get rid of OEM entirely, and just do retail licensing... and dump the prices across the board to match modern reality. But they aren't going to do that without some serious reason to, it's a lot of money on the table. And Dell and HP lobby them hard to ensure the situation as it exists doesn't change.
 
I really wish MS would just get rid of OEM entirely

As have I, for a really long time.

A license should be a perpetual or time limited right to use a given piece of software on some set number of machines. Provided the set number is not exceeded, it should not matter one bit if you were to choose to "mix up the machines" hourly were you to choose to do so.

Licensing verification should also be easily capable of handling the monitoring of the number of machines with active software under a given license, and enforcing the "set number" itself. It should not be up to the tech or end user to "be sure that we're not violating licensing agreements." It is the licensor that should be the one, and only, gatekeeper, and under the terms of any jurisdictions where they operate.
 
If Microsoft themselves declare a license legit & activate it with their own servers & own algorithms, why on earth would anyone else say otherwise?

Anyway, eBay has a lot of sealed, genuine & boxed Windows licenses...
 
If Microsoft themselves declare a license legit & activate it with their own servers & own algorithms, why on earth would anyone else say otherwise?

You're going to have to get an answer from someone who believes/says otherwise. Every time I've ever discussed grey market licenses I've made precisely the same statement you have.

It is not, in any way, shape, or form, up to me to know if a license key that has landed in my hands is legitimate. As a break-fix tech who has to rebuild "cyber worlds" after certain kinds of failures, licenses that I did not acquire are often provided to me. It is the licensor's duty to protect their own assets under their own rules, not for me to play twenty-questions with all my clients doubting the legitimacy of what they've given me to work with.

It has always struck me as inane that everyone "out there in the wild" should be responsible for making sure license terms are being met when, very often, we really have no way of knowing whether they are (though even I'll admit that often we do). But in the end, I refuse to take ultimate responsibility as gatekeeper. My due diligence ends the moment the licensor accepts a license presented to them via their specified methods, and they allow the software to run as licensed.
 
My due diligence ends the moment the licensor accepts a license presented to them via their specified methods, and they allow the software to run as licensed.
And, I assume, that's what everyone does, even without realizing or admitting it, when we upgrade W7 or W8 to W10 with the embedded license, even if MS says this promotional offer has ended some time ago...
 
If Microsoft themselves declare a license legit & activate it with their own servers & own algorithms, why on earth would anyone else say otherwise?

Anyway, eBay has a lot of sealed, genuine & boxed Windows licenses...
The activation systems cannot keep up with MS's own requirements in all cases. MS's own agreement states that activation doesn't mean you have a proper license. For an individual, this really doesn't matter much. But for any business at any sort of real scale, it's a phone call away from legal extortion that gets very painful, very expensive, very quickly.
 
MS's own agreement states that activation doesn't mean you have a proper license.

I would love to see that little gem tested out in court.

I once had a brand new, out of the box machine that insisted that Windows was not activated on it and nothing I could do (alone) helped. It required MS intervention.

If the gatekeeper can't handle keeping its own gates, that should not be any end user's problem or fault. If you present credentials via any one of several specified channels, and MS verifies them, that should be it. When I was working in corporate and academic environments and was handed a sheet of product keys for setting up machines there was no bloody way in hell that I could ever have known if they were legitimately purchased or fell off the back of a turnip truck. If MS activated them, and they always did, that was proof of legitimacy for me, and still is.
 
I do appreciate your answer but if MS can't keep up, how can we?
Do we need a lawyer every time we install a piece of software?
In the US? Yes! At least with a company as litigious as Microsoft. @britechguy It has been tested... many... many times. Microsoft wins, they're almost as bad as trying to beat The Mouse (Disney) in the courtroom.
 
I would love to see that little gem tested out in court.

I once had a brand new, out of the box machine that insisted that Windows was not activated on it and nothing I could do (alone) helped. It required MS intervention.

If the gatekeeper can't handle keeping its own gates, that should not be any end user's problem or fault. If you present credentials via any one of several specified channels, and MS verifies them, that should be it. When I was working in corporate and academic environments and was handed a sheet of product keys for setting up machines there was no bloody way in hell that I could ever have known if they were legitimately purchased or fell off the back of a turnip truck. If MS activated them, and they always did, that was proof of legitimacy for me, and still is.
So if you had a residential licence for some software and decided to install it and use it for commercial use it's fine just because it didn't stop you using the residential licence?

