Veracrypt project update

sourceforge.net

1245 points by super256 2 days ago · 509 comments

zx2c4 a day ago

This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.

If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.

  • ninjagoo a day ago

    It has been clear for a while that certain providers and services need to be regulated as utilities - Microsoft, Google, Apple, Visa, Mastercard, and soon OpenAI and Anthropic.

    It should be illegal for these companies, just like utilities, to deny service to anyone or any entity in good standing for dues.

    There is little hope for getting this through in the US where most politicians of any stripe hate the public, and the ones that don't have hardly any power. But it might be possible to do this in the EU.

    Then, we non-EU folks need to apply for Estonian e-residency [1] which may get us EU regulatory coverage.

    [1] https://en.wikipedia.org/wiki/E-Residency_of_Estonia

    • nostrademons a day ago

      It would not surprise me if these actions are coming at the requests of governments. Strong encryption is one of the few things that challenges their monopoly on information; they have a very strong incentive to apply political pressure to the maintainers of these projects to, well, stop maintaining the projects. We've seen this in overt actions that the EU takes; in more covert actions that the U.S. government is suspected of taking; and in the news headlines about third-world dictatorships that just shut off the Internet. Tech companies are perhaps the most convenient leverage point for these actions.

      More regulation won't help here, because the regulation-maker is itself the hostile party.

      What would help is full control over the supply chain. Hardware that you own, free and open-source operating systems where no single person is the bottleneck to distribution, and free software that again has no single person who is a failure point and no way to control its distribution.

      • francosimon a day ago

        VLayer (my project) scans healthcare codebases for HIPAA compliance issues before they reach production. One thing I learned building it: developers rarely think about encryption until it's too late. Tools like VeraCrypt solve the "data at rest" problem, but the bigger issue in healthcare software is unencrypted data in logs and API responses — stuff that's much harder to audit manually.

      • andai a day ago

        So like, TSMC, but syndicalist?

      • aeternum a day ago

        >More regulation won't help here, because the regulation-maker is itself the hostile party.

        It's easy to paint the big gov as bad, but this is a case where unfortunately the populace seems to be in agreement with the big bad gov. While most US citizens support encryption, 76% or so, the vast majority, 63%, also favor government "backdoor" access for national security reasons.

        I guess either we believe in democracy or we don't. It could be said that if Veracrypt isn't/can't be backdoor'd, perhaps the gov is simply implementing the will of the people :( via Microsoft.

        • koliber a day ago

          Tyranny of majority is a thing. It's something mature democracies are aware of and have the ability to defend against.

          We're in an interesting spot here and the tension is tangible.

        • account42 13 hours ago

          Does the majority of the population even have a self-formed opinion on this or are they just parroting what the media tells them (which in many "democratic" countries is directly or indirectly controlled by the government, i.e. propaganda).

          • jasomill 12 hours ago

            American People Shrug, Line Up For Fingerprinting

            WASHINGTON, DC—Assuming that there must be a good reason for the order, U.S. citizens lined up at elementary schools and community centers across the nation Monday for government-mandated fingerprinting. “I’m not exactly sure what this is all about,” said Ft. Smith, AR, resident Meredith Lovell while waiting in line. “But given all the crazy stuff that’s going on these days, I’m sure the government has a very good reason.” Said Amos Hawkins, a Rockford, IL, delivery driver: “I guess this is another thing they have to do to ensure our freedom.”

            (source: The Onion, October 9, 2002[1])

            [1] https://theonion.com/american-people-shrug-line-up-for-finge...

        • phatfish a day ago

          What does democracy have to do with electronic encryption? Democracy existed before computers.

          There are legitimate reasons for governments to intercept information, with the correct oversight -- enforced legally in an "checks and balances" manner. The fact that there is a breakdown of trust between government and people won't be solved with more encryption.

          • aeternum a day ago

            A core tenet of Truecrypt + Veracrypt (developer guarantee) has always been no backdoors, even if requested by government.

            If, in a democratic society, the majority agrees that government should have backdoors (with the correct oversight), then it follows that Veracrypt should be illegal, as its use is not in alignment with the will of the majority.

            I personally don't agree with the majority here but can you fault the logic?

            • nostrademons 18 hours ago

              Most forms of democracy do not have a direct correspondence between "the will of the people" and the actual policies enacted. As another poster mentioned, tyranny of the majority is a thing, and robust democracies have evolved institutions to deal with it. Otherwise there's nothing stopping the majority from periodically voting the minority off the island, Survivor style, until only a single dictator remains.

              In the U.S. in particular, there's strong respect for individual rights enshrined in the Constitution, and a key role of the judicial branch is ensuring that those rights are respected regardless of what the majority thinks. The majority cannot enslave the minority, for example, regardless of what the legislature votes. Nor can it deprive it of speech or free assembly, or guns, or a right to trial by jury.

              • aeternum 16 hours ago

                Ah so the iron law of oligarchy becomes our salvation

                if only it were so simple

            • MegagramEnjoyer 17 hours ago

              That's why specialized agencies exist within the government body: FCC, FDA, etc.

              aka leave it to the experts because the majority isn't qualified to make such decisions.

