Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates

Posted by donohoe 5 hours ago

Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates(www.404media.co)

315 points | 119 comments

romaniv 3 hours ago|

I still hope that one of these days people in general will realize that executable signing and SecureBoot are specifically designed for controlling what a normal person can run, rather than for anything resembling real security. The premises of either of those "mitigations" make absolutely no sense for personal computers.

arcfour 1 hour ago||

I strongly disagree on the Secure Boot front. It's necessary for FDE to have any sort of practical security, it reduces malicious/vulnerable driver abuse (making it nontrivial), bootkits are a security nightmare and would otherwise be much more common in malware typical users encounter, and ultimately the user can control their secure boot setup and enroll their own keys if they wish.

Does that mean that Microsoft doesn't also use it as a form of control? Of course not. But conflating "Secure Boot can be used for platform control" with "Secure Boot provides no security" is a non-sequitur.

serf 53 minutes ago|||

>It's necessary for FDE to have any sort of practical security

why? do you mean because evil maid attacks exist? anyone that cared enough about that specific vector just put their bootloader on a removable media. FDE wasn't somehow enabled by secure boot.

>bootkits are a security nightmare and would otherwise be much more common in malware

why weren't they more common before?

serious question. Back in the 90s viruses were huge business, BIOS was about as unprotected as it would ever possibly be, and lots of chips came with extra unused memory. We still barely ever saw those kind of malware.

arcfour 35 minutes ago|||

> anyone that cared enough about that specific vector just put their bootloader on a removable media. FDE wasn't somehow enabled by secure boot.

Sure, but an attacker could still overwrite your kernel which your untouched bootloader would then happily run. With SB at least in theory you have a way to validate the entire boot chain.

> why weren't they more common before?

Because security of the rest of the system was not at the point where they made sense. CIH could wipe system firmware and physically brick your PC - why write a bootkit then? Malware then was also less financially motivated.

When malware moved from notoriety-driven to financially-driven in the 2000s, bootkits did become more common with things like Mebroot & TDL/Alureon. More recently, still before Secure Boot was widespread, we had things like the Classic Shell/Audacity trojan which overwrote your MBR: https://www.youtube.com/watch?v=DD9CvHVU7B4 and Petya ransomware. With SB this is an attack vector that has been largely rendered useless.

It's also a lot more difficult to write a malicious bootloader than it is to write a usermode app that runs itself at startup and pings a C2 or whatever.

cyberax 19 minutes ago|||

> serious question. Back in the 90s viruses were huge business,

No, they were not. They were toys written for fun and/or mischief. The virus authors did not receive any monetary reward from writing them, so they were not even a _business_. So they were the work of individuals, not large teams.

The turning point was Bitcoin. Suddenly it provided all those nice new business models that can be scaled up: mining, stealing cryptowallets, ransomware, etc.

kelseyfrog 1 hour ago|||

Anything that restricts user freedom is entirely bad, even if it's at the expense of security.

arcfour 48 minutes ago|||

But...it doesn't restrict user freedom. If the user wishes to do so, they can disable SB.

kelseyfrog 42 minutes ago|||

They shouldn't _have_ to do anything. The point is that no demands should be placed upon users.

Same problem with age gating. It's fine, as long as zero additional demands are placed upon users.

robotresearcher 12 minutes ago|||

Freedom from the consequences of malware is more valuable than the low cost of turning SecureBoot off if you don’t want it.

We shouldn’t need the hassle of locks on our home and car doors, but we understand they are probably worthwhile for most people.

UrMomsRobotLovr 35 minutes ago|||

Are the demands that users become experts in provider their own security against more advanced actors not significantly worse? The control part is unfortunate but the defaults should make it so users can focus on sharing pictures of cats without fear or need for advanced cyber security knowledge.

CodesInChaos 36 minutes ago|||

And will then be locked out from an increasing amount of Applications, Media, and eventually even Websites.

arcfour 32 minutes ago||

I run Linux with Secure Boot and I don't feel locked out of any media, applications, or websites.