We're not talking just not being able to transfer a licence here, we're talking a usage it is not licenced for. OEM Windows licences are not licenced for virtualization.

If a client explicitly tells you what software to use and licences, it's not necessarily your place to double-check to make sure everything is good for licences. But if you are putting together a solution for your client, it is definitely your place to make sure everything is properly licenced. (like if P2V is a part of your solution)
 
@Sky-Knight,

I don't doubt it's been tested, but the courts are becoming less and less friendly toward giant corporations of all sorts who try to slam "little guys" for missing some tiny something where they have also missed that tiny something.

The idea that any company that licenses something tries to put the burden of licensing proof on the licensee is just plain ridiculous. None of us, not a single one of us, can know that any license we purchase that doesn't come direct from Microsoft is valid. We may have done every last piece of due diligence, yet somehow an illegitimate key lands in our hands. It is beyond ludicrous, absolutely insane, to say that if I type in that key to their verifier, and they activate it, that I have done a single thing that's wrong. The buck stops with the licensor, or should if there is a God in heaven and any reasonable judges out there.
 
So if you had a residential licence for some software and decided to install it and use it for commercial use it's fine just because it didn't stop you using the residential licence?

No, I am not.

I have never, even once, implied that we as techs should not be operating within the boundaries of the law. But, when it comes to licenses, provided we're using the ones we should be using based on what the client (and that includes a business client) needs, it's beyond our ability to be the ne plus ultra arbiters of whether what we have as a license is legitimate.

We buy what we're supposed to buy. We present as the licensor dictates we present. They either activate, or they don't, but I sure as hell don't have any way but their activating to know, without a scintilla of doubt, that a license is valid. Nor should I be expected to know. THEY SHOULD BE EXPECTED TO KNOW.
 
So if you had a residential licence for some software and decided to install it and use it for commercial use it's fine just because it didn't stop you using the residential licence?
There is a reason why in MS Office, it's written everywhere: "Non-commercial use".

OEM Windows licences are not licenced for virtualization.
By all means, buy a license direct from MS (newer OS) or eBay (older OS). And yes, you can switch to your new license key in your VM, even in XP (some tools required).
 
When we sell (resell) licenses, we mostly only do A) Volume, or...B) more and more (mostly now)...via CSP/365.
In the days of on prem servers, we never did "OEM" licenses, as....when you spin up a disaster recovery on another physical box (which is what Datto, Veeam, Axcient, Acronis, Paragon, etc..allow you to do)...well, BOOM, there does the OEM thing in the way again. Today's purchasing of server licensing via your 365 CSP portal is great, the key gets put right into the client's 365 tenant for documentation. Same with Windows desktop Pro licenses....which are dirt cheap if client has an M365 Business Premium license.

The old days of Microsoft Office...OEM was a nightmare to deal with for businesses anyways, so we always did retail..volume licensing there.
365 just made it a thousand percent easier.

For desktops/laptops, here's the exception to A or B above, we treat those as disposable...so that's the only thing we pass forward with OEM licensing. The computer dies, quick...replace it with a new one that already comes with an all new OEM license.
 
@Sky-Knight,

I don't doubt it's been tested, but the courts are becoming less and less friendly toward giant corporations of all sorts who try to slam "little guys" for missing some tiny something where they have also missed that tiny something.

The idea that any company that licenses something tries to put the burden of licensing proof on the licensee is just plain ridiculous. None of us, not a single one of us, can know that any license we purchase that doesn't come direct from Microsoft is valid. We may have done every last piece of due diligence, yet somehow an illegitimate key lands in our hands. It is beyond ludicrous, absolutely insane, to say that if I type in that key to their verifier, and they activate it, that I have done a single thing that's wrong. The buck stops with the licensor, or should if there is a God in heaven and any reasonable judges out there.
I really wish I shared your optimism. Right to repair is all but dead in the water in the US. The large tech companies are sucking up huge portions of our GDP and still want more, and our House can't elect a speaker while the Senate has shown zero interest in anti-trust action during my lifetime.
 