Posted by super256 12 hours ago

Veracrypt project update(sourceforge.net)
970 points | 359 comments
zx2c4 9 hours ago|
This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.

If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.

sellmesoap 2 minutes ago||
With these big players who are regularly found supporting people with evil intentions: Don't attribute to incompetence what could be ascribed to malice, nay you must trust the gods of the clouds to keep your secrets for you, all for the low low price of $x.99 a month a seat, you may only cancel your service with an arcane dance and the sacrifice of your first born!
ninjagoo 4 hours ago|||
It has been clear for a while that certain providers and services need to be regulated as utilities - Microsoft, Google, Apple, Visa, Mastercard, and soon Openai and Anthropic.

It should be illegal for these companies, just like utilities, to deny service to anyone or any entity in good standing for dues.

There is little hope for getting this through in the US where most politicians of any stripe hate the public, and the ones that don't have hardly any power. But it might be possible to do this in the EU.

Then, we non-EU folks need to apply for Estonian e-residency [1] which may get us EU regulatory coverage.

[1] https://en.wikipedia.org/wiki/E-Residency_of_Estonia

nostrademons 43 minutes ago|||
It would not surprise me if these actions are coming at the requests of governments. Strong encryption is one of the few things that challenges their monopoly on information; they have a very strong incentive to apply political pressure to the maintainers of these projects to, well, stop maintaining the projects. We've seen this in overt actions that the EU takes; in more covert actions that the U.S. government is suspected of taking; and in the news headlines about third-world dictatorships that just shut off the Internet. Tech companies are perhaps the most convenient leverage point for these actions.

More regulation won't help here, because the regulation-maker is itself the hostile party.

What would help is full control over the supply chain. Hardware that you own, free and open-source operating systems where no single person is the bottleneck to distribution, and free software that again has no single person who is a failure point and no way to control its distribution.

prox 4 hours ago||||
We need a law that a human representative can be spoken to within 24 hours or directly when something critical happens.

Also “there is no appeal possible” should be plain illegal.

burnt-resistor 1 hour ago|||
Technofeudalism is what happens when grossly under-regulated anarcho-capitalism dominates rather than sustainable, more ordinary capitalism where government regulation is the supreme, minimized biased arbiter that keeps things fairer and sensible for the benefit of the many rather than the benefit of the few.
gzread 3 hours ago||||
In the EU, under GDPR, it is legally required to explain automated profiling.
emsixteen 3 hours ago||
How's that work? Got a link handy to explain to a dummy?
buzer 2 hours ago||
Article 13(2)(f)

"In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."

EDPB Guidelines on automated decision making: https://ec.europa.eu/newsroom/article29/items/612053 especially page 25 is relevant

C‑634/21 is also somewhat relevant to understand how courts have applied ADM in the general context of credit reporting https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... though it didn't specify what information actually needs to be provided for 13(2)(f).

beng-nl 3 hours ago|||
I understand the sentiment, but.. do you realize how much more expensive that would make all these services?

I don’t know the number. But personally I think using the services, and ‘simply’ only using them if their disappearance isn’t catastrophic, and having the price be low or free while it works, isn’t too bad a trade-off.

Admittedly that’s a big ‘if.’

alemanek 1 hour ago|||
That is the wrong way to look at it.

If this requirement was in place they would be a bit more careful about terminating accounts because the cost equation would incentivize it. Maybe they would be more careful in their automation or require more than one level of human review before cutting off access.

These companies are gatekeepers for their platform. It isn’t crazy to require them to act more responsibly.

prox 2 hours ago||||
These are usually multi billion dollar companies, they’ll be fine, stop worrying about them.

Start worrying about the erosion of your rights as a consumer.

amluto 1 hour ago||||
These services are designed such that security sort of depends on reviewing the programs that are allowed to run. Microsoft, Google and Apple all do this. It adds expense, annoyance, limitations, and really very little security.

The contrasting approach, where one designs a platform that remains secure even if the owner is allowed to run whatever software they like, may be more complex but is overall much better. There aren’t many personal-use systems like this, but systems like AWS take this approach and generally do quite well with it.

zelphirkalt 38 minutes ago||||
Even if they somehow were so expensive that it would no longer scale to their size, that is still not our problem and if anything, a sign that either they need to improve their systems, or simply cannot be as big as they are. Shit happens, scale down, I won't cry for them.
_imnothere 3 hours ago||||
They sure do earn enough money to afford whatever number that is on your mind.
rangerelf 3 hours ago||||
If it's impossible for a service provider to even talk to its customers, why is it in operation at all?
HackerThemAll 11 minutes ago||||
Look how much profit Microsoft made last year.

"Financially, it was a year of record performance. Revenue was $281.7 billion, up 15 percent. Operating income grew 17 percent to $128.5 billion." https://www.microsoft.com/investor/reports/ar25/index.html

So don't be so naive to tell us that 1-2 additional people to handle the appeal process is anything but rounding error in their balance sheet.

thefounder 2 hours ago||||
I don't think they would be so much more expensive but they would be less profitable for sure and perhaps less "innovative" as a big chunk of the profit will go into regulation stuff.
harel 2 hours ago||||
Honestly, it's not our problem. Once a service becomes so vital it cannot be terminated without any meaningful process. My meta developer account is suspended and none of my appeals are responded to. Who can I talk to? Nobody. It's wrong.
chromacity 2 hours ago|||
> I understand the sentiment, but.. do you realize how much more expensive that would make all these services?

It wouldn't. For example, before Gmail, email was often free or nearly free (bundled with your internet service), but in most cases, you could talk to a human if you had issues with the service.

What we couldn't do is turn these business models into planetary-scale behemoths that rake in hundreds of billions of dollars in revenue. In essence, you couldn't have Google or Facebook with good customer support. I'm not here to argue that Google or Facebook are a net negative, but the trade-offs here are different from what you describe.

miohtama 4 hours ago||||
If it is regulated as a utility, the government will want to ban these hacking tools.
zelphirkalt 36 minutes ago|||
I think the GP is relating to MS services and accounts as utilities that should not be possible to be taken away easily, not about Wireguard.
JoshTriplett 3 hours ago|||
Agreed. Be careful what you wish for.
NewsaHackO 3 hours ago||||
It's always weird to see the dichotomy of some people saying AI will never be profitable and is doomed to fail and others saying that it is such an essential public service that it is a utility and should be subject to government regulation. Hopefully they are not the same group of people, but I suspect there is a greater overlap than one would expect.
jonathanstrange 47 minutes ago||
I'm not one of those people but want to point out that there isn't much of a contradiction there. I don't know if hospitals, universities, train tracks, roads, and libraries technically speaking count as utilities but they overall don't seem to be profitable and at the same time are extremely desirable for a society and an economy to have. AI could turn out to be of the same sort.
zelphirkalt 44 minutes ago||||
I have a feeling that the resolve to do something about it is waning in the EU, because of the plans to soften up the GDPR.
x0x0 3 hours ago|||
I've gotten business verification for Microsoft before. The kind you need in order to get certain oauth scopes for their O365 platform.

Do not discount complete, total, utter, profound fucking incompetence as the driving reason behind this.

Getting the business verification was an astounding shitshow. With a registered C corp and everything, massively unclear instructions, UI nestled in a partner site with tons of dead ends. And then even after all the docs, it took another week because -- in an action that nobody could possibly have ever foreseen -- we had two different microsoft accounts due to a cofounder buying ONE LICENSE of O365 for excel and doing domain verification because it suggested it.

onehair 9 hours ago|||
Now this is even more alarming! Wireguard's creator has their Microsoft account suspended...

<Tin foil hat on> Microsoft doesn't want to allow software that would allow the user to shield themselves, either by totally encrypting a drive, or by encrypting their network traffic! </Tin foil hat on>

unicornporn 9 hours ago|||
> Microsoft doesn't want to allow software that would allow the user to shield themselves

I don't think Microsoft cares (about anything besides making mo' money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.

No tinfoil needed.

vstm 9 hours ago|||
> No tinfoil needed.

That's what Big Tinfoil wants you to believe!

whycome 6 hours ago|||
I heard it doesn’t even contain tin!
burnt-resistor 1 hour ago||
Total enshittification with this pure aluminium shit. The hats don't block government UFO mind control waves and hold their shape nearly as well as the tin ones did. Fucking private equity ruins everything.
falcor84 8 hours ago|||
Wait, what?! I was sure that the agenda of Big Tinfoil was to generate FUD so that we buy more tinfoil for our hats. Are you implying their agenda goes even deeper?
kps 6 hours ago|||
Have you tried to buy tin foil lately? Big Aluminum has taken over, and just see how far you get soldering the grounding strap to an aluminum foil hat.
kube-system 3 hours ago|||
Big Alumulumu is soon to be the market leader.

https://www.tiktok.com/@etong_winter_palikir/video/739554877...

bombcar 5 hours ago|||
This is the dirty secret; Big Weird tried to warn us but we didn't listen.

https://www.youtube.com/watch?v=urglg3WimHA

https://www.goodfellow.com/usa/tin-foil-group

shevy-java 8 hours ago|||
But making money at the expense of people is not a Tinfoil conspiracy - it's a factual statement.
lukan 7 hours ago||
It is also a factual statement, that tinfoil shields (somewhat) from electromagnetic radiation.
balamatom 6 hours ago||
But it is NOT necessarily a factual statement that one of the main uses of electromagnetic radiation is for humans to send information over long distances; nor that I first learned about tinfoil hats from some random piece of information that was being broadcast by means of electromagnetic radiation. It's just a vibe.
lukan 6 hours ago||
Yep.
anonym29 8 hours ago||||
>I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.

Microsoft the corporation may only care about making money, but a lot of very high ranking folks within MS Security aren't just friendly to intelligence agencies, they take genuine pride in helping intelligence agencies. They're the kinds of people who saw nothing wrong or objectionable with PRISM whatsoever, they were just mad they got caught, and that the end user (who they believe had no right to even know about it) found out anyway. The kind of people who openly defend the legitimacy of the FISA court.

These aren't baseless accusations, this comes from first-hand experience interacting with and talking to several of them. Charlie Bell literally kept a CIA mug on a shelf behind him, prominently visible during Teams calls, as if to brag.

Remember - Microsoft was the very first company on the NSA's own internal slide deck depicting a timeline of PRISM collection capabilities by platform, started all the way back in 2007. All companies on that slide may have been compelled to assist with national security letters. Some were just more eager than others to betray the privacy and trust of their own customers and end-users.

maxo133 4 hours ago|||
I can completely believe this.

I was always convinced that Skype was bought by Microsoft so that the CIA/US intelligence agencies could have listening capabilities.

The first thing Microsoft did after the Skype purchase was making it easier to tap into the calls by removing p2p calling and routing calls using centralized servers.

vardump 8 minutes ago||
Yeah. Otherwise Microsoft purchasing Skype made no sense.
SoftTalker 2 hours ago||||
That's my experience with most computer security folks as well, and tech companies who sell security products. Cloak-and-dagger stuff running 24x7 in their heads.
dboreham 7 hours ago|||
It's quite possible TLAs plant employees inside important tech companies. So not only are they sympathetic, they directly work for them.
balamatom 6 hours ago|||
>I don't think Microsoft cares (about anything besides making mo' money)

If Microsoft amounts to a sentient entity (i.e. is able to care about things), we have a bigger problem.

If we put the wall of metaphor between us and that interpretation, it still remains likely that "users shielding themselves" is of primary concern to Microsoft's bottom line.

Macha 7 hours ago||||
Alternatively they asked copilot to scan for crypto projects and ban them
riskable 6 hours ago||
You think it would succeed at that? Come on. Copilot is for entertainment purposes only!
bombcar 5 hours ago|||
Watching Microsoft try to dogfood Copilot is entertaining to me, in a way.
rvnx 5 hours ago||
https://techcrunch.com/2026/04/05/copilot-is-for-entertainme...

At least it reached its goal if it entertained you

ngetchell 9 hours ago||||
Or more likely, some automated security system flagged popular but suspicious apps for further review.
antiframe 4 hours ago|||
If you use an automated process to disable accounts but then state there is no appeals process available as they stated, then you are not to be trusted to be acting in good faith. Bad actors should be called out and not given the benefit of the doubt.
Gigachad 8 hours ago||||
Automated systems breaking things without any human contact to get them resolved seems to be the theme of the last 10 years.
burnt-resistor 1 hour ago||
This phenomenon is so Orwellian with insufficient awareness, it should both be an SNL skit and a John Oliver episode. It's illiberal, neoliberal, corporate bullshit that causes harm to individuals. These companies need to be treated as utilities and the "companies can do whatever they want" arguments must be debunked and defeated because of the pervasive power they hold and immense harm they can cause to individuals without a remedy when they rug pull access without clear cause.

It also reminds me of the case of the entire family who lost all of their payment-linked individual accounts including business data and an academic dissertation because the son allegedly behaved inappropriately with a bot. Collective punishment on top of technofeudal instant banishment.

raxxorraxor 8 hours ago||||
Where are the people that tried to sell us software signatures as security benefit? The reality is that they are a very specific security problem. In theory and in practice.
nelox 9 hours ago|||
Maybe they let Mythos loose and it suggested the safest approach was to remove access ;)
varispeed 2 hours ago||||
It is more likely that the government doesn't want to allow people to have privacy. Microsoft just obediently listens to orders and executes them.
blitzar 7 hours ago|||
"Never attribute to malice that which is adequately explained by stupidity"
justin_oaks 4 hours ago|||
When a company makes it impossible to correct their stupidity, it's a malicious act. The behavior speaks loud and clear: "We don't care what damage we do to developers or users. And we don't want to hear about it."
tux1968 5 hours ago||||
I'm more convinced than ever that this aphorism has it completely backwards.
pocksuppet 5 hours ago||
It was probably true at some point, then malicious people learned how to fake stupidity and they outnumber actual stupid people, and they learned how to recruit stupid people to their causes.
xeonmc 5 hours ago||
Never attribute to incompetence that which is adequately explained by profit motives.
BoredPositron 2 hours ago|||
The guise of a harmless mistake has worn so thin and is so overused by tech companies that I now only see deliberate intent.
teruakohatu 9 hours ago|||
I am astounded that the maintainer and inventor of Wireguard is in this position.

Microsoft even supports Wireguard in Azure Kubernetes Service.

windowliker 7 hours ago|||
Is this another example of their old modus operandi:

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

?

riskable 5 hours ago||
No. Embrace, Extend, Extinguish was replaced by the AAA strategy: Acquire, Assimilate, Abandon. They were trying to be more Google-like with that "Abandon" step I think.

They've since moved on to the SSS strategy: Ship, Slip, Slop.

arcanemachiner 4 hours ago|||
Good heavens! My acronymical notes on Microsoft's product strategy are two revisions out of date!
wtyvn 3 hours ago|||
Damn, I thought it was "Slop, Ship, Smile"
miroljub 9 hours ago||||
Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?

Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.

greenavocado 5 hours ago|||
This license modifier already exists for others to use (I can't post the direct links here because this site will sanction me for doing so)

plus n-word dot com hosts information about the plus n-word license which purports:

- The software will not be used or hosted by western corporations that promote censorship

- The software will not be used or hosted by compromised individuals that promote censorship

- Users of the software will be immune to attacks that would result in censorship of others

kbelder 44 minutes ago|||
Why "Western" corporations that promote censorship? Non-western censorship is allowed?
greenavocado 38 minutes ago||
They don't care as much about things like this
gzread 3 hours ago|||
It's even GPL compatible, because the GPL makes provision for additional notice requirements.

That would be both hilarious and horrifying if the only thing stopping the corporate dystopia is that Microsoft doesn't want to say the N word.

UqWBcuFx6NV4r 8 hours ago|||
We literally just did this. Now we have Valkey. Nobody won.
pocksuppet 7 hours ago||
Did anyone lose?

Valkey is better because all of the new development work happens on Valkey, not because of the license. If the actual developer changed the license, that would be a different situation.

Already__Taken 4 hours ago||||
It's got a lot of analogy to restaurants banning Uber delivery for not handling their food to their standards.
HackerThemAll 6 minutes ago|||
That actually is not an analogy at all, and it makes sense. When a low-paid Uber Eats delivery person just throws the box carelessly and brings a damaged dish to the customer, that's a real issue.

In digital services there's no such thing. There's only a damned corporation employing idiots who don't care about community.

xiconfjs 3 hours ago|||
What? How?
nelox 9 hours ago|||
Agree. Single point of failure. One developer, one account. Crazy.
ptx 8 hours ago|||
Having multiple accounts wouldn't help, as Microsoft could easily suspend all the accounts of everyone associated with the project if any account looks suspicious. The single point of failure is Microsoft.
pjc50 7 hours ago||||
You're not actually allowed to avoid this by having multiple accounts, that falls under "ban evasion".

But yes, there's a lot of critical single maintainer projects.

raxxorraxor 8 hours ago||||
No, that is not the issue here. The source of the problem is something different. This is a wrong root cause analysis.
jamesnorden 8 hours ago|||
How would more than one account help in this scenario, exactly?
hirako2000 3 hours ago||
Any account can sign any (same) piece of software. Of course Microsoft could detect that it's signing software related to a banned signer and ban the new account. So veracrypt (and wireguard) is stuck.

It's outrageous. MS is simply enforcing some Government crackdown on encryption software that would interfere with backdoors.

zx2c4 6 hours ago|||
Encouraged by this thread, I tweeted about it: https://x.com/EdgeSecurity/status/2041872931576299888
varun_ch 4 hours ago||
If someone was a bad actor, right now would be a pretty good time to start exploiting zero days in WireGuard…
pocksuppet 7 hours ago|||
The other day I tried to create a Github account and was repeatedly told I am fraudulent. Nothing else. Try again later, it says.

This is the same thing that's happened every time I've tried to have a Microsoft account. I don't think Microsoft wants to have customers who aren't rich.

jandrese 4 hours ago|||
Maybe some bot signed up using your email and then did bot things on it. I've had that happen a lot over the years. My Microsoft account is still stuck in German because that's the language the bot used when creating the account (to spam X-Box apparently).
hirako2000 3 hours ago||
I got a 20y old hotmail/live account deleted by Microsoft because a bot tried to reset my password too many times. Considering the magnitude of the targeted attack, MS found the safest way to keep me secure was to wipe my account. That way the attacker could not get into my account.
reincarnate0x14 1 hour ago||
I had something similar with a 6-letter apple account that has never been compromised but I guess got put on some kind of list, because I had to go through account recovery almost every time I logged in, which wasn't a big deal until I got an iphone. Apple support was completely useless. Random old buried forum post in a stall marked "beware the leopard" mentioned the behavior and suggested changing the account name.

Nothing in the Apple site or phone stuff would even clue the user in to what was happening, much less how to resolve it.

octoberfranklin 1 hour ago|||
Same here with github.
jchw 9 hours ago|||
I tried to set up a partner account for driver signing last year (as a business entity) and it already seemed basically impossible. I think they're getting ready to just simply not allow it at all.

This is stupid. If Microsoft wants people to stop writing kernel drivers, that's potentially doable (we just need sufficient user mode driver equivalents...) but not doing that and also shortening the list of who can sign kernel drivers down to some elite group of grandfathered companies and individuals is the worst possible outcome.

But at this point I almost wish they didn't fix it, just to drive home the point harder to users how little they really own their computer and OS anymore.

gib444 9 hours ago|||
Y'all need to form an alliance or something, get some press coverage (wireguard, veracrypt, libreoffice)
duskdozer 9 hours ago||
True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.
withinrafael 2 hours ago|||
Will send some emails.
iamnothere 6 hours ago|||
Surprised to see you here. Thanks for all your hard work.

Windows users are in a tough spot, but with the dawn of Copilot, nobody should be surprised. Frankly, those who remain with Windows after this latest betrayal have chosen their fate.

SV_BubbleTime 5 hours ago||
> those who remain with Windows after this latest betrayal have chosen their fate.

Ah. So almost every single business in the world… suckers?

serf 9 minutes ago|||
are you making an argument that businesses worldwide somehow are known to make well thought-out, rational, wise decisions that are in the best interest of the business and the efficiency of running it?

because most managers I know in my professional life go with the vendor that buys them dinner or slips them tickets for box seats.

gzread 3 hours ago||||
Yes.
croes 5 hours ago|||
Given MS' track record, yes
tssva 7 hours ago|||
Has your Apple account been suspended for the last few years?
ransom1538 7 hours ago|||
[flagged]
ComputerGuru 4 hours ago|||
That’s not how any of this works. There are separate teams within (each division of) Microsoft that could easily pull the plug on your account (or if not the entire account then your account’s access to the specific service or family of services) for any of a myriad purported reasons or alleged ToS violations.

No one is calling an executive meeting to discuss banning an OSS dev’s account.

0xC0ncord 6 hours ago||||
I have a hard time believing this to be true when for a while now it's always been some automated system that goes completely unchecked and unmonitored. It's not until someone who is wrongfully affected complains on Xitter does anyone notice.
prosopts 7 hours ago|||
What are you basing your remark here on?
malfist 6 hours ago||
[flagged]
tamimio 9 hours ago|||
I think it’s intentional, those encryption (at rest/transit) applications are outside of MS control and you can assume outside of potential backdoors by three letters agencies, bitlocker vs veracrypt? Of course bitlocker is favorable from their perspective.

I wouldn’t be surprised if NSA already had a list of these applications and the strategies on how to cripple them or worse, compromise them.

nelox 8 hours ago||
Or found they’ve been compromised by someone else? ;)
rsync 2 hours ago|||
You said:

"Currently undergoing some sort of 60 days appeals process, but who knows."

.. and the op said:

"I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."

... which is a roundabout way of saying you did not spend lawyer hours and you did not contact them through channels that they cannot ignore: registered, physical mail, from a lawyer.

I'm sorry for these difficulties, truly, but don't tell me you can't reach a human when you most definitely can reach a human. From my own experience with an organization at least as calloused and indifferent as MS[1], as soon as I sent a real, legal communication I had real live humans lining up to talk to me.

[1] Pacific Gas and Electric

reincarnate0x14 1 hour ago|||
Microsoft hasn't managed to burn down entire towns (But Copilot is probably working on it), so I suppose we do have at least some kind of gauge of callousness to work off of thanks to PG&E. Which was also the company behind that whole slightly famous Erin Brockovich thing, amongst so very many others.

Sometimes, it's both incompetence AND malice.

zx2c4 34 minutes ago|||
No. The humans just said 60 days.
matheusmoreira 6 hours ago||
> what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately?

Honestly, anyone still using Windows probably deserves it.

newsoftheday 3 hours ago||
First I was surprised to read the Veracrypt maintainers could be in this situation, then read the top comment where Wireguard maintainers are too (unless I misunderstood). Is this some malicious new program inside Microsoft to try and shut down open source projects so they can push Windows products and solutions more?
NewsaHackO 3 hours ago||
It feels more like an automated block due to an uncharacteristic increase in download activity. Something that it seems more and more companies are taking seriously is the cottage industry of scams involving less technically savvy people downloading apps online and getting their information stolen. The motivation for this is probably the same as Google stopping side loading. Take that as you want.
gzread 3 hours ago||
Yes.
pogue 11 hours ago||
They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
perlgeek 8 hours ago||
Isn't this Microsoft abusing their quasi-monopoly as a consumer PC OS vendor?

If it weren't for the current administration, I'd say it's time for regulatory action.

riskable 5 hours ago|||
The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.

The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This led to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.

Recently they've had some wins but overall they're still failing to do their job.

newsoftheday 3 hours ago|||
> If it weren't for the current administration

Because the Democrats were better at keeping them on a leash? No. Clinton was in charge 30 years ago and blew it.

tremon 3 hours ago||
It was the Clinton administration that started regulatory proceedings against Microsoft, but it was GW Bush that was president during the conclusion of the case. And, true to form:

> The Department of Justice, now under Bush administration attorney general John Ashcroft, announced on September 6, 2001, that it was no longer seeking to break up Microsoft and would instead seek a lesser antitrust penalty

https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...

klabb3 8 hours ago|||
It's much worse than you think. Press coverage -> manual intervention is at best a bandaid covering up a major wound in a flaw that happens with independent software distribution.

The old model, where the user decides which software or apps to run on their machine, is basically already replaced by a whitelist system that is managed by companies who have no interest or obligation to approve developers. If you are an individual, an open source developer, or god forbid reside outside the USA, you rely on a combination of L1 support doom loops, unjustifiably high recurring prices, kafkaesque and changing requirements, and internal inconsistencies. Windows is the worst, but all platforms (except Linux) suffer from this and you can and will get hurt, delayed, and gaslit. If you haven’t, it’s just a matter of time.

I have been blocked for 6 months now with Digicert code cert renewal, for my app Payload, which will never get any media attention. The app doesn’t matter though, the approval process is per-entity (usually, a company). The point is that nobody gives a shit, because they have a monopoly/cartel and they start the validation process after they take your money.

If you are not an app publisher, the best way I can describe it is the "pre-Let’s Encrypt" era of SSL certs, but more expensive, strict and ambiguous. In fact, I’ve never gone through any worse approval process in my life, and that includes applying for residency in two countries, business licenses, manual tax filings etc.

bluGill 6 hours ago||
Some countries (the EU in general) are already doing things about this. Owning the app store means you are a monopoly, and now the only question is whether you are illegal under the local laws, which vary.

You can/should write your congressman (or whatever they are called in your country) and get better laws in place.

klabb3 3 hours ago||
You are not wrong that regulation is desperately needed, and that the EU is doing good things. However, even the EU, which is doing the right thing on an anti-trust, pro-competition basis, fundamentally succumbs to the same misconception – that middlemen are necessary at all. The EU doesn’t care about the App Store model, they care about the App Store monopoly. They are right about that, but the solution isn’t alternative app stores - it’s much simpler: the solution is NO App Store.

More specifically, it used to be feasible to distribute software between me (the developer) and my customers (the users) without a mandatory gatekeeper that looks at me and decides whether I’m worthy, am from the right country, have good intentions etc. This is currently necessary on all desktop and mobile platforms except Linux. There is exactly 1 gatekeeper per platform (the platform owner who controls your device), except Windows, which effectively has like 3-4 CAs, a number that’s shrinking every year due to mergers and private equity ownership.

Software curation and reputation systems can be good, either with whitelists (say steam) or blacklists (say antivirus). I can see some use cases for it, but they should be within user control. What we have now is worse than a fearmongering Stallman rant. It’s incredibly bad, both pragmatically and philosophically.

CR1337 10 hours ago||
I blew the lid on X today:

https://x.com/i/status/2041698657368703484

bombcar 5 hours ago|||
The (new?) X link made me think for a moment you got the username @i
yegle 3 hours ago|||
The /i/ links are not new, but they used to be for internal (?) links e.g. ads.
aaronmdjones 3 hours ago|||
The website formerly known as Twitter has never cared about the username part of the URI; it only looks at the status number and will redirect you to the canonical version if it wasn't.
zymhan 3 hours ago||||
[flagged]
malfist 4 hours ago|||
[flagged]
john_strinlai 3 hours ago||
1) it's weird to disparage someone that is trying to help, no matter how small or large of an effect you think the help will have

2) they got 120,000 views, 400 retweets, and 1.7k likes in ~12 hours. that is a good amount of awareness. certainly more than I would get from a tweet. certainly more help than whatever you are doing here.

malfist 3 hours ago||
Their tweet was trying to help. Their comment here is bragging about how important they think they are.
john_strinlai 3 hours ago||
>Their tweet was trying to help. Their comment here is bragging about how important they think they are.

ah, well thank god you came in here and set them straight.

i am sure the veracrypt maintainer is appreciative of your service.

firen777 11 hours ago||
It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...
SeanDav 9 hours ago||
This is worrying on many levels. So Microsoft forces you to create an account to use Windows and then they reserve the right to block you from your own account, thereby potentially making you lose access to all your OWN data. This is crazy and yet another reason to stop using Windows as soon as possible.
jerf 6 hours ago|||
I know it's not what people want to hear but my response to a lot of the comments here is just a general, I agree, it's time to stop using Windows.

They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.

I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)

I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative are heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.

No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.

zarzavat 5 hours ago|||
Stop supporting Windows as well.

Open source developers are doing Microsoft a big favor when they support Windows and publish Windows builds and installers. It's a substantial effort, and apparently that effort isn't appreciated.

If all open source software dropped support for Windows, it wouldn't really affect the open source community that much. It would definitely cause headaches for Microsoft however.

jraph 1 hour ago||
It's not that easy.

I agree that supporting Windows helps its ecosystem.

But also open source software on Windows is an important gateway to the free world. When you are already used to Firefox, LibreOffice and VLC, you might as well switch to Linux painlessly, but if those didn't run on Windows, switching to Linux would require relearning everything.

ufmace 1 hour ago|||
I think they've been heading that way for a while, and it's only getting clearer.

I've been thinking, and said before, 90s Microsoft was far from perfect, but they at least seemed to care a lot about the quality of Windows. 2020s Microsoft seems to see Windows users as a captive audience they can exploit for whatever the corporate executives fancy at the moment. It seems more like a gradual transition.

In any case, it seems to be getting more clear that Linux is destined to be the best OS for power-users.

BLKNSLVR 6 hours ago||||
Correction: stop using Microsoft products as soon as possible.
xorcist 9 hours ago||||
It's not your own data anymore if you gave it away.
gzread 3 hours ago||||
Google and Apple have been doing this for a long time, and Microsoft clearly got jealous.

Their first big win was when they banned the Chief Prosecutor of the International Criminal Court from accessing any of the court's documents, then deleted all of those documents. Now they're going after slightly less important enemies of the state. That bar will continue to drop as long as it's allowed to. And let's not kid ourselves: if you develop or use encryption software that Mossad can't break, you are an enemy of the state.

criddell 7 hours ago|||
Or create the account but don't use Microsoft services.
whyoh 4 hours ago||
That probably had nothing to do with LibreOffice. Lots of people have had their MS accounts locked for no reason. I guess the automatic abuse detection system just sucks.

My advice is don't use a MS account if you can, at least not for anything critical. You don't need it for development, you can use 3rd party CAs for signatures.

Topfi 8 hours ago||
Honest question, did we ever get an answer as to what the cause was for the sudden change from the original TrueCrypt developer?

Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.

abcd_f 8 hours ago||
It's more or less commonly accepted that its creator got jailed for being an arms dealer.

https://en.wikipedia.org/wiki/Paul_Le_Roux

Topfi 8 hours ago|||
I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.

More importantly, if development ceased with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on Bitlocker of all things, a new version of TrueCrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent with a crowd-funded source code audit that, in the end, did not find any severe issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).

That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".

Izmaki 4 hours ago|||
I always believed that rather than publicly stating that they were about to be arrested or worse, which may alert regular, non-tech-savvy people, he sent a hidden message in the arguably horrendous recommendation of replacing his tool with BitLocker.

I think he was trying to scream “Run!” without actually screaming “run”.

_boffin_ 58 minutes ago|||
Wasn’t there something with 7.1A and that the canary was gone after that version too?
JoshGlazebrook 55 minutes ago||||
> He subsequently admitted to arranging or participating in seven murders, carried out as part of an extensive illegal business empire.

Yikes

diath 6 hours ago||||
Makes you wonder what kind of leverage/information you have to have to only get 25 years for admitting to being involved in 7 murders.
pnw 41 minutes ago||
According to Wikipedia, the DEA gave him immunity on additional charges in return for pleading guilty and running a sting against his associates, but before the DEA knew about the murders.
badocr 4 hours ago||||
My theory is that Le Roux was just financing the (two?) TrueCrypt developers.
Jerrrrrrrry 4 hours ago|||
One of the greatest men of our times.
no_time 8 hours ago|||
I would also like to know why it is excluded from Archive.org

https://web.archive.org/web/20260000000000*/https://www.true...

bombcar 4 hours ago||
This can be done by Archive.org doing it for whatever reason (asked, on their own, etc) or it can be triggered by the current owner of the domain modifying robots.txt I believe.
b65e8bee43c2ed0 8 hours ago|||
likely chose to shut down rather than bend over, same as Lavabit a year prior. I find it more plausible than the other theory.
jug 7 hours ago|||
I went on a Wikipedia dive and discovered this funny bit regarding the court process surrounding Lavabit and the FBI's desire for the TLS private keys.

> The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."

(And to be clear, that's all they ever saw of said keys)

pas 7 hours ago||
> The court ordered Levison to be fined $5,000 a day beginning 6 August until he handed over electronic copies of the keys. Two days later Levison handed over the keys hours after he shuttered Lavabit.
trinsic2 56 minutes ago||
I remember that. That was around the time they were using the National Security Letter to make things happen that were clearly illegal. Now look at where we are at. They are using National Security reasoning for anything.
Topfi 7 hours ago|||
Fair assumption, but unlike Lava, TC never had customer/user data. The NSL/forced shut down theories also make little sense to me however, the fork was up by the end of the week and was easy to foresee. Kinda why this fascinates me so much, no theory I ever read survives basic scrutiny. Perhaps some things, we’ll never know.
b65e8bee43c2ed0 6 hours ago||
https://en.wikipedia.org/wiki/Nils_Torvalds#Linux_kernel_sta...

>When my oldest son [Linus Torvalds] was asked the same question: "Has he been approached by the NSA about backdoors?" he said "No", but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer, [but] everybody understood that the NSA had approached him.

so the assumption here is that TC were also asked to accept "contributions" from bioluminescent individuals, and chose not to. "just use Bitlocker" was a deafeningly loud dogwhistle, don't you think?

newsoftheday 3 hours ago||
Agreed, that whole thing was suspicious. I still use TrueCrypt, because of the suspicious nature of how it all went down.
0xCE0 8 hours ago||
Linux is the only hope at this point for the future of computing.

Windows and macOS are just too risky to do any business with. Waste of all resources.

chaostheory 36 minutes ago||
Who knows maybe Valve can expand from just gaming?
delfinom 6 hours ago|||
Don't worry, US states are working on making Linux illegal through age verification requirements in the OS.
gruez 2 hours ago|||
Isn't Linux compliant because of the systemd change?
McGlockenshire 1 hour ago||
The only thing that systemd did was add a space and api to store an attested birth date. That is what the entire meltdown was about. A CRUD API.

Everything else about complying with the wacko age verification law is up to distro builders.

GuestFAUniverse 4 hours ago|||
[flagged]
sunaookami 3 hours ago||
EU is currently on its way to introduce mandatory age verification everywhere.
eightysixfour 3 hours ago||
If I understand them correctly, the proposals are quite different. The US is effectively requiring the implementation of a third party verification service at computer set-up. The EU's approach validates an existing cryptographic identity that says you are over a certain age, without exposing your identification.

Please correct me if I am wrong, this is what I read here.

tremon 2 hours ago||
Do you expect the EU to insist on a different solution once the US solution is in place in all US-based operating systems?
cguess 7 hours ago||
and yet... still unusable by the mass majority of people.
teekert 7 hours ago|||
My kids grew up on Gnome essentially, I can tell you Win11 is a lot more confusing to them, not just because they grew up on Gnome, there is just so much more ... stuff. And notifications and flashy things and news and weather apps and they all want your attention. Gnome is much more iPadOS-like (minus that horrible concoction called the App Store).

Sure, if you're all in on MS365 (like all schools here in the Netherlands), Windows may be somewhat more handy with its native apps and all your stuff there with a single log-in.

cguess 6 hours ago||
And someone once raised their kids speaking Klingon, that isn't a good excuse on why it's a language others should use.

For the vast majority of people MS365 is a requirement, but really the issue is that even minor fixes require the command line on Linux and that makes it unusable.

newsoftheday 3 hours ago|||
> For the vast majority of people MS365 is a requirement

No it isn't actually, not for the majority, my wife (former Sales Person and Manager) uses Google office tools and used LibreOffice Write and Calc for years successfully.

dartharva 3 hours ago||||
None of this is true
teekert 5 hours ago|||
I guess it means that even when something is (arguably) objectively more simple, people still won't budge just because they don't want change. They don't want to learn new things.

I myself am quite different. I have thoroughly had it with my current iPhone and am eyeballing /e/OS, before that I really started to find Android boring, before that Windows mobile (the nice one with the cards). I switch Gnome, KDE, some other DE (now getting ready to try Niri) every year or 2. I don't get the struggle, for me a new env is like a present (even though I normally hate presents). So much niceness to explore, so much to optimize. I love it. But I'm also one of those guys that reads the oven manual and tries all functions in week 1.

I'm not weird, all you people are weird.

Pay08 3 hours ago||
No, it means that people have requirements that Linux does not fulfill. I need the Office suite, and would rather not gamble with the various compatibility promises made by alternatives.
trinsic2 50 minutes ago||
Good luck with that.
uyzstvqs 4 hours ago||||
This is always said by people who either never touch the Linux desktop, or exclusively use their own custom Arch setup.

You can install Fedora Linux, Linux Mint or Manjaro, and it's more user friendly than Windows 11 and macOS.

WarmWash 6 hours ago||||
Linux is stuck because it's made and maintained by people who love linux.

Look at popular unix based OS's - Android, MacOS, iOS..

What's the first thing they do? Take the command line out back and shoot it. Whereas for Linux users, there is this l33t h4cker fetishization of only using a keyboard to do everything. All these distros have an extremely robust CLI under the hood, and an afterthought quasi GUI on the surface. Just good enough for grandma to check her email and watch youtube.

hparadiz 5 hours ago|||
Why do folks act like windows isn't full of cli commands? First thing on any windows box is running debloat in powershell. Installing apps from a gui in Linux has been solved for a long time.
WarmWash 4 hours ago||
Having an excellent CLI doesn't preclude having an excellent GUI. No reason we can't have both.

Also I hate Linux repos with a passion, because they are optimized for CLI usage, and (like the whole OS) the GUI parts are a total unoptimized afterthought. Never mind that they are a dumping ground for whatever code anyone shits out, with virtually zero management or curation. With a CLI you don't see this, with a GUI it's a total mess.

I'm fine with app stores, but they need to be actively managed and curated. If not, I far far prefer just downloading .exe's from the source.

PokestarFan 5 hours ago||||
MacOS has a good CLI if you need to use it. There are CLI equivalents for a lot of the system setting/administration stuff.
kbelder 3 hours ago||||
>Just good enough for grandma to check her email and watch youtube.

Which is 90% of the use of a computer. And Steam is taking care of the other 10%.

newsoftheday 3 hours ago||||
> Whereas for linux users

My wife has used Linux for many years successfully and has never used the CLI once.

goolz 5 hours ago|||
I have had Bazzite on my gaming PC for a while now, never have to mess with the terminal much. It has come a long, long way. Even gentoo has become more accessible than ever. While some of this holds true, you most certainly do not need to live in the command line with some of these distros. Especially if you are just trying to play some games and browse the web, etc.
sgbeal 3 hours ago||||
>> Linux is the only hope at this point for the future of computing.

Linux is the most obvious, but there are numerous flavors of BSD as well.

> and yet... still unusable by the mass majority of people.

That info is 20+ years out of date. Distros like Suse and Ubuntu made Linux "click, click, click, it's installed" more than two decades ago. I've watched complete non-techies switch to Mint Linux long-term, the only intervention from me (their resident techie) being showing them how to boot up the USB stick installer.

tapoxi 6 hours ago||||
This isn't really true anymore with the advent of Flatpak & Flathub. It's just an app store like any other platform. Even the majority of games work without tweaking.
cguess 6 hours ago||
I've run Linux as a daily driver recently; Flatpak and Flathub still break all the time. Not to mention the last time I bumped my Nvidia drivers nothing decided to open anymore.

Any OS that requires even once going to the command line is unusable for 99% of the population (and for me I just shouldn't ever have to).

raudette 6 hours ago||
I hit this recently - nVidia issues with a Flatpak, I spent about half an hour on it, gave up, and just decided to try the app out on another laptop.
newsoftheday 3 hours ago||||
My wife (former Sales Person and Manager) has used Linux for many, many years and prefers it over Windows.
megous 6 hours ago|||
Not used does not mean not usable. Primary school aged children used MS-DOS without any documentation in the 1990s. Pretty sure randomly selected people would be able to use a modern Linux distro, when pre-installed just like Windows is.
WarmWash 6 hours ago||
[flagged]
megous 5 hours ago|||
No I'm just telling you people are not as stupid as everyone assumes.
hparadiz 5 hours ago|||
Folks like you need to just install Linux and use it.
WarmWash 4 hours ago||
[flagged]
no_time 8 hours ago||
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".

If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.

At least now I'm a bit more certain that VC is indeed safe.

superxpro12 4 hours ago|
They've finally sprung their enshittification trap. Their move into "open source" was never of friendly origin. It was a business move, plain and simple.

And now they're locking down Windows OS, hard. Expect GitHub and VS Code to follow.

trinsic2 42 minutes ago||
I left GitHub for GitLab because I knew this was coming.
dizhn 11 hours ago||
Microsoft disabled the developer's certificate so no windows releases can be made.
jonathanstrange 11 hours ago||
As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?

Are there some ways to combat such decisions legally?

electroly 5 hours ago|||
Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.

I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.

ComputerGuru 4 hours ago|||
It’s become nigh impossible to get your own code signing cert these days. The 2025 update from the CA forum required code signing certs to be short lived (no more three or five year certs) and stored exclusively on an HSM. As a result, most companies cross-signing these certs have moved to a subscription PaaS model where you are issued a cert but never receive custody of it, and perform signing via their APIs, and are at their mercy should they decide to block your account.

Anyway, even if you could get your own cert it would be the same thing: MS could revoke or blacklist your indicate cert (though usually the grounds for doing so are much less shaky than your account being suspended for vague “tos violations”)

electroly 1 hour ago||
I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.

The Microsoft Store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.

The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.

I'm standing by my suggestion, 100%. These aren't equivalent risks at all.
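The check electroly describes, as an added example that is not part of the thread or of any project's code: verify the Authenticode signature of an installer downloaded from a publisher's own site, confirm it carries a timestamp (important now that signing certs are short-lived), and look the signer up in the local "Untrusted Certificates" store. The installer path is a placeholder; everything else uses only built-in Windows cmdlets.

```powershell
# Added example (not from the thread). Verifies a downloaded installer the
# way a cautious user would before running it, using only built-in cmdlets.
# $InstallerPath is a placeholder; point it at a file from the publisher's site.
param(
    [string]$InstallerPath = "C:\Downloads\example-installer.exe"   # placeholder
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode verification: rebuilds the chain to a trusted root and
    # checks that the file's hash matches what the publisher signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File              = $Path
        Status            = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        StatusMessage     = $sig.StatusMessage
        Signer            = $sig.SignerCertificate.Subject
        Issuer            = $sig.SignerCertificate.Issuer   # the public CA that vetted the publisher
        Thumbprint        = $sig.SignerCertificate.Thumbprint
        NotAfter          = $sig.SignerCertificate.NotAfter
        Timestamped       = [bool]$sig.TimeStamperCertificate
        InDisallowedStore = $false
        Sha256            = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }

    # "Untrusted Certificates" in certlm.msc is the Cert:\LocalMachine\Disallowed
    # store. A signer listed there is explicitly distrusted even if the chain
    # would otherwise validate; this is the revocation path, distinct from a
    # Store/developer-account suspension.
    if ($sig.SignerCertificate) {
        $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue
        $result.InDisallowedStore = [bool]($disallowed |
            Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint })
    }

    # A Valid signature with no RFC 3161 timestamp stops verifying once the
    # short-lived signing cert expires, so flag that case separately.
    if ($result.Status -ne 'Valid') {
        $result.Verdict = "REJECT: $($result.Status)"
    } elseif ($result.InDisallowedStore) {
        $result.Verdict = 'REJECT: signer is in the Disallowed store'
    } elseif (-not $result.Timestamped) {
        $result.Verdict = 'WARN: valid, but not timestamped'
    } else {
        $result.Verdict = 'OK'
    }

    [pscustomobject]$result
}

# Size of the list electroly refers to: entries in the Disallowed store.
function Get-DisallowedCertificateCount {
    @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue).Count
}

Test-InstallerSignature -Path $InstallerPath | Format-List
"Disallowed store entries: $(Get-DisallowedCertificateCount)"
```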

ComputerGuru 9 minutes ago||
Thanks for sharing your experience. I have been code signing releases for over a decade as an indie publisher myself, until I found myself effectively iced out by the HSM requirement, the increased cost, and the shortened cert lifetimes, which, as someone with certain executive order dysfunctions, I already had a hard time being on top of with the old (multi-year) lifetimes.

I just migrated to MS artifact signing and, thank the lord, had an actually easier time getting verified than I did with Sectigo and Comodo in the past. I’m sure I’m not representative of anyone else’s experience but having already had a developer account (with a different email and without an Azure account!) that I had already been using for the Microsoft Store might have helped, as well as the fact that I had a well-established business history (I’ve heard businesses younger than 3 years can’t get verified??), but reading all the comments here makes me very uneasy about the future.

It’s good to know the HSM route isn’t a complete non-starter. The main reason I panned it is that when I started looking into this I found that a number of companies that had previously offered the HSM route had done a bait and switch and were now keeping custody unless you were big enterprise (meaning willing to put up with 10k/yr fees). I did find a few that would allow OSS devs to sign their work, but read horror stories on Reddit and elsewhere about their freezing the account and issuing no refunds if you ask them to issue the cert in the name of your LLC or corporation instead of with your personal name (which I expressly did not want). Also, they actually were more expensive than Azure artifact signing even after the HSM cost was taken out.

trinsic2 48 minutes ago||||
Yep. OS level stores are just a way for the org to exercise control over installs.

I have stayed far away from that process for a long time. Apple macOS seems like the worst in that department IMHO.

rkagerer 3 hours ago|||
Thank you for that. Although it may be unlikely, I'd love to see a mass exodus away from their failed attempt to emulate all the worst aspects of appstores popularized in other platforms.

I grew up being able to download software and install it, and actually prefer that model (relying on reputational trust of the party publishing it, my own verification from other signals researched, or sandboxing techniques where appropriate).

Most users may not be aware, but a rare gem of a version of Windows that refreshingly doesn't even come with the store (or a bunch of the other unwanted bloat) is IoT Enterprise LTSC.

As a lifelong Windows user, the premise of Microsoft controlling what goes on my PC is revolting. I'm buying a tool from them, not a set of handcuffs. If it was some non-profit, open-source group running the store I might be more inclined to trust it. But ultimately the only gatekeeper on a product I own should be me. Otherwise I don't really own it, which leads to problems like this one.

shelled 10 hours ago||||
Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.

And of course, it doesn't affect their earnings and there are no consequences, or no significant ones, so they won't care and won't respond or tell what went wrong.

Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.

politelemon 10 hours ago||||
This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.

If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.

technion 10 hours ago||||
There's more to it. Signed desktop software can be signed by any CA.

Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.

In general this isn't your problem.

raxxorraxor 8 hours ago||
Speculation as well and highly unlikely. Microsoft drivers can very well BSOD your machine as well, not a significant or convincing threat scenario and certainly not something that led to certificate revocation of driver developers. There is zero quality control or review by Microsoft here. Not for their own products and not for third party ones.
steve1977 7 hours ago|||
Exhibit A:

https://en.wikipedia.org/wiki/2024_CrowdStrike-related_IT_ou...

fluoridation 6 hours ago|||
That's not entirely true. Certain classes of signing keys require driver developers to put their driver through a test battery and submit the results to Microsoft.
rkagerer 3 hours ago||
I wish Microsoft expanded and built on that model, instead of moves like firing swathes of their QA staff.

It could have grown into a massive, self-service testing playground where any developer could submit their product and put it through an arsenal of basic, automated evaluations (e.g. does uninstall leave tidbits behind?), with paid upgrades to more tailored services. They could even publish scores to help consumers coarsely compare workmanship across different vendors, and encourage an emphasis on quality across the whole ecosystem.

Instead they decided to just become overpaid bouncers who take your money, check your ID, and don't even bother about what you bring through the door.

lossyalgo 3 hours ago||||
According to this: https://x.com/EdgeSecurity/status/2041872931576299888

> ...it seems like they instituted an identity verification policy, didn't notify me about it, and then I guess they suspended accounts who didn't do the verification.

So, make sure you verify your account? Check spam folder regularly? Log in via web interface at least once a year?

hulitu 3 hours ago||
> So, make sure you verify your account?

What? On my computer? Microsoft really has some nerve. My Microsoft account is scheduled for deletion.

lossyalgo 2 hours ago||
I guess we can assume you won't be releasing any software for Windows in the near future :)
actionfromafar 7 hours ago|||
You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?
Gareth321 10 hours ago||
We can still install, right? It just comes up with a scary warning. Still not great but at least we aren't locked out.
Strom 9 hours ago||
You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.
HauntingPin 9 hours ago|||
Afaict, you can't disable driver signature enforcement permanently without disabling secure boot.
nslsm 8 hours ago|||
You also get a huge watermark that says "Test Mode" that takes up the entire screen (not kidding)
DHowett 5 hours ago||
Three lines of text in 12-point font in the corner which can be covered by a window is hardly “the entire screen.”
nslsm 4 hours ago||
They changed it recently.

https://learn-attachment.microsoft.com/api/attachments/f8eac...

anfilt 5 minutes ago||
Not the OP you responded to, but what the hell! I have not really used Windows in a while but that's absurd. That text is massive just for an unsigned driver.
raxxorraxor 8 hours ago|||
Secure boot is an anti-feature in most of the landscape anyway. Sure, if you have a distribution under your control or influence it could theoretically be a benefit. But you need to not be stupid or naive here.

You can also roll your own encryption if you are not stupid and naive. Probably a question of self-reflection.

fluoridation 6 hours ago|||
Note that signatures are not revoked retroactively when a certificate is revoked. You can still install previous releases.
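The two practical questions raised in this subthread (will a given VeraCrypt kernel driver build still pass Driver Signature Enforcement on this host, and what state is the host's boot configuration in) can be checked before installing anything. The script below is an added example written for this page, not code from the thread or from the VeraCrypt project. The driver path is a placeholder you must point at the .sys you actually intend to install, and both bcdedit and Confirm-SecureBootUEFI need an elevated prompt; the script reports "unknown" rather than guessing when it is run unelevated or on a legacy-BIOS machine.

```powershell
# Added example: pre-flight check for a third-party kernel driver on Windows.
# Not part of the thread or the VeraCrypt project. Run from an elevated PowerShell.
param(
    # Assumed location; substitute the driver you are about to install.
    [string]$DriverPath = "C:\Windows\System32\drivers\veracrypt.sys"
)

function Get-DriverSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Driver not found: $Path"
    }

    # Embedded Authenticode signature. A driver signed only through a .cat
    # catalog shows NotSigned here even though it loads fine, so treat
    # NotSigned as "check the catalog", not as "unsigned".
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusText    = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        # A trusted timestamp is what lets an old, already-signed release keep
        # verifying after the signing certificate itself expires.
        Timestamped   = [bool]$sig.TimeStamperCertificate
        TimestampBy   = $sig.TimeStamperCertificate.Subject
    }
}

function Get-HostSigningState {
    # Secure Boot state. The cmdlet throws on legacy BIOS/MBR machines and
    # when run without elevation, so report "unknown" instead of failing.
    $secureBoot = "unknown (not UEFI, or not elevated)"
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # bcdedit only succeeds elevated; without it $bcd stays empty.
    $bcd = & bcdedit /enum "{current}" 2>$null
    if (-not $bcd) {
        $testSigning = "unknown (bcdedit needs an elevated prompt)"
        $noIntegrity = $testSigning
    } else {
        # Absent entries mean the option is off; "Yes" means Test Mode, i.e.
        # the watermark discussed above and test-signed drivers allowed.
        $testSigning = "No (not set)"
        $noIntegrity = "No (not set)"
        foreach ($line in $bcd) {
            if ($line -match '^\s*testsigning\s+(\S+)')       { $testSigning = $Matches[1] }
            if ($line -match '^\s*nointegritychecks\s+(\S+)') { $noIntegrity = $Matches[1] }
        }
    }

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        TestSigning       = $testSigning
        NoIntegrityChecks = $noIntegrity
    }
}

Get-DriverSignatureReport -Path $DriverPath | Format-List
Get-HostSigningState | Format-List
```

Read the two reports together: a driver whose Status is Valid with a Microsoft-chained signer and a timestamp is the normal case; a Valid status with a self-signed or test signer only loads when TestSigning reports Yes, which in turn is the configuration that cannot be kept while Secure Boot is enabled, as the reply below notes.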
bluGill 6 hours ago||
With all the bugs and potential security flaws that are there and not fixable.
fluoridation 6 hours ago||
I don't know what to tell you, man. If you don't want bugs then don't use computers.
idolofdust 16 minutes ago||
Get off Windows right now.

The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.

LWIRVoltage 4 hours ago|
What sucks about this is that, due to implementation, Windows is the only way to achieve some stuff in VeraCrypt. For example: doing full system partition encryption, and the Hidden OS install that only VeraCrypt can do, requires Windows with the computer set to MBR rather than UEFI. I had hoped we'd see more of the plausible deniability tech at the OS level.

But aside from one or two experimental attempts, also presented at BlackHat https://web.archive.org/web/20250914062843/https://portswigg...

- the consumer has nearly lost access to high end plausible deniability