My mom uses Secure Boot with Windows and doesn't know or care that it's enabled at all.

brookst 23 minutes ago||||

So like banks requiring you to have a PIN on your ATM card, even if you don’t want one… that’s bad? Seatbelt laws are bad?

astrobe_ 2 hours ago|||

I don't know about executable signing, but in the embedded world SecureBoot is also used to serve the customer; id est provide guarantees to the customer that the firmware of the device they receive has not been tampered with at some point in the supply chain.

201984 2 hours ago|||

And what if that customer wants to run their own firmware, ie after the manufacturer goes out of business? "Security" in this case conveniently prevente that.

hhh 1 hour ago|||

you click the box to turn off secure boot

jmye 38 minutes ago||||

Then that customer shouldn't buy a device that doesn't allow for their use case. Exercise some personal agency. Sheesh.

gjsman-1000 2 hours ago|||

Tradeoffs. Which is more likely here?

1. A customer wants to run their own firmware, or

2. Someone malicious close to the customer, an angry ex, tampers with their device, and uses the lack of Secure Boot to modify the OS to hide all trace of a tracker's existence, or

3. A malicious piece of firmware uses the lack of Secure Boot to modify the boot partition to ensure the malware loads before the OS, thereby permanently disabling all ability for the system to repair itself from within itself

Apple uses #2 and #3 in their own arguments. If your Mac gets hacked, that's bad. If your iPhone gets hacked, that's your life, and your precise location, at all times.

samlinnfer 2 hours ago|||

1. P(someone wants to run their own firmware)

2. P(someone wants to run their own firmware) * P(this person is malicious) * P(this person implants this firmware on someone else’s computer)

3. The firmware doesn’t install itself

Yeah I think 2 and 3 is vastly less likely and strictly lower than 1.

mikestew 1 hour ago|||

As an embedded programmer in my former life, the number of customers that had the capability of running their own firmware, let alone the number that actually would, rapidly approaches zero. Like it or not, what customers bought was an appliance, not a general purpose computer.

(Even if, in some cases, it as just a custom-built SBC running BusyBox, customers still aren't going to go digging through a custom network stack).

itsdesmond 2 hours ago||||

This guy thinks that if you rephrase an argument but put some symbols around it you’ve refuted it statistically.

P(robably not)

samlinnfer 2 hours ago||

The argument is that P(customer wants to run their own firmware) cancels out and 2,3 are just the raw probability of you on the receiving end of an evil maid attack. If you think this is a high probability, a locked bootloader won’t save you.

FabHK 1 hour ago||

Very neat, but 1) is not really P(customer wants to run their own firmware), but P(customer wants to run their own firmware on their own device).

So, the first term in 1) and 2) are NOT the same, and it is quite conceivable that the probability of 2) is indeed higher than the one in 1) (which your pseudo-statistical argument aimed to refute, unsuccessfully).

the__alchemist 1 hour ago||||

I encourage you to re-evaluate this. How many devices do you (or have you) own which have have a microcontroller? (This includes all your appliances, your clocks, and many things you own which use electricity.) How many of these have you reflashed with custom firmware?

Imagine any of your friends, family, or colleagues. (Including some non-programmers/hackers/embedded-engineers) What would their answers be?

philistine 2 hours ago||||

As if the monetary gain of 2 and 3 never entered the picture. Malicious actors want 2 and 3 to make money off you! No one can make reasonable amounts of money off 1.

lazide 2 hours ago||||

Clearly you’ve never met my ex’s (or a past employer). Not even being sarcastic this time.

wombatpm 10 minutes ago||

You expect that stuff to happy with 3 letter agencies.

gjsman-1000 2 hours ago|||

On Android, according to the Coalition Against Stalkerware, there are over 1 million victims of deliberately placed spyware on an unlocked device by a malicious user close to the victim every year.

