This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.
If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.
Now this is even more alarming! Wireguard's creator has their Microsoft account suspended...
<Tin foil hat on>
Microsoft doesn't want to allow software that would allow the user to shield themselves, either by totally encrypting a drive, or by encrypting their network traffic!
</Tin foil hat on>
> Microsoft doesn't want to allow software that would allow the user to shield themselves
I don't think Microsoft cares (about anything besides making mo' money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
Wait, what?! I was sure that the agenda of Big Tinfoil was to generate FUD so that we buy more tinfoil for our hats. Are you implying their agenda goes even deeper?
Have you tried to buy tin foil lately? Big Aluminum has taken over, and just see how far you get soldering the grounding strap to an aluminum foil hat.
But it is NOT necessarily a factual statement that one of the main uses of electromagnetic radiation is for humans to send information over long distances; nor that I first learned about tinfoil hats from some random piece of information that was being broadcast by means of electromagnetic radiation. It's just a vibe.
>I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
Microsoft the corporation may only care about making money, but a lot of very high ranking folks within MS Security aren't just friendly to intelligence agencies, they take genuine pride in helping intelligence agencies. They're the kinds of people who saw nothing wrong or objectionable with PRISM whatsoever, they were just mad they got caught, and that the end user (who they believe had no right to even know about it) found out anyway. The kind of people who openly defend the legitimacy of the FISA court.
This aren't baseless accusations, this comes from first-hand experience interacting with and talking to several of them. Charlie Bell literally kept a CIA mug on a shelf behind him, prominently visible during Teams calls, as if to brag.
Remember - Microsoft was the very first company on the NSA's own internal slide deck depicting a timeline of PRISM collection capabilities by platform, started all the way back in 2007. All companies on that slide may have been compelled to assist with national security letters. Some were just more eager than others to betray the privacy and trust of their own customers and end-users.
>I don't think Microsoft cares (about anything besides making mo' money)
If Microsoft amounts to a sentient entity (i.e. is able to care about things), we have a bigger problem.
If we put the wall of metaphor between us and that interpretation, it still remains likely that "users shielding themselves" is of primary concern to Microsoft's bottom line.
Where are the people that tried to sell us software signatures as security benefit? The reality is that they are a very specific security problem. In theory and in practice.
It was probably true at some point, then malicious people learned how to fake stupidity and they outnumber actual stupid people, and they learned how to recruit stupid people to their causes.
No. Embrace, Extend, Extinguish was replaced by the AAA strategy: Acquire, Assimilate, Abandon. They were trying to be more Google-like with that "Abandon" step I think.
They've since moved on to the SSS strategy: Ship, Slip, Slop.
Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?
Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.
Valkey is better because all of the new development work happens on Valkey, not because of the license. If the actual developer changed the license, that would be a different situation.
Having multiple accounts wouldn't help, as Microsoft could easily suspend all the accounts of everyone associated with the project if any account looks suspicious. The single point of failure is Microsoft.
The other day I tried to create a Github account and was repeatedly told I am fraudulent. Nothing else. Try again later, it says.
This is the same thing that's happened every time I've tried to have a Microsoft account. I don't think Microsoft wants to have customers who aren't rich.
I tried to set up a partner account for driver signing last year (as a business entity) and it already seemed basically impossible. I think they're getting ready to just simply not allow it at all.
This is stupid. If Microsoft wants people to stop writing kernel drivers, that's potentially doable (we just need sufficient user mode driver equivalents...) but not doing that and also shortening the list of who can sign kernel drivers down to some elite group of grandfathered companies and individuals is the worst possible outcome.
But at this point I almost wish they didn't fix it, just to drive home the point harder to users how little they really own their computer and OS anymore.
Surprised to see you here. Thanks for all your hard work.
Windows users are in a tough spot, but with the dawn of Copilot, nobody should be surprised. Frankly, those who remain with Windows after this latest betrayal have chosen their fate.
True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.
I think it’s intentional, those encryption (at rest/transit) applications are outside of MS control and you can assume outside of potential backdoors by three letters agencies, bitlocker vs veracrypt? Of course bitlocker is favorable from their perspective.
I wouldn’t be surprised if NSA already had a list of these applications and the strategies on how to cripple them or worse, compromise them.
Just so people are clear here. IMHO Microsoft had a huge meeting on this with many people then decided to blacklist a person. You usually code a blacklist. Beyond weird. Government involvement for sure.
I have a hard time believing this to be true when for a while now it's always been some automated system that goes completely unchecked and unmonitored. It's not until someone who is wrongfully affected complains on Xitter does anyone notice.
They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.
The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This lead to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.
Recently they've had some wins but overall they're still failing to do their job.
It's much worse than you think. Press coverage -> manual intervention is at best a bandaid covering up a major wound in a flaw that happens with independent software distribution.
The old model where the user decides which software or apps to run on their machine, is basically already replaced by a whitelist system that is managed by companies who have no interest or obligation to approve developers. Factors like ”being an individual”, an open source developer or god forbid reside outside the USA, you rely on a combination of L1 support doom loops, unjustifiable high recurring prices, kafkaesque and changing requirements, internal inconsistencies. Windows is the worst, but all platforms (except Linux) suffer from this and you can and will get hurt, delayed, and gaslit. If you haven’t, it’s just a matter of time.
I have been blocked for 6 months now with Digicert code cert renewal, for my app Payload, which will never get any media attention. The app doesn’t matter though, the approval process is per-entity (usually, a company). The point is that nobody gives a shit, because they have a monopoly/cartel and they start the validation process after they take your money.
