Well, thank goodness nobody would be able to cut-and-paste it to PasteBin
Cue the standing-up of hundreds of 'mirrors'.
Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers. The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers …
The third-party vulnerability reports will still be there for the public to peruse, but they won't be able to see if Microsoft has bothered to fix them now... I can't see how making Windows look like an abandoned legacy OS is going to help market share.
It is just the advanced notification, which is a week before they are released
In other words, those who pay extra get it when it's ready, then they sit on it for a week (so the premium customers get value), then let us peasants have a look-in.
Every MS windows user is a 'paying Customer' - and come to think of it, even non-MS users still pay for the bloody crap when they buy a new machine to put GNU/Linux on it.
Bootnote: When I bought my Samsung notebook N145 plus, I sent a letter to Samsung asking if I could get a refund as I don't use windows. Surprisingly I received a letter back asking me if I said 'no' at the first boot prompt. I replied stating that I never even got that far/saw it, as I booted straight into bios, configured USB as first boot device, then booted straight into a Slackware iso.
I got another letter saying that if I send them back the windows genuine (or whatever it's called) sticker from under the notebook, they would oblige. BUGGER - I had already done that, and destroyed it in the process :(
Not really, this is security issues at stake here. If I bought a car and it was found out that there was a design fault with the steering, no way could a manufacturer say 'only customers paying support' will be told and get this fixed first - ALL cars need to be patched straight away.
They pay for the software, not the support.
Extracts from "Inviting More Heartbleed", Daniel E. Geer Jr., Poul-Henning Kamp:
As Ken Thompson told us in his Turing Award lecture, there’s no technical escape; in strict mathematical terms, you don’t trust a program or a house unless you created it 100 percent yourself, but in reality, most of us will trust a house built by a suitably skilled professional, probably more than one we had built ourselves, even if we’ve never met the builder or he’s long since dead.
The reason for this trust is that shoddy building work has had that crucial “or else ...” clause for more than 3,700 years:
"If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death." — Code of Hammurabi, approx. 1750 BCE
Today, the relevant legal concept is “product liability,” and the fundamental formula is, “If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.” For better or poorer, the only two products not covered by product liability today are religion and software, and we don’t think software is going to or should escape for much longer. Here’s a strawman proposal for how software liability regulation could be structured:
0. Consult criminal code to see if damage caused was due to intent or willfulness.
1. If you deliver your software with complete and buildable source code and a license that allows disabling any functionality or code the licensee decides, your liability is limited to a refund.
2. In any other case, you’re liable for whatever damage your software causes when it’s used normally.
Would it work? In the long run, absolutely yes. In the short run, it’s pretty certain that there will be some nasty surprises as badly constructed source code gets a wider airing. The FOSS community will, in parallel, have to be clear about the level of care it’s taken, and build environments as well as source code will have to be kept available indefinitely. The software houses will yell bloody murder the minute legislation like this is introduced, and any pundit and lobbyist they can afford will spew their dire predictions that “This law will mean the end of computing as we all know it!”
To which our considered answer will be, “Yes, please! That was exactly the idea.”
"If I bought a car and it was found out that there was a design fault with the steering"
Not a good analogy. If you bought a car and the door locks were subsequently found to have a security flaw, you might get a free upgrade if in warranty, but everybody else would likely have to pay.
Jon Rudolph, principal software engineer at Core Security, argued that rather than "just cutting through the clutter...."
“Core Security gives customers the ability to descramble vulnerability management noise”
We like clutter, it allows us to sell stuff....
I guess it would have been better for MS just to simplify it.
“Core Security gives customers the ability to descramble vulnerability management noise”
I reckon he's been here:
Phase Two will be the Premier Advantage of receiving the patches on Patch Tuesday. The non-Premier peasants can wait until the following month to receive their patches.
Justification? Non-Premier subscribers are spared the "clutter" of patch notifications; soon they'll be spared the uncertainty of being among the bleeding-edge patch installers. Think of it as yet another leap forward by MS in their on-going effort to enhance customer experience and promote a warm & fuzzy feeling of assurance.
In a more honest universe, Chris Betz wrote -
"We're sick of red-top IT websites trotting out the same story every month and getting a whole bunch of internet fucktards complaining that we're fixing some bugs and claiming their OS's don't have any bugs which, incidentally, they bloody do.
It's just that some vendors don't bother fixing them or admitting to them. Meaning Apple. Now go hassle Adobe."
I like Microsoft as a general principle. I'm old enough to remember trying to make computers usable before MS came along.
But FFS. It's as if they don't have enough to do, so they find new ways to piss people off.
(BTW Windows Phone 8.1 and Denim firmware update were promised for last quarter 2014 - so far it's only been put on new phones, pissing off users with existing phones. So if they want to try to compete in the phone market this is clearly yet another potshot in the toe area)
"MS came along and taught people to expect computers to crash a lot."
In the era you are comparing with, I don't recall MS-DOS crashing much at all, if ever. Nor CP/M [80|86] before that. On rare occasions 3rd party software may have crashed but the OS was fairly bullet-proof. Things only really started getting flaky when expanded/extended memory drivers started appearing.