#2 is WAY more likely than #1. And that's on Android which still has some protections even with a sideloaded APK (deeply nested, but still detectable if you look at the right settings panels).

As for #3; the point is that it's a virus. You start with a webkit bug, you get into kernel from there (sometimes happens); but this time, instead of a software update fixing it, your device is owned forever. Literally cannot be trusted again without a full DFU wipe.

samlinnfer 2 hours ago||

And where are the stats for people running their own firmware and are not running stalkerware for comparison? You don’t need firmware access to install malware on Android, so how many of stalkerware victims actually would have been saved by a locked bootloader?

gjsman-1000 2 hours ago||

The entirety of GrapheneOS is about 200K downloads per update. Malicious use therefore is roughly 5-1.

> You don’t need firmware access to install malware on Android, so how many of stalkerware victims actually would have been saved by a locked bootloader?

With a locked bootloader, the underlying OS is intact, meaning that the privileges of the spyware (if you look in the right settings panel) can easily be detected, revoked, and removed. If the OS could be tampered with, you bet your wallet the spyware would immediately patch the settings system, and the OS as a whole, to hide all traces.

samlinnfer 2 hours ago|||

Assuming that we accept your premise that the most popular custom firmware for Android is stalkerware (I don’t). This is of course, a firmware level malware, which of course acts as a rootkit and is fully undetectable. How did the coalition against stalkerware, pray tell, manage to detect such an undetectable firmware level rootkit on over 1 million Android devices?

kuschku 2 hours ago|||

LineageOS alone has around 4 million active users. So malicious use is at most 1:4, not 5:1.

dns_snek 2 hours ago|||

#2 and #3 are fearmongering arguments and total horseshit, excuse the strong language.

Should either of those things happen the bootloader puts up a big bright flashing yellow warning screen saying "Someone hacked your device!"

I use a Pixel device and run GrapheneOS, the bootloader always pauses for ~5 seconds to warn me that the OS is not official.

root_axis 1 hour ago||

Yes. They're making the point that your flashing yellow warning is a good thing, and that it's helpful to the customer that a mechanism is in place to prevent it from being disabled by an attacker.

tosti 2 hours ago||||

Computers should abide by their owners. Any computer not doing that is broken.

ghighi7878 1 hour ago|||

Its a simple solution in law to enable. Force manufacturers to allow owners of computer to put any signing key in the BIOS.

We need this law. Once we have this law, consumers csn get maximum benefit of secure boot withiut losing contorl

miki123211 23 minutes ago|||

But that's how it already works.

If you install Windows first, Microsoft takes control (but it graciously allows Linux distros to use their key). If you install Linux first, you take control.

It's perfectly possible for you to maintain your own fully-secure trust chain, including a TPM setup which E.G. lets you keep a 4-digit pin while keeping your system secure against brute force attacks. You can't do that with the 1990s "encryption is all you need" style of system security.

PunchyHamster 45 minutes ago|||

> Its a simple solution in law to enable. Force manufacturers to allow owners of computer to put any signing key in the BIOS.

...it's already allowed. The problem is that this isn't the default, but opt in that you need quite a lot of knowledge to set up

cferry 2 hours ago||||

I make the analogy with a company, because on that front, ownership seems to matter a lot in the Western world. It's like it had to have unfaithful management appointed by another company they're a customer of, as a condition to use their products. Worse, said provider is also a provider for every other business, and their products are not interoperable. How long before courts jump in to prevent this and give back control to the business owner?

wat10000 1 hour ago|||

This gets tricky. If I click on a link intending to view a picture of a cat, but instead it installs ransomware, is that abiding by its owner or not? It did what I told it to do, but not at all what I wanted.

ghighi7878 1 hour ago||

We dont need to get philosophical here. You(the admin) can require you (the user) to input a password to signify to you(the admin) to install a ransomware when a link is clicked. That way no control is lost.

wat10000 1 hour ago||

What if the cat pictures are an app too? The computer can't require a password specifically for ransomware, just for software in general. The UI flow for cat pictures apps and ransomware will be identical.