        • bigfishrunning 18 hours ago

          > vast majority 63% also favor government "backdoor" access for national security reasons.

          Don't do math that way! That math is illegal! Good boys and girls don't keep secrets!

          These people sound ridiculous

        • joepie91_ 6 hours ago

          I'd be very wary about such specific surveys, because they're often very much not conducted in a scientifically responsible manner, and based on actual studies across the spectrum of political issues there's basically no alignment between public opinion/preferences and actual policymaking in the US.

          Could this be the one exceptional case where people agree with the direction of policymaking? Sure. Is that likely? No, not really.

    • prox a day ago

      We need a law that a human representative can be spoken to within 24 hours or directly when something critical happens.

      Also “there is no appeal possible” should be plain illegal.

      • burnt-resistor a day ago

        Technofeudalism is what happens when grossly under-regulated anarcho-capitalism dominates rather than sustainable, more ordinary capitalism where government regulation is the supreme, minimized biased arbiter that keeps things fairer and sensible for the benefit of the many rather than the benefit of the few.

      • gzread a day ago

        In the EU, under GDPR, it is legally required to explain automated profiling.

        • ceejayoz a day ago

          We have an EU dev we tried to have submit a GDPR request for human review on something on Facebook.

          There’s no apparent mechanism to do so. Support was clueless. The privacy email address responded weeks later with “not our department”.

          • gzread a day ago

            As expected. However, since it's the law, there's some way to enforce it.

          • estimator7292 a day ago

            That's because the correct department is legal. GDPR is a legal mechanism, not a support and privacy thing.

            "I'm doing it wrong and it doesn't work" means you're doing it wrong, not that it doesn't work.

            • ceejayoz a day ago

              Even Facebook calls them "privacy rights".

              And https://www.facebook.com/help/contact/178402648024363 doesn't work either. Black hole, as far as I can determine.

              Their chatbot, when asked, sends you to https://help.meta.com/support/privacy/ and says:

              > To submit a GDPR objection request on Facebook, you can use the Privacy Rights Request channel.

              > Select Facebook as the product you want to submit an objection about.

              > Choose the option "How can I object to the use of my information" and follow the instructions.

              But that option doesn't exist.

        • emsixteen a day ago

          How's that work? Got a link handy to explain to a dummy?

          • buzer a day ago

            Article 13(2)(f)

            "In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."

            EDPB Guidelines on automated decision making: https://ec.europa.eu/newsroom/article29/items/612053 especially page 25 is relevant

            C‑634/21 is also somewhat relevant to understand how courts have applied ADM in the general context of credit reporting https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... though it didn't specify what information actually needs to be provided for 13(2)(f).

      • beng-nl a day ago

        I understand the sentiment, but.. do you realize how much more expensive that would make all these services?

        I don’t know the number. But personally I think using the services, and ‘simply’ only using them if the disappearance isn’t catastrophic, and having the price be low or free while it works, isn’t too bad a trade-off.

        Admittedly that’s a big ‘if.’

        • alemanek a day ago

          That is the wrong way to look at it.

          If this requirement was in place they would be a bit more careful about terminating accounts because the cost equation would incentivize it. Maybe they would be more careful in their automation or require more than one level of human review before cutting off access.

          These companies are gatekeepers for their platform. It isn’t crazy to require them to act more responsibly.

        • prox a day ago

          These are usually multi billion dollar companies, they’ll be fine, stop worrying about them.

          Start worrying about the erosion of your rights as a consumer.

          • prmoustache 13 hours ago

            I agree in that case but be wary with these kind of assessments. There are tons of regulations that are meant for big players but can also affect much smaller negatively.

            For instance I don't think to this day it is possible to operate a Mastodon server and be compliant with GDPR and the UK Online Safety Act. There was the famous case of the LFGSS forum about to shut down due to the former; the forum was kind of saved by a group of individuals willing to take the risk, but the founder stepped down from fear of legal risks.

            There haven't been homes raided and servers and personal computers seized yet, but that doesn't mean it can't happen, and technically any EU or UK volunteer hosting some forum or open source based social media that isn't GDPR or Online Safety Act compliant could be at risk. For most I believe it is not that they don't want to be compliant but they aren't aware of that and/or don't have the technical means without further development on the software they are using, and despite them not abiding by their own users' rights, most of their users would be more sad to see them shut down than the current status of not obeying the law.

        • rangerelf a day ago

          If it's impossible for a service provider to even talk to its customers, why is it in operation at all?

        • _imnothere a day ago

          They sure do earn enough money to afford whatever number that is on your mind.

        • zelphirkalt a day ago

          Even if they somehow were so expensive that it would no longer scale to their size, that is still not our problem and if anything, a sign that either they need to improve their systems, or simply cannot be as big as they are. Shit happens, scale down, I won't cry for them.

        • chromacity a day ago

          > I understand the sentiment, but.. do you realize how much more expensive that would make all these services?

