Microsoft Suspending "Patch Tuesday" Emails 145
New submitter outofluck70 (1734164) writes Got an email today from Microsoft, text is below. [Note: text here edited for formatting and brevity; see the full text at seclists.org.] They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know? From the email: "Notice to IT professionals: As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following: Security bulletin advance notifications; Security bulletin summaries; New security advisories and bulletins; Major and minor revisions to security advisories and bulletins. In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website." WindowsIT Pro blames Canada's new anti-spam law.
It looks like a response to anti spam laws (Score:5, Insightful)
I don't know why subscribe and unsubscribe would not satisfy those laws but apparently MS is convinced they don't... so...
Re: (Score:2)
Perhaps its not about opt in or out. Perhaps MS patched something the NSA was exploiting and they were told to knock it off.
Of course I'm just guessing. I have no idea what the so called changes are but I can assume it was something that exposed MS to possible financial penalties.
Re:It looks like a response to anti spam laws (Score:5, Insightful)
contextually that doesn't make sense because they're not recalling patches or changing patches but merely informing people ABOUT patches differently.
Previously you could put yourself on a mass email list for patches.
MS is saying they're not doing that anymore.
But they will retain an RSS feed for the same patches.
Therefore, this appears to be a response to anti spam legislation/rules.
Re: (Score:2)
tinfoiling ....
Perhaps the NSA got tired of everyone using Security Patches, and told Microsoft to stop being so diligent in informing people about the existence of these ? :)
Re: (Score:2)
again, they haven't stopped informing people... they just won't do it by email anymore.
Re: (Score:1)
Re:It looks like a response to anti spam laws (Score:5, Insightful)
Microsoft doesn't have 'unsubscribe'. They link to a profile page that doesn't really have unsubscribe options. I've been trying for years to stop partner emails, but the only way is to stop being a Microsoft partner. Weak. I flag them all as spam on gmail.
Re: (Score:2)
That's dumb on their part then because obviously the email should be individually configurable.
Re:It looks like a response to anti spam laws (Score:5, Interesting)
From TFA (2nd link): "Your CEO, and each officer, may be fined up to $1,000,000"
Now that's refreshing! Corporate misbehavior resulting in personal fines for the management. I could think of a few more cases where that would be a good idea.
Re: (Score:2)
I think just about all of them. If a corporation is fined, an officer should be paying one as well or serving jail time. And be barred from receiving a bonus that year as well (so the company can't just pay back their fine).
Re: (Score:2)
Ugh, it's called D&O insurance - every company has them, even many startups. Big whoop-die-do. Mind, I applaud the law, and would love to see one here in America (and have it ACTUALLY ENFORCED - no one enforces CAN-SPAM, given how even Microsoft isn't compliant).
Re:It looks like a response to anti spam laws (Score:5, Informative)
Canada passed a new law regarding spam in electronic messages (in particular, email) starting July 1
the law is here: http://laws-lois.justice.gc.ca... [justice.gc.ca]
faq is here: http://www.crtc.gc.ca/eng/com5... [crtc.gc.ca]
the potential fine is $10 million
The companies that are effected are legitimate ones who do business in Canada
The onus on proving you have permission to send an email is on the company sending it.
There has been a flurry of activity wanting permissions recently due to the legislation.
It seems that nobody really knows what it means to be identified as a spammer.
Microsoft is probably thinking - to hell with it; the risk is too high. The RSS is good enough.
Re: (Score:1)
The only non-adaptive, risk-averse, useless, ancient dinosaur here is government-as-usual.
Re: (Score:2)
It's actually kind of amusing to see these companies that you contacted ONCE and hence start giving newsletters - now they're all begging to continue spamming me. Ironically, some are spamming me to get permission too spam me... lolwhut
It's been awhile since I've seen a law passed that HELPS the little guys, even if it's just an annoyance like spam.
Re: (Score:2)
Now I don't know Microsoft patch emails contain, but from the sound of it, It doesn't seem like it would be effected by canadas new anti spam as it is only for emails that are advertising a product/service for money.
Re: (Score:2)
From what I understand, that is not the case. Any email that is unsolicited would be considered spam.
The SPCA, for example, was commenting that they don't have the resources to get permission to satisfy the law.
Re: (Score:2)
Microsoft is probably thinking - to hell with it; the risk is too high. The RSS is good enough.
And I'm thinking who knew Microsoft was using RSS for that (luckily, I am out of touch on windows patches) when everyone else was taking down their RSS feeds
Re: (Score:2)
"It seems that nobody really knows what it means to be identified as a spammer."