If you are not an app publisher, the best way I can describe it is the ”pre-let’s encrypt” era of SSL certs, but more expensive, strict and ambiguous. In fact, I’ve never gone through any worse approval process in my life, and that includes applying for residency in two countries, business licenses, manual tax filings etc.
Some countries (the EU in general) are already doing things about this. Owning the app store means you are a monopoly and now the only question is are you illegal by the local laws which vary.
You can/should write your congressman (or whatever they are called in your country) and get better laws in place.
This is worrying on many levels. So Microsoft force you to create an account to use Windows and then they reserve the right to block you from your own account, thereby potentially making you lose access to all your OWN data. This is crazy and yet another reason to stop using Windows as soon as possible.
I know it's not what people want to hear but my response to a lot of the comments here is just a general, I agree, it's time to stop using Windows.
They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.
I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)
I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative is heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.
No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.
Open source developers are doing Microsoft a big favor when they support Windows and publish Windows builds and installers. It's a substantial effort, and apparently that effort isn't appreciated.
If all open source software dropped support for Windows, it wouldn't really affect the open source community that much. It would definitely cause headaches for Microsoft however.
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?
Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.
I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.
More importantly, if development seized with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on Bitlocker of all things, a new version of Truecrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent to a crowd funded source code audit that, in the end, did not find any server issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).
That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".
I went on a Wikipedia dive and discovered this funny bit regarding the court process surrounding Lavabit and FBI's desire of the TLS private keys.
> The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."
(And to be clear, that's all they ever saw of said keys)
> The court ordered Levison to be fined $5,000 a day beginning 6 August until he handed over electronic copies of the keys. Two days later Levison handed over the keys hours after he shuttered Lavabit.
Fair assumption, but unlike Lava, TC never had customer/user data. The NSL/forced shut down theories also make little sense to me however, the fork was up by the end of the week and was easy to foresee. Kinda why this fascinates me so much, no theory I ever read survives basic scrutiny. Perhaps some things, we’ll never know.
>When my oldest son [Linus Torvalds] was asked the same question: "Has he been approached by the NSA about backdoors?" he said "No", but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer, [but] everybody understood that the NSA had approached him.
so the assumption here is that TC were also asked to accept "contributions" from bioluminescent individuals, and chose not to. "just use Bitlocker" was a deafeningly loud dogwhistle, don't you think?
Linux is stuck because it's made and maintained by people who love linux.
Look at popular unix based OS's - Android, MacOS, iOS..
Whats the first thing they do? Take the command line out back and shoot it. Whereas for linux users, their is this l33t h4cker festishization of only using a keyboard to do everything. All these distros have an extremely robust CLI under the hood, and an afterthought quasi GUI on the surface. Just good enough for grandma to check her email and watch youtube.
I have had Bazzite on my gaming PC for a while now, never have to mess with the terminal much. It has come a long, long way. Even gentoo has become more accessible than ever. While some of this holds true, you most certainly do not need to live in the command line with some of these distros. Especially if you are just trying to play some games and browse the web, etc.
Why do folks act like windows isn't full of cli commands? First thing on any windows box is running debloat in powershell. Installing apps from a gui in Linux has been solved for a long time.
My kids grew up on Gnome essentially, I can tell you Win11 is a lot more confusing to them, not just because because they grew up on Gnome, there is just so much more ... stuff. And notifications and flashy things and news and weather apps and they all want your attention. Gnome is much more iPadOS like (minus that horrible concoction called the App Store).
Sure, if you're all in on MS365 (like all schools here in the Netherlands), Windows may be somewhat more handy with its native apps and all your stuff there with a single log-in.
And someone once raised their kids speaking Klingon, that isn't a good excuse on why it's a language others should use.
For the vast majority of people MS365 is a requirement, but really the issue is that even minor fixes require the command line on Linux and that makes it unusable.
I guess it means that even when something is (arguably) objectively more simple, people still won't bdge just because they don't want change. They don't want to learn new things.
I myself am quite different. I have thoroughly had it with my current iPhone and am eyeballing /e/OS, before that I really started to find Android boring, before that Windows mobile (the nice one with the cards). I switch Gnome, KDE, some other DE (now getting ready to try Niri) every year or 2. I don't get the struggle, for me a new env is like a present (even though I normally hate presents). So much niceness to explore, so much to optimize. I love it. But I'm also one of those guys that reads the oven manual and tries all functions in week 1.
This isn't really true anymore with the advent of Flatpak & Flathub. It's just an app store like any other platform. Even the majority of games work without tweaking.
I've run Linux as a daily driver recently Flatpak and Flathub still break all the time. Not to mention the last time I bumped my Nvidia drivers nothing decided to open anymore.
Any OS that requires even once going to the command line is unusable for 99% of the population (and for me I just shouldn't ever have to).
Not used does not mean not usable. Primary school aged children used MS-DOS without any documentation in 1990's. Pretty sure randomly selected people would be able to use modern Linux distro, when pre-installed just like windows are.
As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?
Are there some ways to combat such decisions legally?
Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.
I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.
Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.
And of course, it doesn't affect their earnings and there are no consequence, or significant, so they won't care and won't respond or tell what went wrong.
Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.
This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.
If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.
There's more to it. Signed desktop software can be signed by any CA.
Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.
Speculation as well and highly unlikely. Microsoft drivers can very well BSOD your machine as well, not a significant or convincing threat scenario and certainly not something that lead to certificate revocation of driver developers. There is zero quality control or review by Microsoft here. Not for their own products and not for third party ones.
That's not entirely true. Certain classes of signing keys require driver developers to put their driver through a test battery and submit the results to Microsoft.
You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?
You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.