          It wouldn't. For example, before Gmail, email was often free or nearly free (bundled with your internet service), but in most cases, you could talk to a human if you had issues with the service.

          What we couldn't do is turn these business models into planetary-scale behemoths that rake in hundreds of billions of dollars in revenue. In essence, you couldn't have Google or Facebook with good customer support. I'm not here to argue that Google or Facebook are a net negative, but the trade-offs here are different from what you describe.

        • harel a day ago

          Honestly, it's not our problem. Once a service becomes so vital it cannot be terminated without any meaningful process. My meta developer account is suspended and none of my appeals are responded to . Who can I talk to? Nobody. It's wrong.

        • alpaca128 a day ago

          MS could literally double their global employee count with a fraction of what they spend on AI annually.

        • thefounder a day ago

          I don't think they would be so much more expensive but they would be less profitable for sure and perhaps less "innovative" as a big chunk of the profit will go into regulation stuff.

        • amluto a day ago

          These services are designed such that security sort of depends on reviewing the programs that are allowed to run. Microsoft, Google and Apple all do this. It adds expense, annoyance, limitations, and really very little security.

          The contrasting approach, where one designs a platform that remains secure even if the owner is allowed to run whatever software they like, may be more complex but is overall much better. There aren’t many personal-use systems like this, but systems like AWS take this approach and generally do quite well with it.

          • ethbr1 a day ago

            > The contrasting approach, where one designs a platform that remains secure even if the owner is allowed to run whatever software they like

            There's a lot that one can gripe about when it comes to Amazon as a company, but credit where credit is due -- their inversion of responsibility is game-changing.

            You see this around the company, back to their "Accept returns without question" days of mail order.

            Most critically, this inversion turns customer experience problems (it's the customer's problem) into Amazon problems.

            Which turns fixing them into Amazon's responsibility.

            Want return rates to go down because the blanket approval is costing the company too much money? Amazon should fix that problem.

            Too often companies (coughGoogleMicrosoftMetacough) set up feedback loops where the company is insulated from customer pain... and then everyone is surprised when the company doesn't allocate resources to fix the underlying issue.

            If false positive account bans were required to be remediated manually by the same team who owned automated banning, we'd likely see different corporate response.

        • HackerThemAll a day ago

          Look how much profit Microsoft made last year.

          "Financially, it was a year of record performance. Revenue was $281.7 billion, up 15 percent. Operating income grew 17 percent to $128.5 billion." https://www.microsoft.com/investor/reports/ar25/index.html

          So don't be so naive to tell us that 1-2 additional people to handle the appeal process is anything but rounding error in their balance sheet.

    • BrenBarn 21 hours ago

      They should probably be regulated as utilities and broken up into smaller companies, so that it's easier for people to migrate to alternatives when one company does something bad.

    • miohtama a day ago

      If it is regulated as a utility, the government will want to ban these hacking tools.

      • zelphirkalt a day ago

        I think the GP is relating to MS services and accounts as utilities that should not be possible to be taken away easily, not about Wireguard.

      • JoshTriplett a day ago

        Agreed. Be careful what you wish for.

    • x0x0 a day ago

      I've gotten business verification for Microsoft before. The kind you need in order to get certain oauth scopes for their O365 platform.

      Do not discount complete, total, utter, profound fucking incompetence as the driving reason behind this.

      Getting the business verification was an astounding shitshow. With a registered C corp and everything, massively unclear instructions, UI nestled in a partner site with tons of dead ends. And then even after all the docs, it took another week because -- in an action that nobody could possibly have ever foreseen -- we had two different microsoft accounts due to a cofounder buying ONE LICENSE of O365 for excel and doing domain verification because it suggested it.

    • zelphirkalt a day ago

      I have a feeling, that the resolve to do something about it is waning in the EU, because of the plans to soften up the GDPR.

    • NewsaHackO a day ago

      It's always weird to see the dichotomy of some people saying AI will never be profitable and is doomed to fail, and others saying that they are such an essential public service that they are a utility and should be subject to government regulation. Hopefully they are not the same group of people, but I suspect there is a greater overlap than one would expect.

      • jonathanstrange a day ago

        I'm not one of those people but want to point out that there isn't much of a contradiction there. I don't know if hospitals, universities, train tracks, roads, and libraries technically speaking count as utilities but they overall don't seem to be profitable and at the same time are extremely desirable for a society and an economy to have. AI could turn out to be of the same sort.

  • onehair a day ago

    Now this is even more alarming! Wireguard's creator has their Microsoft account suspended...

    <Tin foil hat on> Microsoft doesn't want to allow software that would allow the user to shield themselves, either by totally encrypting a drive, or by encrypting their network traffic! </Tin foil hat on>

    • unicornporn a day ago

      > Microsoft doesn't want to allow software that would allow the user to shield themselves

      I don't think Microsoft cares (about anything besides making mo' money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.

      No tinfoil needed.

      • vstm a day ago

        > No tinfoil needed.

