Microsoft risks enterprise credibility by pushing out insecure mobile Outlook

One thing about Microsoft: it may not be the greatest for usability or convenience, but it does understand enterprise requirements around compliance and protecting corporate data.

At least, I thought it did.

That confidence has been undermined by the release yesterday of new “Outlook” mobile apps for iOS and Android.

I read the cheery blog posts from Office PM Julia White and from new Outlook GM Javier Soltero. “Now, with Outlook, you really can manage your work and personal email on your phone and tablet – as efficiently as you do on your computer,” says White.

There is a snag though. The new Outlook apps are rebadged Acompli apps, Acompli being a company acquired by Microsoft in early December 2014. Acompli, when it thought about how to create user-friendly email apps that connected to multiple accounts, came up with a solution which, as I understand it, looks like this:

  1. User gives us credentials for accessing email account
  2. We store those credentials in our cloud servers – except they are not really our servers, they are virtual machines on Amazon Web Services (AWS)
  3. Our server app grabs your email and we push it down to the app

A reasonable approach? Well, it simplifies the mobile app and means that the server component does all the hard work of dealing with multiple accounts and mail formats; and of course everything is described as “secure”.

However, there are several issues with this from a security and compliance perspective:

  1. From the perspective of the email provider, the app accessing the email is on the server, not on the device, and the server app may push the emails to multiple devices. That means no per-device access control.
  2. Storing credentials anywhere in a third-party cloud is a big deal. In the case of Exchange, they are Active Directory credentials, which means that if they were compromised, the hacker would potentially get access not only to email, but to anything for which the user has permission on that Active Directory domain.
  3. If an organisation has a policy of running servers on its own premises, it is unlikely to want credentials and email cached on the AWS cloud.

The best source of information is the post “A Deeper look at Outlook on iOS and Android”, and specifically its comments. Microsoft’s Jon Orton confirms the architecture described above, which is also described in the Acompli privacy policy:

Our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app … If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.


The only solution offered by Microsoft is to block the new apps using Exchange ActiveSync policy rules.
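One way to apply that block and to find mailboxes that have already paired with the app, as an added example (not from the original post or from Microsoft). It assumes the Exchange Management Shell on Exchange 2013 or Exchange Online, and that the app reports the DeviceModel string shown; the report path is a placeholder.

```powershell
# Added example, not from the original post.
# Assumption: the new app identifies itself with this DeviceModel value.
# Confirm it against real Get-MobileDevice output before relying on the rule.
$model      = 'Outlook for iOS and Android'
$reportPath = '.\outlook-mobile-partnerships.csv'   # placeholder path

# 1. Inventory: which mailboxes already have a partnership with the app?
$paired = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model }

$paired |
    Select-Object UserDisplayName, DeviceId, DeviceOS, FirstSyncTime,
                  DeviceAccessState, DeviceAccessStateReason |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host ("{0} existing partnership(s) written to {1}" -f @($paired).Count, $reportPath)

# 2. Block: create the device access rule once, keyed on the device model.
$rule = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model }

if ($rule) {
    Write-Host ("Rule already present with access level {0}" -f $rule.AccessLevel)
} else {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
                                   -QueryString $model `
                                   -AccessLevel Block
}

# 3. Verify: re-read the partnerships and show anything not yet blocked.
#    Rule evaluation is not instant, so repeat this check later as well.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $model -and $_.DeviceAccessState -ne 'Blocked' } |
    Select-Object UserDisplayName, DeviceId, DeviceAccessState

# The rule only stops ActiveSync access on the Exchange side. It does not
# remove credentials the service has already stored, so the users in the
# report are candidates for a password change.
```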

The new apps do not even respect Exchange ActiveSync policies – presumably hard to enforce given the architecture described above – though Microsoft’s AllenFilush says:

Outlook is wired up to work with Active Sync policies, but it currently only supports Remote Wipe (a selective wipe of the corporate data, not a device wipe). We will be adding full support for EAS policies like PIN lock soon.

However a user remarks:

Also, I have set up a test account, and performed a remote wipe, and nothing happened. I also removed the mobile device partnership later and am still able to send and receive emails.

The inability to enforce a PIN lock means that if a device is stolen, the recipient might be able simply to turn on the device and read the corporate email.

The disappointment here is that Microsoft held to a higher standard for security and compliance than its competitors, more perhaps than some realise, with things like Bitlocker encryption built into Surface and Windows Phone devices.

Now the company seems willing to throw that reputation away for the sake of getting a consumer-friendly mobile app out of the door quickly. Worse still, it has been left to the community to identify and publicise the problems, leaving admins now racing to put the necessary blocks in place. If Microsoft was determined to do this, it should at least have forewarned administrators so that corporate data could be protected.

Microsoft Financials

Microsoft has released figures for its second quarter, ending December 31st 2014. Here is my simple summary of the figures showing the segment breakdown:

Quarter ending December 31st 2014 vs quarter ending December 31st 2013, $millions

| Segment | Revenue | Change | Gross margin | Change |
|---|---|---|---|---|
| Devices and Consumer Licensing | 4167 | -1377 | 3876 | -1105 |
| Computing and Gaming Hardware | 3997 | -473 | 460 | +49 |
| Phone Hardware | 2284 | N/A | 331 | N/A |
| Devices and Consumer Other | 2436 | +562 | 550 | +163 |
| Commercial Licensing | 10679 | -227 | 9926 | -154 |
| Commercial Other | 2593 | +813 | 900 | +485 |

There are a couple of blotches of red in the figures, reflecting weak PC sales in the consumer market and decline in non-subscription Office products. This is offset by strong growth in cloud and subscription. Microsoft says in the accompanying press release that revenue from Office 365, Azure and Dynamics CRM online grew 114%. SQL Server and System Center grew revenue yet again, with server products up 9% overall. Microsoft also notes that this quarter revenue from Surface exceeded $1 billion for the first time, thanks to the success of Surface 3. Note though that margins are relatively poor on hardware.

Nadella talked up both cloud and integration in the earnings call. On cloud, he said that new Office 365 features like Sway, Delve and Video are “completely new scenarios”; I am personally not yet convinced by Sway but both Delve (a search service) and video look compelling. On integration he referenced unifying Xbox Live across PC, tablet, phones and Xbox, streaming Xbox games to Windows 10, and the unified app store and platform with Windows 10 phones, tablets and PCs.

A lot rests on Windows 10; following the rocky reception for Windows 8, Microsoft cannot afford to get this one wrong.

Why Microsoft is hard to love

Microsoft CEO Satya Nadella stated last week that “We want to move from people needing Windows to choosing Windows to loving Windows. That is our bold goal with Windows.”

It is an understandable goal. Many users have discovered a better experience using a Mac than with Windows, for example, and they are reluctant to go back. I will not go into all the reasons; personally I find little difference in usability between Mac and Windows, but I do not question the evidence. There are numerous factors, including the damage done by OEMs bundling unwanted software with Windows, countless attacks from malware and adware, badly written applications, low quality hardware sold on price, and yes, problems with Windows itself that cause frustration.

There is more though. What about the interaction customers have with the company, which makes a difference to the emotional response to which Nadella refers? Again, Apple has an advantage here, since high margins enable exceptional customer service, but any company is capable of treating its customers with respect and consideration; it is just that not all of them do.

Now I will point Nadella to this huge thread on Microsoft’s own community forums.  The discussion dates from September 10 2014 and the contributors are customers who own Windows Phone devices such as the Lumia 1020. They discovered that after updating their devices to Windows 8.1 they experienced intermittent freezes, where the phone stops responding and has to be cold booted by pressing an emergency button combination (volume down plus power). These, note, are critical customers for Microsoft since they are in the minority that have chosen Windows Phone and potentially form a group that can evangelise this so far moribund platform to others.

The thread starts with a huge effort by one user (“ArkEngel”) to document the problem and possible fixes. Users understand that these problems can be complex and that a fix may take some time. It seems clear that while not all devices are affected, there are a substantial number which worked fine with Windows Phone 8, but are now unreliable with Windows Phone 8.1. A system freeze is particularly problematic in a phone, since you may not realise it has happened, and until you do, no calls are received, no alerts or reminders fire, and so on, so these customers are anxious to find a solution.

Following the initial complaint, more users report similar issues. Nobody from Microsoft comments. When customers go through normal support channels, they often find that the phone is reset to factory defaults, but this does not fix the problem, leading to multiple returns.

Still no official comment. Then there is an intervention … by Microsoft’s Brian Harry on the developer side. He is nothing to do with the phone team, but on 27 October receives this comment on his official blog:

Brian, sorry to hijack your blog again, but you are the only person in MS who seems to care about customers. Can you please advise whoever in MS is responsible for WP8.1 and make them aware of the “freeze” bug that MANY users are reporting (31 pages on the forum below). There has been NO feedback from MS whatsoever in the months that this has been ongoing and it is obviously affecting many users (myself included). If “cloud first, mobile first” is to be a success, you better make the bl00dy OS work properly. Thanks

Harry promises to raise the issue internally. On 12 Nov still nothing, but a reminder is posted on Harry’s blog and he says:

Nag mail sent.  Sorry for no update.

This (I assume) prompts a post from Microsoft’s Kevin Lee – his only forum post ever according to his profile:

I’m sorry we’ve been dark – I work closely with the Lumia engineering team that’s working directly on this. Trying to shed a little light on this…

Beginning in early September we started to receive an increased number of customer feedback regarding Microsoft Lumia 1020 and 925 device freezes. During the last two months we have been reaching out for more and more data and devices to systematically reproduce and narrow down the root cause. It turned out to be a power regulator logic failure where in combination with multiple reasons the device fails to power up the CPU and peripherals after idling into a deep sleep state.

I am pleased to pass on that we have a fix candidate under validation which we expect to push out soon with the next SW update!

Appreciate your patience.

OK, so Microsoft knows about the problem, has sat back saying nothing while users try this thing and that, but now after two months says it has a “fix candidate”. This is greeted warmly as good news, but guess what? Phones keep freezing, no fix appears, and in addition, there is lack of clarity about how exactly the fix is being “pushed out”.

Two months later, user Shubhan NeO says:

And I broke my Lumia 1020. Not going back to Windows Phone ever ! Switching back to Android ! Here is sneak peek of my phone !

image

It is not quite clear whether he broke the phone deliberately in a fit of frustration, but perhaps he did as he comments further:

Works ? Seriously ? It hangs 2-3 a day, has stupid support for official apps. So many issue.

I’m done.

Here is another:

I paid the extra £ for a better phone; with a better ’41-megapixel camera’… now to find out that people with cheaper models have not had any freeze problems. Despite people’s comments about this being an aged device, and probably the reason for lack of support, I must add that I only purchased my 1020 ‘NEW’ in July 2014 (which is only 6 months ago). For 3 of those months it has been very unreliable … I am extremely disappointed in how I and everyone else here has been treated by Microsoft.

Read the thread for more stories of frustration and decisions never to buy another Windows Phone.

What are the real problems here? The hardest thing to accept is not the fact of the fault occurring, or even the time taken to fix it, but the apparent lack of concern by the company for the plight of its customers. If Mr Lee, or others from the team, had posted regularly about what the problem is, how they are addressing it, possible workarounds and likely time scales, it would be easier for users to understand.

As it is, it seems that this part of the company does not care; a particular shame, as Nokia had a good reputation for customer service.

I post this then as feedback to Nadella and suggest that a cultural shift in some areas of Microsoft is necessary in order to make possible the kind of emotional transition he seeks.

The Windows 10 web browser story: it’s complex

Microsoft’s Jason Weber has posted details of the web browser story in Windows 10.

There will be two browsers and two rendering engines in Windows 10:

  • Project Spartan is the “universal app” version of the browser, the successor to Metro IE.
  • Internet Explorer will remain.

The two rendering engines are EdgeHTML (new) and MSHTML (old). Both engines can be used in either browser, so even the “Project Spartan” browser has a compatibility mode. Both browsers default to the new rendering engine.


However, only Internet Explorer supports features such as ActiveX controls and Browser Helper Objects, so some legacy web sites and applications will only work properly in IE.

For details of what EdgeHTML supports, see the status page.

Microsoft has been plagued by the “coded for IE” problem, where sites deliver inferior content if IE is detected – even where IE is fully capable of rendering the up-to-date content. Hence this comment:

Edge mode introduces an interoperable UA string designed to get today’s modern Web content, and to avoid old IE-only content. We’ve also spent a lot of time ensuring that the IE platform behaves like modern Web content expects.

It is unfortunate that Windows 10 will still have two web browsers, since this is a point of confusion for users. A lot will depend on presentation and defaults; if Microsoft can hide desktop IE so it is only used by those organisations that know they need it, that would be a good thing – presuming that Project Spartan offers a decent experience when used on the desktop.

There is a debate in the comments to Weber’s post about whether Microsoft should cease developing its own browser:

This looks like chrome. Please contribute to chrome if you want to make the web browser better. All this does is increase development costs by having to support another browser. Enough damage has been done by IE. Please stop development.

and the counter:

No, sane developers don’t want a single engine.

People want different engines that pushes each other forward, make things in a standard way (not like Chrome) and allows to check if the problem is their code or a bug in the browser.

My perspective on this is that Google already dominates web search and if Microsoft were to adopt its browser engine, there would be increased risk of Google dictating whatever standards suit its own purpose – just as Microsoft did in the dark days of stagnant IE development. Microsoft’s energetic development of IE is actually good for Google and for the rest of us.

Windows 10 and HoloLens: quick thoughts and questions following the January reveal

Microsoft is revealing its Windows 10 plans in stages, presumably in part to build up expectation and get feedback, and in part because some pieces are ready to show before others.


Today in Redmond Microsoft shared a number of new features. In quick summary:

Windows 10 will be a free upgrade for all Windows 7 and 8.x users, at least for the first year.

Comment: this is necessary since the refusal of Microsoft’s user base to upgrade from Windows 7 is a strategic roadblock. For example, Windows 7 users cannot use Store apps, reducing the market for those apps. It is more important to persuade users to upgrade than to get upgrade revenue. Windows 10, of course, will have to be compelling as well as free for this initiative to work, as well as providing a smooth upgrade process (never a trivial task).

Windows to evolve to become a service: Executive VP Terry Myerson says this in this post:

Once a Windows device is upgraded to Windows 10, we will continue to keep it current for the supported lifetime of the device – at no additional charge. With Windows 10, the experience will evolve and get even better over time. We’ll deliver new features when they’re ready, not waiting for the next major release. We think of Windows as a Service – in fact, one could reasonably think of Windows in the next couple of years as one of the largest Internet services on the planet.

And just like any Internet service, the idea of asking “What version are you on?” will cease to make sense – which is great news for our Windows developers.

Comment: What does this mean exactly, beyond what we already have via Windows Update? What does Myerson mean by “the supported lifetime of the device”? What are the implications for the typical three-year Windows release cycle? I hope to discover more detail soon, though when I enquired whether there will be, for example, a “Windows 11” I was told, “We aren’t commenting beyond what’s stated in post that you reference.”

Project Spartan (a code name) is a new browser developed as a universal app – this means an app built for the Windows Runtime (“Metro”) environment, though in Windows 10 these also run in a window on the desktop, blurring the sharp distinction you see in Windows 8. Project Spartan features, according to Microsoft’s Joe Belfiore, a new rendering engine along with features including the ability to annotate web pages with keyboard or touch/stylus, and the ability to save pages for reading offline. There will also be “enterprise mode compatibility for existing web apps”, which means that old IE will live on.


Comment: Creating a new browser is a bold step though it may be as much for marketing reasons as anything else, since IE has a tarnished reputation. The advantages of the new rendering engine, and the way compatibility will be handled, are not yet clear. Another point of interest is compatibility issues caused not only by the new engine, but also by running in a sandboxed universal app environment. Looking forward to more detail on this.

Windows 10 across PC, tablet and mobile: the OS will have the same name on all three, universal apps (like a new mobile Office) will run on all three, and there are new efforts to synchronize content. For example, notifications will sync across phone and PC/Tablet.

Comment: Sounds good, but there are a few downsides. One is that Windows Phone is tied to the same release cycle as full Windows, which is rather slow. Currently Windows Phone is falling back as it waits for Windows 10 in respect of both operating system upgrade and also the universal app version of Office – which is already available for iOS and Android. CEO Satya Nadella said today that there will be new “flagship” Windows phone devices, which is good news for what is currently a neglected platform, but it will be hard for the platform to thrive if it is constantly waiting for the next big Windows update. Update: if “Windows as a service” means no more monolithic upgrades but constant incremental improvement, perhaps this will not be the case. Watch this space.

Cortana coming to Windows PC and tablet: we saw Microsoft’s digital assistant, powered by Bing search, demonstrated on full Windows.

Comment: Cortana is impressive and fun, but I am not sure how much the feature enhances the platform. On the phone I do not use it much; the problem is that speaking to your phone “what meetings do I have today” and getting a spoken response is a great demo, but in practice it is easier to glance at the calendar, especially as voice control only works in quiet scenarios. The other aspect of Cortana is the personalisation it brings to things like web search or reminders; more data about our preferences and activities can bring some magic. This is Google Now territory, and while Microsoft’s approach to privacy may be preferable, Google will be hard to match in respect of the amount of data it can draw upon.

DirectX 12: Microsoft showed a demo of its latest DirectX graphics API, claiming up to 50% better performance and up to 50% less power consumption.

Comment: this is solid good news. If games run best on Windows 10 a significant enthusiast community will want to upgrade right away. Further, DirectX is not just for games.

Xbox One integration: Microsoft showed how Xbox Live team or competitive games can work across Xbox One and PC, and how games can be streamed from Xbox One so that the console becomes a kind of games server for your Windows 10 tablets and PCs. Xbox One will also run universal apps.

Comment: Better integration between Windows devices and Xbox is long overdue and can help to promote both. Xbox One though has a bit of a Windows 7 problem of its own, with Xbox 360 remaining popular simply because of the huge numbers of games that have not been ported. If only Microsoft could introduce backwards compatibility …

Surface Hub: this is a giant 84”, 4K display wall-hanging PC which you can use as an interactive whiteboard for meetings and so on. It seems to be the next innovation from the Perceptive Pixel folk who also developed the table-top Surface device.


Comment: Looks cool, but it will be expensive. May help to encourage businesses to keep faith with the Windows client.

Microsoft HoloLens: this was the big reveal, a secret project that, we were told, has been developed in the basement of the Microsoft Visitor Center on its Redmond campus.


HoloLens is a headset which enables 3D augmented reality: projected images are seen like holographic images in the space around you, and you can interact by gesture detected by cameras and motion sensors in the headset. Look carefully at the following image:

image

In this example, the demonstrator is assembling a quad copter using a palette of 3D components in Holo Studio, an application which uses the technology. However, note that you only see the quad copter through the HoloLens headset, the image from which in this case is merged with a view of the demonstrator herself using a custom camera:

image

If you had been in the room, you would see the quad copter only on the screen, not in the room itself. Therefore I suspect this is more accurately described as augmented reality than holography, though the scene does look holographic if you are wearing the headset.

In a final flourish, Microsoft showed a 3D printed version of the quad copter which duly flew up and down; I am sure the motor and so on was NOT 3D printed, but it made a lovely demo.

Apparently NASA loves the technology and will be using it with Mars Rover in July in a project called OnSight – read the NASA release.


Bringing it down to earth, Microsoft also stated that all universal apps will have access to the HoloLens APIs.

Comment: This looks amazing and must have potential for all sorts of scenarios: architects, planners, marketing, games and more. The tough question I suppose is how much it has to do with Windows 10 as experienced by most users.

In closing

Microsoft surprised us today and deserves kudos for that. Nobody can accuse the company of lack of innovation; then again, Windows 8 and the original Surface were innovative too, and proved to be a disaster. I do not think Windows 10 will be a disaster; we have already seen in the preview how it is an easier transition for Windows 7 users.

A key thing to note from a developer and technical perspective is that universal apps are right at the centre of the Windows 10 story. That is a good thing in many respects, since we get Store deployment, sandbox security, and a degree of compatibility across phone, PC, tablet and Xbox One. But is the Store app / Universal app platform mature enough to deliver a good experience for both developers and users, bearing in mind that in Windows 8.x it is really not good enough?

Look to Microsoft Build at the end of April, which Myerson said is the culmination of the Windows 10 reveal, to answer that question.

Microsoft’s Lumia 400, the cheapest Windows Phones yet, but what is the brand becoming?

Microsoft has announced the Lumia 435, the first 400-series Lumia and the cheapest Windows Phone yet. The Lumia 532, also just announced, is an upgrade to the Lumia 530 and also pitched at a low-end market.

[Image: Lumia 432]

The 435 has a dual-core 1.2GHz Snapdragon processor, 1GB RAM and 8GB storage, front-facing camera, back-facing 2MP camera, micro SD slot. 4″ 800 x 480 pixel screen. GPS, wi-fi and Bluetooth. Replaceable battery. Dual-SIM is available.

The 532 has a quad-core 1.2 GHz Snapdragon processor, 1GB RAM and 8GB storage, 5.0MP main camera, front-facing camera, micro SD slot. 4″ 800 x 480 pixel screen. GPS, wi-fi and Bluetooth. Replaceable battery. Dual-SIM is available.

The phones are expected to go on the market in February at a price of around €69 (£53.50) for the Lumia 435 and €79 (£61.50) for the Lumia 532.

I like the Windows Phone OS, and these devices look like great value. That said, the last aspirational Windows Phone was the Lumia 1020 in Summer 2013, with its fantastic camera. You would be forgiven for concluding that Microsoft has given up on high-end Windows Phone devices, which is unfortunate for developers since those are the devices likely to deliver more app sales.

If the Lumia brand has become strongly associated with cheap phones it will be hard for the company to convince customers that a high-end device is worth their attention in future.

We may get some phone news soon, linked to the launch of Windows 10; we may hear more at the event on January 21 in New York.

More details here.

Mr Tambourine Man

I played this last night; for some reason the words just bowled me over.

The final verse is I think the most extraordinary:

Then take me disappearin’ through the smoke rings of my mind
Down the foggy ruins of time, far past the frozen leaves
The haunted, frightened trees, out to the windy beach
Far from the twisted reach of crazy sorrow
Yes, to dance beneath the diamond sky with one hand waving free
Silhouetted by the sea, circled by the circus sands
With all memory and fate driven deep beneath the waves
Let me forget about today until tomorrow

What is it about? It is about escape I suppose, a dream of freedom from this world of “crazy sorrow”. It is also about music as a gateway to another world. It is a spiritual song; we escape what is frozen and haunted and we arrive on the beach alongside the infinite sea. And then, brilliantly, a reminder that cold reality will return tomorrow.

Dylan’s gift is to come up with phrases that sound both striking and familiar – “the foggy ruins of time” – and yet, did anyone before put those words together in that order? I doubt it. Yet these phrases come tumbling out: “the jingle jangle morning”, “skippin’ reels of rhyme”, “to dance beneath the diamond sky”. You could write an entire song based on just one of these.

When I think of the song, two images come to mind. One is Dylan himself singing it; I was fortunate to hear him perform this at Brixton Academy in 1995. Another is a busker, any busker, sitting in the street strumming and singing this song as a way to transport himself and every passer by to a better place.

Fantastic.

Note: all the words are here.

Reserved IPs and other Microsoft Azure annoyances

I have been doing a little work with Microsoft’s Azure platform recently. A common requirement is that you want a VM which is internet-accessible with a custom domain, for which the best solution is to create an A record in your DNS pointing to the IP number of the VM. In order to do this reliably, you need to reserve an IP number for the VM; otherwise Azure may assign a different IP number if you shut it down and later restart it. If you keep it running you can keep the IP number, but this also means you have to pay for the VM continuously.

Azure now offers reserved IP numbers. Useful; but note that you can only link a VM with a reserved IP number when it is created, and to do this you have to create the VM with PowerShell.

What if you want to assign a reserved IP number to an existing VM? One suggestion is that you can capture an image from the VM, and then create a new VM from the image, complete with reserved IP. I went partially down this route but came unstuck because Azure for some reason captured the image into a different region (West Europe) than the region where the VM used to be (North Europe). When I ran the magic PowerShell script, it complained that the image was in the wrong region. I then found a post explaining how to move images between regions, which I did, but the metadata of the moved image was not quite the same and creating a new VM from the image did not work. At this point I realised that it would  be easier to recreate the VM from scratch.

Note that when reserved IP numbers were announced in May 2014, program manager Mahesh Thiagarajan said:

The platform doesn’t support reserving the IP address of the existing Cloud Services or Virtual machines. We expect to announce support for this in the near future.

You can debate what is meant by “near future” and whether Microsoft has already failed this expectation.

There is another wrinkle here that I am not clear about. Some Azure VMs have special pricing, such as those with SQL Server pre-installed. The special pricing is substantial, often forming the largest part of the price, since it includes licensing fees. What happens to the special pricing if you fiddle with cloning VMs, creating new VMs with existing VHDs, moving VMs between regions, or the like? If the special pricing is somehow lost, how do you restore it so SQL Server (for example) is still properly licensed? I imagine this would mean a call to support. I have not seen any documentation relating to this in posts like this about moving a virtual machine into a virtual network.

And there’s another thing. If you want your VM to be in a virtual network, you have to do that when you create it as well; it is a similar problem.

While I am in complaining mode, here is another. Creating a VM with PowerShell is easy enough, but you do need to know the image name you are using. This is not shown in the friendly portal GUI:

image

In order to get the image names, I ran a PowerShell script that exports the available images to a file. I was surprised how many there are: the resulting output has around 13,500 lines and finding what you want is tedious.
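The two steps described above (finding an image name without reading through the full export, and creating a VM bound to a reserved IP at creation time) as an added example, not the script used in the original post. It assumes the classic Azure Service Management PowerShell module with a subscription already selected; the service, VM and IP names and the image family filter are hypothetical placeholders.

```powershell
# Added example, not from the original post. Classic (Service Management)
# Azure PowerShell cmdlets. All names below are hypothetical placeholders.
$location = 'North Europe'
$ipName   = 'example-reserved-ip'
$service  = 'example-cloud-service'
$vmName   = 'example-vm'
$family   = 'Windows Server 2012 R2*'   # constructed filter, adjust as needed

# Pick the newest image of one family that is offered in the target region,
# rather than exporting every image and searching the file by hand.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -like $family -and $_.Location -match $location } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1

if (-not $image) {
    throw "No image matching '$family' is available in $location"
}
Write-Host "Using image $($image.ImageName)"

# Reserve the address in the same region as the VM, unless it already exists.
$reserved = Get-AzureReservedIP -ReservedIPName $ipName -ErrorAction SilentlyContinue
if (-not $reserved) {
    New-AzureReservedIP -ReservedIPName $ipName -Label 'example label' -Location $location
}

# Prompt for the local administrator account instead of embedding a
# password in the script or its history.
$cred = Get-Credential -Message 'Local administrator account for the new VM'

# The reserved IP can only be attached here, at creation time.
New-AzureVMConfig -Name $vmName -InstanceSize Small -ImageName $image.ImageName |
    Add-AzureProvisioningConfig -Windows `
        -AdminUsername $cred.UserName `
        -Password $cred.GetNetworkCredential().Password |
    New-AzureVM -ServiceName $service -ReservedIPName $ipName -Location $location

# The address to put in the DNS A record.
(Get-AzureReservedIP -ReservedIPName $ipName).Address
```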

Azure is mostly very good in my experience, but I would like to see these annoyances fixed. I would be interested to hear of other things that make the cloud admin or developer’s life harder than it should be.

Review: Synology DS415+ Network Attached Storage

Synology’s DS415+ is a NAS (Network Attached Storage) device aimed at small businesses or demanding home users. I have been running this on my own network for the last 6 weeks or so.

First, a note about Synology’s product range. Let us say you want a NAS with 4 drive bays. Here are the choices, with current bare NAS prices from Amazon.co.uk:

  • DS414j £252.63: Budget offering, 512MB RAM, 1.2 GHz dual core ARM CPU, 1 USB 2.0, 1 USB 3.0, 1 1Gb Ethernet port. 90W power supply, 32.64W power consumption.
  • DS414 Slim £237.87: Smaller case designed for 2.5″ drives. All the other units here support 3.5″ drives. Given that you can normally tuck your NAS away in a corner, there is limited value in restricting yourself to these smaller drives, but there is also an energy as well as space saving. 512MB RAM, 1.2GHz single core ARM CPU, 2 USB 3.0 ports, 2 1Gb Ethernet ports. 30W power supply, 15.48W power consumption.
  • DS414 £332.83: Core product. 1GB RAM, 1.33 GHz dual core ARM CPU, 1 USB 2.0, 2 USB 3.0, 2 1Gb Ethernet ports, 90W power supply, 28.42W power consumption.
  • DS415 Play £379.99: Home oriented. Benefits from hardware video transcoding. 1GB RAM, 1.6GHz dual core Intel Atom CPU, 3 USB 2.0 ports, 2 USB 3.0 ports, 1 1Gb Ethernet port, 90W power supply, 27.33W power consumption.
  • DS415+ £460.74: Business oriented. 2GB RAM, 2.4GHz quad core Intel Atom CPU, 1 USB 2.0 port, 2 USB 3.0 ports, 1 eSATA port, 2 1Gb Ethernet ports, 100W power supply, 32.64W power consumption.

You can get a more detailed comparison of these four models in this table. Incidentally, I am guessing that in the Synology numbering scheme, the first digit represents the number of drive bays, and the second two digits the year of release.

The 415 models are the latest releases then, and the only ones to use Intel CPUs. The extra cost of the 415+ buys you double the amount of RAM, a quad core CPU, and an eSATA port.

The software is mostly the same on all the devices, Synology’s Diskstation Manager (DSM), currently at version 5.1. It looks as if some limits are lifted with the 415+, for example there is support for 256 iSCSI LUNs on the 415+, versus 10 on the 415 Play. The 415+ also has specific support for VMware VAAI (vStorage API for Array Integration) and Windows Server ODX (Offloaded Data Transfer); this enables some storage tasks to be offloaded to the storage system for better performance on the virtualization host.

Why buy a unit like this when you could simply get a server with plenty of drive bays, or with hardware RAID, and install Linux or Windows Storage Server? The two reasons are first, simplicity of operation, and second, low power consumption.

The distinction is not as sharp as it first appears, since a Synology device like this is in fact a server. If you require maximum flexibility and do not care about energy use, a generic server is probably better. If you require only simple network attached storage, such as a large shared folder on the network, a unit like the 415+ is overkill; just get a DS414j or some other brand. On the other hand, if you expect to install and use several apps, the extra for a DS415+ buys you a substantially more capable server.

Another way of looking at this is that the processing power in the DS415+, while still modest compared to a modern desktop PC, is sufficient for some real work, such as running web applications or even a media server with software transcoding.

Setup

Unpack the box, and you find the NAS unit, power supply and a couple of ethernet cables. Unclip the front cover and you can see the four drive bays, with caddies which can easily be removed for drive installation.

The drive caddies are screwless for 3.5″ drives; just remove the side panels, insert the drive, and replace the side panels to secure.

You can also install 2.5″ drives with four screws through holes in the caddy base.

At the rear of the unit, there are dual fans, two Ethernet ports, 2 USB 3.0 ports, an eSATA port, and the power connector.

I fitted four 3TB Western Digital Red drives – currently £89.36 on Amazon – attached the device to the network and powered up. You can then access the NAS management UI with any web browser. Normally, entering diskstation:5000 will find it. The initial setup downloads and installs the latest version of DSM, and offers an instant configuration which is a single large network folder backed by Synology Hybrid RAID (SHR).

I accepted this just to try it, and then blew it away in favour of a more flexible configuration.

Diskstation Manager

Synology DSM is a version of Linux. You can access the OS via SSH, or use the browser-based GUI. The GUI is rather well done, and presents a desktop-like environment with a windowing system.

The button at top right opens a kind of Start menu:

image

Applications are installed and removed through the Package Center:

image

Generally, you should use only the Package Center to manage applications, though terminal access can be useful for troubleshooting, cleanup, or tweaking settings if you know what you are doing.

Since packages are only available from Synology, you are limited to those applications which are supported, unless you do a manual install:

image

Even a manual install has to be in the Synology package format (an archive with appropriate metadata). Some packages, such as the Plex media server, are available for download as manual installs, though may need tweaking to install correctly.

Third party developers can create packages, free or paid, and submit them to Synology for approval.

If an application is updated, it can take a while before the Synology package is updated. This could be a problem if, for example, a critical security bug is found in an application running on a Synology device exposed to the internet. There are not a huge number of packages available. I counted 63 in the DS415+ Package Center. However, this does include everything you need for a basic business server, including a mail server, DNS Server, LDAP Directory Server, Drupal CMS, SugarCRM, web server with PHP and MySQL, Tomcat application server, and more.

On the multimedia side, there are applications for serving audio and video, a DLNA media server, and Logitech Media Server (also known as Squeezebox Server).

There are several backup applications, including one for Amazon’s Glacier service (low-cost cloud storage).

Storage management

The primary role of a Synology device is for storage of course, and this is configured through the Storage Manager. Configuration begins with Disk Groups, which represent one or more physical drives in a RAID configuration.

There are several supported RAID configurations:

  • SHR: Synology Hybrid RAID with 1- or 2-disk fault tolerance. You need at least 4 drives for 2-disk tolerance.
  • RAID 0: disk striping, no fault tolerance
  • RAID 1: drive mirroring
  • RAID 5: 1-disk fault tolerance
  • RAID 6: 2-disk fault tolerance
  • RAID 10: RAID 0 across mirrored drives, 1-disk fault tolerance with high performance.

What is SHR? There is an explanation here. The high-level story is that SHR is more efficient with drives of varying capacity, and more flexible when adding new drives. It is not proprietary and apparently data can be recovered if necessary by mounting SHR drives in a Linux PC (provided no more than one drive has failed).

You set the RAID level when you create a disk group. Once you have a disk group, you can create volumes or iSCSI targets on that group.

I was interested in trying iSCSI. I have a desktop PC that is running out of space. I created a 1500GB iSCSI target and mounted it on the PC using the iSCSI initiator in Control Panel. It worked perfectly, and a new drive appeared in Disk Management.

Is this sensible, or should you just use a network folder which is more flexible, since it is shared storage? An iSCSI target behaves like a local drive, which can be an advantage, but iSCSI is mostly used for servers where centralising storage is convenient. You should also use a dedicated network for iSCSI, so it is probably not a great idea for a desktop PC.

I compared performance. On simple tests, such as time taken to copy a file, there was little advantage; in fact, my iSCSI drive was slightly slower: 61.2 MB/s vs 76.4 MB/s for a shared folder.

I tried ODX, copying a file from one iSCSI drive to another. Capturing the copy thermometer was a challenge, as it was near-instant:

image

In general, I have been very happy with the performance of the NAS.

Folder permissions

My local network uses Active Directory (AD), so I was keen to set up permissions on the NAS using AD. Connecting a Linux server to AD can be a problem, and at first the Synology would not play. I connected it, seemingly successfully, but it would not see any users. There are threads on the Synology forums showing users with similar problems. The fix for me was to enter my Domain Controllers as IP numbers rather than FQDNs (fully qualified domain names). Since then it has worked perfectly, though DSM shows the Domain Server Type as “NT4 Domain”, puzzling when my DCs are on Server 2012 R2.

Once connected, you can set folder permissions using the Synology File Station package. First, create the shared folder, then right-click the folder and choose Permissions.

Apps and Applications

Aside from the storage services, the main application I run on the Synology is Logitech Media Server (LMS). This used to run on a Windows server, and actually runs much better on the Synology. Search is quicker, the server is more responsive, and it is more reliable.

I tried the Synology audio and video applications, and the media server. There are various companion mobile apps, such as DS Audio and DS Video, for media playback.

The apps I tried worked well for me, though I am sticking with LMS for home music streaming.

Final words

I have no complaints about the DS415+, which has performed well so far. Browsing through the user forums though, I have noticed some areas of difficulty. One is that the Cloud Station service, which syncs files between your NAS, computers and mobile devices, is notorious for consuming disk space. Users find their drives filling up even though the total size of their files is much less than the available space. Currently, the best advice seems to be not to use Cloud Station.

The general issue with a system like this is that the friendly GUI is great while everything is working, but if something goes wrong and you have to dive into Linux, the ease of use disappears. That is worth noting if you plan to use this as the main server in a small business (beyond storage), unless someone there has the necessary troubleshooting skills.

The device does tick a lot of boxes though: resilient storage, excellent performance, low power consumption, flexible configuration, AD integration, and enough power to run something like Logitech Media Server without blinking.

Recommended.

So that was 2014: Samsung stumbles, all change for Microsoft, Sony hack, more cloud, more mobile

What happened in 2014? One thing I did not predict is that Samsung lost its momentum. Here are Gartner’s figures for global smartphone sales by vendor, for the third quarter of 2014:

image

Samsung is still huge, of course. But in 2013, Samsung seemed to be in such control of its premium brand that it could shape Android as it wished, rather than being merely an OEM for Google’s operating system. In the enterprise, Samsung KNOX held promise as a way to bring security and manageability to Android, but only in Samsung’s flavour. Today, that seems less likely. Market share is declining, and much of KNOX has been rolled into Android Lollipop. What is going wrong? The difficulty for Samsung is how to differentiate its products sufficiently, to avoid bleeding market share to keenly priced competition from vendors such as Xiaomi and Huawei. This is difficult if you do not control the operating system.

What of the overall mobile OS wars? 2013 brought few surprises: the Apple/Android duopoly continued, Blackberry further diminished its share, and Windows Phone struggles on, though it was not looking good for Microsoft’s OS as 2013 closed; the Nokia acquisition may have been fumbled.

All change at Microsoft

That brings me to Microsoft, a company I watch closely. 2014 saw Satya Nadella appointed as CEO and several strategic changes, though the extent to which Nadella introduced those changes is uncertain. What changes?

Office is going truly cross-platform, with first-class support for iOS and Android. I covered this recently on the Register; the summary is that there will be mobile versions of Office for iOS, Android and Windows (this last a Store app) with similar features, and that more and more of the functionality of desktop Office will turn up in the mobile versions. I learned from my interview with Technical Product Manager Kaberi Chowdhury that ODF (Open Document) support is planned, as is some level of programmability.

The plans for Office are a clue to the company’s wider strategy, which is focused on cloud and server. Key products include Office 365, Windows Azure, Active Directory (and Azure Active Directory), SQL Server, SharePoint, and System Center as a management tool for hybrid cloud.

The Windows client strategy is to bring back users who disliked Windows 8 with a renewed focus on the desktop in the forthcoming Windows 10, while retaining the Store app model for apps that are secure, touch-friendly, and easily deployed. It is still not clear what Windows 10 phones and tablets will look like, but we can expect convergence; no more Windows RT, but perhaps tablets running Windows Phone OS that are in effect the next generation of Windows RT without a desktop personality.

The company will also hedge its bets with full app support for Office and its cloud services on iOS and Android, and in doing so will make its Windows mobile offerings less compelling.

Microsoft’s developer tools are changing in line with this strategy. The next generation of .NET is open source and cross-platform on the server side, for Windows, Mac and Linux. Xamarin plugs the gap for .NET on iOS and Android, while Microsoft is also adding native support (not .NET based) for cross-platform mobile in the next Visual Studio.

These are big changes to the developer stack, and Microsoft is forking .NET between the continuing Windows-only .NET Framework, and the new cross-platform .NET Core. Developers have many questions about this; see this interview on the Register for what I could glean about the current plans. Watch out for the Build conference at the end of April when the company will attempt to put it all together into a coherent whole for developers targeting either Windows 10, or cloud apps, or cloud services with cross-platform mobile clients.

This entire strategy is a logical progression from the company’s failure in mobile. Can it now succeed with client apps running on platforms controlled by its competitors? Alternatively, is there hope that Windows 10 can keep businesses hooked on Windows clients? Maybe 2015 will bring some answers, though with Windows 10 not expected until towards the end of the year there will be a long wait while iOS, Android and even Chrome OS (the operating system of Chromebook) continue to build.

A side effect is that C# now has a better chance of building a cross-platform user base, rather than being a Windows language. This has already happened in game development, thanks to the use of Mono and C# in the popular Unity game engine. Could it also happen with ASP.NET, deployed to Linux servers, now that this will be officially supported? Or is there little room for it alongside Java, PHP, Ruby, Node.js and the rest? 

The puzzle with Microsoft is that there is still too much mediocrity and complacency that damages the company’s offerings. How can it expect to succeed in the crowded wearable market with a band that is uncomfortable to wear? There is still an attitude in some parts of the company that the world will be happy to put up with problems that might be fixed in a future version after some long interval. Then again, the Azure team is doing great things and Windows server continues to impress. Win or lose, there will be plenty of Microsoft news this year.

A theme for 2015: cloud optimization

Late last year I attended Amazon’s re:Invent conference in Las Vegas; I wrote this up here. The key announcement for me was Amazon Aurora, a MySQL clone, not so much because of its merits as a cloud database server, but more because it represents a new breed of applications that are designed for the cloud. If you design database storage with the knowledge that it will only ever run on a huge cloud-scale infrastructure, you can make optimizations that cannot be replicated on smaller systems. I tried to summarize what this means in another Register piece here. The fact that this type of technology can be rented by any of us at commodity prices increases the advantage of public cloud, despite reservations that many still have concerning security and control. It also poses a challenge for companies like Oracle and Microsoft whose technology is designed for on-premises as well as cloud deployment; they cannot achieve the same advantage unless they fork their products, creating cloud variants that use different architecture.

The Sony hack

The cyber invasion of Sony Pictures in late November was not just another hack; it was a comprehensive takedown in which (as far as I can tell) the company’s entire IT systems were entirely compromised and significantly damaged.

According to this report:

Mountains of documents had been stolen, internal data centers had been wiped clean, and 75 percent of the servers had been destroyed.

Most IT admins worry about disaster recovery (what to do after catastrophic system failure such as a fire in your data center) as well as about security (what to do if hackers gain access to sensitive information). In this case, both seemed to happen simultaneously. Further, as producing movies is in effect a digital business, the business suffered loss of some of its actual products, such as the unreleased “Annie”.

The incident is fascinating in itself, especially as we do not know the identity of the hackers or their purpose, but what interests me more are the implications.

Specifically, how many companies are equally at risk? It seems clear that Sony’s security was towards the weak end of the scale, but there is plenty of weak security out there, especially but not exclusively in smaller businesses.

With the outcome of the Sony hack so spectacular, it is likely that there will be similar efforts in 2015, as well as many businesses looking nervously at their own practices and wondering what they can do to protect themselves.

Cloud may be part of the answer, though even if the cloud provider does security right, that is no guarantee that their customers do the same.

Looking back on looking back

Here is what I wrote a year or so ago, Reflecting on 2013- the year of not the PC, no privacy, and the Internet of Things. Most of it still applies. I have not achieved any of the three goals I set for myself though. Maybe this year…