
Posted by super256 13 hours ago

Veracrypt project update (sourceforge.net)
1042 points | 384 comments | page 2
not_a9 8 hours ago|
https://community.osr.com/t/locked-out-of-microsoft-partner-... Could be a related issue to this? Maybe Microsoft just doesn’t want driver developers for whatever reason.
altairprime 5 hours ago||
Presumably it’s part of their commitment to kill kernel patching in Windows, to prevent another Worldwide Enterprise Windows Outage Caused By A Buggy Vendor DLL event.
superxpro12 5 hours ago||
It's my computer. It's my OS. I own it. I paid my money and bought the program. Not them. I am free to install whatever software and modify whatever kernel components as I see fit.

I am so sick and tired of the continued erosion of the ownership model. I don't want to rent anything. But corporations see it as an avenue to increase revenue. We pay more, for less. What else is new.

chaostheory 2 hours ago|||
It’s time to switch to Linux or another open OS.
fsflover 5 hours ago|||
So why don't you stop using the OS that has a completely different approach to computing?
nixpulvis 12 hours ago||
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
iamniels 12 hours ago||
We need better OSes such that signing of software is not required to keep your computer safe.
drewfax 7 hours ago|||
GrapheneOS is doing a lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc, storage scopes are excellent security features. Malware cannot do much even with the default settings.
layer8 5 hours ago||||
With a file system driver like Veracrypt, if it’s malicious, the OS might keep your computer safe, but not your files that you store in that file system.
nixpulvis 4 hours ago||||
Yes, I completely agree.
fsflover 6 hours ago|||
Qubes OS is such an OS: it runs everything in VMs with strong hardware isolation. My daily driver, can't recommend it enough.
PunchyHamster 12 hours ago|||
Just add code cert generation to letsencrypt; it's not like MS validates the code that you sign using certs from them anyway.
mr_mitm 12 hours ago||
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
sidewndr46 10 hours ago|||
Microsoft signed the Crowdstrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about.
megous 7 hours ago||||
Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Trustworthiness signal is in the behavior/reputation of the signer.

Pretty sure there were historically a lot of apps that stole people's contact lists and were signed properly. Certainly in the Android world.

duskdozer 11 hours ago||||
Is it some entirely different process than providing hashes and a GPG signature?
mr_mitm 10 hours ago||
Well, yes. Just look at OP and Jason struggling to get their code signed.
Eldt 11 hours ago|||
Misplaced trustworthiness?
Pay08 10 hours ago|||
On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.

[0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...

uyzstvqs 5 hours ago|||
I suggest that developers could self-sign to verify the legitimacy of future updates. Otherwise leave it unsigned.

This entire "big tech overlords have to sign apps & drivers to keep you safe" concept is one giant pile of nonsense.

tamimio 10 hours ago|||
It should be something like web certificates, you can bring your own.
realusername 11 hours ago||
I think this is fundamentally an unsolvable problem and I'm not even sure it's worth pursuing.

Any large scale signing platform will have large oversights and be rendered useless. See the appstore / play store/windows...

tomgag 11 hours ago||
Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.

Switch to Linux if you can, and come give Shufflecake a try ;)

https://shufflecake.net/

LWIRVoltage 4 hours ago|
.... This deserves its own post on HN, just for awareness.

Aside from https://web.archive.org/web/20250914062843/https://portswigg... , there haven't been really many goes at going for plausible deniability with modern systems, and I see the segment about a Hidden OS feature in work as well.

Hoping this succeeds. Funny, eventually Shufflecake, after it gets fully capable on Linux, might have to look at making versions for Windows and Mac

ninjagoo 12 hours ago||
Looks like Linux and some of the BSDs are the only remaining truly open OSes.
krylon 11 hours ago||
True, however, that has been the case for quite a while. This particular incident doesn't change that, except for the VeraCrypt developer, who is in a crappy situation now (not just regarding VeraCrypt, he mentions he was using the certificate for his main job as well, so this sucks a lot for him).
sph 11 hours ago|||
Well, of course. Have the other commercial offerings ever been "truly open OSes"?
Aachen 11 hours ago||
So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten storypoints of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 storypoints at minimum, even if then you're done for much longer

But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware

There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goes forward). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also

When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices

sph 8 hours ago||
You'll find that people that are not computer experts will take to modern Linux with much more ease than those that have complex needs, which for 90% of the people these days means that access to the Web satisfies all their needs. Moving from Windows 7 to 11 will probably be as traumatic as moving from Windows 11 to KDE, so it's an investment worth doing in my opinion.
SV_BubbleTime 7 hours ago||
While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?