But no one will ever need more than 640k anyway :-)
But no one will ever need more than 640k anyway :-)
Oh yes! I remember that one! Brought to you by the same person that, allegedly, when presented with an example of an Econet network in the dim and distant past, asked the school student that presented it; "What's a network?"
That's our Billy!
They roll it out in waves, and when the MNO can be arsed to 'test' it etc.
It is like torture waiting, especially because this one has Cortana but the record of update reliability compared to others makes it acceptable to me.
Presumably, it also lets them beta test Cortana and improve the accuracy.
There are other neat things, like shot-to-shot times measured in milliseconds and new video features. Sadly, the picture stuff I don't get because it is only for newer phones, possibly having the sensorcore chip.
" However, NSA feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimised testing and deployment methodologies. While some customers still rely on ANS, they want the vast majority to wait for Update Tuesday, or (preferably) take no action, allowing the NSA to pwn their systems automatically."
FTFY
So - let me see if I've got this right. Microsoft want to cut through the clutter of defective patches. So they're offering their most valued customers (ie the ones they think they can rip off the most) the fantastic opportunity to become paid (ie you pay us) beta testers.
GO!NADS.
El Reg - we need a bad joke icon.
"Still no malware of any note there" -
Well over 99% of mobile Malware is on OSS platforms (Android), and there have been a number of successful widespread attacks of tens of thousands of Linux systems:
http://www.theregister.co.uk/2015/01/12/linux_vxers_hit_devs_where_it_hurts_p0rn_sites/
But then Linux does have a lot more known holes than Windows.
I do a lot of work on end user computing stuff, so patching Microsoft stuff is a pretty big part of routine maintenance work. Advance notification messages are pretty vague, and only give high level details about what's coming. In my experience, they're aimed at huge IT organizations that have to move heaven and earth once a month to crank up the change management engine and follow the ITIL best practice stuff to test and roll out patches. Basically, it lets the patch testing and rollout team say, "OK, what OS components do we have to target regression testing at this month?" When you support thousands of end users running hundreds of apps, you need to be selective.
You could be cynical and say Microsoft is just trying to get companies to sign up for Premier Support (which is not cheap but very necessary in a complex MS environment.) But, is it possible that they don't even want to drop the vague hints that the ANS messages give? When you're talking about vulnerability hunts at the scale of nation-states and organized crime, could even telling them that there's a bug in this component be too much information? In my mind, that would be pretty much an open invitation to just start hammering that particular component over Pre-Patch Tuesday Weekend, and see if you can find what they found before they get a chance to release a patch.
Seems plausible to me, they might just be adjusting to the fact that vulnerabilities aren't generally found by people living in their parents' basements anymore...they're found by companies, governments and criminal gangs first.
You could be cynical and say Microsoft is just trying to get companies to sign up for Premier Support (which is not cheap but very necessary in a complex MS environment.)
When you're talking about vulnerability hunts at the scale of nation-states and organized crime, could even telling them that there's a bug in this component be too much information?
they might just be adjusting to the fact that vulnerabilities aren't generally found by people living in their parents' basements anymore...they're found by companies, governments and criminal gangs first.
But kid hacker in mom's basement won't have the finances to pay for the premier support, whereas nation-state and gang not only can afford that, they maybe can afford to bribe some MS employees as well.
... or at least higher profit margins for Microsoft. Lesser partners, those supporting SMB & SOHO are further pushed away from being forewarned about the coming attractions. If anything, it's of a piece with all the other shoves that Microsoft is giving to lesser beings to get on the Cloud Express where they don't have to worry their little heads about issues such as patching, testing, support, you know, just the grunt work.
Title says it all. I think "clutter" is the lamest excuse I've *EVER* heard for some company restricting information to people under a support contract. Obviously, if admins didn't want to deal with the "clutter" they were not being forced to read various blog posts with the patch lists.
You do not need to know what we are doing.
We always do everything promptly and perfectly.
We never, ever release buggy bug fixes.
We know what you want before you know what you want. Always.
We know what you don't want before you know what you don't want.
We have never released any software with bugs, so you need not worry about them.
We are always right, except when we are wrong, at which point re-read this line.
We are Microsoft. The perfectly perfect Microsoft.
We will decide what you see, and if you will see it.
Never ever question what we are or are not doing.
First they outsource all their Internal IT back in 2010 to India (InfoSys), they then stop TechNet and the Trustworthy Computing Programme and now this?
I really have to wonder what's going on at M$ management as they really seem to have no clue where to go and seem to be clutching at straws. I still think the TechNet decision is going to severely bite them in the long run.
3 Times now I have had to rescue my machine from updates that caused hard drive issues and slowed down 8.1 in a big way. I think some of these updates that they put out corrupt files. With so much geared toward tablets etc. I notice many updates are for tablets but are destined for a PC. MSFT is probably more concerned with getting the update to work on tablets that they do not test hard enough for the PC. In addition the Windows Update program fails to load an update and crashes the app and sometimes the PC. Then you have to research and find out which update needs to go and which needs installed before the other.
Bottom Line: Do not set Update to auto install updates of any kind. Especially Drivers. If we follow this guidance then we do not need to know in advance about updates on the home front. No Auto-Installs.