Zak 20 minutes ago||

A computer that can run arbitrary programs can necessarily run malicious ones. Useful operations are often dangerous, and a completely safe computer isn't very useful.

Some sandboxing and a little friction to reduce mistakes is usually wise, but a general-purpose computer that can't be broken through sufficiently determined misuse by its owner is broken as designed.

Galanwe 1 hour ago||||

> id est provide guarantees to the customer that the firmware of the device they receive has not been tampered with

The firmware of the device being a binary blob for the most part... Not like I trust it to begin with.

Whereas my open source Linux distribution requires me to disables SecureBoot.

What a world.

WhyNotHugo 1 hour ago|||

You can set up custom SecureBoot keys on your firmware and configure Linux to boot using it.

There's also plenty of folks combining this with TPM and boot measurements.

The ugly part of SecureBoot is that all hardware comes with MS's keys, and lots of software assume that you'll want MS in charge of your hardware security, but SecureBoot _can_ be used to serve the user.

Obviously there's hardware that's the exception to this, and I totally share your dislike of it.

Galanwe 38 minutes ago||

> You can set up custom SecureBoot keys on your firmware and configure Linux to boot using it.

Right, but as engineers, we should resist the temptation to equate _possible_ with _practical_.

The mere fact that even the most business oriented Linux distributions have issues playing along SecureBoot is worrying. Essentially, SB has become a Windows only technology.

The promise of what SB could be useful for is even muddier. I would argue that the chances of being victim of firmware tampering are pretty thin compared to other attack vectors, yet somehow we end up all having SB and its most significant achievement is training people that disabling it is totally fine.

repelsteeltje 1 hour ago|||

An unsigned hash is plenty guard to against tampering. The supply chain and any secret sauce that went into that firmware is just trust. Trust that the blob is well intentioned, trust that you downloaded from the right URL, checked the right SHA, trust that the organization running the URL is sanctioned to do so by Microsoft...

Once all of that trust for every piece of software is concentrated in one organization, Microsoft, Apple or Google, is has become totally meaningless.

mort96 1 hour ago||||

It's to serve the regulators. The Radio Equipment Directive essentially requires the use of secure boot fir new devices.

petcat 1 hour ago||

I happen to like knowing that my mobile device did not have a ring 0 backdoor installed before it left the factory in Asia. SecureBoot gives me that confidence.

mort96 1 hour ago||

No it doesn't? The factory programs in the secure boot public keys

petcat 1 hour ago||

The public keys are provided by the developer. Google, or Apple, for example. It's how they know that nothing was tampered with before it left the factory.

realusername 33 minutes ago||

Nothing has been tampered with doesn't mean there's no factory backdoor, it just only means same as factory, nothing more.

petcat 7 minutes ago||

Apple or Google know what the cryptographic signature of the boot should be. They provide the keys. It's how they know that "factory reset" does not include covert code installed by the factory. That's what we're talking about.

PunchyHamster 46 minutes ago||||

well, unless govt tells MS to tamper it

gusfoo 16 minutes ago|||

> I still hope that one of these days people in general will realize that executable signing and SecureBoot are specifically designed for controlling what a normal person can run, rather than for anything resembling real security

For home/business users I'd agree. But in Embedded / money-handling then it's a life-saver and a really important technology.

pjmlp 2 hours ago|||

If only people didn't install Ask Jeeves toolbars all over the place and then asked their grandson during vacations to clean their computer.

prerok 29 minutes ago||

Geez, this brings back memories.

At one time at our university we had table desktop dancers installed everywhere. Was kind of funny when it turned up just as a student wanted to defend their work in a lab.

duped 5 minutes ago|||

This is like saying you shouldn't vaccinate your kids because no one gets polio anymore

asveikau 1 hour ago||

Apple is also somewhat responsible for the attitude shift with the introduction of iOS. 20-25 years ago a locked down bootloader and only permitting signed code would have been seen by techies as dystopian. It's now quite normalized. They say it's about security but it's always been about control.