Secure boot is an anti-feature in most of the landscape anyway. Sure, if you have a distribution under your control or influence it could theoretically be a benefit. But you need to not be stupid or naive here.
You can also roll you own encryption if you are not stupid and naive. Probably a question of self-reflection.
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".
If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.
Atleast now I'm a bit more certain that VC is indeed safe.
~2015, "DevShare". They wrapped open-source software downloads with opt-out adware and PUPs (potentially unwanted programs), without the original developers' consent in some cases. They took over abandoned/unmaintained projects (like GIMP for Windows, VLC, etc.) and replaced the original download with their adware-wrapped version.
True, however, that has been the case for quite a while. This particular incident doesn't change that, except for the VeraCrypt developer, who is in a crappy situation now (not just regarding VeraCrypt, he mentions he was using the certificate for his main job as well, so this sucks a lot for him).
So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten storypoints of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 storypoints at minimum, even if then you're done for much longer
But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware
There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goed forwards). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also
When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices
You'll find that people that are not computer experts will take to modern Linux with much more ease than those that have complex needs, which for 90% of the people these days means that access to the Web satisfies all their needs.
Moving from Windows 7 to 11 will probably be as traumatic as moving from Windows 11 to KDE, so it's an investment worth doing in my opinion.
While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?
Like none. Literally the best office you MIGHT KIND OF be able to run in 2016, but probably more like 2013.
Valve focused on games, that is awesome and really helpful…
But there are 10,000 distros and instead of putting real resources to put even rickety bridges over MS’s moat, no sorry, this team is making duplication-of-effort distro 10,001 which is now identical to thousands of others but the taskbar is in the middle of screen.
The people working on Linux are consistently uninterested in then things people would need to drop windows.
Except compulsory age verification in Linux is now becoming a real threat. Some Linux distros are actively against this but many are not seemingly interested in fighting it: CachyOS, Ubuntu, Fedora and others.
Age Verification is the thin end of a much bigger wedge in "open" OS's
the current law requires no verification at all simple attestation, you could put in _any_ age. it also does not effect linux distros as a whole, only distros in jurisdictions with the laws.
Sure, for now... I simply don't believe it will stop at "simple attestation", because we all know that simple attestation is practically useless, but once the various distros accept this "trivial" inconvenience, "Age verification 2" with harsher requirements will soon be on the way.
I would be ecstatic to be proved wrong on this, but experience tells me that is not likely to happen.
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
GrapheneOS is doing lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc, storage scopes are excellent security features. Malware cannot do much even with the default settings.
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Thrustworthiness signal is in the behavior/reputation of the signer.
Pretty sure there were historically a lot of apps that stole peoples contact lists and were signed properly. Certainly in the Android world.
On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.
As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.
It doesn’t help that they do that sort of shits AND mandate a microsoft account for logging in to windows. Also how much trust can you have that if you move your business to azure they will not randomly kill it. Incompetence or malice, almost doesn’t matter to the average user.
The outcome is the same, yes. With incompetence, there is at least a glimmer of hope things will get rectified. But you are correct, trust is destroyed this way, and it doesn't look like Microsoft cares much.
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes.
So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
The biggest risk in encryption software is that you lose access to your data. You seem to be ignoring that risk completely and focusing on something else entirely.
Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.
if michalesoft wants to take away our ability to sign drivers, they will find there is more than enough vulnerable easily exploited drivers we can use that are pre-signed online. Thank you micosawft!
From TFA: "I have encountered some challenges but the most serious one is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader."
Yeah, and the first comment beneath that mentions that the most recent version is signed with the "2011 CA" that the article I link to discusses being deprecated.
My guess was that he got caught up in some house-cleaning. My theory being that he's still signing his code the way malware authors also do and got flagged by some automated review that's meant to force him to go get WHCP certified or whatever the new route is.
It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.
Yeah but isn't the point of these certificates to express trust?
The point isn't (or: shouldn't be) to forcefully find your way through some back alley to make it look legit. It's to certify that the software is legit.
Trust goes both ways: we ought to trust Microsoft to act as a responsible CA. Obfuscating why they revoked trust (as is apparently the case) and leaving the phone ringing is hurting trust in MS as a CA and as an organization.
There are different types of trust, but at the very least with such a signature you can trust that the piece of software is really from Veracrypt and not from a malicious third party.
A signature is a signal, not an absolute. Although, to be fair, if Microsoft (or most other CAs) had done a better job, then that trust would have carried more weight than it does currently.
Trust isn't binary, it's a spectrum. A signature is a signal that should increase trustworthiness. Not the strongest signal, perhaps even a weak one, but it's not zero.
That's what VeraCrypt is, a fork of the original TrueCrypt after all drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.
We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).
I will continue to suppose that the “real issue” with Linux is that the people drawn to developing it will not work well with others and continue year after year to waste time and duplication of effort on five decent, and ten thousand pointless distributions.
Whatever reason for this refusal / inability / choice to not contribute but rather re-create is on the reader to assume.
There is very little effort put into real progress as you point out. Sure, tons of work to move from x11 to Wayland, cool, only the developers give a shit… where is Office/365 that would make daily driving actually viable?
While WINE is impressive, it seems the only real progress for anything past Windows 7 is on paid versions of which there are at least three competing options.
Linux Desktop progress is slow because there it’s thousands of floundering side-projects without a goal of actually pulling normal users in.
I understand that most people want to move to other more modern tools, it's up to you. However, what baffled me is why the author's choice not to move is a problem? Did we pay them to move and they did not move as promised? Was there some crowd funding to move that was not fulfilled?