The general definition is UCE - Unsolicited Commercial Email. The FAQ gives some pretty good ideas what a "commercial email" is (SMS is also under this definition). Basically, stuff sent blindly, ignoring any kind of consent on the part of the recipient.
>blaming this law for not being able to send out security update emails
It's one of the explicit exceptions to this law:
http://laws-lois.justice.gc.ca... [justice.gc.ca]
Re: (Score:2)
interesting - didn't see that
Re: (Score:2)
It doesn't matter if it's commercial or not.
The law explicitly says that emails about product warranties, security updates, safety, etc, are exceptions to the consent part of the law.
I posted the relevant parts. Tell me how emailing emails about security is not covered by the exception without stretching language to the breaking point.
--
BMO
Re: (Score:2)
If they're 100% security related, then they likely are exempt.
No, not "likely" - they are exempt.
>Microsoft has a problem sending out security update emails without ads
Well, if they're that incompetent, then they should just completely close up shop.
One wonders how they got along on the Internet before the NSF was no longer the backbone.
Your statements defy credulity and overstate the "problem" to such a degree as to be nonsensical.
--
BMO
Re: (Score:2)
>No, they are likely exempt.
No, they *are* exempt as per the plain wording of the law. Go read it where it says "exceptions". It's astonishingly plain.
>easy for me to blame Microsoft
Microsoft has more lawyers than God (but possibly not IBM). They were able to use the internet back when the NSF's AUP was "No commercial activity at all" - to the extent that posting a "classified ad" to get rid of a file cabinet taking up space in your office would get your account suspended. Microsoft has competent
Re: (Score:2)
So why didn't MS take the same decision when the EU countries installed these rules? MS just followed them and added a working opt out.
Re: (Score:2)
I can confirm, my work e-mail has been bursting with requests to renew email that I don't read anyways!
I work for the Canadian Government in IT, and hidden url's are stripped out of emails, so when these "partner" email request come in, asking for me to consent to receiving marketing, info and other types of email, I can't. Even if I wanted to. But it turns out that this is a great way to reset the emails I'm getting.
I love it, and not really sure why there is so much hate out there for the legislation.
Re: (Score:2)
It's not just MS, OpenSRS (Based out of Canada) has just done away with their email notification for system outages as well. They're now providing an RSS feed or you can periodically check their blog. Their solution for those who liked email alerts, a third party service that watches the RSS feed and emails on updates...
Re: (Score:2)
Come to think of it, I'm getting emails from VMWare asking for permission to get further emails from them as well...
Re: (Score:2)
I'm guessing that of the hundreds of thousands of people who get that "mass mailing", some are reporting the mails as SPAM to the authorities. Even if there is an "unsubscribe link" somewhere.
Those that do this, might have subscribed in the past and now no longer use Microsoft software. Or maybe Microsoft at one point decided to add a class-of-users to the list automatically (which I think they shouldn't have done if they did).
In any case, with so many users, the chances of being reported as spammers are 10
Great! (Score:4, Informative)
That's the way it should be. If you want to subscribe to something, use RSS. That's totally under the control of the recipient. If you unsubscrbe from an RSS feed, there's no way the sender can keep sending to you.
It's easy to follow an RSS feed if you're using Thunderbird; a bit harder if you're a Google slave.
Re: (Score:2)
Re: (Score:2)
RSS feeds require continuous polling for updates
How much bandwidth does it take to get a 206 Not Modified response once a day, compared to everything else a network admin does on her PC?
Re: (Score:1)
RSS is how I get my news.
You don't offer a RSS feed? I'm not going to regularly visit your site.
Fortunately, every site I've ever been interested in offers at least one feed.
Re: (Score:2)
Yup exact same thing here. Outside of "techies" I have never heard of a single person who actually uses RSS feeds.
The Canadian law doesn't apply to these (Score:4, Interesting)
Only emails of a commercial nature are banned without opt-in.
A security notice is not an email of a commercial nature, unless it also contains marketing offers etc.
Re: (Score:3)
Re:The Canadian law doesn't apply to these (Score:4, Interesting)
That may be technically the case, but IBM, Oracle, and Sybase/SAP have all asked for permission to keep sending technical newsletters. No one wants to take a chance that some bozo is going to interpret a technical notice as being spam and laying charges accordingly.
What were simple mailing lists now require an authorization database to comply. In many cases companies are just going to shut down the lists rather than go to the expense/hassle of authorization databases or risking non-compliance claims.