Stallman tried to warn us with "tivoization".

VadimPR 2 hours ago||

A year ago I used Azure Trusted Signing to codesign FOSS software that I distribute for Windows. It was the cheapest way to give away free software on that platform.

A couple of months ago I needed to renew the certificate because it expired, and I ran into the same issue as the author here - verification failed, and they refused to accept any documentation I would give them. Very frustrating experience, especially since there no human support available at all, for a product I was willing to pay and use!

We ended up getting our certificate sourced from https://signpath.org and have been grateful to them ever since.

tsujamin 1 hour ago||

For what it’s worth, Trusted Signing verification has been a moving target over the last 12 months. It was open for individuals, then it was closed to anyone except (iirc) US businesses with DUNS numbers, then it opened again to US based individuals (and a few other countries perhaps).

My completely uninformed guess was that someone had done something naughty with Trusted Signing-issued code signing certificates.

Anyway, when I first saw the VeraCrypt thing this morning my initial reaction was “I wonder if this is them pushing developers onto trusted signing the hard way?”

VadimPR 1 hour ago||

I'm in Europe and ended up creating an organization since I have my own company, but they messed up the verification of one of the legitimate documents, and there was no way to reach them once they made that mistake. Frustrating, and definitely a lost customer for them.

riedel 42 minutes ago||

I like the idea of a central signing authority for open source. While this might go against the spirit of open source, I think it eventually creates a critical mass and outcry if Microsoft or Google would play games with them. Also foundations might be a good way to protect against legal trouble distributing OSS under different regulations. I am imagining e.g. an FDroid that plays Googles game. With reproducible or at least audited builds also some trusted authorities could actually produce more trusted builds especially at times of supply chain attacks. However, I think such distribution authorities would need really good governance and a lot of funding.

VadimPR 28 minutes ago||

If someone is willing to put in the work in governance, FOSS projects would be willing to fund it - at least Mudlet would be. We get income from Patreon to cover the costs.

20k 3 hours ago||

There's a good reason everyone calls them microslop these days. The sooner we're all able to ditch this crappy company, the better - they're actively holding back the tech industry at this point

mbix77 2 hours ago||

Yea, I'm in the process of converting our complete ETL infrastructure from SSIS/SQL Server to Python/PostgreSQL. Next step is Office 365, which will be more difficult, but doable since we are a small company anyway.

stvltvs 2 hours ago||

Are you converting the SSIS automatically somehow or rewriting it?

tonyedgecombe 3 hours ago|||

They have been holding back the tech industry for decades now.

embedding-shape 3 hours ago|||

To be fair, the tech industry been holding itself back for decades now too, since lots of people seemingly have somewhat low prices to go from being a FOSS evangelist to wearing a "Microsoft <3 Open Source" t-shirt.

trueno 2 hours ago||

that's just a byproduct of "job creators" holding the keys to a comfortable life over everyones head.

i dont think its fair to conflate the tech industries self-owns with microsofts damages. microsoft has for decades poured untold resources and money into capturing everything they possibly could to sustain themselves with honestly what i call cultural and software vendor lock. we're only just now seeing the gaming industry take its first real footsteps towards non-windows targets, but for the most part the decades of evangelizing Microsoft apis and bankrolling schools and education systems to carry courses for their way of doing things makes that a particularly uphill battle thats going to take a lot more time. people have built entire careers out of the microsoft-way in multiple industries. pure microsoft houses are still everywhere at many orgs, so many of them don't even recognize that there is another path. there's plenty of infra/dbadmin/devops people who are just pure windows still. there's multiple points where microsoft did have the best in class solution for something, but these days you'd be hard pressed to not go another way if you were starting from scratch. problem is such a lift and shift is really hard to do for orgs that have spent decades being a microsoft shop.

