
Microsoft Suspending "Patch Tuesday" Emails

Posted by timothy
from the just-visit-our-lair-for-updates dept.
New submitter outofluck70 (1734164) writes Got an email today from Microsoft, text is below. [Note: text here edited for formatting and brevity; see the full text at seclists.org.] They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know? From the email: "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website." WindowsIT Pro blames Canada's new anti-spam law.


  • by Karmashock (2415832) on Friday June 27, 2014 @11:51PM (#47338711)

    I don't know why subscribe and unsubscribe would not satisfy those laws but apparently MS is convinced they don't... so...

    • by sumdumass (711423)

      Perhaps it's not about opt in or out. Perhaps MS patched something the NSA was exploiting and they were told to knock it off.

      Of course I'm just guessing. I have no idea what the so called changes are but I can assume it was something that exposed MS to possible financial penalties.

      • by Karmashock (2415832) on Saturday June 28, 2014 @12:31AM (#47338817)

        contextually that doesn't make sense because they're not recalling patches or changing patches but merely informing people ABOUT patches differently.

        Previously you could put yourself on a mass email list for patches.

        MS is saying they're not doing that anymore.

        But they will retain an RSS feed for the same patches.

        Therefore, this appears to be a response to anti spam legislation/rules.

        • by GNious (953874)

          tinfoiling ....

          Perhaps the NSA got tired of everyone using Security Patches, and told Microsoft to stop being so diligent in informing people about the existence of these ? :)

          • again, they haven't stopped informing people... they just won't do it by email anymore.

          • by ruir (2709173)
            Why would they need to worry about Patches when in the past their backdoor and their public key was exposed in NT4 SP 5?
    • by Anonymous Coward on Saturday June 28, 2014 @12:40AM (#47338845)

      Microsoft doesn't have 'unsubscribe'. They link to a profile page that doesn't really have unsubscribe options. I've been trying for years to stop partner emails, but the only way is to stop being a Microsoft partner. Weak. I flag them all as spam on gmail.

    • by hankwang (413283) on Saturday June 28, 2014 @12:54AM (#47338883) Homepage

      From TFA (2nd link): "Your CEO, and each officer, may be fined up to $1,000,000"

      Now that's refreshing! Corporate misbehavior resulting in personal fines for the management. I could think of a few more cases where that would be a good idea.

      • by AuMatar (183847)

        I think just about all of them. If a corporation is fined, an officer should be paying one as well or serving jail time. And be barred from receiving a bonus that year as well (so the company can't just pay back their fine).

      • by cdwiegand (2267)

        Ugh, it's called D&O insurance - every company has them, even many startups. Big whoop-die-do. Mind, I applaud the law, and would love to see one here in America (and have it ACTUALLY ENFORCED - no one enforces CAN-SPAM, given how even Microsoft isn't compliant).

    • by crispytwo (1144275) on Saturday June 28, 2014 @01:32AM (#47339007)

      Canada passed a new law regarding spam in electronic messages (in particular, email) starting July 1

      the law is here: http://laws-lois.justice.gc.ca... [justice.gc.ca]
      faq is here: http://www.crtc.gc.ca/eng/com5... [crtc.gc.ca]
      the potential fine is $10 million

      The companies that are affected are legitimate ones who do business in Canada
      The onus on proving you have permission to send an email is on the company sending it.
      There has been a flurry of activity wanting permissions recently due to the legislation.
      It seems that nobody really knows what it means to be identified as a spammer.

      Microsoft is probably thinking - to hell with it; the risk is too high. The RSS is good enough.

      • by Arith (708986)
        This right here.
        It's actually kind of amusing to see these companies that you contacted ONCE and hence start giving newsletters - now they're all begging to continue spamming me. Ironically, some are spamming me to get permission to spam me... lolwhut

        It's been awhile since I've seen a law passed that HELPS the little guys, even if it's just an annoyance like spam.
      • Now I don't know what Microsoft patch emails contain, but from the sound of it, it doesn't seem like it would be affected by Canada's new anti-spam law as it is only for emails that are advertising a product/service for money.

        • From what I understand, that is not the case. Any email that is unsolicited would be considered spam.

          The SPCA, for example, was commenting that they don't have the resources to get permission to satisfy the law.

      • by drinkypoo (153816)

        Microsoft is probably thinking - to hell with it; the risk is too high. The RSS is good enough.

        And I'm thinking who knew Microsoft was using RSS for that (luckily, I am out of touch on windows patches) when everyone else was taking down their RSS feeds

      • by bmo (77928)

        "It seems that nobody really knows what it means to be identified as a spammer."

        The general definition is UCE - Unsolicited Commercial Email. The FAQ gives some pretty good ideas what a "commercial email" is (SMS is also under this definition). Basically, stuff sent blindly, ignoring any kind of consent on the part of the recipient.

        >blaming this law for not being able to send out security update emails

        It's one of the explicit exceptions to this law:

        http://laws-lois.justice.gc.ca... [justice.gc.ca]

        (c) provides warrant

        • interesting - didn't see that

      • by Teun (17872)
        Similar to long existing EU law, maybe the consequences are a little stricter.

        So why didn't MS take the same decision when the EU countries installed these rules? MS just followed them and added a working opt out.

      • by dakohli (1442929)

        I can confirm, my work e-mail has been bursting with requests to renew email that I don't read anyways!

        I work for the Canadian Government in IT, and hidden URLs are stripped out of emails, so when these "partner" email requests come in, asking for me to consent to receiving marketing, info and other types of email, I can't. Even if I wanted to. But it turns out that this is a great way to reset the emails I'm getting.

        I love it, and not really sure why there is so much hate out there for the legislation.

    • by Predius (560344)

      It's not just MS, OpenSRS (Based out of Canada) has just done away with their email notification for system outages as well. They're now providing an RSS feed or you can periodically check their blog. Their solution for those who liked email alerts, a third party service that watches the RSS feed and emails on updates...

      • by Predius (560344)

        Come to think of it, I'm getting emails from VMWare asking for permission to get further emails from them as well...
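Predius describes the replacement that OpenSRS offered its email subscribers: a service that watches the RSS feed and mails out whenever a new entry appears. The core of such a watcher is small, and the following Python is an added example of it, not code from the original post, from OpenSRS or from Microsoft. The feed URL, bulletin titles and GUIDs are constructed for the example; a real deployment would fetch the feed over HTTPS on a timer and hand the formatted message to its mail step.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the shape of an RSS 2.0 bulletin feed, not a real vendor feed.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>Example Security Bulletins</title>
    <link>https://example.invalid/security</link>
    <item>
      <title>EXAMPLE-001: Bulletin summary for June</title>
      <link>https://example.invalid/security/001</link>
      <guid>https://example.invalid/security/001</guid>
      <pubDate>Tue, 10 Jun 2014 17:00:00 GMT</pubDate>
    </item>
    <item>
      <title>EXAMPLE-002: Advisory revised</title>
      <link>https://example.invalid/security/002</link>
      <guid isPermaLink="false">urn:example:002</guid>
      <pubDate>Fri, 27 Jun 2014 17:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""


@dataclass(frozen=True)
class Entry:
    guid: str
    title: str
    link: str
    pub_date: str


def parse_feed(xml_text: str) -> list[Entry]:
    """Parse the <item> elements of an RSS 2.0 document into Entry records.

    xml.etree does not fetch external entities, which is the main hazard when
    parsing a feed you do not control; still cap the size you accept from the network.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iterfind("./channel/item"):
        link = item.findtext("link", default="")
        # Feeds may omit <guid>; fall back to the link as the identity of the item.
        guid = item.findtext("guid", default=link)
        entries.append(Entry(guid=guid,
                             title=item.findtext("title", default=""),
                             link=link,
                             pub_date=item.findtext("pubDate", default="")))
    return entries


def new_entries(entries: list[Entry], seen: set[str]) -> list[Entry]:
    """Return entries whose GUID has not been seen before and record them as seen.

    Matching on GUID rather than title means a revised advisory that keeps its
    GUID is not re-announced, while a re-issued one with a new GUID is.
    """
    fresh = [e for e in entries if e.guid not in seen]
    seen.update(e.guid for e in fresh)
    return fresh


def format_notification(fresh: list[Entry]) -> str:
    """Plain-text body the watcher would hand to its mail step; empty when nothing is new."""
    if not fresh:
        return ""
    lines = [f"{len(fresh)} new security bulletin(s):"]
    lines += [f"- {e.title} <{e.link}> ({e.pub_date})" for e in fresh]
    return "\n".join(lines)


def poll_once(xml_text: str, seen: set[str]) -> tuple[list[Entry], str]:
    """One polling cycle: parse, diff against state, build the message."""
    fresh = new_entries(parse_feed(xml_text), seen)
    return fresh, format_notification(fresh)


if __name__ == "__main__":
    state: set[str] = set()
    _, message = poll_once(SAMPLE_FEED, state)
    print(message)
    again, _ = poll_once(SAMPLE_FEED, state)
    print(f"second poll: {len(again)} new entries")
```

The `seen` set is the only state the watcher needs; persisting it between runs (a file or small table) is what keeps a restart from re-mailing every bulletin in the feed.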

    • by rew (6140)

      I'm guessing that of the hundreds of thousands of people who get that "mass mailing", some are reporting the mails as SPAM to the authorities. Even if there is an "unsubscribe link" somewhere.

      Those that do this, might have subscribed in the past and now no longer use Microsoft software. Or maybe Microsoft at one point decided to add a class-of-users to the list automatically (which I think they shouldn't have done if they did).

      In any case, with so many users, the chances of being reported as spammers are 10

  • Great! (Score:4, Informative)

    by Animats (122034) on Saturday June 28, 2014 @12:01AM (#47338745) Homepage

    That's the way it should be. If you want to subscribe to something, use RSS. That's totally under the control of the recipient. If you unsubscribe from an RSS feed, there's no way the sender can keep sending to you.

    It's easy to follow an RSS feed if you're using Thunderbird; a bit harder if you're a Google slave.

    • Not that I disagree, but I'm cynical enough to believe this was a cost cutting measure from server/bandwidth infrastructure, internal support, and litigation. They probably figure that you would get the news 3rd party via some other IT security e-mail who will collect RSS feeds already.

  • by presidenteloco (659168) on Saturday June 28, 2014 @12:02AM (#47338751)

    Only emails of a commercial nature are banned without opt-in.

    A security notice is not an email of a commercial nature, unless it also contains marketing offers etc.

    • by bhcompy (1877290)
      Doesn't stop frivolous lawsuits from costing them lawyer fees, though
    • by msobkow (48369) on Saturday June 28, 2014 @12:24AM (#47338801) Homepage Journal

      That may be technically the case, but IBM, Oracle, and Sybase/SAP have all asked for permission to keep sending technical newsletters. No one wants to take a chance that some bozo is going to interpret a technical notice as being spam and laying charges accordingly.

      What were simple mailing lists now require an authorization database to comply. In many cases companies are just going to shut down the lists rather than go to the expense/hassle of authorization databases or risking non-compliance claims.

      On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.

      • by dryeo (100693)

        Microsoft just moved a bunch of stuff to Vancouver so they are doing more than just doing business in Canada. Just shows that 30 years of tax cuts can bring some business. Of course they promise to leave as soon as they get a better offer and the province is like a junker car that hasn't had maintenance done in years, bald tires, no oil change in years, water instead of anti-freeze, brakes down to metal, and spark plugs that just barely create spark. And they wonder why the mileage is so bad, why the block

      • by munch117 (214551)

        On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.

        Is that a good thing? Case in point: The beta-free site [soylentnews.org] refusing to accept donations, because then they'd have to be separately licensed to receive donations in 50 states. [soylentnews.org] (section Why We Haven't Discussed Pure Donations). I worry that small and even medium size companies will just drop overseas markets, because it's too much hassle.

        Like those obnoxious .com sites that only sell to North America. Usually they don't even mention the fact that they won't sell to you until you reach checkout, and they ask you

        • by msobkow (48369)

          It's a good thing for everyone but the US, so fuck the US.

        • Like those obnoxious .com sites that only sell to North America.

          I live in the US and can say this is never going to change. The internet was not always international, and when it opened up to the public, .com implicitly meant the US. There are still tons of Americans who don't know a .us ccTLD even exists, and no two registrants can share a 2nd level domain in .us. There is a .co.uk but .co.us belongs to the state of Colorado, and only one person/entity can register something similar like .com.us, so sharin

      • On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.

        So, would that include various foreign Sharia-based laws too? Censorship laws? Anti-homosexuality laws?

        Or only foreign laws that American hipsters like?

        • by Maxwell (13985)

          If you want to do business in countries that have laws like that, yes, of course. Why is that so hard for Americans to understand?

    • by msobkow (48369) on Saturday June 28, 2014 @12:38AM (#47338839) Homepage Journal

      You do realize that if you're sending email about a commercial product it's a commercial email, right?

      It doesn't have to be advertising -- it just has to be commercial in nature, as in about a product that you charge for, not commercial as in advertising.

    • A security notice for a purchased product could be considered to be of a commercial nature.
      Are you willing to bet the farm on it?
      Your legal fees will be over $1,000,000 even if you win.
      OH! and the idiot that sued you is penniless, forget recovery.
    • by hairyfeet (841228)
      It's been years since I got patch emails from MSFT (I just use WSUS Offline now, saves bandwidth) so maybe they have ads for their other products on them?
    • The definition of CEM is so broad, that just about anything from a vendor will be commercial. Even if there is no expectation of profit, simply inviting someone to do something is "commercial" and requires two stage opt-in.

      It's overly broad to prevent weaseling around it, but it will take a few court cases to actually define it better.

      Microsoft has no good, centralized, newsletter or list management system. So they are stuck with a blanket ban/switch to rss for now.

  • Seemed like a good idea. I don't think so, but someone did.
    What an absolute fail of a law.
    It might work if the sender could reasonably presume that if the email address didn't end in .ca it wasn't a problem.
    The cost of defense is too high. Canada just screwed the pooch.

    There may be a bright side. It will force international law to cross the internet. As this is a Canadian law, only addresses ending in .ca should matter. Of course that opens a much bigger can of worms.

    Then again it could just re
    • So, .com emails don't get sent to Canada, and shouldn't be required to follow Canadian law because they're not .ca?

      I'm pretty sure you're the one who deserves derision. And rightfully so.

      • by KitFox (712780)

        It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.

        Just like many of the laws in the US that people scorn, this Canadian law will only hurt the legitimate people who are trying to be respectful and operate a

        • Therefore the obvious (but depressing) solution is to create borders on the internet

          Just unplug your computer.

        • by nabsltd (1313397)

          It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian?

          It's impossible without also collecting the user's physical address. A Canadian citizen living in Canada using a gmail.com should be covered by this law, while a US citizen living in the US who happens to have an e-mail provider with servers located in Canada should not be covered by the law.

          • by KitFox (712780)

            It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian?

            It's impossible without also collecting the user's physical address. A Canadian citizen living in Canada using a gmail.com should be covered by this law, while a US citizen living in the US who happens to have an e-mail provider with servers located in Canada should not be covered by the law.

            Which brings the whole can of worms into things. Give your address and how do you verify it's accurate? Puts a major burden on companies and other legitimate places and doesn't discourage the actual abusers at all.

        • by Teun (17872)

          It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.

          No, it's a matter of being a decent business partner, regardless of the country you do business in, as a company with moral standing you give the options of opt-in and opt-out.

          In the EU it's been that way for several years and it caused no grief to any company that does value its customers.

          • by KitFox (712780)

            It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.

            No, it's a matter of being a decent business partner, regardless of the country you do business in, as a company with moral standing you give the options of opt-in and opt-out.

            In the EU it's been that way for several years and it caused no grief to any company that does value its customers.

            Many of the companies scrambling already have double-opt-in to get in and very thorough opt-out options (Reply, click in any one of three places, idle detection auto-culling, etc.). So why are they scrambling? Because being a decent business partner is not good enough for the law. And again, the people it won't affect are the Canadian Pharma spammers (as an excellent example, since I'm staring at one's email in my spam box right now) who operate outside the law and know it and don't care. Decent business

    • by Arker (91948)
      From what I have read (and please provide a correction link if you have one) the law only says commercial bulk email has to be requested. My comments presume this is true.

      Now, that's the same rule you should have been following from day one anyway, and if you were not, then shame on you, you dirty spammer!

      If their controls are so poor they are afraid of this law, then they should really just quit using email at all. Block it at the border router and spare the rest of us your spam.
  • by Anonymous Coward

    In addition to email the CASL also affects social media, instant messaging, sms, voice messaging.
    I read an article that if you just reply to a tweet to someone you could be fined under this law; that is insane. So tweeting as a person can land up to a $1 million fine and a company $10 million; that is crazy.

    This really kills nearly all email applications. I have some double optin subscriber lists but now they are useless since I never asked what country the user was from. I can resend out a permission p

    • You sound like a case study in why the law was needed. You have no idea who is on your marketing list, no idea where they are in the world, or whether they even want your emails, or how they got on your lists in the first place. Bad law for you, great law for anyone you happen to be spamming. Be prepared for a flood of unsubscribe requests!

    • by Arker (91948)
      "I have some double optin subscriber lists"

      You sound like a spammer. The nonsensical phrase 'double optin' points strongly in that direction. That is a phrase invented by spammers to describe 'opt-in' while implying that it is an unreasonable burden.

      If your lists really are opt-in then the list should not affect you. It does not to the best of my knowledge require you to know or care what country your recipients are in, as long as you are not spamming to any country, then you will also not be spamming to Ca
      • by nabsltd (1313397)

        The nonsensical phrase 'double optin' points strongly in that direction.

        That phrase is just a shorter way of saying "opt-in plus confirm". If a website gets a request for adding an e-mail address to their list, sends a "confirm that you really wanted this" e-mail to the address, and doesn't send any more e-mail unless you click the link and confirm, they definitely aren't a spammer. Honestly, anybody who has a true opt-out that really stops e-mail isn't a spammer...they just aren't as nice as the ones who require opt-in for everything.

        I use a separate e-mail address for every

        • by Arker (91948)
          "That phrase is just a shorter way of saying "opt-in plus confirm". If a website gets a request for adding an e-mail address to their list, sends a "confirm that you really wanted this" e-mail to the address, and doesn't send any more e-mail unless you click the link and confirm, they definitely aren't a spammer."

          That is opt in. There is no plus, this is the minimum required for an opt in list.

          If you just put up a form that says 'add me' and add them that is NOT an effective opt-in, that is simply blind spa
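nabsltd's description of "opt-in plus confirm" (a confirmation mail is sent to the address, and nothing further is sent unless the link in it is clicked) and Arker's point that a bare "add me" form is not opt-in at all describe the same mechanism from two sides. The following Python is an added example of that mechanism, written for this discussion and not taken from any of the posters or from any vendor named on the page. The secret, addresses and confirmation URL are constructed; the list itself never mails an address that has only been submitted, and the confirmation token is an HMAC over the address and an expiry so a click cannot confirm a different address or be replayed later.

```python
import hashlib
import hmac


class OptInList:
    """Confirmed-opt-in mailing list.

    request_subscription() sends one confirmation mail and nothing else;
    confirm() moves the address to the confirmed set only on a valid token;
    send() mails confirmed addresses only. Mail is collected in `outbox`
    instead of being handed to an MTA so the flow can be inspected offline.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 86400):
        self._secret = secret          # constructed for the example; a real list keeps this out of source
        self._ttl = ttl_seconds
        self.pending: dict[str, int] = {}   # address -> expiry of the outstanding confirmation
        self.confirmed: set[str] = set()
        self.outbox: list[tuple[str, str, str]] = []  # (address, subject, body)

    @staticmethod
    def _normalize(address: str) -> str:
        return address.strip().lower()

    def _token(self, address: str, expires: int) -> str:
        # Binding the token to address and expiry means it confirms exactly one address, once.
        msg = f"{address}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address: str, now: int) -> str:
        """Step 1: a form submission. Records only a pending entry and sends one confirmation mail."""
        address = self._normalize(address)
        expires = now + self._ttl
        self.pending[address] = expires
        token = self._token(address, expires)
        # Constructed confirmation URL; the host is a placeholder, not a real service.
        link = f"https://list.example.invalid/confirm?a={address}&e={expires}&t={token}"
        self.outbox.append((address, "Confirm your subscription", link))
        return token

    def confirm(self, address: str, expires: int, token: str, now: int) -> bool:
        """Step 2: the click. Succeeds only for an unexpired, outstanding request with a matching token."""
        address = self._normalize(address)
        if now > expires or self.pending.get(address) != expires:
            return False
        if not hmac.compare_digest(self._token(address, expires), token):
            return False
        del self.pending[address]          # a token is spent once it has confirmed
        self.confirmed.add(address)
        return True

    def unsubscribe(self, address: str) -> None:
        """A working opt-out: removal takes effect before the next send()."""
        self.confirmed.discard(self._normalize(address))

    def send(self, subject: str, body: str) -> int:
        """Send a list mail to confirmed addresses only; returns how many were mailed."""
        for address in sorted(self.confirmed):
            self.outbox.append((address, subject, body))
        return len(self.confirmed)


if __name__ == "__main__":
    lst = OptInList(b"constructed-example-secret")
    tok = lst.request_subscription("Alice@Example.Invalid", now=1000)
    print("mailed before confirmation:", lst.send("Bulletin", "new advisory"))
    print("confirmed:", lst.confirm("alice@example.invalid", 1000 + 86400, tok, now=1001))
    print("mailed after confirmation:", lst.send("Bulletin", "new advisory"))
```

What makes this opt-in rather than a blind form is the `pending` versus `confirmed` split: the form alone never adds anyone to the set that `send()` iterates, so a mistyped or maliciously entered address receives exactly one message and then silence.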
  • They could use a grammar check though:

    If you're not worried about this new law, you haven't been adequately information

  • I read through the actual law and I don't see anywhere that specifies each CEO and officers of a violating company can be fined. The law specifies "individuals" can be fined up to $1million, and "any other person" (presumably corporations-as-people) can be fined up to $10million.

    Anyone care to clue me in?

    Actual FULL text of the law: http://laws-lois.justice.gc.ca... [justice.gc.ca]

    • by Anonymous Coward

      Sections 31-33 (under "Rules About Violations") determine who it is that can be found in violation (including "An officer, director, agent or mandatary of a corporation...", etc.). Basically, they say that directors and officers can be found in violation if they were involved in the contravention, if anyone working under them was involved in the contravention, or if they knew of the contravention and failed to act against it.

      Section 24 specifies that those found in violation, as above, can be assessed finan

  • Blame the spammers that fake the senders. Microsoft is a popular faked sender, and then the junk mail filters throw away the mails and nobody sees the patch info mail.

  • Never Got MS E-mails (Score:5, Informative)

    by DERoss (1919496) on Saturday June 28, 2014 @02:00AM (#47339065)

    I never got E-mails from Micro$oft about updates, vulnerabilities, etc. Instead, I have an RSS feed from US-CERT (computer emergency response team), an agency of the U.S. Department of Homeland Security. (Yes, they do have a few useful functions.) US-CERT not only notifies me about Micro$oft's alerts and provides links to them, but that agency also notifies me of alerts from other companies.

    The link to subscribe to the RSS feed is http://www.us-cert.gov/ncas/cu... [us-cert.gov].

  • I have to look at this tomorrow so I'm stepping out. For many reasons.

  • "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security