On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.
Re: (Score:1)
Microsoft just moved a bunch of stuff to Vancouver so they are doing more then just doing business in Canada. Just shows that 30 years of tax cuts can bring some business. Of course they promise to leave as soon as they get a better offer and the province is like a junker car that hasn't had maintenance done in years, bald tires, no oil change in years, water instead of anti-freeze, brakes down to metal, and spark plugs that just barely create spark. And they wonder why the mileage is so bad, why the block
Re: (Score:2)
On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.
Is that a good thing? Case in point: The beta-free site [soylentnews.org] refusing to accept donations, because then they'd have to be separately licensed to receive donations in 50 states. [soylentnews.org] (section Why We Haven't Discussed Pure Donations). I worry that small and even medium size companies will just drop overseas markets, because it's too much hassle.
Like those obnoxious .com sites that only sell to North America. Usually they don't even mention the fact that they won't sell to you until you reach checkout, and they ask you
Re: (Score:2)
It's a good thing for everyone but the US, so fuck the US.
Re: (Score:2)
Like those obnoxious .com sites that only sell to North America.
I live in the US and can say this is never going to change. The internet was not always international, and when it opened up to the public, .com implicitly meant the US. There are still tons of Americans who don't know a .us ccTLD even exists, and no two registrants can share a 2nd level domain in .us. There is a .co.uk but .co.us belongs to the state of Colorodo, and only one person/entity can register something similar like .com.us, so sharin
Re: (Score:2)
On the bright side, it's nice to see US companies abiding by foreign laws for a change. For far too long they've gone with the attitude "we're on US soil, so we only have to follow US law", but now they're finally waking up to the fact that they have to follow the laws of every jurisdiction they do business in, or stop doing business there.
So, would that include various foreign Sharia-based laws too? Censorship laws? Anti-homosexuality laws?
Or only foreign laws that American hipsters like?
Re: (Score:2)
If you want to do business in countries that have laws like that, yes, of course. Why is that so hard for Americans to understand?
Re:The Canadian law doesn't apply to these (Score:4, Insightful)
You do realize that if you're sending email about a commercial product it's a commercial email, right?
It doesn't have to be advertising -- it just has to be commercial in nature, as in about a product that you charge for, not commercial as in advertising.
Re: (Score:2)
Are you willing to bet the farm on it?
Your legal fees will be over $1,000,000 even if you win.
OH! and the idiot that sued you is penniless, forget recovery.
Re: (Score:2)
Re:everything is commercial (Score:2)
The definition of CEM is so broad, that just about anything from a vendor will be commercial. Even if there is no expectation of profit, simply inviting someone to do something is "commercial" and requires two stage opt-in.
It's overly broad to prevent weaseling around it, but it will take a few court cases to actually define it better.
Microsoft has no good, centralized, newsletter or list management system. So they are stuck with a blanket ban/switch to rss for now.
Re: (Score:2)
What's funny is I still haven't got emails from Futureshop/Bestbuy yet. Considering the amount they spam I am not sure what they are going to do. If I even get one email from them on or after July 1, I will be reporting them.
The Failure of good intentions. (Score:2)
What an absolute fail of a law.
It might work if the sender could reasonably presume that if the email address didn't end in
The cost. of defense is too high. Canada just screwed the pooch.
There may be a bright side. It will force international law to cross the internet. As this is a Canadian law, only addresses ending in
Then again it could just re
Re: (Score:2)
So, .com emails don't get sent to Canada, and shouldn't be required to follow Canadian law because they're not .ca?
I'm pretty sure you're the one who deserves derision. And rightfully so.
Re: (Score:2)
It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.
Just like many of the laws in the US that people scorn, this Canadian law will only hurt the legitimate people who are trying to be respectful and operate a
Re: (Score:2)
Therefore the obvious (but depressing) solution is to create borders on the internet
Just unplug your computer.
Re: (Score:2)
It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian?
It's impossible without also collecting the user's physical address. A Canadian citizen living in Canada using a gmail.com should be covered by this law, while a US citizen living in the US who happens to have an e-mail provider with servers located in Canada should not be covered by the law.
Re: (Score:2)
It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian?
It's impossible without also collecting the user's physical address. A Canadian citizen living in Canada using a gmail.com should be covered by this law, while a US citizen living in the US who happens to have an e-mail provider with servers located in Canada should not be covered by the law.
