WiFi Did You Do That?

Having survived explaining why the X button doesn’t close apps, I’ve been emboldened to take on the completely radioactive subject of why WiFi ActiveSync was removed from ActiveSync 4.  I’m sure that I won’t come out of this one unscathed.  The people affected by this are really angry.  And, though I didn’t have anything to do with the decision, I’m guessing that you’re going to take your frustrations out on me anyway.  But, hey, someone needs to explain why these things happen.  That someone might as well be me.

The truth is out there

Conspiracy theories abound.  Because WiFi to an Exchange server still works, some people have suggested we did this to sell more Exchange servers.  That’s definitely not the case.  Exchange has considerably more customers than Windows Mobile (although we’re growing quickly!).  Hurting Windows Mobile to make Exchange do better just wouldn’t make any sense.  Don’t get me wrong, I’m sure that the integration between Exchange and Windows Mobile has driven sales of both.  But we’re not about to hurt one product to help the other.  If nothing else, Windows Mobile and Exchange are in different divisions, and both are expected to make money on their own.  So even if Exchange came to us and said, “Why don’t you hurt yourself to help us?” we’d say “No thank you.”  (Okay, our response would be less polite than that….)

Secure this

The official (and true) reason has always been stated as “We removed it for security reasons.”  But, judging from the number of angry comments I see posted here, that explanation hasn’t really convinced anyone that it was a good idea.  So, let me go into more detail.  The first major issue is this: Exchange ActiveSync is encrypted and desktop ActiveSync isn’t.

Quick diversion to explain what “encrypted” means.  Think back to the old days when you used to send paper mail through the post office.  And think about the difference between sending a post card and sending a letter.  If you put your letters in envelopes, you had some reason to believe only the right people would read them.  But with post cards you wrote, “Having a great time, wish you were here,” on the back and just assumed that anyone in the post office could read it.  For this reason, you never sent company secrets on post cards.  Encryption is like the envelope you put your letter in.  It helps keep people who aren’t supposed to know what you wrote from reading it.  If you don’t use encryption, you’re effectively sending post cards.  Only, it’s not just the post office workers who can read it.  It’s everyone on the internet.

And that’s one of the main reasons we cut the feature.  Desktop ActiveSync over WiFi was sending all your contacts, calendar, and email data over the internet without doing anything to keep people from reading it.  If that doesn’t strike fear into your heart, let me add the second reason.  When a device connects over desktop ActiveSync we don’t do enough to make it prove that it’s really your device (we don’t “authenticate” well enough).  So, yes, when you had WiFi enabled on desktop ActiveSync, people on the internet could watch what you sent and then use that information to pretend to be your device.  If they were successful at this, they could convince your desktop to start sending your information directly to them.

You shouldn’t be furiously asking why we removed the feature.  You should be furiously asking why we ever implemented it in the first place.

So why did you implement it in the first place?

History lesson time.  (Did you really think you’d get through one of my blog entries without one?)  ActiveSync started out as a way to plug your device directly into your PC over a serial port.  Yes, it’s that old (many PCs don’t even have serial ports anymore).  There was no need for any sort of security here, because the only way to do this was to physically connect two machines.  If you had control of both machines, you’d already compromised whatever security was there. 

At some point, PCs and Pocket PCs started getting USB ports.  So we modified desktop ActiveSync to talk over USB.  But we mostly did it by pretending the USB port was a serial one and sending the same kind of data over it.  At some later point we started seeing Compact Flash network cards.  We thought, “Hey, that’s another way we could connect to ActiveSync,” and built in the ability to sync over Ethernet.  Not too many people used it, though, because it didn’t make too much sense to plug Ethernet cables into your mobile device.  Later on, though, WiFi arrived.  In the end, WiFi is just a wireless way to do Ethernet, so it pretty much automatically worked with what we had already built. 

Another brief aside.  We left Bluetooth enabled for a number of reasons.  For one, Bluetooth is inherently encrypted.  WiFi isn’t.   For another, Bluetooth has a limited range.  WiFi also has a limited range, but it’s a limited range to the nearest internet connection.  From there it can go anywhere.  Bluetooth connects directly to the desktop.  Though the Bluetooth standard supports Bluetooth devices connecting to the internet, we don’t support Syncing to the Desktop over such a connection.  WiFi could potentially connect directly to a desktop, but we’ve never had that feature implemented. 

It’s not really Sync over WiFi that we removed.  We removed Sync over Ethernet.  It’s just that WiFi needed Ethernet Sync to work.  Now, enabling Sync over Ethernet happened back in the time when viruses were rare (no one had figured out how to make money exploiting security flaws yet).  And, in those days, we didn’t foresee the coming storm of malware, nor did we know enough about how to prevent it.  So we enabled what seemed like a useful feature, blissfully unaware of how dangerous it was.

Remember that none of these devices were phones.  When we started making phone devices, we realized that users would have data connections anywhere they went.  And we realized that they’d want to sync their devices from anywhere in the world, not just at their desktops.  So we decided to make a way to sync directly to an Exchange server.  And, for various reasons, the original sync method wasn’t going to work.  We needed to make a new one.  This happened after the internet’s transition to the dark side, so we built encryption in from the start.  That’s why Exchange ActiveSync still works over WiFi.  It’s encrypted, so we didn’t have to disable it.

But I don’t care if anyone reads my data. Enable me.

It’s clear that, as little as 5 years ago, most Microsoft employees didn’t understand security well enough.  That’s changed.  Everyone in development takes mandatory security training every year.  And the training isn’t even the same thing every year.  Each year we learn about new attacks that have recently been invented.  Mistakes can still be made, but we at least get it now.  How would you like to be the guy who caused an airport to be shut down because of a vulnerability in your code?  You could say, “It’s not my fault.  I wrote the code long before that kind of attack had even been invented yet.”  But in the end, you have to feel the weight of the flaw on your shoulders.

Like it or not, we live in a world where every exploitable hole will be exploited.  And, in that world, we simply cannot leave something as big as what I described enabled.  We had to remove the feature.  You may be willing to point a partially loaded gun at your head and pull the trigger.  But we just can’t be the people who loaded the gun for you.  Those days are gone, and they aren’t coming back.  We understand your frustration.  We feel bad when you scream and yell at us.  But we’d feel worse about the things that would happen if we left the vulnerability in.

Then fix it

There are a number of things we can do to fix it, including adding encryption and authentication.  All of them, however, are a ton of work that needs to get prioritized against all the other things we need to do in ActiveSync.  I can tell you definitively that the team responsible wants to re-enable desktop ActiveSync over WiFi.  But I have to also tell you that they have a lot of other things they need to do first.  I can’t tell you when you’ll get your WiFi back. 
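
An added example, not from the original post and not ActiveSync code: a toy handshake showing why a device that only presents something an eavesdropper can record is easy to impersonate, and how a keyed challenge-response defeats that replay.  `DEVICE_ID`, `PAIRING_KEY` and both desktop classes are hypothetical stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed values for a toy handshake; this is not ActiveSync's real protocol.
DEVICE_ID = b"pocketpc-0001"            # hypothetical identifier sent in the clear
PAIRING_KEY = secrets.token_bytes(32)   # hypothetical secret set up over the USB cradle

class WeakDesktop:
    """Accepts any peer that presents a known device identifier."""
    def accept(self, presented_id: bytes) -> bool:
        return presented_id == DEVICE_ID

class ChallengeDesktop:
    """Issues a fresh nonce per session and checks an HMAC computed over it."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each nonce is single-use
        return hmac.compare_digest(expected, response)

def device_response(key: bytes, nonce: bytes) -> bytes:
    """What the genuine device sends back: an HMAC of the desktop's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def run_demo() -> dict:
    weak, strong = WeakDesktop(), ChallengeDesktop(PAIRING_KEY)
    # Session 1: the real device syncs while a passive observer records the exchange.
    seen_id = DEVICE_ID
    seen_resp = device_response(PAIRING_KEY, strong.challenge())
    out = {"weak_legit": weak.accept(DEVICE_ID), "strong_legit": strong.accept(seen_resp)}
    # Session 2: the recorded bytes are presented again, with no knowledge of any secret.
    out["weak_replay"] = weak.accept(seen_id)
    strong.challenge()  # the desktop issues a new nonce for the new session
    out["strong_replay"] = strong.accept(seen_resp)
    return out

if __name__ == "__main__":
    print(run_demo())
```

This covers only the authentication half of the fix; the synced data would still need encryption to keep it from being read in transit.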

Shields at full, Captain

That sound you hear is me slinking down into my bomb shelter.  While I know this post won’t make you any less angry, I hope it at least explains how we got to where we are.  Fire away.

Mike Calligaro