        That's what Big Tinfoil wants you to believe!

      • anonym29 a day ago

        >I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.

        Microsoft the corporation may only care about making money, but a lot of very high ranking folks within MS Security aren't just friendly to intelligence agencies, they take genuine pride in helping intelligence agencies. They're the kinds of people who saw nothing wrong or objectionable with PRISM whatsoever, they were just mad they got caught, and that the end user (who they believe had no right to even know about it) found out anyway. The kind of people who openly defend the legitimacy of the FISA court.

        These aren't baseless accusations, this comes from first-hand experience interacting with and talking to several of them. Charlie Bell literally kept a CIA mug on a shelf behind him, prominently visible during Teams calls, as if to brag.

        Remember - Microsoft was the very first company on the NSA's own internal slide deck depicting a timeline of PRISM collection capabilities by platform, started all the way back in 2007. All companies on that slide may have been compelled to assist with national security letters. Some were just more eager than others to betray the privacy and trust of their own customers and end-users.

        • maxo133 a day ago

          I can completely believe this.

          I was always convinced that Skype was bought by Microsoft so CIA/US intelligence agencies could have listening capabilities.

          The first thing Microsoft did after the Skype purchase was making it easier to tap into the calls by removing p2p calling and routing calls using centralized servers.

        • SoftTalker a day ago

          That's my experience with most computer security folks as well, and tech companies who sell security products. Cloak-and-dagger stuff running 24x7 in their heads.

          • anonym29 a day ago

            There are quite a few extremely talented security folks who are more or less the polar opposite, who view people like Edward Snowden and Julian Assange as heroes, the NSA as guilty of treason, and James Clapper as guilty of perjury, even inside of corporations like Microsoft.

            The catch is, views like those must be kept to a fairly modest level by the people who hold them. Discussing them with ideologically aligned colleagues may be fine, but for example, when someone makes statements or asks questions with such pro-privacy framing on stage directly to security leadership at internal company conferences, that is a quick way to a severance package not only for the person on stage, but also for dozens of folks in the audience who clapped a little too enthusiastically at the onstage remarks.

        • dboreham a day ago

          It's quite possible TLAs plant employees inside important tech companies. So not only are they sympathetic, they directly work for them.

      • balamatom a day ago

        >I don't think Microsoft cares (about anything besides making mo' money)

        If Microsoft amounts to a sentient entity (i.e. is able to care about things), we have a bigger problem.

        If we put the wall of metaphor between us and that interpretation, it still remains likely that "users shielding themselves" is of primary concern to Microsoft's bottom line.

    • Macha a day ago

      Alternatively they asked copilot to scan for crypto projects and ban them

    • ngetchell a day ago

      Or more likely, some automated security system flagged popular but suspicious apps for further review.

      • antiframe a day ago

        If you use an automated process to disable accounts but then state there is no appeals process available as they stated, then you are not to be trusted to be acting in good faith. Bad actors should be called out and not given the benefit of the doubt.

      • Gigachad a day ago

        Automated systems breaking things without any human contact to get them resolved seems to be the theme of the last 10 years.

        • burnt-resistor a day ago

          This phenomenon is so Orwellian with insufficient awareness, it should both be an SNL skit and a John Oliver episode. It's illiberal, neoliberal, corporate bullshit that causes harm to individuals. These companies need to be treated as utilities and the "companies can do whatever they want" arguments must be debunked and defeated because of the pervasive power they hold and immense harm they can cause to individuals without a remedy when they rug pull access without clear cause.

          It also reminds me of the case of the entire family who lost all of their payment-linked individual accounts including business data and an academic dissertation because the son allegedly behaved inappropriately with a bot. Collective punishment on top of technofeudal instant banishment.

          • account42 11 hours ago

            And the worst thing is that we have the power to collectively make that behavior into a corporation-ending scandal but we choose not to because it doesn't affect most of us personally yet.

      • raxxorraxor a day ago

        Where are the people that tried to sell us software signatures as security benefit? The reality is that they are a very specific security problem. In theory and in practice.

      • nelox a day ago

        Maybe they let Mythos loose and it suggested the safest approach was to remove access ;)

    • varispeed a day ago

      It is more likely that government doesn't want to allow people to have privacy. Microsoft just obediently listen to orders and execute them.

    • blitzar a day ago

      "Never attribute to malice that which is adequately explained by stupidity"

      • justin_oaks a day ago

        When a company makes it impossible to correct their stupidity, it's a malicious act. The behavior speaks loud and clear: "We don't care what damage we do to developers or users. And we don't want to hear about it."

      • tux1968 a day ago

        I'm more convinced than ever that this aphorism has it completely backwards.

        • pocksuppet a day ago

          It was probably true at some point, then malicious people learned how to fake stupidity and they outnumber actual stupid people, and they learned how to recruit stupid people to their causes.

          • xeonmc a day ago

            Never attribute to incompetence that which is adequately explained by profit motives.

        • subscribed a day ago

          Or it's being spread by the malicious actors, like "money doesn't buy happiness".