It wasn’t always scummy… but there was a definite shift after they got bought. It’s kept getting worse since then.
Then again, this was something like 20 years ago. Back then, Sourceforge was something closer to GitHub today. It was the de facto public source repository. You could even get an on-premise version, IIRC.
Actually, this is sounding a lot like GitHub these days… not sure what that means.
maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.
if they had a reason other than 'oops mistake' its likely just going to remain in place.
(sadly, that is how MS is. if you care for privacy maybe go to BSD)
This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.
If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.
Now this is even more alarming! Wireguard's creator has their Microsoft account suspended...
<Tin foil hat on> Microsoft doesn't want to allow software that would allow the user to shield themselves, either by totally encrypting a drive, or by encrypting their network traffic! </Tin foil hat on>
> Microsoft doesn't want to allow software that would allow the user to shield themselves
I don't think Microsoft cares (about anything besides making mo' money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
No tinfoil needed.
> No tinfoil needed.
That's what Big Tinfoil wants you to believe!
I heard it doesn’t even contain tin!
Wait, what?! I was sure that the agenda of Big Tinfoil was to generate FUD so that we buy more tinfoil for our hats. Are you implying their agenda goes even deeper?
Have you tried to buy tin foil lately? Big Aluminum has taken over, and just see how far you get soldering the grounding strap to an aluminum foil hat.
This is the dirty secret; Big Weird tried to warn us but we didn't listen.
https://www.youtube.com/watch?v=urglg3WimHA
https://www.goodfellow.com/usa/tin-foil-group
But making money at the expense of people is not a Tinfoil conspiracy - it's a factual statement.
It is also a factual statement, that tinfoil shields (somewhat) from electromagnetic radiation.
But it is NOT necessarily a factual statement that one of the main uses of electromagnetic radiation is for humans to send information over long distances; nor that I first learned about tinfoil hats from some random piece of information that was being broadcast by means of electromagnetic radiation. It's just a vibe.
Yep.
>I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
Microsoft the corporation may only care about making money, but a lot of very high ranking folks within MS Security aren't just friendly to intelligence agencies, they take genuine pride in helping intelligence agencies. They're the kinds of people who saw nothing wrong or objectionable with PRISM whatsoever, they were just mad they got caught, and that the end user (who they believe had no right to even know about it) found out anyway. The kind of people who openly defend the legitimacy of the FISA court.
This aren't baseless accusations, this comes from first-hand experience interacting with and talking to several of them. Charlie Bell literally kept a CIA mug on a shelf behind him, prominently visible during Teams calls, as if to brag.
Remember - Microsoft was the very first company on the NSA's own internal slide deck depicting a timeline of PRISM collection capabilities by platform, started all the way back in 2007. All companies on that slide may have been compelled to assist with national security letters. Some were just more eager than others to betray the privacy and trust of their own customers and end-users.
It's quite possible TLAs plant employees inside important tech companies. So not only are they sympathetic, they directly work for them.
>I don't think Microsoft cares (about anything besides making mo' money)
If Microsoft amounts to a sentient entity (i.e. is able to care about things), we have a bigger problem.
If we put the wall of metaphor between us and that interpretation, it still remains likely that "users shielding themselves" is of primary concern to Microsoft's bottom line.
Alternatively they asked copilot to scan for crypto projects and ban them
You think it would succeed at that? Come on. Copilot is for entertainment purposes only!
Watching Microsoft try to dogfood Copilot is entertaining to me, in a way.
https://techcrunch.com/2026/04/05/copilot-is-for-entertainme...
At least it reached its goal if it entertained you
Or more likely, some automated security system flagged popular but suspicious apps for further review.
Automated systems breaking things without any human contact to get them resolved seems to be the theme of the last 10 years.
Where are the people that tried to sell us software signatures as security benefit? The reality is that they are a very specific security problem. In theory and in practice.
Maybe they let Mythos loose and it suggested the safest approach was to remove access ;)
"Never attribute to malice that which is adequately explained by stupidity"
I'm more convinced than ever that this aphorism has it completely backwards.
It was probably true at some point, then malicious people learned how to fake stupidity and they outnumber actual stupid people, and they learned how to recruit stupid people to their causes.
Never attribute to incompetence that which is adequately explained by profit motives.
Encouraged by this thread, I tweeted about it: https://x.com/EdgeSecurity/status/2041872931576299888
I am astounded that the maintainer and inventor of Wireguard is in this position.
Microsoft even supports Wireguard in Azure Kubernetes Service.
Is this another example of their old modus operandi:
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
?
No. Embrace, Extend, Extinguish was replaced by the AAA strategy: Acquire, Assimilate, Abandon. They were trying to be more Google-like with that "Abandon" step I think.
They've since moved on to the SSS strategy: Ship, Slip, Slop.
Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?
Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.
This license modifier already exists for others to use (I can't post the direct links here because this site will sanction me for doing so)
plus n-word dot com hosts information about the plus n-word license which purports:
- The software will not be used or hosted by western corporations that promote censorship
- The software will not be used or hosted by compromised individuals that promote censorship
- Users of the software will be immune to attacks that would result in censorship of others
We literally just did this. Now we have Valkey. Nobody won.
Did anyone lose?
Valkey is better because all of the new development work happens on Valkey, not because of the license. If the actual developer changed the license, that would be a different situation.
Agree. Single point of failure. One developer, one account. Crazy.
Having multiple accounts wouldn't help, as Microsoft could easily suspend all the accounts of everyone associated with the project if any account looks suspicious. The single point of failure is Microsoft.
No, that is not the issue here. The source of the problem is something different. This is a wrong root cause analysis.
