Krebs on Microsoft Suspending "Patch Tuesday" Emails and Blaming Canada

Posted by samzenpus
from the who's-to-blame dept.
tsu doh nimh writes: In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

  • by BenSchuarmer (922752) on Monday June 30, 2014 @12:42PM (#47351749)
    Seems like a no brainer
  • by fahrbot-bot (874524) on Monday June 30, 2014 @12:43PM (#47351759)

    Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

    Wait, what? I thought Email was cheap, 'cause, you know ... spam.

    • by Penguinisto (415985) on Monday June 30, 2014 @12:56PM (#47351869) Journal

      I thought Email was cheap...

      It is unless you use Exchange server farms to send it. Then it's gawdawful expensive.

      • by X0563511 (793323)

        I can't imagine Microsoft has to pay Microsoft for Microsoft products. Accounting may want them to move the money around, but that's stupid and pointless because it doesn't actually cost them money to give it to themselves.

        • by jeffmeden (135043)

          I can't imagine Microsoft has to pay Microsoft for Microsoft products. Accounting may want them to move the money around, but that's stupid and pointless because it doesn't actually cost them money to give it to themselves.

          If the license cost doesn't get you, then the compute cycles, RAM allocations, and administrators' salaries will... /troll

        • by Anonymous Coward
          You really have no idea how budgeting, and accounting and divisions and tax laws and outsourcing work. Got it. Now, for the rest of us, on the triplicate receiving end of notifications that we aren't going to patch till the weekend, this is still slightly good news. Breaking a stick off in some lawmaker while shrugging your shoulders is just funny.
        • by weszz (710261)

          sure it would... the salary of the people doing the work to move money around and account for it.

          A few months ago I put a request into the company I work for asking for a $20 piece of software (against policy to buy it and install it myself, gotta go through the process...)

          Looking at the process, it would have cost thousands in employee time to document, review and approve the purchase of the $20 piece of software at all the different levels of management involved in it. It's insanely wasteful.

    • by Anonymous Coward

      Sending email is cheap. Paying off the people to get it to show up in people's inbox isn't.

    • by freeze128 (544774)
      Email requires bandwidth, and you can't distribute it through a CDN like you can with downloads. It's cheap for spammers because they anonymize their email, but security notifications say they come from microsoft.com. Now consider that you have BILLIONS of emails to send. That can get costly.
      • by jeffmeden (135043)

        Email requires bandwidth, and you can't distribute it through a CDN like you can with downloads. It's cheap for spammers because they anonymize their email, but security notifications say they come from microsoft.com. Now consider that you have BILLIONS of emails to send. That can get costly.

        Why can't you distribute it via a CDN, exactly? I mean someone like Microsoft has either direct control over, or actually runs their own CDN servers: firing up an SMTP service (to route mail based on proximity to destination MX) should be the easy part.

        • by freeze128 (544774)
          You still need to get the recipient list and the body of the emails to the smtp nodes. If you're going to do that, hell, just send the email yourself.
      • by Anonymous Coward

        There are tons of e-mail sending services. I'm not sure how you define a "CDN" but they essentially serve that role. Companies like SendGrid have hundreds of hosts across multiple datacenters that are dedicated to relaying email for their clients.

    • by bob8766 (1075053)
      Combine this with the fact that they have all of the email infrastructure in place already to support message delivery for Hotmail and Exchange Online, and it does literally cost them almost nothing to deliver these messages, which are a tiny drop in a huge ocean of mail they deal with. I'm not inclined to think that email cost has anything to do with it.
    • Wait, what? I thought Email was cheap, 'cause, you know ... spam.

      No, you're confusing email with the US Mail spam delivery system. The whole thing is subsidized by spam you can actually throw in the trash can.

    • Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

      Wait, what? I thought Email was cheap, 'cause, you know ... spam.

      I am getting emails from head-hunters, asking me if I will accept emails with their job offerings. So, headhunters can no longer send out reams of emails to me without my approval.

      I wonder if that applies to cross border job offerings.

  • by Anonymous Coward

    OK, what's the real reason for this? It's obviously not the law, and it's obviously not the cost associated with sending out e-mail - if you think ASCII e-mail is a bloated bandwidth hog, you should try watching the average HTTP transaction.

    So, here's my conjecture: they are initiating a corporate policy of phasing out e-mail in favour of... something with more lock-in. Just like they wanted to show that they were so hip-against-the-desktop and in favour of walled garden app stores that they tried to phase

    • RSS.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Specifically,

        Basic Alerts: http://technet.microsoft.com/en-us/security/rss/bulletin
        Comprehensive Alerts: http://technet.microsoft.com/en-us/security/rss/comprehensive
        Security Advisories Alerts: http://technet.microsoft.com/en-us/security/rss/advisory
        Microsoft Security Response Center Blog Alerts: http://blogs.technet.com/b/msrc/rss.aspx

  • by Anonymous Coward

    The average game lasts three minutes, three games a day. That's about 10 minutes lost productivity a day. 200 days a year that's 2000 minutes, or 34 hours a year. That's an entire work-week (FR) spent playing solitaire, each year. Blame it on the rain? Canada? No! Blame Microsoft!

  • they might be right. (Score:5, Interesting)

    by nimbius (983462) on Monday June 30, 2014 @01:03PM (#47351939) Homepage
    for the windows crowd: on Unix, Linux and BSD, sending and receiving an email is pretty mundane business (even to millions of people.) Sendmail begat postfix, which tidied up the nuts and bolts of SMTP in the land of penguins, neckbeards and that cartoon blowfish you occasionally see.

    sending email from Exchange is orders of magnitude more complex by the nature of Exchange as a monolithic communications product. Because exchange does scheduling, calendaring, contacts, unified messaging, failover management, automatic load balancing, remote configuration management, archival, database storage, advanced RBAC permission delegation and cool stuff like shadow redundancy, outlook servers themselves have become increasingly divorced from the RFC for SMTP. It isn't a bad thing for businesses that rely on being constantly connected, but it does mean the simple act of sending an email means relying on what for us would be an OS in itself. Exchange 2013 requires 2 gigabytes of free disk and recommends 16 gigabytes of free RAM. To compare and contrast, many in the BSD community can handle millions of messages per day with 2 gigabytes of ram and 1 gigabyte of free disk. that includes storage for the message being sent.
    I think microsoft is doing this because exchange wasn't designed to just "send an email" anymore. it expects interactivity, redundancy, and universal access to the information being sent by default. the *nix solution runs hard and fast, but as an SMTP implementation requires significantly more engineering to provide the same level of service and feature set as outlook.
    • You don't need to install Exchange to handle mail on a Windows box, the included SMTP, POP and IMAP services work fine.

    • Most FOSS people I know just gave up waiting for good calendaring/contacts etc, and use Gmail and Android.

  • by Anonymous Coward on Monday June 30, 2014 @01:11PM (#47352009)

    Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. I think Microsoft's reaction is warranted. According to the new law, a company can be charged up to 10 Million dollars for an infraction (read single email) of un-solicited email. The law is poorly formed, and not well thought out, as well as lengthy and vague enough to create a broad swath of culpable people.

    What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before, and they believe your email to be spam, boom, you are culpable. Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

    All email a company produces in Canada from this point on has to include a link at the bottom or ability to opt out of all future email.

    Canadian businesses, no matter how small, are beholden to this law. Small companies are going to fold left and right because they cannot afford to comply with the new regulations, and those that don't try to comply run the risk of paying a huge penalty.

    In my personal opinion this is a grab at trying to make Canada Post relevant again (and financially viable). At the moment bulk mail is the only thing keeping Canada post afloat, and if you couldn't send an email to try to drum up business, you can always send a mailer...

    While the anti-spam law is well intentioned, in its current form it is so broken it should not have seen the light of day.

    • by XanC (644172)

      Thank you!

      The summary makes me want to laugh and cry at the same time. So the people who wrote the law don't think there are any costs of compliance? I'm sure that's not news. That right there is a HUGE problem with government solutions.

    • interesting take on things, and i can see why they would be concerned. a 10 million dollar fine for a single email? if they are sending tens of thousands of them out, even 1 goes to the wrong address and bam. thanks for the insight, wish i had mod points
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before, and they believe your email to be spam, boom, you are culpable.

      Good! That is the definition of spam. Spammers should die.

      And this Canadian law is completely irrelevant to most mailing lists.

      To get on a mailing list, you have to submit your email address, then they send a confirmation message, then you have to click the link in the email to co

    • by GrubInCan (624096)
      Modded Informative?

      This guy is informative: http://www.michaelgeist.ca/con... [michaelgeist.ca]

      You'll note that "The law also includes a three-year transition period that ensures that as long as an organization already has implied consent, it has until 2017 to upgrade to an express consent"
      • That's the thing. Microsoft did not have implied consent. That's what this announcement means. They likely have no record of who consented to be on this mailing list. I bet they simply have a list of email addresses in a db somewhere. When you ask to be on the list they add you and then delete the email. When you ask off they remove you and delete the email. If they want to do a mailing list they have to start from scratch and keep better records.
        • by Anonymous Coward

          If they want to do a mailing list they have to start from scratch and keep better records.

          Flat out wrong.

          Microsoft could just send an email to everyone asking them to click to confirm that they still want to receive the messages. Microsoft could have been doing this in the emails they sent over the last several months.

          The LISTSERV (http://en.wikipedia.org/wiki/LISTSERV) email list software package has had this feature for more than a decade. It would be trivial for Microsoft to do this if they wanted to.

          S

    • by Mashiki (184564)

      "Upto" is the key wording. Remember this is the key point in case law, especially for setting abuse precedents. And it's sure not going to cause small companies to fold left and right. If it does, the business is already doing something wrong, and thriving off of bulk spam in the first place. What this is, is an extension of the DNC, and since we're moving in a direction of tossing mail to the wind--especially with companies now charging between $1 to $8 for a bill to be physically mailed, I'm sure you

    • by cdrudge (68377)

      What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before, and they believe your email to be spam, boom, you are culpable.

      Easy solution: don't email people that you don't have reasonable proof that they explicitly opted in sometime in the previous 2 years. I can't think of too many situations where a 2+ year old lead would be valuable from a marketing standpoint without a more recent business relatio

      • That is exactly what Microsoft has done. They likely have poor records for this massive list. The list also no longer serves a marketing purpose as they can't include advertisements for services and still be exempt. So they canned it. RSS was the cheapest replacement.
        • by cdrudge (68377)

          They could have easily complied with the law by sending out a non-advertisement security-related email saying that if they wished to remain on the mailing list they would need to explicitly "opt-in" to the list again, (re)confirming their desire to receive the emails. At that time they could either specify that the newly reconfirmed opt-in list might receive security AND/OR advertisements, or make the list security only without plugging any of their products/services.

          • I think that is what they have done. They sent out an email with instructions on how to get the security updates. The method they are using, RSS, gives you control over how you receive those updates. With the new approach microsoft isn't keeping track of your email address or personal information. They are not using some proprietary bs either. RSS is a standard supported by lots of companies.
    • by Garfong (1815272)

      Based on the number of "please click here to continue getting our newsletter" messages I've been getting in my inbox, other companies don't seem to think the sky is falling.

    • "Canadian businesses, no matter how small, are beholden to this law. Small companies are going to fold left and right because they cannot afford to comply wiht the new regulations, and those that don't try to comply run the risk of paying a huge penalty."

      You're an idiot. I have been getting emails all month from like every vendor I have ever dealt with, every company, with an email saying "hey there, please stay in contact with us". So it's hardly killing businesses left and right as you claim. Or even is

    • by tlhIngan (30335)

      Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. I think Microsoft's reaction is warranted. According to the new law, a company can be charged up to 10 Million dollars for an infraction (read single email) of un-solicited email. The law is poorly formed, and not well thought out, as well as lengthy and vague enough to create a broad swath of culpable people.

      What it boils down to is this. If you send an un-solicited email to someone you have not done

  • by iamacat (583406) on Monday June 30, 2014 @01:12PM (#47352019)

    This law or not, any recurring e-mails are spammy. E-mail should be reserved for one time interactions like order confirmations and of course personal communication. With RSS feeds, user can unsubscribe, suspend and resume viewing updates at their convenience.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      What the fuck is RSS?

      • What the fuck is RSS?

        RSS is just markup. A simple rss feed is just an XML document you host like a web page that contains a list of items. Each item has a title, description and pubDate, with rss as the root of the document.

    • Why is it better to have to maintain a whole separate infrastructure of servers, protocols, and clients, when basic email does the job just fine? I can unsubscribe, suspend, and resume at my convenience now, I don't see why we would need another delivery channel. You could just as well say that interested parties should just go to the website when they want to know something.
      • by DarkOx (621550)

        It's not another channel, it's just an XML document on a webserver (pretty sure MS already runs a number of those)

    • With RSS feeds, user can unsubscribe, suspend and resume viewing updates at their convenience.

      With email subscriptions, users can unsubscribe, suspend, and resume viewing updates at their convenience. Email is also vastly more bandwidth and power friendly than continually polling to ask "have anything for me yet? have anything for me yet? have anything for me yet?".

      An email newsletter that a user can subscribe to and which honors the "unsubscribe" link at the bottom is identically as spammy as RSS.

      • Email is also vastly more bandwidth and power friendly than continually polling to ask "have anything for me yet? have anything for me yet? have anything for me yet?".

        That really depends on how you access email and how you access rss feeds.

  • by Anonymous Coward

    MS's emails may not be exempt, for example a security notice for an XP security hole suggesting users to upgrade from XP to windows 8, even if it's only a tiny component of the email, would not be exempt, and they could face a $10 million fine. Per email. Furthermore, the onus is 100% on MS to have documented proof they had consent to send the email if they are charged.

    The law is horrible, how many spam emails are actually coming from Canadian companies? Less than 1%? It will be legitimate businesses th

  • Timeline (Score:5, Insightful)

    by ZombieBraintrust (1685608) on Monday June 30, 2014 @01:17PM (#47352053)
    The Canada Anti Spam Law requires very specific opt in from the people receiving emails. It requires that certain content not be in the email. It has fines. Microsoft is going to have to train its people and change its templates. It is going to have to get its emails approved by Canadian lawyers. It will take time for it to get in compliance with the law. But the deadline is tomorrow. So they will use RSS feeds instead. It is very easy for an expert to say the emails are exempt to the press. But I bet if you showed them a few emails they would find a few problems. Things Microsoft needs to fix or get fined.
    • by taustin (171655)

      Or maybe this is Microsoft admitting that they, as a corporation, are simply incapable of passing up an opportunity to shove advertising down people's throats, largely because they have no desire to do so.

  • by mbourgon (186257) on Monday June 30, 2014 @01:59PM (#47352505) Homepage

    I automated this a while ago, using PowerShell to query the RSS feed, pull out the details, and send the proper parties an email if there's a new message relevant to us.

    It probably seems like reinventing the wheel, but allowed us to split out the emails to relevant for each group, rather than one monolithic email. Which meant each affected party was liable to actually read it.

    Overall though, anything that shows how useful RSS is, is a good thing.
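    The approach mbourgon describes (poll the feed, pull out each item, route it to the group it concerns) and the feed structure described earlier in the thread (an rss root holding items with title, description and pubDate), as an added example in Python rather than the commenter's own PowerShell. The feed text, bulletin ids, links, product keywords and team names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed in the shape described in the thread: <rss> root,
# one <channel>, <item> elements with title, description and pubDate.
# Bulletin ids, links and dates are placeholders, not real bulletins.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Security Bulletins (constructed sample)</title>
    <item>
      <title>MSXX-001 Vulnerability in Internet Explorer Could Allow Remote Code Execution</title>
      <link>https://example.invalid/bulletin/MSXX-001</link>
      <description>Critical. Affects Internet Explorer on all supported Windows versions.</description>
      <pubDate>Tue, 10 Jun 2014 17:00:00 GMT</pubDate>
    </item>
    <item>
      <title>MSXX-002 Vulnerability in SQL Server Could Allow Elevation of Privilege</title>
      <link>https://example.invalid/bulletin/MSXX-002</link>
      <description>Important. Affects SQL Server 2008 and 2012.</description>
      <pubDate>Tue, 10 Jun 2014 17:00:00 GMT</pubDate>
    </item>
    <item>
      <title>MSXX-003 Vulnerability in Lync Server Could Allow Denial of Service</title>
      <link>https://example.invalid/bulletin/MSXX-003</link>
      <description>Important. Affects Lync Server 2013.</description>
      <pubDate>Tue, 10 Jun 2014 17:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""

# Hypothetical routing table: lower-case product keyword -> team that owns it.
ROUTING = {
    "internet explorer": "desktop-team",
    "windows": "desktop-team",
    "sql server": "dba-team",
    "exchange": "messaging-team",
}


def parse_feed(xml_text):
    """One dict per <item> (title, link, description, pubDate, parsed date).
    A feed fetched over the network is untrusted input; use defusedxml there."""
    root = ET.fromstring(xml_text)
    if root.tag != "rss":
        raise ValueError("not an RSS document")
    items = []
    for item in root.iter("item"):
        entry = {f: (item.findtext(f) or "").strip()
                 for f in ("title", "link", "description", "pubDate")}
        entry["published"] = parsedate_to_datetime(entry["pubDate"])
        items.append(entry)
    return items


def route_items(items, routing, seen_links, fallback="security-team"):
    """Map team -> titles of not-yet-notified items naming a product it owns.
    Unmatched items go to `fallback` so none is silently dropped; `seen_links`
    is updated in place so a later poll of the same feed re-sends nothing."""
    by_team = {}
    for entry in items:
        if entry["link"] in seen_links:
            continue
        seen_links.add(entry["link"])
        text = (entry["title"] + " " + entry["description"]).lower()
        teams = sorted({t for product, t in routing.items() if product in text})
        for team in teams or [fallback]:
            by_team.setdefault(team, []).append(entry["title"])
    return by_team
```

    The returned mapping is what a mail step would turn into one message per team; persisting `seen_links` between runs is what keeps the poll idempotent.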

  • "dumping an expensive delivery channel"....

    Aside from the $CDN potential fines, just how is email *expensive*?

  • RSS is the right way. Distributions lists for notifications of this type have been done with mail historically because it was there not because it was a good medium.

    Consider if you use e-mail for this sort of thing you need to take care of several functions e-mail does not itself take care of:
    * allow people to subscribe
    * allow people to unsubscribe
    * scrub your mailing lists for dead addresses.

    Your mail servers might be stuck with large disk queues waiting on dead domains where the MX server does not answer etc
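    The three list functions named above, together with the click-to-confirm step and the consent records discussed earlier in the thread, as an added example (not code from any commenter, nor from LISTSERV). The bounce threshold, the case-folding of addresses and the token format are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timezone


class ConsentLedger:
    """Consent records for a notification list. Assumptions: addresses compare
    case-insensitively and `bounce_limit` consecutive hard bounces mark an
    address dead; both are local policy, not anything the law specifies."""

    def __init__(self, bounce_limit=3):
        self.pending = {}      # address -> unconfirmed token
        self.consented = {}    # address -> UTC time the confirmation was clicked
        self.unsubscribed = set()
        self.bounces = {}      # address -> consecutive hard bounces
        self.bounce_limit = bounce_limit

    def request(self, address):
        """Step 1 of double opt-in: an address is submitted. Only the
        confirmation message may go to it; it is not yet a recipient."""
        token = secrets.token_urlsafe(16)
        self.pending[address.lower()] = token
        return token

    def confirm(self, address, token, now=None):
        """Step 2: the link in the confirmation message is clicked. The token is
        single-use and compared in constant time; success records when express
        consent was given, which is the proof the sender must later produce."""
        address = address.lower()
        expected = self.pending.get(address)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[address]
        self.consented[address] = now or datetime.now(timezone.utc)
        self.unsubscribed.discard(address)
        self.bounces.pop(address, None)
        return True

    def unsubscribe(self, address):
        """Honour an unsubscribe at once. The old consent record stays as
        history; the address simply leaves the recipient list."""
        address = address.lower()
        self.unsubscribed.add(address)
        return address in self.consented

    def record_bounce(self, address, hard=True):
        """Scrub dead addresses: a successful delivery (hard=False) resets the
        counter; hard bounces accumulate until bounce_limit excludes it."""
        address = address.lower()
        self.bounces[address] = self.bounces.get(address, 0) + 1 if hard else 0
        return self.bounces[address] >= self.bounce_limit

    def recipients(self):
        """Addresses a new notification may be sent to right now."""
        return sorted(a for a in self.consented
                      if a not in self.unsubscribed
                      and self.bounces.get(a, 0) < self.bounce_limit)

    def proof_of_consent(self, address):
        """Timestamp of the confirming click for an address, or None."""
        return self.consented.get(address.lower())
```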

  • How easily people forget and get in to a comfort zone. When Microsoft first announced switching to a patch Tuesday email, everybody on /. criticized them for waiting up to a week to announce 0-day vulnerabilities and patch information.

    A once a week email is close to worthless. It's better to leave vulnerability notification to people who are serious about it and stop wasting Internet bandwidth, cycles. and storage.

  • As a Canadian I... uh....

    I'm sorry.

  • Just another victim of the issues around bandwidth and cost to perform the updates.

    With Net Neutrality no longer being upheld, Microsoft's patching and update process is very expensive. Can it even be done with a server onsite getting patched first and updates to the rest of a business's client machines coming from it? If so, then even that did not help at the multi-national conglomerate I worked at. A huge Java dev cloud user env, the Administrators performing updates to thousands of machines were