Like none. Literally the best office you MIGHT KIND OF be able to run in 2016, but probably more like 2013.

Valve focused on games, that is awesome and really helpful…

But there are 10,000 distros and instead of putting real resources to put even rickety bridges over MS’s moat, no sorry, this team is making duplication-of-effort distro 10,001 which is now identical to thousands of others but the taskbar is in the middle of screen.

The people working on Linux are consistently uninterested in the things people would need to drop Windows.

trinsic2 2 hours ago||
> While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?

Why the hell would you want that? Office365 is a buggy piece of nightmare.

SV_BubbleTime 1 hour ago||
Because even though you don’t like a thing, the entire world of business uses it.

Hold your nose and work on WINE if you need to think that way. But MS has moats, and office is one of the widest.

xorcist 11 hours ago|||
Until Microsoft decides to no longer sign the Linux boot loader shim (for IBM/Red Hat, no less).
irusensei 5 hours ago||
In most cases you can put your computer secure boot in setup mode and roll your own keys.
trinsic2 2 hours ago||
Until they make CA a requirement, then disable changing the CA settings and it defaults to Microsoft. Then you are fucked.
SeanDav 11 hours ago|||
Except compulsory age verification in Linux is now becoming a real threat. Some Linux distros are actively against this but many are not seemingly interested in fighting it: CachyOS, Ubuntu, Fedora and others.

Age Verification is the thin end of a much bigger wedge in "open" OS's

Pay08 10 hours ago|||
I thought community projects (as opposed to the corporate Fedora and Ubuntu) are exempt from such laws.
sunshine-o 4 hours ago||||
Yes time to wake up.

I really believe most "open source" big projects have been compromised long ago. We have seen all those "Foundations" taking them over with all their governance, bureaucracy and goals which do not make any sense at first look.

One example is Fedora, which is part of "The Digital Public Goods Alliance" [0], "a multi-stakeholder initiative that accelerates the attainment of the Sustainable Development Goals by facilitating the discovery, development, use of, and investment in digital public goods."

The Digital Public Goods Alliance has about every government as a member plus all the usual suspects: Gates Foundation and co.

All the leaderships have usually no background or experience in open source or even computers but are just magically placed there. But you can't say anything because they are mostly women.

You read the goals and roadmaps of those foundations and find out it has nothing to do with software or open source. It is basically there to control those projects and then have them implement all the age verification, digital id, etc.

So yes this is not a surprise all those projects are now all in absurd features such as age verification.

- [0] https://www.digitalpublicgoods.net/

akimbostrawman 11 hours ago|||
The current law requires no verification at all, just simple attestation; you could put in _any_ age. It also does not affect Linux distros as a whole, only distros in jurisdictions with the laws.
SeanDav 10 hours ago||
Sure, for now... I simply don't believe it will stop at "simple attestation", because we all know that simple attestation is practically useless, but once the various distros accept this "trivial" inconvenience, "Age verification 2" with harsher requirements will soon be on the way.

I would be ecstatic to be proved wrong on this, but experience tells me that is not likely to happen.

imglorp 5 hours ago|||
We all know it's not about age, it's about user identity. As above, it's clearly a wedge so it's not rhetorical to observe more invasive and controlling features are coming.
pocksuppet 5 hours ago|||
Simple attestation is very useful for the case where a parent gives a child access to a computer and wants that computer to block porn. That's the use case everyone is clamoring for, and asking the root user "how old is this user?" solves it in a simple, open, privacy-preserving way. Everybody wins, except the teenager who wants to watch porn. If this were not legally mandated, everyone would support it as a useful feature, but since it is legally mandated, we have to get angry about it.
SeanDav 5 hours ago||
This has got very little to do with children - that is just the excuse that sounds good. "Think of the children" is a rhetorical tactic that anyone who wants to get unfettered access to your data rolls out whenever they can. It is a tactic that unreasonable people use to influence reasonable people, because it is so difficult for a reasonable person to argue against without coming across as uncaring and/or bigoted.
pocksuppet 2 hours ago||
If it was an excuse to get your data there would be some data-getting involved. It may be hard for you to believe, but lots of people really do want parental controls that actually work and are bound by the force of law.
trinsic2 2 hours ago||
Yes that may be true, but parents are being misguided by efforts that are trying to control aspects of data.