You're not actually allowed to avoid this by having multiple accounts, that falls under "ban evasion".
But yes, there's a lot of critical single maintainer projects.
How would more than one account help in this scenario, exactly?
The other day I tried to create a Github account and was repeatedly told I am fraudulent. Nothing else. Try again later, it says.
This is the same thing that's happened every time I've tried to have a Microsoft account. I don't think Microsoft wants to have customers who aren't rich.
I tried to set up a partner account for driver signing last year (as a business entity) and it already seemed basically impossible. I think they're getting ready to just simply not allow it at all.
This is stupid. If Microsoft wants people to stop writing kernel drivers, that's potentially doable (we just need sufficient user mode driver equivalents...) but not doing that and also shortening the list of who can sign kernel drivers down to some elite group of grandfathered companies and individuals is the worst possible outcome.
But at this point I almost wish they didn't fix it, just to drive home the point harder to users how little they really own their computer and OS anymore.
Surprised to see you here. Thanks for all your hard work.
Windows users are in a tough spot, but with the dawn of Copilot, nobody should be surprised. Frankly, those who remain with Windows after this latest betrayal have chosen their fate.
> those who remain with Windows after this latest betrayal have chosen their fate.
Ah. So almost every single business in the world… suckers?
Given MS‘ track record, yes
Has your Apple account been suspended for the last few years?
Y'all need to form an alliance or something, get some press coverage (wireguard, veracrypt, libreoffice)
True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.
I think it’s intentional, those encryption (at rest/transit) applications are outside of MS control and you can assume outside of potential backdoors by three letters agencies, bitlocker vs veracrypt? Of course bitlocker is favorable from their perspective.
I wouldn’t be surprised if NSA already had a list of these applications and the strategies on how to cripple them or worse, compromise them.
Or found they’ve been compromised by someone else? ;)
Just so people are clear here. IMHO Microsoft had a huge meeting on this with many people then decided to blacklist a person. You usually code a blacklist. Beyond weird. Government involvement for sure.
I have a hard time believing this to be true when for a while now it's always been some automated system that goes completely unchecked and unmonitored. It's not until someone who is wrongfully affected complains on Xitter does anyone notice.
What are you basing your remark here on?
His humble opinion apparently.
> what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately?
Honestly, anyone still using Windows probably deserves it.
They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
Isn't this Microsoft abusing their quasi-monopoly as a consumer PC OS vendor?
If it weren't for the current administration, I'd say it's time for regulatory action.
The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.
The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This lead to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.
Recently they've had some wins but overall they're still failing to do their job.
I blew the lid on X today:
https://x.com/i/status/2041698657368703484
The (new?) X link made me think for a moment you got the username @i
It's much worse than you think. Press coverage -> manual intervention is at best a bandaid covering up a major wound in a flaw that happens with independent software distribution.
The old model where the user decides which software or apps to run on their machine, is basically already replaced by a whitelist system that is managed by companies who have no interest or obligation to approve developers. Factors like ”being an individual”, an open source developer or god forbid reside outside the USA, you rely on a combination of L1 support doom loops, unjustifiable high recurring prices, kafkaesque and changing requirements, internal inconsistencies. Windows is the worst, but all platforms (except Linux) suffer from this and you can and will get hurt, delayed, and gaslit. If you haven’t, it’s just a matter of time.
I have been blocked for 6 months now with Digicert code cert renewal, for my app Payload, which will never get any media attention. The app doesn’t matter though, the approval process is per-entity (usually, a company). The point is that nobody gives a shit, because they have a monopoly/cartel and they start the validation process after they take your money.
If you are not an app publisher, the best way I can describe it is the ”pre-let’s encrypt” era of SSL certs, but more expensive, strict and ambiguous. In fact, I’ve never gone through any worse approval process in my life, and that includes applying for residency in two countries, business licenses, manual tax filings etc.
Some countries (the EU in general) are already doing things about this. Owning the app store means you are a monopoly and now the only question is are you illegal by the local laws which vary.
You can/should write your congressman (or whatever they are called in your country) and get better laws in place.
It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...
This is worrying on many levels. So Microsoft force you to create an account to use Windows and then they reserve the right to block you from your own account, thereby potentially making you lose access to all your OWN data. This is crazy and yet another reason to stop using Windows as soon as possible.
I know it's not what people want to hear but my response to a lot of the comments here is just a general, I agree, it's time to stop using Windows.
They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.
I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)
I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative is heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.
No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.
Stop supporting Windows as well.
Open source developers are doing Microsoft a big favor when they support Windows and publish Windows builds and installers. It's a substantial effort, and apparently that effort isn't appreciated.
If all open source software dropped support for Windows, it wouldn't really affect the open source community that much. It would definitely cause headaches for Microsoft however.
Correction: stop using Microsoft products as soon as possible.
It's not your own data anymore if you gave it away.
Or create the account but don't use Microsoft services.
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?
Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.
It's more or less commonly accepted that its creator got jailed for being an arms dealer.
https://en.wikipedia.org/wiki/Paul_Le_Roux
I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.
More importantly, if development seized with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on Bitlocker of all things, a new version of Truecrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent to a crowd funded source code audit that, in the end, did not find any server issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).
That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".
Makes you wonder what kind of leverage/information you have to have to only get 25 years for admitting to being involved in 7 murders.
I would also like to know why is it excluded from Archive.org
https://web.archive.org/web/20260000000000*/https://www.true...
likely chose to shut down rather than bend over, same as Lavabit a year prior. I find it more plausible than the other theory.
I went on a Wikipedia dive and discovered this funny bit regarding the court process surrounding Lavabit and FBI's desire of the TLS private keys.