        • account42 11 hours ago

          It's a decent rule for when one of your close friends breaks your favorite mug. Not so much for complete strangers, not to mention faceless mega-corporations, making choices to fuck you over.

      • BoredPositron a day ago

        The guise of a harmless mistake has worn so thin and is so overused by tech companies that I now only see deliberate intent.

  • teruakohatu a day ago

    I am astounded that the maintainer and inventor of Wireguard is in this position.

    Microsoft even supports Wireguard in Azure Kubernetes Service.

    • windowliker a day ago

      Is this another example of their old modus operandi:

      https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

      ?

      • riskable a day ago

        No. Embrace, Extend, Extinguish was replaced by the AAA strategy: Acquire, Assimilate, Abandon. They were trying to be more Google-like with that "Abandon" step I think.

        They've since moved on to the SSS strategy: Ship, Slip, Slop.

    • miroljub a day ago

      Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?

      Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.

      • greenavocado a day ago

        This license modifier already exists for others to use (I can't post the direct links here because this site will sanction me for doing so)

        plus n-word dot com hosts information about the plus n-word license which purports:

        - The software will not be used or hosted by western corporations that promote censorship

        - The software will not be used or hosted by compromised individuals that promote censorship

        - Users of the software will be immune to attacks that would result in censorship of others

        • kbelder a day ago

          Why "Western" corporations that promote censorship? Non-western censorship is allowed?

        • gzread a day ago

          It's even GPL compatible, because the GPL makes provision for additional notice requirements.

          That would be both hilarious and horrifying if the only thing stopping the corporate dystopia is that Microsoft doesn't want to say the N word.

      • UqWBcuFx6NV4r a day ago

        We literally just did this. Now we have Valkey. Nobody won.

        • pocksuppet a day ago

          Did anyone lose?

          Valkey is better because all of the new development work happens on Valkey, not because of the license. If the actual developer changed the license, that would be a different situation.

    • Already__Taken a day ago

      It's got a lot of analogy to restaurants banning Uber delivery for not handling their food to their standards.

      • HackerThemAll a day ago

        That actually is not an analogy at all and it makes sense. When a low-paid Uber Eats delivery person just throws the box carelessly and brings a damaged dish to the customer, that's a real issue.

        In digital services there's no such thing. There's only a damned corporation employing idiots who don't care about community.

      • xiconfjs a day ago

        What? How?

    • nelox a day ago

      Agree. Single point of failure. One developer, one account. Crazy.

      • ptx a day ago

        Having multiple accounts wouldn't help, as Microsoft could easily suspend all the accounts of everyone associated with the project if any account looks suspicious. The single point of failure is Microsoft.

      • pjc50 a day ago

        You're not actually allowed to avoid this by having multiple accounts, that falls under "ban evasion".

        But yes, there's a lot of critical single maintainer projects.

      • raxxorraxor a day ago

        No, that is not the issue here. The source of the problem is something different. This is a wrong root cause analysis.

      • jamesnorden a day ago

        How would more than one account help in this scenario, exactly?

        • hirako2000 a day ago

          Any account can sign any (same) piece of software. Of course Microsoft could detect that it's signing software related to a banned signer and ban the new account. So veracrypt (and wireguard) is stuck.

          It's outrageous. MS is simply enforcing some Government crackdown on encryption software that would interfere with backdoors.

  • zx2c4 a day ago

    Encouraged by this thread, I tweeted about it: https://x.com/EdgeSecurity/status/2041872931576299888

    • varun_ch a day ago

      If someone was a bad actor, right now would be a pretty good time to start exploiting zero days in WireGuard…

  • pocksuppet a day ago

    The other day I tried to create a Github account and was repeatedly told I am fraudulent. Nothing else. Try again later, it says.

    This is the same thing that's happened every time I've tried to have a Microsoft account. I don't think Microsoft wants to have customers who aren't rich.

    • jandrese a day ago

      Maybe some bot signed up using your email and then did bot things on it. I've had that happen a lot over the years. My Microsoft account is still stuck in German because that's the language the bot used when creating the account (to spam X-Box apparently).

      • hirako2000 a day ago

        I got a 20y old hotmail/live account deleted by Microsoft because a bot tried to reset my password too many times. Considering the magnitude of the targeted attack, MS found the safest way to keep me secure was to wipe my account. That way the attacker could not get into my account.

        • reincarnate0x14 a day ago

          I had something similar with a 6-letter apple account that has never been compromised but I guess got put on some kind of list, because I had to go through account recovery almost every time I logged in, which wasn't a big deal until I got an iphone. Apple support was completely useless. Random old buried forum post in a stall marked "beware the leopard" mentioned the behavior and suggested changing the account name.

          Nothing in the Apple site or phone stuff would even clue the user in to what was happening, much less how to resolve it.

      • pocksuppet 7 hours ago

        Brand new email account.

    • octoberfranklin a day ago

      Same here with github.