in a roundabout way, this sort of translates to real long lasting impact/damage to me. microsoft has always been such a force over history that it caused a massive rift in computing. no matter how much they embrace linux and claim to not fight the uphill battle of open source anymore, that modus operandi of locking people into their suite of things still exists on so many fronts and is in some ways more in your face than it's ever been. there's no benefit of the doubt to give here, i just have a hard time choosing microsoft for... well anything.

ryandrake 1 hour ago||

Microsoft has been trying to kill everything in computers that's not-Microsoft, for as long as I've been alive. Their actual power comes and goes, strengthens and weakens, but it's been a continuous background threat to personal computing since the first day something other than Microsoft tried to get traction in the industry.

p_ing 2 hours ago||||

What does this even mean? It's like throwing around the word 'bloat'.

BizarroLand 30 minutes ago||

We can explain it to you, but we can't understand it for you.

Explanation: Microslop is a power hungry, greedy and frankly evil corporation whose only goal is complete financial domination of the government, business, and personal tech industries. They actively promote making regressive software, increasing complexity, and hiding straightforward processes behind an information veil.

Example: Go to learn.microsoft.com and try to actually learn HOW to do anything. You'll read 35 pages of text talking about the concept of working with a specific microslop product but not 1 single explicit example of HOW to accomplish a specific task.

Example: Windows 11

Example: Copilot

The whole company is run by backassward tech hicks and digital yokels who can't think past a dime on the floor for a dollar in customer satisfaction, and somehow they run the majority of non-server space or personal device tech on the planet.

BigTTYGothGF 3 hours ago|||

Looking at the rest of the tech industry in 2026 that might be a blessing.

giancarlostoro 2 hours ago|||

Outside of work, I don't use Windows very often if at all. I have a 2017 laptop that Microsoft made, and it is so damn sluggish for absolutely no reason, its VERY VERY vanilla mind you.

trueno 3 hours ago|||

i remember years and years ago learning some posix/shell syntax and working in terminal. felt like my love for windows unraveled in real time. these days using windows... feel like i gotta take a shower after. like many i was just raised on windows it was the household operating system i had like 20 years of general computer usage under my belt on windows before i finally felt a mac trackpad for the first time. that hardware experience alone was the first pillar kicked out upholding my "windows is the best" philosophies. then i got into coding, then i tripped and fell out of hourly boeing slave labor into a sql job (lost 55% yearly income, no regrets yo). then i started discovering the open source world, and learned just how much computing goes on outside of the world of windows and how many insanely bright minds are out there contributing to... not microsoft. now i have linux and macos machines everywhere, i still haven't found the bottom but the last 6-7 years or so have been a really rich journey.

currently have a 32bit win xp env spun up in 86box just to compile a project in some omega old visual studio dotnet 7 and the service pack update at the time (don't ask). it is seriously _wild_ being in there, feels like stepping into a time machine. nostalgia aside, the OS is for the most part... quiet. doesn't bother you, everything is kind of exactly where you expect it to be, no noise in my start menu, there isnt some omega bing network callstack in my explorer, no prompts to o365 my life up.

it feels kinda sad, what an era that was. it's just more annoying to do any meaningful work in windows these days.

im currently working with c/cpp the idiot way (nothing about my story is ever conventional sigh), by picking a legacy project from like 22 years ago. this has forced me to step back into old redhat 7.1+icc5, old windows xp + dotnet7 like i explained above, and im definitely taking the most unpragmatic approach ever diving in here.. but there's one thing that absolutely sticks out to me: microsoft has always tried to capitalize on everything. tool? money. vendor lock. os? money. vendor lock. entire industries/education system capture? lotta money. lotta vendor lock. lotta generational knowledge lock.