> The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."
(And to be clear, that's all they ever saw of said keys)
> The court ordered Levison to be fined $5,000 a day beginning 6 August until he handed over electronic copies of the keys. Two days later Levison handed over the keys hours after he shuttered Lavabit.
Fair assumption, but unlike Lava, TC never had customer/user data. The NSL/forced shut down theories also make little sense to me however, the fork was up by the end of the week and was easy to foresee. Kinda why this fascinates me so much, no theory I ever read survives basic scrutiny. Perhaps some things, we’ll never know.
https://en.wikipedia.org/wiki/Nils_Torvalds#Linux_kernel_sta...
>When my oldest son [Linus Torvalds] was asked the same question: "Has he been approached by the NSA about backdoors?" he said "No", but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer, [but] everybody understood that the NSA had approached him.
so the assumption here is that TC were also asked to accept "contributions" from bioluminescent individuals, and chose not to. "just use Bitlocker" was a deafeningly loud dogwhistle, don't you think?
Linux is the only hope at this point for the future of computing.
Windows and macOS are just too risky to do any business with. Waste of all resources.
Don't worry, US states are working on making Linux illegal through age verification requirements in the OS.
and yet... still unusable by the mass majority of people.
Linux is stuck because it's made and maintained by people who love linux.
Look at popular unix based OS's - Android, MacOS, iOS..
Whats the first thing they do? Take the command line out back and shoot it. Whereas for linux users, their is this l33t h4cker festishization of only using a keyboard to do everything. All these distros have an extremely robust CLI under the hood, and an afterthought quasi GUI on the surface. Just good enough for grandma to check her email and watch youtube.
I have had Bazzite on my gaming PC for a while now, never have to mess with the terminal much. It has come a long, long way. Even gentoo has become more accessible than ever. While some of this holds true, you most certainly do not need to live in the command line with some of these distros. Especially if you are just trying to play some games and browse the web, etc.
Why do folks act like windows isn't full of cli commands? First thing on any windows box is running debloat in powershell. Installing apps from a gui in Linux has been solved for a long time.
MacOS has a good CLI if you need to use it. There are CLI equivalents for a lot of the system setting/administration stuff.
My kids grew up on Gnome essentially, I can tell you Win11 is a lot more confusing to them, not just because because they grew up on Gnome, there is just so much more ... stuff. And notifications and flashy things and news and weather apps and they all want your attention. Gnome is much more iPadOS like (minus that horrible concoction called the App Store).
Sure, if you're all in on MS365 (like all schools here in the Netherlands), Windows may be somewhat more handy with its native apps and all your stuff there with a single log-in.
And someone once raised their kids speaking Klingon, that isn't a good excuse on why it's a language others should use.
For the vast majority of people MS365 is a requirement, but really the issue is that even minor fixes require the command line on Linux and that makes it unusable.
I guess it means that even when something is (arguably) objectively more simple, people still won't bdge just because they don't want change. They don't want to learn new things.
I myself am quite different. I have thoroughly had it with my current iPhone and am eyeballing /e/OS, before that I really started to find Android boring, before that Windows mobile (the nice one with the cards). I switch Gnome, KDE, some other DE (now getting ready to try Niri) every year or 2. I don't get the struggle, for me a new env is like a present (even though I normally hate presents). So much niceness to explore, so much to optimize. I love it. But I'm also one of those guys that reads the oven manual and tries all functions in week 1.
I'm not weird, all you people are weird.
This isn't really true anymore with the advent of Flatpak & Flathub. It's just an app store like any other platform. Even the majority of games work without tweaking.
I've run Linux as a daily driver recently Flatpak and Flathub still break all the time. Not to mention the last time I bumped my Nvidia drivers nothing decided to open anymore.
Any OS that requires even once going to the command line is unusable for 99% of the population (and for me I just shouldn't ever have to).
I hit this recently - nVidia issues with a Flatpak, I spent about half an hour on it, gave up, and just decided to try the app out on another laptop.
Not used does not mean not usable. Primary school aged children used MS-DOS without any documentation in 1990's. Pretty sure randomly selected people would be able to use modern Linux distro, when pre-installed just like windows are.
The fact that you need to compare modern linux with 90's MSDOS is exactly the reason why linux is perpetually dead in the water as a consumer OS.
Folks like you need to just install Linux and use it.
No I'm just telling you people are not as stupid as everyone assumes.
Microsoft disabled the developer's certificate so no windows releases can be made.
As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?
Are there some ways to combat such decisions legally?
Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.
I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.
Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.
And of course, it doesn't affect their earnings and there are no consequence, or significant, so they won't care and won't respond or tell what went wrong.
Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.
This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.
If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.
There's more to it. Signed desktop software can be signed by any CA.
Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.
In general this isn't your problem.
Speculation as well and highly unlikely. Microsoft drivers can very well BSOD your machine as well, not a significant or convincing threat scenario and certainly not something that lead to certificate revocation of driver developers. There is zero quality control or review by Microsoft here. Not for their own products and not for third party ones.
Exhibit A:
https://en.wikipedia.org/wiki/2024_CrowdStrike-related_IT_ou...
That's not entirely true. Certain classes of signing keys require driver developers to put their driver through a test battery and submit the results to Microsoft.
You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?
We can still install, right? It just comes up with a scary warning. Still not great but at least we aren't locked out.
You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.
Afaict, you can't disable driver signature enforcement permanently without disabling secure boot.
You also get a huge watermark that says "Test Mode" that takes up the entire screen (not kidding)
Three lines of text in 12-point font in the corner which can be covered by a window is hardly “the entire screen.”