  • observationist a day ago

    /tinfoil time

    60 days, long enough for the US to exploit the vulnerabilities discovered by Claude Mythos, short enough to plausibly be bureaucratic corporate awfulness by Microsoft when all is said and done. Basically freezing you and other security software out of protecting the bad guys they particularly want to get at until after the bad guys get got, then everything goes back to normal and Microsoft says "oops, here, we fixed your access."

  • Avamander a day ago

    I saw a tweet saying that there's a requirement for verification.

    > Effective October 16, 2025, Microsoft will initiate mandatory account verification for all partners in the Windows Hardware Program who have not completed account verification since April 2024.

    > Partners who fail to complete Account Verification by the deadline, or who do not meet the requirements, will have their status set to Rejected and will be suspended from the program.

    https://x.com/shanselman/status/2041974138253013205

  • jchw a day ago

    I tried to set up a partner account for driver signing last year (as a business entity) and it already seemed basically impossible. I think they're getting ready to just simply not allow it at all.

    This is stupid. If Microsoft wants people to stop writing kernel drivers, that's potentially doable (we just need sufficient user mode driver equivalents...) but not doing that and also shortening the list of who can sign kernel drivers down to some elite group of grandfathered companies and individuals is the worst possible outcome.

    But at this point I almost wish they didn't fix it, just to drive home the point harder to users how little they really own their computer and OS anymore.

  • wolrah a day ago

    Not exactly the same situation, but RustDesk has recently been removed from the official WinGet community repository because their automated scans have been blocking updates since v1.4.2 in September 2025.

    https://github.com/rustdesk/rustdesk/discussions/13025 https://github.com/microsoft/winget-pkgs/pull/345601

    tl;dr: ESET Antivirus flags RustDesk as a "Potentially Unsafe Application" because it is a remote administration tool, despite not flagging similar commercial products in the same way, and the WinGet Community repo policy is to block anything flagged as such. Since they were unable to update the repo the RustDesk team requested that the older versions be removed to prevent users from unknowingly installing old versions that could potentially be a security issue in the future. Apparently this has been an issue for a lot of applications especially in the VPN and remote control categories.

    There is a discussion about how best to handle these sorts of situations where legitimate and desirable applications get flagged as "potentially unsafe" or "potentially unwanted" but so far it's just been a discussion with no actual changes proposed yet.

    https://github.com/microsoft/winget-cli/issues/6107

  • sellmesoap a day ago

    With these big players who are regularly found supporting people with evil intentions: Don't attribute to incompetence what could be ascribed to malice, nay you must trust the gods of the clouds to keep your secrets for you, all for the low low price of $x.99 a month a seat, you may only cancel your service with an arcane dance and the sacrifice of your first born!

  • number201724 15 hours ago

    Did you also receive the same support email?

    They always just tell me to ask copilot, then they open a case using copilot, and then they tell me to ask copilot again. I said I wanted to prove that the code didn't contain malicious code, and they still told me to ask copilot...

    This account has been suspended because the code you submitted contains malware or potential vulnerabilities. If you believe your account was suspended in error and can demonstrate that the code you submitted does not contain malware or vulnerabilities, please follow the below steps, and contact us. 1. Go here: http://aka.ms/hardwaresupport 2. Click Contact Us 3. Make sure you are signed in with a user associated with the HDC account in Partner Center 4. Select Ask Copilot to receive email support.

  • GoblinSlayer 12 hours ago

    I wonder if npcap can route all traffic through a userland service, then handle it there.

  • rogertcb 10 hours ago

    After all these statements from M$ claiming they’ve replaced people with AI, wouldn’t be one bit surprised if this “bureaucratic behaviour”, was in fact, some agentic behaviour.

  • Nuthen a day ago

    Thank you for the extra visibility on this issue. I'm in the exact same boat: account suspended, waiting for the 60 days appeal process. Hopefully it will be resolved swiftly!

  • iamnothere a day ago

    Surprised to see you here. Thanks for all your hard work.

    Windows users are in a tough spot, but with the dawn of Copilot, nobody should be surprised. Frankly, those who remain with Windows after this latest betrayal have chosen their fate.

    • SV_BubbleTime a day ago

      > those who remain with Windows after this latest betrayal have chosen their fate.

      Ah. So almost every single business in the world… suckers?

      • serf a day ago

        are you making an argument that businesses worldwide somehow are known to make well thought-out, rational, wise decisions that are in best interest for the business and efficiency of running it?

        because most managers I know in my professional life go with the vendor that buys them dinner or slips them tickets for box seats.

      • gzread a day ago

        Yes.

      • croes a day ago

        Given MS‘ track record, yes

  • zx2c4 11 hours ago

    Microsoft got in touch. All sorted out now.

  • gib444 a day ago

    Y'all need to form an alliance or something, get some press coverage (wireguard, veracrypt, libreoffice)

    • duskdozer a day ago

      True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.

  • withinrafael a day ago

    Will send some emails.

  • SergeAx a day ago

    Is there a WireGuard version for Windows above 0.5.3 released in 2021?!