Which brings the whole can of worms into things. Give your address and how do you verify it's accurate? Puts a major burden on companies and other legitimate places and doesn't discourage the actual abusers at all.
Re: (Score:2)
It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.
No, it's a matter of being a decent business partner, regardless of the country you do business in, as a company with moral standing you give the options of opt-in and opt-out.
In the EU it's been that way for several years and it caused no grief to any company that does value it's customers.
Re: (Score:2)
It's a matter of reasonable effort. How can a company determine that a given email destination is Canadian? It really can't. So Canada's laws are affecting the whole world as companies have to either give up on things that people likely actually want (security bulletins) or scramble to form opt-in databases on worldwide recipients just because of Canada.
No, it's a matter of being a decent business partner, regardless of the country you do business in, as a company with moral standing you give the options of opt-in and opt-out.
In the EU it's been that way for several years and it caused no grief to any company that does value it's customers.
Many of the companies scrambling already have double-opt-in to get in and very thorough opt-out options (Reply, click in any one of three places, idle detection auto-culling, etc.). So why are they scrambling? Because being a decent business partner is not good enough for the law. And again, the people it won't affect are the Canadian Pharma spammers (as an excellent example, since I'm staring at one's email in my spam box right now) who operate outside the law and know it and don't care. Decent business
Re: (Score:2)
Now, that's the same rule you should have been following from day one anyway, and if you were not, then shame on you, you dirty spammer!
If their controls are so poor they are afraid of this law, then they should really just quit using email at all. Block it at the border router and spare the rest of us your spam.
CASL bad law and affects more than email (Score:1)
In addition to email the CASL also affects social media, instant messaging, sms, voice messaging.
Read an article that if you just reply to a tweet to someone you could be fined under this law that is insane. So tweeting as person can land up to $1 million dollar a fine and a company $10 million that is crazy.
This really kills nearly all email applications. I have some double optin subscriber lists but now they are useless since I never asked what country the user was from. I can resend out a permission p
Re:CASL case study right here... (Score:2)
You sound like a case study in why the law was needed. You have no idea who is on your marketing list, no idea where they are in the world, or whether they even want your emails, or how they got on your lists in the first place. Bad law for you, great law for anyone you happen to be spamming. Be prepared for a flood of unsubscribe requests!
Re: (Score:2)
You sound like a spammer. The nonsensical phrase 'double optin' points strongly in that direction. That is a phrase invented by spammers to describe 'opt-in' while implying that it is an unreasonable burden.
If your lists really are opt-in then the list should not affect you. It does not to the best of my knowledge require you to know or care what country your recipients are in, as long as you are not spamming to any country, then you will also not be spamming to Ca
Re: (Score:2)
The nonsensical phrase 'double optin' points strongly in that direction.
That phrase is just a shorter way of saying "opt-in plus confirm". If a website gets a request for adding an e-mail address to their list, sends a "confirm that you really wanted this" e-mail to the address, and doesn't send any more e-mail unless you click the link and confirm, they definitely aren't a spammer. Honestly, anybody who has a true opt-out that really stops e-mail isn't a spammer...they just aren't as nice as the ones who require opt-in for everything.
I use a separate e-mail address for every
Re: (Score:1)
That is opt in. There is no plus, this is the minimum required for an opt in list.
If you just put up a form that says 'add me' and add them that is NOT an effective opt-in, that is simply blind spa
Nice article (Score:1)
They could use a grammar check though:
If you're not worried about this new law, you haven't been adequately information
Someone invented some extra penalties (Score:2)
I read through the actual law and I don't see anywhere that specifies each CEO and officers of a violating company can be fined. The law specifies "individuals" can be fined up to $1million, and "any other person" (presumably corporations-as-people) can be fined up to $10million.
Anyone care to clue me in?
Actual FULL text of the law: http://laws-lois.justice.gc.ca... [justice.gc.ca]
Re: (Score:1)
Sections 31-33 (under "Rules About Violations") determine who it is that can be found in violation (including "An officer, director, agent or mandatary of a corporation...", etc.). Basically, they say that directors and officers can be found in violation if they were involved in the contravention, if anyone working under them was involved in the contravention, or if they knew of the contravention and failed to act against it.
Section 24 specifies that those found in violation, as above, can be assessed finan
Blame the spammers (Score:2)
Blame the spammers that fake the senders. Microsoft is a popular faked sender, and then the junk mail filters throws away the mails and nobody sees the patch info mail.