they are lucky people are still using github. theyve tried to poke the bear a few times and theyre slowly but surely enshittifying the place, but im just kinda losing any reverence for microsoft altogether. microsoft has been big for a hot minute now, they have their eras. you can feel when things are driven by smart visionary engineers working behind the scenes, and you can tell when things are in pure slop mode microservice get rich or die trying mode. yea, microsoft has.. always been vendor-lock aggro and kinda hostile, but the current era microsoft is by far the grossest it's ever been. see: microsoft teams (inb4 "i use teams every day, i dont have a problem with it")

im aware people smarter than me can write diatribes on why windows is the best at x thing, but im only informed by my own experience of having to use all three (linux/macos/windows) for my professional work life: i grew up thinking windows was the best.. now im like mostly confident that windows is actually the worst lol. by a pretty damn decent margin. i was gaslit for ages

philistine 2 hours ago|||

> feel like i gotta take a shower after

I run Crossover and I feel like I gotta take a shower after. Just knowing there's a folder called drive_c on my Mac is the stuff of nightmares.

shevy-java 2 hours ago|||

Yeah. I felt in a similar manner when I moved to Linux. Microsoft seemed to make people dumber. I do actually use both Linux and Windows (Win10 only), largely for testing various things, including java-related software. But every time I use Windows, I am annoyed at how slow everything is compared to Linux. (I should mention that I compile almost everything from source on Linux, so most of the default Linux stack I don't use; many linux distributions also suck by default, so I have to uncripple the software stack. I also use versioned appdirs similar as to how GoboLinux does, but in a more free form.)

TheOtherHobbes 1 hour ago||

Microsoft has spent most of its life as a corporate bureaucracy that produces sales-and-marketing content, some of which happens to moonlight as software.

leptons 2 hours ago||

Apple also holds back the tech industry in many ways. All companies seem willing to put profits before progress.

red-iron-pine 1 hour ago||

active directory and excel runs the world.

what is apple doing that is similar?

billziss 18 minutes ago||

It is not just VeraCrypt that has been affected by this. There is a bunch of Windows driver developers that have been suddenly kicked out of the "Partner Center" without explanation.

https://community.osr.com/t/locked-out-of-microsoft-partner-...

dns_snek 2 hours ago||

This is precisely why we can't allow platform-owners to be the arbiters of what software is allowed to run on our devices. Any software signing that is deemed to be crucial for ensuring grandma-safety needs to be delegated to independent third parties without perverse incentives.

This is what the Digital Markets Act is supposed to protect developers against. Have there been any news regarding EU's investigation into Apple? Last I remember they were still reviewing their signing & fee-collection scheme.

duped 3 minutes ago|

There is nothing stopping you from using third party certificates to sign Windows binaries. It's just expensive. You don't even need a MS toolchain or CLI tool for it.

nubinetwork 4 hours ago||

https://news.ycombinator.com/item?id=47686549

Tempest1981 2 hours ago|

Thanks, the previous title was easy to miss: "Veracrypt project update"

Lihh27 3 hours ago||

heh the same company that controls your secure boot chain just killed the signing account for the tool that encrypts your disk

onehair 2 hours ago||

They should have also picked up that WireGuard Creator account also got his account terminated

tsujamin 2 hours ago|

They did, just further into the article:

> According to a post on Hacker News, the popular VPN client WireGuard is facing the same issue.

onehair 2 hours ago||

I meant to say, in the title. As Wireguard is way more popular than VeraCrypt...

saltamimi 1 hour ago||

I'm confused why they can't just generate their own signing key and deploy it alongside the installer.

Using arbiter platforms like this sounds like a great way to footgun yourself.

Someone1234 51 minutes ago|

Because a bad guy can also generate their own signing key and deploy it alongside the installer.

See Notepad++ for how that winds up.

saltamimi 25 minutes ago||

Then you can publish the public Code Signing certificate for download/import or publish it through WinGet.

Using Azure Trusted Signing or any other certificate vendor does not guarantee that a binary is 100% trustworthy, it just means someone put their name on it.

avipars 2 hours ago|

https://archive.md/Oc85c

More comments...