  • tamimio a day ago

    I think it’s intentional, those encryption (at rest/transit) applications are outside of MS control and you can assume outside of potential backdoors by three-letter agencies, bitlocker vs veracrypt? Of course bitlocker is favorable from their perspective.

    I wouldn’t be surprised if NSA already had a list of these applications and the strategies on how to cripple them or worse, compromise them.

    • nelox a day ago

      Or found they’ve been compromised by someone else? ;)

  • rsync a day ago

    You said:

    "Currently undergoing some sort of 60 days appeals process, but who knows."

    .. and the op said:

    "I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."

    ... which is a roundabout way of saying you did not spend lawyer hours and you did not contact them through channels that they cannot ignore: registered, physical mail, from a lawyer.

    I'm sorry for these difficulties, truly, but don't tell me you can't reach a human when you most definitely can reach a human. From my own experience with an organization at least as calloused and indifferent as MS[1], as soon as I sent a real, legal communication I had real live humans lining up to talk to me.

    [1] Pacific Gas and Electric

    • reincarnate0x14 a day ago

      Microsoft hasn't managed to burn down entire towns (But Copilot is probably working on it), so I suppose we do have at least some kind of gauge of callousness to work off of thanks to PG&E. Which was also the company behind that whole slightly famous Erin Brockovich thing, amongst so very many others.

      Sometimes, it's both incompetence AND malice.

    • zx2c4 a day ago

      No. The humans just said 60 days.

  • tssva a day ago

    Has your Apple account been suspended for the last few years?

  • matheusmoreira a day ago

    > what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately?

    Honestly, anyone still using Windows probably deserves it.

pogue 2 days ago

They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.

  • perlgeek a day ago

    Isn't this Microsoft abusing their quasi-monopoly as a consumer PC OS vendor?

    If it weren't for the current administration, I'd say it's time for regulatory action.

    • riskable a day ago

      The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.

      The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This led to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.

      Recently they've had some wins but overall they're still failing to do their job.

      • genewitch 17 hours ago

        > "if it doesn't raise consumer prices, it must be allowed."

        are there any books or good articles with good sources about this? I'm very interested in what happened in the 80s through the mid 90s.

      • pogue 16 hours ago

        Lina Khan was right - after allowing the Activision merger, Game Pass prices skyrocketed to $30 a month for their most expensive tier.

    • newsoftheday a day ago

      > If it weren't for the current administration

      Because the Democrats were better at keeping them on a leash? No. Clinton was in charge 30 years ago and blew it.

      • tremon a day ago

        It was the Clinton administration that started regulatory proceedings against Microsoft, but it was GW Bush that was president during the conclusion of the case. And, true to form:

        > The Department of Justice, now under Bush administration attorney general John Ashcroft, announced on September 6, 2001, that it was no longer seeking to break up Microsoft and would instead seek a lesser antitrust penalty

        https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...

    • account42 11 hours ago

      Because the previous administration(s) regulated MS so much that they aren't too big to fail now?

  • klabb3 a day ago

    It's much worse than you think. Press coverage -> manual intervention is at best a bandaid covering up a major wound in a flaw that happens with independent software distribution.

    The old model where the user decides which software or apps to run on their machine is basically already replaced by a whitelist system that is managed by companies who have no interest or obligation to approve developers. If you have factors like "being an individual", being an open source developer or, god forbid, residing outside the USA, you rely on a combination of L1 support doom loops, unjustifiably high recurring prices, kafkaesque and changing requirements, internal inconsistencies. Windows is the worst, but all platforms (except Linux) suffer from this and you can and will get hurt, delayed, and gaslit. If you haven’t, it’s just a matter of time.

    I have been blocked for 6 months now with Digicert code cert renewal, for my app Payload, which will never get any media attention. The app doesn’t matter though, the approval process is per-entity (usually, a company). The point is that nobody gives a shit, because they have a monopoly/cartel and they start the validation process after they take your money.

    If you are not an app publisher, the best way I can describe it is the "pre-Let’s Encrypt" era of SSL certs, but more expensive, strict and ambiguous. In fact, I’ve never gone through any worse approval process in my life, and that includes applying for residency in two countries, business licenses, manual tax filings etc.

    • bluGill a day ago

      Some countries (the EU in general) are already doing things about this. Owning the app store means you are a monopoly and now the only question is are you illegal by the local laws which vary.

      You can/should write your congressman (or whatever they are called in your country) and get better laws in place.

      • klabb3 a day ago

        You are not wrong that regulation is desperately needed, and that the EU is doing good things. However, even the EU, which is doing the right thing on an anti-trust pro-competition basis, fundamentally succumbs to the same misconception – that middlemen are necessary at all. The EU doesn’t care about the App Store model, they care about the App Store monopoly. They are right about that, but the solution isn’t alternative app stores - it’s much simpler: the solution is NO App Store.