Never Got MS E-mails (Score:5, Informative)
I never got E-mails from Micro$oft about updates, vulnerabilities, etc. Instead, I have an RSS feed from US-CERT (computer emergency response team), an agency of the U.S. Department of Homeland Security. (Yes, they do have a few useful functions.) US-CERT not only notifies me about Micro$oft's alerts and provides links to them, but that agency also notifies me of alerts from other companies.
The link to subscribe to the RSS feed is http://www.us-cert.gov/ncas/cu... [us-cert.gov].
IDK or is it care? (Score:1)
I have to look at this tomorrow so i'm stepping out. For many reasons.
Re: (Score:2)
All i was saying is that i was tired. I really don't care what you thought.
Microsoft throwing a temper tantrum (Score:2)
sudo apt-get install xubuntu-desktop #already (Score:3)
Re: (Score:2)
Re:Linux? (Score:4, Insightful)
I think you must be confused, Linux [kernel.org] requires none of the things you just mentioned, and neither does a linux-based OS [slackware.org].
Re: (Score:1, Offtopic)
Re: (Score:2, Offtopic)
The same thing happened in the Windows world. Windows 7 was faster than Vista, and Windows 8 was faster than Windows 7. Each new version got better with their use of resources, although the system requirements remained the same for the three versions (1 GHz CPU, 1GB RAM for 32bit, 2GB for 64bit) except for hard drive use with went up by 1GB per release.
When I first tried the beta of Windows 8, the only computer that I had spare was a 2GHZ Celeron with 1GB RAM and a slow hard drive (I think that it was from
NX and SSE2 (Score:3)
Re: (Score:2)
They do. Intel never crippled away these feature ; most Pentium 4 don't have NX but it is commonly found on late Pentium 4 Celeron (which can be 64bit even)
Parent might have a Celeron 440 or 450 (core 2 solo) and that's another beast. Excellent CPU with low power use, still actually worth using.
Re:Linux? (Score:4, Insightful)
Your post is off topic, and bashes Microsoft for things not relevant. As for your previous posts, having modded comments, previous posts are pretty much impossible to find. Modding is based on the current comment.
I'm not a fan of Microsoft. I've been playing and working with computers since before Microsoft existed. I've posted on this thread. Canada is the party at fault, Microsoft is just responding to a stupid law.
I love bashing Microsoft, but the pickings have been slim lately, they're failing. They won't go out of business, but their clout is gone.
Re: (Score:3)
Canada is the party at fault, Microsoft is just responding to a stupid law.
Whats stupid about requiring people to opt-in? Microsoft could always add an unsubscribe option and ask Canadians if they want to receive their spam.
Re: (Score:2)
Canada is the party at fault, Microsoft is just responding to a stupid law.
Whats stupid about requiring people to opt-in?
Because this law (and any anti-spam law) is just like DRM...it only really affects honest people.
Large companies like Microsoft generally try not to "spam" you. Yes, you may technically receive an unwanted e-mail from them, but they do use some sort of opt-in right now. On the other had, true spammers don't care...they are just blasting e-mail to any e-mail address they can get their hands on. Then, when it comes time to enforce the law, only companies that are easy to find will actually be prosecuted...
Re: (Score:2)
OK, another case of a good idea and bad implementation. Probably would have been better just to require commercial mail to have a clear opt out, which it seems to me most legitimate commercial email all ready has.
Re: (Score:2)
Have you actually read the law? This seems like a ton of FUD.
At any rate some Canadian companies have behaved horribly when it comes to email. I have had problems with companies refusing to change a mistyped email address unless I was the confirmed (with security questions) account holder and some not even bother to check if the recipient mail server even accepted the message for over a year.
Re: (Score:1)
I love bashing Microsoft, but the pickings have been slim lately, they're failing.
Whenever I hear the geek talk about how rapidly Microsoft is failing, I am consoled by the thought of the record returns certain to be posted in its next quarterly report.
Re: (Score:2)
Re: (Score:1)
Apple has never really addressed patches or pre notifications of updates or security fixes.
https://lists.apple.com/mailma... [apple.com]
Re: (Score:2)
And you have to opt-in. So they're already in compliance with the law.
Re: (Score:2)
Nope! Just because they're "opt-in" doesn't mean they're in compliance. You have to TRACK that optin, exactly which list, and you can only use that list for the SPECIFIC activity - not even a footer mentioning a new product you've come out with if that list's description on the optin page doesn't say ", and new products as released!" So if you sign up for a security patches/updates list, they can ONLY send you that information - absolutely nothing else commercial. Not even a single line. Want to mention tha