Secure boot is an anti-feature in most of the landscape anyway. Sure, if you have a distribution under your control or influence it could theoretically be a benefit. But you need to not be stupid or naive here.
You can also roll you own encryption if you are not stupid and naive. Probably a question of self-reflection.
Note that signatures are not revoked retroactively when a certificate is revoked. You can still install previous releases.
With all the bugs and potential security flaws that are there and not fixable.
I don't know what to tell you, man. If you don't want bugs then don't use computers.
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".
If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.
Atleast now I'm a bit more certain that VC is indeed safe.
I am somewhat also concerned that this software was still being distributed on SourceForge.
Yes, I stopped using SourceForge after they started tampering with installers to put adware inside of them.
It's a bit worrying that a sensitive app such as VeraCrypt is still distributed there.
That was 11 years ago, under DHI Group though. I don't think Slashdot Media have been up to the same shady stuff.
But think about it, if they were on Github now, which is owned by Microsoft, would there be even further consequences?
I don’t even understand how SourceForge still exists!
Depending on GitHub and Microsofts largesse there surely is much better. See OP.
Why?
~2015, "DevShare". They wrapped open-source software downloads with opt-out adware and PUPs (potentially unwanted programs), without the original developers' consent in some cases. They took over abandoned/unmaintained projects (like GIMP for Windows, VLC, etc.) and replaced the original download with their adware-wrapped version.
Looks like Linux and some of the BSDs are the only remaining truly open OSes.
True, however, that has been the case for quite a while. This particular incident doesn't change that, except for the VeraCrypt developer, who is in a crappy situation now (not just regarding VeraCrypt, he mentions he was using the certificate for his main job as well, so this sucks a lot for him).
Well, of course. Have the other commercial offerings every been "truly open OSes"?
So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten storypoints of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 storypoints at minimum, even if then you're done for much longer
But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware
There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goed forwards). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also
When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices
You'll find that people that are not computer experts will take to modern Linux with much more ease than those that have complex needs, which for 90% of the people these days means that access to the Web satisfies all their needs. Moving from Windows 7 to 11 will probably be as traumatic as moving from Windows 11 to KDE, so it's an investment worth doing in my opinion.
While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?
Like none. Literally the best office you MIGHT KIND OF be able to run in 2016, but probably more like 2013.
Valve focused on games, that is awesome and really helpful…
But there are 10,000 distros and instead of putting real resources to put even rickety bridges over MS’s moat, no sorry, this team is making duplication-of-effort distro 10,001 which is now identical to thousands of others but the taskbar is in the middle of screen.
The people working on Linux are consistently uninterested in then things people would need to drop windows.
Not for long: https://news.ycombinator.com/item?id=46784572
Until Microsoft decides to no longer sign the Linux boot loader shim (for IBM/Red Hat, no less).
Except compulsory age verification in Linux is now becoming a real threat. Some Linux distros are actively against this but many are not seemingly interested in fighting it: CachyOS, Ubuntu, Fedora and others.
Age Verification is the thin end of a much bigger wedge in "open" OS's
I thought community projects (as opposed to the corporate Fedora and Ubuntu) are exempt from such laws.
the current law requires no verification at all simple attestation, you could put in _any_ age. it also does not effect linux distros as a whole, only distros in jurisdictions with the laws.
Sure, for now... I simply don't believe it will stop at "simple attestation", because we all know that simple attestation is practically useless, but once the various distros accept this "trivial" inconvenience, "Age verification 2" with harsher requirements will soon be on the way.
I would be ecstatic to be proved wrong on this, but experience tells me that is not likely to happen.
Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.
Switch to Linux if you can, and come give Shufflecake a try ;)
https://shufflecake.net/
https://community.osr.com/t/locked-out-of-microsoft-partner-... Could be a related issue to this? Maybe Microsoft just doesn’t want driver developers for whatever reason.
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
We need better OSes such that signing of software is not required to keep your computer safe.
Qubes OS is such OS: it runs everything in VMs with strong hardware isolation. My daily driver, can't recommend it enough.
GrapheneOS is doing lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc, storage scopes are excellent security features. Malware cannot do much even with the default settings.
Just add code cert generation to letsencrypt, it's not like MS validates the code that you sign used certs from them anyway
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
Microsoft signed the Crowdstrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about.
Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Thrustworthiness signal is in the behavior/reputation of the signer.
Pretty sure there were historically a lot of apps that stole peoples contact lists and were signed properly. Certainly in the Android world.
Is it some entirely different process than providing hashes and a GPG signature?
Well, yes. Just look at OP and Jason struggling to get their code signed.
Misplaced trustworthiness?
On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.
[0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...
It should something like web certificates, you can bring your own.
I think this is fundamentally an unsolvable problem and I'm not even sure it's worth pursuing.
Any large scale signing platform will have large oversights and be rendered useless. See the appstore / play store/windows...
Microsoft doing everything in their power to be assholes, as always
As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.
It doesn’t help that they do that sort of shits AND mandate a microsoft account for logging in to windows. Also how much trust can you have that if you move your business to azure they will not randomly kill it. Incompetence or malice, almost doesn’t matter to the average user.
The outcome is the same, yes. With incompetence, there is at least a glimmer of hope things will get rectified. But you are correct, trust is destroyed this way, and it doesn't look like Microsoft cares much.
For folks looking for a much simpler single binary alternative.
https://github.com/srv1n/kurpod
Besides Veracrypt, are there any real alternatives to Bitlocker for total drive encryption in Windows?
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
That's kind of crazy. Why doesn't Microsoft revoke such certs such that you can't sign new software with it?
