
Windows Mobile Team Blog

The Official Windows Mobile Team Blog
WiFi Did You Do That?

Having survived explaining why the X button doesn’t close apps, I’ve been emboldened to take on the completely radioactive subject of why WiFi ActiveSync was removed from ActiveSync 4.  I’m sure that I won’t come out of this one unscathed.  The people affected by this are really angry.  And, though I didn’t have anything to do with the decision, I’m guessing that you’re going to take your frustrations out on me anyway.  But, hey, someone needs to explain why these things happen.  That someone might as well be me.


The truth is out there

Conspiracy theories abound.  Because WiFi to an Exchange server still works, some people have suggested we did this to sell more Exchange servers.  That’s definitely not the case.  Exchange has considerably more customers than Windows Mobile (although we’re growing quickly!).  Hurting Windows Mobile to make Exchange do better just wouldn’t make any sense.  Don’t get me wrong, I’m sure that the integration between Exchange and Windows Mobile has driven sales of both.  But we’re not about to hurt one product to help the other.  If nothing else, Windows Mobile and Exchange are in different divisions, and both are expected to make money on their own.  So even if Exchange came to us and said, “Why don’t you hurt yourself to help us?” we’d say “No thank you.”  (Okay, our response would be less polite than that….)


Secure this

The official (and true) reason has always been stated as “We removed it for security reasons.”  But, judging from the number of angry comments I see posted here, that explanation hasn’t really convinced anyone that it was a good idea.  So, let me go into more detail.  The first major issue is this: Exchange ActiveSync is encrypted and desktop ActiveSync isn’t.

Quick diversion to explain what “encrypted” means.  Think back to the old days when you used to send paper mail through the post office.  And think about the difference between sending a post card and sending a letter.  If you put your letters in envelopes, you had some reason to believe only the right people would read them.  But with post cards you wrote, “Having a great time, wish you were here,” on the back and just assumed that anyone in the post office could read it.  For this reason, you never sent company secrets on post cards.  Encryption is like the envelope you put your letter in.  It helps keep people who aren’t supposed to know what you wrote from reading it.  If you don’t use encryption, you’re effectively sending post cards.  Only, it’s not just the post office workers who can read it.  It’s everyone on the internet.

And that’s one of the main reasons we cut the feature.  Desktop ActiveSync over WiFi was sending all your contacts, calendar, and email data over the internet without doing anything to keep people from reading it.  If that doesn’t strike fear into your heart, let me add the second reason.  When a device connects over desktop ActiveSync we don’t do enough to make it prove that it’s really your device (we don’t “authenticate” well enough).  So, yes, when you had WiFi enabled on desktop ActiveSync, people on the internet could watch what you sent and then use that information to pretend to be your device.  If they were successful at this, they could convince your desktop to start sending your information directly to them.

You shouldn’t be furiously asking why we removed the feature.  You should be furiously asking why we ever implemented it in the first place.


So why did you implement it in the first place?

History lesson time.  (Did you really think you’d get through one of my blog entries without one?)  ActiveSync started out as a way to plug your device directly into your PC over a serial port.  Yes, it’s that old (many PCs don’t even have serial ports anymore).  There was no need for any sort of security here, because the only way to do this was to physically connect two machines.  If you had control of both machines, you’d already compromised whatever security was there. 

At some point, PCs and Pocket PCs started getting USB ports.  So we modified desktop ActiveSync to talk over USB.  But we mostly did it by pretending the USB port was a serial one and sending the same kind of data over it.  At some later point we started seeing Compact Flash network cards.  We thought, “Hey, that’s another way we could connect to ActiveSync,” and built in the ability to sync over Ethernet.  Not too many people used it, though, because it didn’t make too much sense to plug Ethernet cables into your mobile device.  Later on, though, WiFi arrived.  In the end, WiFi is just a wireless way to do Ethernet, so it pretty much automatically worked with what we had already built. 

Another brief aside.  We left Bluetooth enabled for a number of reasons.  For one, Bluetooth is inherently encrypted.  WiFi isn’t.   For another, Bluetooth has a limited range.  WiFi also has a limited range, but it’s a limited range to the nearest internet connection.  From there it can go anywhere.  Bluetooth connects directly to the desktop.  Though the Bluetooth standard supports Bluetooth devices connecting to the internet, we don’t support Syncing to the Desktop over such a connection.  WiFi could potentially connect directly to a desktop, but we’ve never had that feature implemented. 

It’s not really Sync over WiFi that we removed.  We removed Sync over Ethernet.  It’s just that WiFi needed Ethernet Sync to work.  Now, enabling Sync over Ethernet happened back in the time when viruses were rare (no one had figured out how to make money exploiting security flaws yet).  And, in those days, we didn’t foresee the coming storm of malware, nor did we know enough about how to prevent it.  So we enabled what seemed like a useful feature, blissfully unaware of how dangerous it was.

Remember that none of these devices were phones.  When we started making phone devices, we realized that users would have data connections anywhere they went.  And we realized that they’d want to sync their devices from anywhere in the world, not just at their desktops.  So we decided to make a way to sync directly to an Exchange server.  And, for various reasons, the original sync method wasn’t going to work.  We needed to make a new one.  This happened after the internet’s transition to the dark side, so we built encryption in from the start.  That’s why Exchange ActiveSync still works over WiFi.  It’s encrypted, so we didn’t have to disable it.


But I don’t care if anyone reads my data.  Enable me.

It’s clear that, as little as 5 years ago, most Microsoft employees didn’t understand security well enough.  That’s changed.  Everyone in development takes mandatory security training every year.  And the training isn’t even the same thing every year.  Each year we learn about new attacks that had been recently invented.  Mistakes can still be made, but we at least get it now.  How would you like to be the guy who caused an airport to be shut down because of a vulnerability in your code?  You could say, “It’s not my fault.  I wrote the code long before that kind of attack had even been invented yet.”  But in the end, you have to feel the weight of the flaw on your shoulders. 

Like it or not, we live in a world where every exploitable hole will be exploited.  And, in that world, we simply can not leave something as big as what I described enabled.  We had to remove the feature.  You may be willing to point a partially loaded gun at your head and pull the trigger.  But we just can’t be the people who loaded the gun for you.  Those days are gone, and they aren’t coming back.  We understand your frustration.  We feel bad when you scream and yell at us.  But we’d feel worse about the things that would happen if we left the vulnerability in.


Then fix it

There are a number of things we can do to fix it, including adding encryption and authentication.  All of them, however, are a ton of work that needs to get prioritized against all the other things we need to do in ActiveSync.  I can tell you definitively that the team responsible wants to re-enable desktop ActiveSync over WiFi.  But I have to also tell you that they have a lot of other things they need to do first.  I can’t tell you when you’ll get your WiFi back. 
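Added example, not from the original post and not ActiveSync code: a toy handshake contrasting the replayable login described under "Secure this" with one form of the authentication fix mentioned above. The message layout, `DEVICE_ID`, `STATIC_PASSWORD`, `PAIRING_KEY` and the class names are all assumptions, since the post does not show the real protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample values. The post does not show desktop ActiveSync's real
# wire format, so the message layout below is hypothetical.
DEVICE_ID = b"pocketpc-01"
STATIC_PASSWORD = b"1234"                 # fixed credential sent in the clear
PAIRING_KEY = secrets.token_bytes(32)     # assumed to be set up once over USB


class StaticLoginDesktop:
    """Weak design: the device proves itself by sending the same bytes every time."""

    def __init__(self, credentials):
        self.credentials = credentials    # device id -> password

    def accept(self, hello: bytes) -> bool:
        device_id, _, password = hello.partition(b":")
        expected = self.credentials.get(device_id)
        return expected is not None and hmac.compare_digest(password, expected)


class ChallengeDesktop:
    """Stronger design: a fresh nonce per session, answered with an HMAC."""

    def __init__(self, keys):
        self.keys = keys                  # device id -> pairing key
        self.pending = {}                 # device id -> outstanding nonce

    def challenge(self, device_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def accept(self, device_id: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)   # each nonce is single use
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def device_answer(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    """What the genuine device sends back; the key itself never crosses the wire."""
    return hmac.new(key, device_id + nonce, hashlib.sha256).digest()


def replay_outcomes() -> dict:
    """Replay bytes recorded from one cleartext session against both designs."""
    results = {}

    # Static login: the recording contains everything needed to log in again.
    static = StaticLoginDesktop({DEVICE_ID: STATIC_PASSWORD})
    recorded_hello = DEVICE_ID + b":" + STATIC_PASSWORD
    results["static_genuine"] = static.accept(recorded_hello)
    results["static_replay"] = static.accept(recorded_hello)

    # Challenge-response: the recorded answer is bound to one nonce only.
    strong = ChallengeDesktop({DEVICE_ID: PAIRING_KEY})
    nonce = strong.challenge(DEVICE_ID)
    recorded_answer = device_answer(PAIRING_KEY, DEVICE_ID, nonce)
    results["challenge_genuine"] = strong.accept(DEVICE_ID, recorded_answer)

    strong.challenge(DEVICE_ID)           # new session, so a new nonce
    results["challenge_replay"] = strong.accept(DEVICE_ID, recorded_answer)

    # With no challenge outstanding, the desktop accepts nothing at all.
    results["challenge_unsolicited"] = strong.accept(DEVICE_ID, recorded_answer)
    return results


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:22} accepted={accepted}")
```

Challenge-response only closes the impersonation half of the problem; the contacts, calendar and mail that follow are still readable on the wire unless the channel is also encrypted.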


Shields at full, Captain

That sound you hear is me slinking down into my bomb shelter.  While I know this post won’t make you any less angry, I hope it at least explains how we got to where we are.  Fire away.

Mike Calligaro

Posted: Wednesday, November 08, 2006 2:13 PM by MikeCal

Comments


Perry said:

Mike, I certainly appreciate your willingness to "face the music" and discuss some of the less popular decisions that have been made regarding Windows Mobile.  You can count me among those who were very disappointed to see WiFi syncing removed in ActiveSync.

"We had to remove the feature.  You may be willing to point a partially loaded gun at your head and pull the trigger.  But we just can’t be the people who loaded the gun for you."

I have to disagree with this.  I can understand the desire not to let users do dumb things, but I also think that users should be given the choice of when and how much to secure their environment as often as possible.  I'd have preferred that you left the ability to sync over WiFi available, even if disabled by default, and given IT administrators the ability to remove it completely by way of a Group Policy where necessary.

# November 8, 2006 8:13 PM

Charles said:

Seriously, the article is interesting but there are some funny statements:

Number 1: "Now, enabling Sync over Ethernet happened back in the time when viruses were rare"

Do you mean the 80s?

Number 2: The answer to "But I don’t care if anyone reads my data.  Enable me." is plain ridiculous (MS developers are more conscious about security). That's copy and paste from the corporate posters.

Every time we install a non certified driver on WinXP we get a big red blinking warning; what on Earth is the reason not to have a Triple Red and White Blinking warning, the type that Microsoft like "This is Unsecure do you want to proceed?" "Are you really really sure?" "Are you really really really sure? If anything happens I will tell you "I told you so.""

Since I am writing a comment I might as well ask for a future post: What is the story behind the various issues for MS Pocket Money (single currency, and forever non forward/backward/at-all compatible)?

# November 8, 2006 8:23 PM

PeterNZ said:

"But we just can’t be the people who loaded the gun for you. "

You don't have to load it for me! I am responsible enough to load it myself, to be aware that it is loaded and to take all precautions to not shoot myself in the foot! But you just sell me the gun and refuse to give me the bullets!!!

I am thinking of creating a t-shirt which has written on it "I survived 3 years of ActiveSync 3.8 and am still using it!!!"

Cheers

Peter

# November 8, 2006 9:32 PM

Richardson said:

Amazing...  then why are we allowed to shutdown the windows firewall?

# November 9, 2006 1:06 AM

Eugene said:

One way to add encryption and authentication is by using IPSec.  Even if the built-in IPSec support is not adequate, there are third-party solutions that could easily "secure" it.  There are users out there who already use these IPSec solutions to connect back to a corporate VPN gateway to retrieve email, access the intranet, and ActiveSync, at least until it was disabled.

# November 9, 2006 1:24 AM

Solnyshok said:

Mike, However much you try to hide behind technical topics, your writing style shines through. If you have done novels or essays, I want to read those. Cheers.

# November 9, 2006 3:57 AM

Chris McDonnell said:

I can only commend the efforts to secure any software and especially something like ActiveSync.  In our organisation we have a lot of "numpties" who don't really know what they are doing with their smartphones.  Users like that need "protection" sometimes.  As a .NET developer myself I would always decide to remove vulnerable features instead of just disabling them by default (which I've done recently on an ASP.NET site).  If there was a trojan that could exploit ActiveSync via Wi-Fi Microsoft would be berated by the media for leaving in such a vulnerable feature.  Nice post, love the entries like this one.  :-)

# November 9, 2006 8:35 AM

Dave E said:

Mike,

Your excuse for not giving us the choice is incredibly weak.

You have always struck me as a very intelligent guy, so it amazes me that you post such poor reasoning such as not giving people a choice for Wifi or allow them to have their "X" actually close.

MS must be paying you a large sum for "danger pay" because I can't think of another logical reason to even try to push such absurdity on us.

Dave

# November 9, 2006 8:37 AM

Amin said:

Sync over wifi is a must and personally it was a selling point for Windows Mobile PDAs. Seems Microsoft don't care about Market Demands.

# November 9, 2006 10:08 AM

Griffon said:

It's really, really hard to believe it is so difficult to add encryption to Wifi sync.

# November 9, 2006 10:09 AM

Richard said:

It is actually a lot simpler than we may think, MS wants to get rid of 'local' hosting of exchange/outlook.  Companies ought to subscribe to one of the Exchange hosting services out there, removing the most common reason to have ActiveSync in the first place.

It's all marketing, isn't it?

Richard

# November 9, 2006 10:50 AM

Patrick said:

This majorly sucks. This was a feature so useful to us that our field force automation had to stick to WM2003 with AS 3.8.

Now the problem for us is that our work force is growing, devices are breaking, and we are having difficulty finding new devices. We don't just need to sync email and our software relies on custom synchronization filters... We are painting ourselves in a corner here and it's killing us.

# November 9, 2006 11:43 AM

Henry Boehlert said:

Thanks for sharing this information. Love your articles. Keep up the good work.

Since most of the time I'm connecting thru USB anyway to charge and sync stuff for that <expletive/> Media Player thingy,

I'm not hurt by this too much.

But add $49 of my $100 to the pile for a secure Sync-Over-Anything.

The other $51 go to ActiveSync backup and restore. But that's another story, I guess.

# November 9, 2006 11:45 AM

Maciej Rutkowski said:

Why not just add a secure sockets layer over RDP? It sounds soooooo easy but then again something tells me it's actually not. What about sync-over-https? What about leaving a deep-buried registry option to enable ethernet sync with a big red "DANGEROUS, UNENCRYPTED DATA" mark on it?

# November 9, 2006 12:47 PM

deezy said:

If my wi-fi connection from my device to my router is encrypted how would it be possible for the sync from my computer through my router and to my device to not be.........

I personally feel that this is very sketchy.. I can click on an unsecured wireless network and type in my credit card number and get hijacked the same.. but i wouldn't do that because I know what "Unsecured Wireless Network" means...

It is great to "provide" everyone with a comprehensive security set.. But at some point this has got to be handed to the user...

I mean honestly there is a very easy solution to this... Sync personal folders to personal computers.. No one really needs to sync up their contacts to their home pc when they are not within wireless reach of it and if they did then the obvious solution would be vpn/ipsec and at that point it would be miles beyond the scope of activesync in the first place....

# November 9, 2006 1:41 PM

MikeCal said:

Charles, we can argue over whether or not "rare" was the right term for me to use.  But you have to admit that there were a ton more viruses and malware in 2005 than in 2000.  As for me saying that MS devs are more conscious of security sounding like it's from a corporate poster, whatever it sounds like, it's true.  Maybe part of the reason I do these blogs is to help people see inside the company.  But, as a long time developer here, I can honestly say that we view security differently now than we did in the past.  And we do it because we believe it, not because some slogan told us to.

Solnyshok, thanks for the compliment.  In my off time I'm a science fiction writer, but I haven't published anything in five or six years.  Still, most my old stuff is free and on www.mystikeep.com.  Check out "The Daily Dose."  It's the best thing I ever wrote.

Dave E, re "Danger Pay."  Heh, no I don't get paid anything for doing these blog entries.  They're not part of my job and don't even seem to help me on my reviews.  (But I'm not complaining.  What I'm paid to do my real job is more than adequate.)  I do these because I believe they're the right thing to do.  And, however absurd the reasons sound to you, they're the truth.  As I told Solnyshok, I'm a fiction writer in my off time.  If I wanted to make something up, I'd come up with something better.  (-:

Amin, we certainly do care about market demands.  Pretty much everything we do is based on market demands.  And the market has demanded the things the ActiveSync team has been doing much more than it demands Desktop WiFi.

Griffon and macbirdie, yes, it's definitely possible for us to add the encryption (we'd use SSL).  It's not that it's hard or impossible.  It's that it's a lot of work that needs to be prioritized against the other work we need to do.

Mike

# November 9, 2006 2:04 PM

P Cause said:

Thanks for the explanation.  The choice is still the wrong choice for many of us.  Worse, it is infuriating not to have a choice.  You could have created a group policy option to disable this on the PC in corporate environments.  You have a PPTP stack and you could have forced use of that for WiFi sync and also required XP Pro (which can serve this) for the desktop.  You could have done .....  One understands the big push for security, but you have overdone it.  You guys are smart and could and should have found a solution.  You chose to punt because of the security paranoia that swept MS and that is the coward's way out!

# November 9, 2006 2:17 PM

Brandon said:

I'm not going to go into conspiracy theories or childish name calling.  But I am definitely one of the angry wifi sync'ers that has had to try and make do with the crippled activesync 4 that we have now.  I wish you guys would stop making excuses and just take care of the problem.

# November 9, 2006 4:22 PM

Maciej Rutkowski said:

Mike, thanks for this brave move to try to explain our little "problem" anyway, but as you can see, there are lots and lots of people wanting to load this gun and have someone pull the trigger for them. Maybe the big-fat-warning-sticker-registry-key and/or group policy restricted setting is the way to go for now?

I am one of those Pocket PC users that have their home wireless network WPA/WPA2 (mixed mode) secured and would like to sync within my home network's boundaries. There's nothing that makes me worried security-wise. There's a bigger chance of someone doing a MITM attack on my ssl "secured" email connection to a server that doesn't provide trusted certificates.

Is the ethernet sync code completely removed from ActiveSync?

# November 9, 2006 4:43 PM

andy said:

Thanks, Mike.  What many comment authors fail to read is that you weren't involved in the decision to pull plaintext activesync wifi.

I would rather see higher priority for improving ActiveSync's error traps and messages.  Sometimes it spins its wheels forever, with no timeout, and when it throws an error it's some obscure negative 8-digit code.  Often a lookup only yields the frustrating resolution "re-install ActiveSync."  I would like to see some better communication than that.  A few descriptors can go a long way.

Luckily I have Verizon Wireless Sync.  If I did not, I would be forced to deal with ActiveSync and become frustrated when it (often) fails without reason.  I'm lucky enough to not require Outlook, which has terrible PST-file corruption problems, because my company is lucky enough to not use Exchange, which has terrible mailbox size limitations.  Sorry to bring all of this up.  Do you see where I'm going with this?

# November 9, 2006 5:04 PM

Chris E. said:

Holy hanna, talk about NOT LISTENING TO THE PUBLIC..

This issue has been around since 4 came out.  Surely by now the functionality could have been corrected.

Funny thing is, most people who are intelligent enough to even set up their device to synchronize over WIFI are likely already aware of the security implications of doing such over an unsecured wireless network.

Add me to the list of people who don't care about corporate security on my personal device.  As a member of the general public, I want my useful features back.

At the very least, provide a method for the 3rd parties to add the functionality themselves.  If we're forced to put up with crap like this, give other people a chance to capitalize on MS' shortcoming.

There is absolutely no reason why this traffic can't be encapsulated on either end via an encrypted tunnel.

Rant complete,

Chris

# November 9, 2006 5:32 PM

Garry said:

I understand that the decision to remove wi-fi may have been due to the security of companies that used it and were therefore unaware that their data was then available to the public, and that's great.... for them.

There are a lot of people out there who use their WM Device for their own personal use, and a lot of them have wireless networks that are protected by security measures that MS suggest and more, not to mention firewalls.

So the question has to be put to the team responsible for this decision, "Why not allow the user to enable Wi-Fi Sync and have lots of red lights go off warning them to take precautions?" A company wouldn't activate such a feature due to the risk involved, but a user using it for their personal use on their secured Wireless Network at home would be more likely to have nicer things to say about MS.

Garry

# November 9, 2006 6:20 PM

Matthew said:

This sounds like security as a scapegoat to push people into the exchange lockin. With the ActiveSync, you could be syncing mail that got to Outlook via POP or IMAP, actual standard and not the closed exchange system.

There aren't more viruses so much as they just spread a lot easier now that everyone is using Internet Exploiter and Outhouse for web-browsing and email. But those aren't the real threat. We are transferring data, and regardless of how you carry it, the virus in the email will be transported. If you are worried about the virus hopping on the network, well, killing ActiveSync doesn't stop that as it'll just go some other way over the still-present WiFi connection.

I don't get how the Internet even comes into the picture. Sync over WiFi goes from the handheld to the desktop on the LAN and WLAN. There is no reason that traffic would be getting out to the internet, so if it's not encrypted then the only place it is available to outsiders is on an unencrypted WiFi connection.

On that topic, a secured WiFi network is stronger than Bluetooth. The Bluetooth encryption is a joke, more trivial to crack than the stupidest WiFi encryption. If you are concerned about security, then Sync over Bluetooth should be disabled too.

The comments about using IPsec or PPTP are spot-on. Those are the easiest way without changing the underlying protocol. But, oh wait, the underlying protocol was already changed a bit to use RNDIS over USB to simulate Ethernet rather than PPP atop a Serial over USB connection. The security could have been incorporated while that update was being made. Of course, nobody was thinking, just like nobody was thinking when they made the handheld the DHCP server, which causes address conflicts, which limits to one device at a time. Just like nobody was thinking when they decided ActiveSync should hijack all network traffic (except its own) on all interfaces, with NO option to disable it, just so it could route it through the (potentially slower) ActiveSync connection, even if it's not TCP traffic and thus isn't handled by ActiveSync and instead dropped on the floor, making it impossible to ever use a debugger with an application that needs a real data connection because it talks UDP or raw IP.

People will continue to look at Microsoft negatively as long as they see massive screw ups with both security and stability. As much as you say it, I know Microsoft, as a whole, still doesn't GET security. Whether it be securing software against attacks (multiple remote execution vulnerabilities in IE7 on first week after release) or securing data (NTLMv2 password hash, S/MIME with 40bit RC4), Microsoft consistently makes the same mistakes every time.

# November 9, 2006 6:28 PM

Mike Dimmick said:

As a developer, sync over Ethernet/WiFi was an absolute godsend before USB sync, because it was several orders of magnitude faster than debugging over a serial connection.

On devices before Windows Mobile 5.0, I have discovered that it is possible, even with ActiveSync 4.x, to begin a sync session with USB, start debugging, then pull the device out of the cradle and continue to debug - the debugging connection seems to fail over to WiFi. I'm sure this is accidental - don't go and remove it, because it's useful.

Windows Mobile 5.0's disabling of the network card and GPRS (or other cell radio) connection on connecting to ActiveSync is completely brain-dead for this reason: it's impossible to debug applications which use the network card or cell radio connection.

# November 9, 2006 6:38 PM

ET said:

With respect, Mike, your timeline is wrong.

Pocket-sized PC devices and the HPCs could be synced over Ethernet. So it's not 2000 when the design choice was made to enable it.

The truth is that insecure communication is not allowed by design anymore in Microsoft product. This is the 'secure by default' principle. So it cannot be enabled by default, and the ActiveSync guys *had* to shut it down.

Those asking for the ability to lower their security voluntarily have a point. But they do not have the understanding of the difficulty in changing the ActiveSync (non-Exchange) to be authenticated and secure. SSL isn't a magic wand that makes the scenario work - there is infrastructure (obtaining and deploying certificates) that is not reasonable in many (probably the majority) of non-commercial cases. Remember, this isn't one cert for a single external server, it's one for each desktop and possibly each device.

# November 9, 2006 7:37 PM

MikeCal said:

It sounds like I didn't make myself clear enough.  There never was a "Sync over WiFi" feature in ActiveSync.  ActiveSync had "Sync over IP (Ethernet)."  Sync over WiFi worked because WiFi is IP, and ActiveSync was listening on IP.  

You can have a fully encrypted WiFi connection to a router so that everything going over the air is protected, and then have it go unencrypted from the router to the desktop PC.  If anyone is capable of listening to that connection, then they're capable of doing bad things to your desktop PC (if you have Sync over IP enabled).  

I find it interesting that multiple of you have said, "No, Microsoft doesn't GET security ... so re-enable this insecure feature now."  You can't have it both ways.  You could say that the company is overreacting on security and that it's really not important.  (Come on, an integer overflow shut down an airport.)  Or you could say that we're not doing enough for security and should have disabled this feature long ago.  But, "You're not doing enough, so you might as well not do anything," just doesn't fly.

We understand that Sync over IP was a very valuable feature, ESPECIALLY for debugging (that's the part that hurts me the most).  I'm definitely NOT trying to convince you that it's something you don't need.  I would like to see a secure version of it return just as much as you would.  

But that doesn't change the reality of software development--that features need to get prioritized and done in priority order.  Call that hand waving, rationalizing, or making excuses if you'd like.  It's reality.

Mike

# November 9, 2006 8:16 PM

bill said:

I doubt the mobile team is serious with security. Currently client certificate authentication with exchange activesync has a serious bug and from what I was told will not be fixed in windows mobile 5. The fix will be in next version of the OS. Meaning that all new devices will have to be purchased to fix the issue.

See http://blogs.msdn.com/windowsmobile/archive/2006/07/06/658142.aspx  “rain man” comments this exactly.

Another non commitment to security is the ability to support third party client certificates. Microsoft blindly wants the whole world to use their CA’s  

# November 9, 2006 9:53 PM

deezy said:

Here's a "Secure By Default" solution.. If your wireless connection is encrypted allow sync via wireless if not don't. but still I stress that People that want to use wireless sync on their personal pcs are people that were bright enough to see the true benefits of a WM device and more than likely already are aware of Wireless Encryption and such.

I personally feel that MS is going by the 98% of the population is Stupid stand point. This may work for GUIs and base security on your standard communication protocols but it just tends to make people feel insulted when you say [We took this Feature away for your own good]...

if you think that ssl is the answer then i personally think you're crazy. Lets not even focus on the Certificates portion and point out that it has to be served somehow(no home users allowed). and hosting it at MS would be ridiculous. Why on earth would i want to connect to an ssl MS server to sync with my pc that's in the other room. IPSEC/VPN is your answer for enterprise situations unless they are in the office.

---

LAN traffic/security should be policed by the owner of the traffic(ie. the router or user) not the application.. that's how you build exploitable applications with limited end user support.

---

# November 9, 2006 10:57 PM

deezy said:

ok the ssl thing may have been a bit aggressive and not well thought out.. but the point remains valid that the encryption of the wireless communication made via activesync should not be in the scope of activesync it should in fact fall in the scope of wireless security. Any pc communication can be mocked to a router if the connection is unencrypted via a standard wireless connection just like a WM device can but that doesn't mean we should just turn off wireless capability in Windows now does it?

# November 9, 2006 11:12 PM

Richard Haynes said:

You're such a good writer, Michael. One doesn't expect that from wireheads. I love reading your comments.

# November 9, 2006 11:58 PM

Richard said:

So, if I understand correctly, MS is taking the "here is what I can do, take it or leave it" approach?  

Isn't  this the complete opposite of how MS has been treating their customers in the past?

Anyhow, to fully understand your point about priorities, could you give a few examples of features that are prioritized ahead of sync over wi-fi?

For my part, I do believe, as previously mentioned, that an API could be provided for third parties to implement custom sync setup (including WiFi for nerds who have a protected WiFi link @ home anyways).

As mentioned earlier, why can we shut down the Windows firewall?

Is it because different departments have different visions of security @ MS?

To me having the possibility to turn off the windows firewall or enabling sync over wifi is the same given your arguments.  In the same line of thoughts, the windows firewall should not offer the possibility to be turned off, no?

Richard

# November 10, 2006 1:44 AM

Antonios said:

Mike

Appreciate some of the technical decisions that went into removing this option.

From a carrier perspective, it was too niche for me to train my support staff on, and when I did get calls from customers we were put in the embarrassing position of not being able to provide support.

I think we got nearly 400 calls for Xda IIs/i over its lifetime - no way I could take a massive call team offline to train them on this niche aspect.

So good on MS for taking it out for security, but also allowing sp's time to train up on how to support this feature!

Antonios K

- former manager, Xda, O2

# November 10, 2006 2:14 AM

Garry said:

Mike,

If you had your own private build of AS (which just happened to have IP sync options) on your home PC that was connected to your secure wireless network (using WPA2 and whatever else most people use) at home, would you enable that little box for IP Sync?

All most people here are trying to convey is, "Hey we know that there are risks to using that feature, but we are competent enough to take security precautions to ensure that there is little to no risk. All we want is the option to enable it with flashing red images and sounds saying warning this connection may be unsecured if you don't know what you are doing."

It's not that we don't care that the security isn't built into the Software or that we don't think the team understands security, it is more that we are also security minded and that we would prefer to have the option rather than not at all.

Garry

# November 10, 2006 8:43 AM

Richard said:

Quick note: posting is very difficult, I get a lot of server errors; which is why there are multiple posting...

Richard

# November 10, 2006 10:16 AM

Andy Mulhearn said:

I can't say I used wireless synch that often - it was too hard to get going. Having said that, I find the arguments for its removal specious to say the least.

I'm also not sure how this works:

"You can have a fully encrypted WiFi connection to a router so that everything going over the air is protected, and then have it go unencrypted from the router to the desktop PC."

Do I have two wireless LANs connected to one router, the one from the PocketPC to the router encrypted and the one from the router to the desktop not encrypted?

Nope, I just don't see how this works.

# November 10, 2006 11:16 AM

MA said:

Mike, I appreciate your bravery to even address this issue, and the comments that follow are aimed squarely at your employer and its attitude and not at you personally: It's the whole 'we know best' thing that pervades Microsoft's approach which I object to. I find I really don't much enjoy working with people who persist in treating me like a 3 year-old child: 'There, there, babykins, we don't want you having to worry your little head about whether apps are open or closed do we? Oh, and that nasty WiFi syncing is far too dangerous to let you play with. So, just sit back and watch the eye-candy: Daddy knows best.' Actually, I'm an adult and, providing that you hand me a product that is set up to be safe out-of-the-box, I am capable of making the decision to remove the safety catches in a responsible way. Please trust me to be able to do this.

# November 10, 2006 12:13 PM

Charlie said:

Thanks for the article Mike. This one actually makes sense, unlike the close button isn't a close button "feature" in a previous article.

It seems like you could just require a "seed" activesync connection over a secure media like USB to exchange crypto keys between the PC and device as part of the "partnership" process and enable encrypted and authenticated activesync over the network based on that.

# November 10, 2006 12:22 PM
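
Charlie's suggestion above, sketched as an added example (not part of the original thread and not ActiveSync's actual protocol): a key is shared during the USB partnership step, and later network sync is accepted only from a peer that proves knowledge of it. The `Endpoint` class, role names and frame layout are assumptions; only authentication and integrity are shown, and confidentiality would additionally need an authenticated cipher keyed from the session key.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)) + part)
    return h.digest()


class Endpoint:
    """One side of a partnership (hypothetical model, assumed for illustration)."""

    def __init__(self, role: str, pairing_key: bytes):
        self.role = role.encode()
        self.pairing_key = pairing_key   # shared once over the trusted USB link
        self.session_key = None
        self.send_seq = 0
        self.recv_seq = 0

    def new_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def prove(self, device_nonce: bytes, pc_nonce: bytes) -> bytes:
        # The role is bound into the proof so it cannot be reflected back.
        return _mac(self.pairing_key, b"auth", self.role, device_nonce, pc_nonce)

    def verify_peer(self, peer_role: str, proof: bytes,
                    device_nonce: bytes, pc_nonce: bytes) -> bool:
        expected = _mac(self.pairing_key, b"auth", peer_role.encode(),
                        device_nonce, pc_nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        # Fresh nonces give a fresh session key for every connection.
        self.session_key = _mac(self.pairing_key, b"session",
                                device_nonce, pc_nonce)
        self.send_seq = self.recv_seq = 0
        return True

    def seal(self, payload: bytes):
        """Tag an outgoing sync record with sender role and sequence number."""
        seq = self.send_seq
        self.send_seq += 1
        tag = _mac(self.session_key, self.role, struct.pack(">Q", seq), payload)
        return seq, payload, tag

    def open(self, peer_role: str, frame):
        """Return the payload, or None if unauthenticated, altered or replayed."""
        seq, payload, tag = frame
        if self.session_key is None or seq != self.recv_seq:
            return None
        expected = _mac(self.session_key, peer_role.encode(),
                        struct.pack(">Q", seq), payload)
        if not hmac.compare_digest(expected, tag):
            return None
        self.recv_seq += 1
        return payload


def pair_over_usb():
    """Partnership step: the key never crosses the network."""
    key = secrets.token_bytes(32)
    return Endpoint("pc", key), Endpoint("device", key)


def handshake(pc: Endpoint, device: Endpoint) -> bool:
    """Mutual challenge-response carried over the untrusted IP network."""
    device_nonce = device.new_nonce()
    pc_nonce = pc.new_nonce()
    if not device.verify_peer("pc", pc.prove(device_nonce, pc_nonce),
                              device_nonce, pc_nonce):
        return False
    return pc.verify_peer("device", device.prove(device_nonce, pc_nonce),
                          device_nonce, pc_nonce)


if __name__ == "__main__":
    pc, device = pair_over_usb()
    print("handshake ok:", handshake(pc, device))
    frame = device.seal(b"contact: Alice (constructed sample record)")
    print("first delivery:", pc.open("device", frame))
    print("replayed frame:", pc.open("device", frame))
```
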

Thorsten said:

Really a well written and fun to read article. But your arguments don't convince me, not even a very little. I really don't think making this feature optional and prompting a warning if activated is that dangerous. Or make it an unsupported powertoy that needs to be installed separately.

Personally I really need that feature so much that I stick with AS3.8/WM2.3 as long as my WM2.3 PPC lasts. It's what keeps me from Vista and new PPCs (which I really would like to have). Especially for software development the ethernet (non-wireless) AS is a BIG advantage I really can't give up.

Thorsten

# November 10, 2006 12:29 PM

Christopher Spera said:

I'm probably going to repeat a few things that have already been said; but I promise to keep this short.

Rather than make the decision for me, I'd rather you warn me, and then let me face my own music. Personally, I think removing WiFi to Desktop AS synching had something to do with the way you're reading packets sent over the network. AS is all IP based, and it's the only way you could get the synching x of y to the exchange server read. I think I get that; but removing it from desktop AS just doesn't make sense to me. Again, I'd rather you warn me and let me make the blunder (if any) than take features away from me.

Personally, I don't use the feature anymore, as I have an unlimited data plan from my cell carrier and sync OTA with an Exchange Server; but I know of a lot of people that want this back. I know all about feature priorities, too, as I'm a software QA manager... You have my sympathies and my thanks for the explanation.

Kind Regards,

Christopher Spera

-------

pocketnow Sr. Editor

pocketnow.com -- it's all about portability...

http://www.pocketnow.com

# November 10, 2006 1:08 PM

whydidnt said:

Mike, you may say that this was removed purely for security reasons, and that "may" be true.  However, I find it one more example of the Windows Mobile team playing nanny to its users, and deciding that only the team knows what's best. We have TOO many instances of the WM team deciding its users aren't smart enough to make an informed decision:

1. No Close option - users obviously can't be trusted to manage their own apps and memory.

2. No True VGA support - we are stuck with pixel doubled apps and even PIE automatically doubles all images - no choice at the user level to toggle this on or off.

3. No ethernet sync - again, the message is users aren't capable enough to make the right decision on when to use this.

I'm sure if I spent more than 2 minutes thinking about it there would be several other examples of this Czarist attitude.

I used to work for a software company - when bringing the development team there requests from our customers for enhancements to the software, I was often presented with the question - "why would anyone want to do it that way", as if the only correct way is the way the original programmer wrote it.  Needless to say that company has been dealing with the loss of several large customers over the last few years, primarily because those customers felt the organization didn't listen to them and didn't care.  The WM team seems to have much of the same cavalier attitude towards the large base of consumer users that have contributed greatly to the growth of this OS.

# November 10, 2006 6:30 PM

Mick said:

Microsoft's paternalistic attitude toward users is the reason I'm seriously planning to learn how to install and use Linux rather than downgrade from a version of Windows that I am perfectly happy with, and throw out a computer I am perfectly happy with so I can have the latest OS, Windows Vista, which is even more bloated than Windows XP, on which I turned off most of the eye-candy in favor of speedier performance.

I'm still unhappy about the decision to change Pocket Outlook authentication when PPC2000 was "upgraded" to PPC2002, so I could no longer use Pocket Outlook with my frontiernet.net ISP. I will stay with WM2003SE PE and ActiveSync 3.8 as long as possible rather than give up any more functionality.

While I have never used WIFI sync, the idea that Microsoft has taken away that option, on the ground that I am incapable of making my own decision whether or not to use it is nothing less than infuriating.

I suspect that Microsoft is still thinking of ways to put us all on a subscription basis for using its bloatware.

I've been waiting for a user-friendly version of Linux, but Microsoft's arrogance may force me to learn how to use it in its current form.

# November 10, 2006 8:13 PM

MikeCal said:

Richard, thank you for the kind words.

Garry, re: "If you had your own private build of AS (which just happened to have IP sync options) on your home PC that was connected to your secure wireless network (using WPA2 and whatever else most people use) at home, would you enable that little box for IP Sync?"

Not a chance.  

I see that I'm repeatedly failing to explain the problem well enough.  But securing your WiFi doesn't solve the problem.  If you have the most secure WiFi protocol on the planet going between your device and your router, AS 3.8 with Sync over IP enabled is STILL insecure.  You didn't even make it a little bit more secure by locking down the WiFi.  WiFi has nothing whatsoever to do with the problem.  It's the IP connection that ActiveSync opens to the entire network that's the problem.

Mike

# November 10, 2006 8:44 PM

Perry said:

"It's the IP connection that ActiveSync opens to the entire network that's the problem."

That's only a problem if the entire network itself is unsecure.  My home network is secure.  Both physically (nobody can access it outside of my house) and via hardware firewalls.

So tell me again why running AS on it suddenly makes it unsecure...

# November 10, 2006 9:28 PM

Jorge Vasquez said:

As a sequel to this post, I'm sure we all would like to know the hidden reasoning behind the odd (to be nice) file open dialog in Windows Mobile.

# November 10, 2006 11:59 PM

Alex Kac said:

Remember, Mike had nothing to do with this. He's just opening MS up to y'all. And frankly remember that the 10-15 people here do not constitute a majority of users. The few million users in corporate America are Microsoft's market more so than the few thousand tech enthusiasts who would want this feature enabled.

Believe me, I'd rather have this re-enabled over SSL than not enabled at all, but it's important to remember where everything sits relatively.

# November 11, 2006 2:36 AM

Patrick said:

There really is a lot of duh-mness in some of the PDA OS from MS.

So.. as the Healthcare person commented there is an absolute positive need for security. How about only passing pre-encrypted password protected files in the first place - Duh#1. You probably are using some proprietary software and you can build in encryption, and virtually all of the MS Office type files have password protection. Even though the PDA Excel program doesn't have password capability, there are other add-ons such as PTab that do.

Here is what I think, you can add this to the kooky conspiracy theories. MS is contracting out the programming to (fill in the blank) India and they don't have the ability to rework the software without a large time spent getting trained and up to speed. They are highly talented, but just can't easily cope with someone else's code.

Theory 2 - As mentioned elsewhere, the PDA ain't where the bucks are. I think Gates is enamored with the Tablet now, so we PDA'ers suffer. I do fieldwork and although I would like a large screen, the weight and short battery life of larger devices kills them for me, but not for all of those who are already lugging notebooks and can plug in almost anywhere.

Theory 2.1 - As mentioned elsewhere, the PDA ain't where the bucks are. I think Gates is enamored with the PDAPhone now, so we PDA'ers suffer.

Theory 3 - Lazy bums

Theory 4 - They think the public is too dumb to live. They might be right, since we actually are continually voting to have term limits for politicians. That is an amazing concept that goes something like this - We want to vote to remove politicians in the future because we will be too stupid in the future to vote for someone else. The only good thing about passing term limits is that we know for sure that we are already stupid. Perhaps we have revealed how stupid we really are and MS found out.

So is MS the stupid one, or are we? We can be certain who has the power to make the software that most of us use. Write Bill a letter, maybe that will work. Now now now, don't be stupid.  

Pat

# November 11, 2006 11:23 AM

Jon said:

By the same argument, shouldn’t unencrypted POP3 and SMTP be disabled?

# November 11, 2006 4:24 PM

ex-wifi-syncer said:

Microsoft: just make AS IP sync a checkbox that comes with a nice long legal form for me to sign to indicate that I understand technology and that everything isn't perfect.  OK?

(how did they get away with providing all the other security holes in PocketPC???)

# November 11, 2006 4:54 PM

Scott Yost said:

Jon - I'm not sure if you actually want an answer or if that was a rhetorical question, but here goes.

Unencrypted POP/IMAP has at least a password on it.

Unencrypted POP/IMAP doesn't give unauthenticated read/write access to your contacts, calendar, tasks and e-mail on both your PC and phone.

Unencrypted POP/IMAP doesn't run as a server on your home PC in the typical case.

POP/IMAP has the ability to be secure if you want to - IP sync doesn't as it stands. It requires the network topology to protect it from external attack.

# November 11, 2006 10:58 PM

Frank said:

This is just another example of the arrogance at Microsoft. The sad reality is that Microsoft will not listen to customers until some other competitor gives them a kick up the a** (eg. IE and Firefox). Unfortunately, there doesn't seem to be any real serious competition to the Windows Mobile platform, so we have to take whatever they deem we deserve.

# November 12, 2006 2:25 AM

Jon said:

When I asked my question about POP3 I was attempting to play “devil’s advocate”.  I have been really impressed by Microsoft’s new focus on security even if it does create the occasional annoyance.

Both the original post and MikeCal’s comment mention one of the reasons for removing the feature was due to unencrypted data being sent over non-trusted networks.

(From memory) POP3 sends not only email but also usernames and passwords as unencrypted data.  These passwords are reasonably likely to be the same passwords the user is using to access their company network or VPN server.  Although POP3 has various extensions to make it more secure, I would expect that the insecure versions are still in widespread use.

I assume the main problem with ActiveSync is that home users could decide to poke the ActiveSync TCP/IP ports through their firewall and there was a high risk that the ActiveSync network protocol could have been exploited.  Even if Microsoft had fixed it for WM5 devices, it would still have broken WM2003 devices.

Just like Ethernet ActiveSync, it is possible to use POP3 in an insecure way and it is also possible to use it securely.  ActiveSync using an Ethernet cradle (e.g. the one used by the Intermec 700 series devices) or ActiveSync over WiFi on a private network was reasonably secure and very useful – I hope some new improved version of it arrives soon.

(PS Perhaps you could consider tackling another tricky subject - why Microsoft changes product names with each release e.g. PocketPC to Windows Mobile 2003 to Windows Mobile 5 and also the recent Windows CE change) :-)

# November 12, 2006 9:27 AM

Kevin said:

Ok - some of you may laugh at this, but I just purchased a HP hx2495 FOR THE EXPLICIT PURPOSE of WiFi sync at work!  

So obviously, this is not what I wanted to hear.  Matter of fact, I am very disappointed that IP ActiveSync has been removed and, at the moment, pissed that Microsoft is trying to follow the high road.

After I get over this, it may sink in that this was for the better...MAY BE.  But, in America, we have the RIGHT to do things that are absolutely absurd and nonsensical.  So, why is MS stepping above that??

If nothing else, I hope that the feedback from everyone is heard LOUD AND CLEAR that this is a feature that the public wants.

Now - what about Exchange Active Sync?  This will not help everyone, but that is "too bad".  We use Exchange 2003, but I am not sure what Exchange Active Sync is...and would it work over a wireless connection??  I am using WM5.  If you can tell me that much, at least my problem will be solved (after a bit of setup/configuration work).  

FYI...I am the CIO at my company; maybe I'll agree with this after I calm down.  Typically, I strongly advocate (and demand) to reduce the surface area of exposures.  However, at the moment, I am not happy that this feature is removed indefinitely.  

# November 12, 2006 11:26 PM

Kevin said:

Mike:

What other work is being done in AS that is getting a priority over IP Sync?  Maybe if you can explain that, it will start the healing process.  I understand priority of projects and goals, but you are asking us to take this for granted.  What are the features that are under development?  

...hey, I'll sign a NDA if necessary!  It is very annoying that this feature should be a "given" function.  We are living in a wireless society - so what's up with this?

-Kevin

# November 12, 2006 11:28 PM

Marc F. said:

After reading the OP and many of the comments I have to say I agree with what MS has done. I can understand it too. Most people aren't savvy and will blindly fire away like they always do. MS is evil.

By allowing this security issue to go unchecked and place it in the hands of those who don't know better, MS is sending out an open invitation to get persecuted. Again. Like they need more of it, right?

We don't have WiFi sync because of less knowledgeable people who are looking for an excuse to bring a lawsuit, or otherwise "public complaints" exist.

# November 13, 2006 2:06 AM

Dingbat said:

All this talk of "we can secure the wifi interface but the interface between the router and pc we can't secure", although true, begs one to question why MS does not implement encryption at the application layer (if referring to the TCP/IP protocol stack); then secure encryption can and will be available between the router and PC and router and handset (Pocket PC) via the wireless interface?

# November 13, 2006 4:28 AM

Jan Baaltfink said:

Shame on MS AS. Why do I have WiFi in the first place? Right, for AS with one of our exchange servers.

We will look for another application that can do wifi sync, with exchange support (or even not exchange, so we will bash out exchange in our 10000+ pda user company)...

# November 13, 2006 5:42 AM

MikeCal said:

Re "paternalistic attitude."  When an exploitable integer overflow flaw in XP literally shut down an airport, absolutely no one said, "Good for you, Microsoft.  Instead of getting paternalistic on us, you left the job of securing your flawed code in the hands of your users."  At least, I'm not aware of anyone saying that.  If someone did, I'm pretty sure he was being sarcastic.

We do not shut down insecure code because we think our users are stupid.  We shut down insecure code because history has shown us time and time and time again that, if we don't, bad things will happen.  And by "bad things," I'm talking about multi-billion dollar hits to the world economy.  

Put yourself in the shoes of the guy whose code cost the world billions of dollars.  Does the fact that you wrote it before the exploit type had even been invented yet make you feel better?  Maybe it does, maybe it doesn't.  Now, put yourself in the shoes of that guy's coworker, someone who knows that there's a flaw in his code that he can't fix in time.  

If you're really standing in those shoes, can you honestly tell me that your response would be, "Who cares about the flaw, users can protect themselves if they really want to"?  

If you really believe that would be the right response, then all I can say is that I'm sorry, but we as a company just can't meet your needs.  We can't ship products with known gaping security holes.  

Tell us to bring a secure version of the feature back.  Tell us about the pain we're causing you by disabling the feature.  But don't ask us to ship insecure products.

Mike

# November 13, 2006 12:34 PM

MikeCal said:

Patrick re "How about only passing pre-encrypted password protected files in the first place."  As I said in the original post, that didn't seem very important in a world where the only communication going between the device and the desktop was over a serial cable plugged into the desktop's com port.  We certainly didn't need it then.  But, to do sync over IP, we certainly need some sort of encryption now.  The relative values of pre-encrypted password files and channel encryption (like SSL) is a different discussion.

As for the conspiracy theories, I don't know how much you'll believe messages from the heart of the conspiracy, but I'll answer them anyway.  

1) Some parts of our development are done in India, yes.  Active Sync, however, is completely handled by Redmond.  

2) First, Bill Gates spends more time vaccinating entire third world countries than he does choosing between Tablet PCs and Windows Mobile.  If you really want to blame a person, he's the wrong one.  Second, Tablet and Windows Mobile are in separate divisions.  We're each expected to make money and certainly don't purposely hurt one to help the other.  

3) I don't know how to respond to this other than to point to the number of releases we've done in the last seven years.  You certainly don't do that by being lazy.

4) I certainly don't think my users are stupid.  And I don't meet many people around here who think so.  Maybe we just have a differing opinion on how easy some things are.  I personally feel that it's challenging to so perfectly secure a network that it's safe to leave an open vulnerability on it.  Maybe we're saying, "This is so hard that we couldn't do it.  How can we possibly expect our users to?"  Maybe we're the stupid ones.

Mike

# November 13, 2006 1:00 PM

MikeCal said:

Kevin, yes Exchange 2003 supports Exchange Active Sync (EAS).  With EAS, your device connects directly to your Exchange server rather than going through your desktop.  You can do this from any internet connection from anywhere in the world.  So if you're travelling and get a network connection, you can stay in sync.  It works over WiFi hotspots, hotel net connections, cellular connections, etc.

For a CIO like yourself, we think this is considerably more useful than needing to get some way to connect to your desktop before being able to sync.

Here's a guide for setting up EAS in your company.  http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfpdepguide.mspx

As for what we're working on instead of Desktop sync over WiFi, unfortunately, I just can't talk about such things.  That would effectively be me preannouncing unannounced features.  That's marketing's domain and not a place where I can tread.

Mike

# November 13, 2006 1:50 PM

digucit said:

I wish the WiFi option would be available for small business/home users who don't care too much about the security of email. I hate the fact that WM5 has no PAN Bluetooth, I cannot see it as a "mobilepc" on the network, and my Microsoft Bluetooth dongle is only the lower class 10m range, so it doesn't work further than the hallway. All this technology and it only eliminates the cable connection, but gives me no range further than the desktop.

Screen rotation:

I have told my Imate Jarjar to work in landscape left-handed mode, but it would appear that this setting is overridable by all programs; this makes using the WM5 device in the car a real pain in the neck. I set off on a journey, enable TomTom (at least that stays in landscape mode), but then I get a call, duh, it displays in portrait mode, so I have to try and use a touch screen in the hardest way possible... then the phone reverts to this mode until I get somewhere to pull over and reset the screen... If anyone finds a JarJar on the highway, then you know I got too annoyed with it and used the Windows option on my car instead...

The X factor... need I say more... why not allow a close and a minimize button on AU4... allow the apps to min down to the taskbar... now that would be good.

Voice tags..

Can we find a way to save these... I am so fed up recording them every time the phone crashes and I have to reboot... please...

Screen Rotation

I have to rotate three times to get to the correct orientation on the device... could we have a default clockwise or anti-clockwise feature?

Windows Mobile Media Player

Well, on the Imate Jarjar it's rubbish; it will never play FULLSCREEN, only a postage-sized thumbnail in the centre of a huge screen.

I use PocketTV... no problem FULL SCREEN.

The Today/Desktop

Why do I have to buy an app to put icons on the desktop? I use my device as a PC, not an electronic diary.

Where did somebody decide that these devices should be just beefed-up diaries and not mini PCs? I would get rid of all the clutter and put icons on instead; it's easier to hit the target with a finger if it's an icon.

I have all the diary devices since the first PC, but never, never use them like that... please stop always trying to make it a diary/calendar/reminder device... I got a brain gadget for that task, which I cannot lose and so far in 39 years of continuous use has not crashed, or even had a blue screen; mind you, I think I did drink a bit too much one day and have a grey out.

# November 14, 2006 11:52 AM

John Mc said:

Mike,

I can see you are fighting an uphill battle against people who don't see why their Wifi Sync was thrown out the door and I do feel for you.

I'm only a recent addition to the PocketPC scene and so have never had the benefits of Wifi Activesync, though I must admit I *could* find it useful.  I completely understand what you are saying that while you can have WPA encryption on your wireless network, the moment you introduce a cable length or wire into it that network becomes completely open to man-in-the-middle and electrical listening devices.  I for one am glad you disabled what is essentially a gaping security hole, and am glad you took the time to say exactly why you disabled it because it confirms exactly what I thought would be the case.

I know you won't have any idea *when* Encrypted Activesync may be made a reality, but is it on the list of Things To Do?

Thanks

# November 14, 2006 11:55 AM

Fred Block said:

That was an excellent post! Thanks so much for taking the time to go into such detail. Shields down Captain! I would say you are safe. :)

# November 14, 2006 1:52 PM

George Henne said:

You've stood up and taken the bullets for the close button and ActiveSync WiFi.

How about doing a post on dropping support for ADOCE next? It's a natural to allow people to use Access data on devices - why take this away?

# November 14, 2006 6:30 PM

Lujayne said:

(OT)

Mike, you said you aren't being paid for writing all of this? You really should be paid, truly. Your patience and endurance against all these harsh comments are outstanding. I appreciate the time and patience that you used to write and respond here.

# November 15, 2006 4:45 AM

Tweakradje said:

When using ASync 4.2 I found the following registry values very interesting:

HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners\1c0c74e7\Services\Synchronization\Objects

(1c0c74e7 = my device partner number)

Each object here can contain a DWORD value called WirelessEnabled. Any comments on that, Mike?

Tweakradje

# November 15, 2006 7:24 AM

Tweakradje said:

In reply to:

How about doing a post on dropping support for ADOCE next? It's a natural to allow people to use Access data on devices - why take this away?

Start regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\Services\Synchronization\Objects\MicrosoftTable

There is a dword Disabled there that can be set to "0"

Dunno if it is functional but it does show Pocket Access in Active Sync again.

Think it is not supported by Microsoft ;O)

Tweakradje

# November 15, 2006 8:36 AM

MikeCal said:

Lujayne, thank you for the kind words.  Don't get me wrong, Microsoft pays me very well to do my day job.  It's just that these blog entries don't have anything to do with my day job.  I'd be paid the same whether I did them or not.

Tweakradje, I had to have the ActiveSync guys go hunt down the code for that registry key.  It appears to be a remnant of pre-WM5 sync engines that isn't used anymore.  It doesn't seem to be used on WM5 partnerships and certainly wouldn't enable wireless desktop sync if you changed it.

Mike

# November 16, 2006 2:30 PM

kelvin said:

I'm pretty sure all your statements are just fictitious.

First of all, an Exchange Server connection can be established without SSL encryption through ActiveSync. Now, isn't that unsecure? Ya ya, I know it tells me that's unsecure. I'm pretty sure the local version should have done so as well... but it was removed completely.

Second, Exchange Servers are most likely connected through intranet or internet. Internet connection would mean it's likely to be a known address. Now, that makes it even more unsecure because people can tap into your stuff over the internet.

Thirdly, ActiveSync through WiFi locally has the lowest chances of someone even trying to find out about your address having ActiveSync. And of course, they can't even bypass your firewall or router if they haven't installed any trojan in your computer.

So, tell me, what are the chances of people hacking in your personal information through Exchange Server compared to a locally activesynced connection?