If you, as a parent, make yourself open to this attack, you will find that you are making us less free of a society by expecting others to parent for you.

egorfine 10 hours ago||
Not for long: https://news.ycombinator.com/item?id=46784572
1970-01-01 1 hour ago||
Why is there no simple workaround for this? Why is it dead in the water and why can't we use another mechanism to verify the update files with SHA1? It's all been done before [1]. This would be an improvement, as it enables the project to continue working without any handcuffed relationship to Microsoft.

[1] https://github.com/HyperSine/Windows10-CustomKernelSigners

idolofdust 1 hour ago||
Get off Windows right now.

The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.

Ms-J 1 hour ago||
Posted this earlier from a throwaway since my account wasn't able to reply for some odd reason and it was marked as dead:

Hello Jason!

I want to first thank you for all of your hard work developing Wireguard.

If I can find someone who is willing to put their name on it to help I definitely will, the problem is the spy agencies don't want your project to exist. It makes it harder to put resources to this. I've worked in security departments of certain companies and saw everything you could imagine.

Same for Mounir over at Veracrypt.

Both of you are developing some of the most important software that exists today.

Keep doing what you are doing by keeping everything in the open. User trust almost doesn't exist for these types of projects. Any hint of an issue would wipe that out in seconds.

This leads me to one question I do have for you zx2c4:

Why does Wireguard attempt to contact your servers and auto update on Android with no toggle to turn this off? It's a threat to everyone. Maybe it also does this on other platforms but I haven't tested them all.

I can think of reasons as to why you did this, none nefarious, but still it would be nice if you included that option so I don't have to patch each update to turn this off.

Thanks.

_s_a_m_ 11 hours ago||
Microsoft doing everything in their power to be assholes, as always
krylon 11 hours ago|
As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.
cm2187 11 hours ago||
It doesn’t help that they do that sort of shit AND mandate a Microsoft account for logging in to Windows. Also, how much trust can you have that if you move your business to Azure they will not randomly kill it? Incompetence or malice, almost doesn’t matter to the average user.
krylon 9 hours ago||
The outcome is the same, yes. With incompetence, there is at least a glimmer of hope things will get rectified. But you are correct, trust is destroyed this way, and it doesn't look like Microsoft cares much.
RandomGerm4n 12 hours ago||
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows users doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
Deathmax 5 hours ago||
Microsoft has been taking steps to mitigate the leaked code signing certificate problem.

On the driver side of things, new versions of Windows no longer trust the cross-signed certs, so you must submit your driver to Microsoft to validate and sign, so no private key to go missing. https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

On the regular Authenticode side of things, the new CA/B Forum rules have prohibited storing new private keys outside of hardware modules for a while now, so eventually you won't be able to find a leaked private key for code signing that would still be valid.

redox99 9 hours ago|||
That's kind of crazy. Why doesn't Microsoft revoke such certs such that you can't sign new software with it?
steve1977 7 hours ago||
Because it's mostly just performative.
vaginaphobic 11 hours ago||
[dead]
8cvor6j844qw_d6 11 hours ago|
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
Pay08 10 hours ago||
That seems like a very nonsensical stance.
pocksuppet 5 hours ago|||
Well look at something like ANOM. The FBI encouraged its use. Because it was run by the FBI and they could see all the private messages.

If Veracrypt was a honeypot, the powers that be would go out of their way to make it as easy to use as possible. They'd instantly sack whoever made this decision, and reverse it.

Pay08 5 hours ago||
So is coreutils a honeypot?
andrewmcwatters 6 hours ago|||
[dead]
baobabKoodaa 9 hours ago||
The biggest risk in encryption software is that you lose access to your data. You seem to be ignoring that risk completely and focusing on something else entirely.
dboreham 8 hours ago||
I don't think you would lose access. You can always recover data on an open platform such as Linux.