Because it's mostly just performative.
Microsoft continues to push for year of the Linux desktop
Can someone please explain the implications for current Windows users of VeraCrypt?
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
That seems like a very nonsensical stance.
The biggest risk in encryption software is that you lose access to your data. You seem to be ignoring that risk completely and focusing on something else entirely.
I don't think you would loose access. You can always recover data on an open platform such as Linux.
Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.
I would not be surprised if it was some sort of AI driven mistake.
Some guy somewhere deciding to delegate threat assessment to Copilot or some other automated tool.
Microsoft can't be trusted.
Never was, isn't and I guess won't be.
Anyone here who could reach out to specific persons inside Microsoft who could fix this?
if michalesoft wants to take away our ability to sign drivers, they will find there is more than enough vulnerable easily exploited drivers we can use that are pre-signed online. Thank you micosawft!
Are you having a stroke?
Most likely just intentionally misspelling the name in the spirit of calling them Microslop.
And perhaps the time they sued a kid named Mike Rowe for having a website mikerowesoft.com
Any chance this is the issue?
https://techcommunity.microsoft.com/blog/windows-itpro-blog/...
From TFA: "I have encountered some challenges but the most serious one is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader."
Yeah, and the first comment beneath that mentions that the most recent version is signed with the "2011 CA" that the article I link to discusses being deprecated.
My guess was that he got caught up in some house-cleaning. My theory being that he's still signing his code the way malware authors also do and got flagged by some automated review that's meant to force him to go get WHCP certified or whatever the new route is.
If only there was a way to sign software and not depend on a centralized authority, something like a... web of trust?
(and yes I know, you'd need to have the option to have "your" (haha...) OS trust it of course)
It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.
Yeah but isn't the point of these certificates to express trust?
The point isn't (or: shouldn't be) to forcefully find your way through some back alley to make it look legit. It's to certify that the software is legit.
Trust goes both ways: we ought to trust Microsoft to act as a responsible CA. Obfuscating why they revoked trust (as is apparently the case) and leaving the phone ringing is hurting trust in MS as a CA and as an organization.
who on planet earth trusts a piece of software because Microsoft signed it?
There are different types of trust, but at the very least with such a signature you can trust that the piece of software is really from Veracrypt and not from a malicious third party.
For one: Most if not all virus scanners.
A signature is a signal, not an absolute. Although, to be fair, if Microsoft (or most other CAs) had done a better job, then that trust would have carried more weight than it does currently.
Trust isn't binary, it's a spectrum. A signature is a signal that should increase trustworthiness. Not the strongest signal, perhaps even a weak one, but it's not zero.
That's what VeraCrypt is, a fork of the original TrueCrypt after all drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.
Probably not French though, give how hostile it appears to be to encryption/security related projects (GrapheneOS had a good arguments re: that)
The author is now based in Japan, and even owns a veracrypt.jp domain. Meanwhile, the old veracrypt.fr domain redirects to veracrypt.io.
Seems rather clear that he doesn't want French jurisdiction.
And Microsoft will be happy to shut that one down because their incompetence.
So we'd better find a real solution now.
very much sounds like microsoft
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.
We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).
I will continue to suppose that the “real issue” with Linux is that the people drawn to developing it will not work well with others and continue year after year to waste time and duplication of effort on five decent, and ten thousand pointless distributions.
Whatever reason for this refusal / inability / choice to not contribute but rather re-create is on the reader to assume.
There is very little effort put into real progress as you point out. Sure, tons of work to move from x11 to Wayland, cool, only the developers give a shit… where is Office/365 that would make daily driving actually viable?
While WINE is impressive, it seems the only real progress for anything past Windows 7 is on paid versions of which there are at least three competing options.
Linux Desktop progress is slow because there it’s thousands of floundering side-projects without a goal of actually pulling normal users in.
Forced software signing should be illegal.
It's not forced, especially for normal software, you just get a popup. It's a bit of a pain to disable the requirement for drivers, though.
I don't think you can install VeraCrypt, at least for system encryption, unless the installer is signed
According to further up the thread, you can if you disable secureboot.
I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?
And yet another example of companies turning actively hostile against their users.
The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.
Jesus, sourceforge is still on the go?
I understand that most people want to move to other more modern tools, it's up to you. However, what baffled me is why the author's choice not to move is a problem? Did we pay them to move and they did not move as promised? Was there some crowd funding to move that was not fulfilled?
> what baffled me is why the author's choice not to move is a problem?
Because Sourceforge is horrible to use and was at one point actively pushing malware? It's pretty obvious tbh.
Might be it even not using all your code to train AI. Or at least not asking your explicit permission to do it.
Not every conversation has to be a conversation about AI.
sourceforge was always very scummy, I think they would definitely use the code for that if they could
It wasn’t always scummy… but there was a definite shift after they got bought. It’s kept getting worse since then.
Then again, this was something like 20 years ago. Back then, Sourceforge was something closer to GitHub today. It was the de facto public source repository. You could even get an on-premise version, IIRC.
Actually, this is sounding a lot like GitHub these days… not sure what that means.
And unfortunately some projects exclusively use sourceforge. Which breaks some of my CI pipelines.
yeah, it just works
cool project
maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.
if they had a reason other than 'oops mistake' its likely just going to remain in place. (sadly, that is how MS is. if you care for privacy maybe go to BSD)
Who said vulnerable? Perhaps just a driver with less features.
GP refers to the practice of getting kernel level code execution using other, old vulnerable drivers and using it to run the VC driver.
This highlights the fact that not only is supporting Windows dangerous to your project, but using Windows is dangerous to your security.