        More specifically, it used to be feasible to distribute software between me (the developer) and my customers (the users) without a mandatory gatekeeper that looks at me and decides whether I’m worthy, am from the right country, have good intentions etc. This is currently necessary on all desktop and mobile platforms except Linux. There is exactly 1 gatekeeper per platform (the platform owner who controls your device), except Windows, which effectively has like 3-4 CAs, a list that’s shrinking every year due to mergers and private equity ownership.

        Software curation and reputation systems can be good, either with whitelists (say steam) or blacklists (say antivirus). I can see some use cases for it, but they should be within user control. What we have now is worse than a fearmongering Stallman rant. It’s incredibly bad, both pragmatically and philosophically.

        • fsflover a day ago

          If arbitrary app stores are allowed without restrictions, isn't that equivalent to allowing installation of any apps?

          • beautron 18 hours ago

            That's the idea! "Allow" the user to install any apps they choose. (I put "allow" in quotes, to emphasize how bizarre it is that a few platform vendors get to decide what all of humanity is "allowed" to do with their computing.)

            • klabb3 7 hours ago

              GP here. I agree in spirit but there’s a technical difference between "approved to distribute" and "approved in an App Store". Specifically, you can distribute software for Windows and Mac outside of their stores, but you still need to have a code cert which means you’re under their mercy. This is the model Google wanted to transition Android to recently: keeping the APK path (no App Store) but gatekeep developers through signature enforcement etc.

  • CR1337 a day ago
    • bombcar a day ago

      The (new?) X link made me think for a moment you got the username @i

      • yegle a day ago

        The /i/ links are not new, but they used to be for internal (?) links e.g. ads.

      • aaronmdjones a day ago

        The website formerly known as Twitter has never cared about the username part of the URI; it only looks at the status number and will redirect you to the canonical version if it wasn't.

firen777 2 days ago

It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...

  • SeanDav a day ago

    This is worrying on many levels. So Microsoft force you to create an account to use Windows and then they reserve the right to block you from your own account, thereby potentially making you lose access to all your OWN data. This is crazy and yet another reason to stop using Windows as soon as possible.

    • jerf a day ago

      I know it's not what people want to hear but my response to a lot of the comments here is just a general, I agree, it's time to stop using Windows.

      They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.

      I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)

      I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative are heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.

      No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.

      • zarzavat a day ago

        Stop supporting Windows as well.

        Open source developers are doing Microsoft a big favor when they support Windows and publish Windows builds and installers. It's a substantial effort, and apparently that effort isn't appreciated.

        If all open source software dropped support for Windows, it wouldn't really affect the open source community that much. It would definitely cause headaches for Microsoft however.

        • jraph a day ago

          It's not that easy.

          I agree that supporting Windows helps its ecosystem.

          But also open source software on Windows is an important gateway to the free world. When you are already used to Firefox, LibreOffice and VLC, you might as well switch to Linux painlessly, but if those didn't run on Windows, switching to Linux would require relearning everything.

          • estimator7292 a day ago

            Irrelevant. If it's time to stop using windows, all those windows users will have to relearn everything either way. Whether they do it in a windows environment or a linux one doesn't really change the equation.

            A sudden lack of software on windows will increase user migration. If we all keep publishing for windows, users will just stay there because their needs are already met.

            • yjftsjthsd-h 14 hours ago

              > If it's time to stop using windows, all those windows users will have to relearn everything either way.

              No, that's the thing; they ideally would only need to replace the OS. Many long years ago, when I switched from Windows to Ubuntu (this was back when it was good), part of why it was so easy is because I mostly kept the same applications. If you use eg. Firefox, VLC, open/libreoffice, audacity, etc., then you can install a new OS, reinstall the same applications, and barely have to change anything. That's huge.

        • account42 10 hours ago

          I agree to some extent but we (or at least I) publish open source software (amongst other reasons) because I like helping others and it so happens that most users that could benefit are still using Windows so it doesn't feel right to stop doing that as long as the effort is reasonable (which it is, unlike for macOS).

      • drdaeman 20 hours ago

        Nah, it's simpler. Microsoft just lost its sense of UX and touch with reality to their own internal management vibes.

        Look at the Windows start menu. It used to be trivial to switch users. Two clicks, one to open the user list, another to switch - done. Now it's four: user panel, three-dots, switch user, pick user.

        Look at the login sequence. They want their Windows Hello and they don't care if it works well or not - no way to get a pin or password prompt instantly, you gotta click three times (one to show a method picker, another to pick PIN entry, and lastly one to focus the goddamn field) despite no reasons to hide this UI.

        It's not like they're trying to scam or sell users into something. It looks like some internal decision-makers that don't ever dogfood their decisions losing touch with common sense.

        Apple has that too, and this rot spreads elsewhere. But it's not intentionally malicious, a lot of things simply don't make sense - just total lack of self-reflection capabilities at the corporate level.

      • ufmace a day ago

        I think they've been heading that way for a while, and it's only getting clearer.

        I've been thinking, and said before, 90s Microsoft was far from perfect, but they at least seemed to care a lot about the quality of Windows. 2020s Microsoft seems to see Windows users as a captive audience they can exploit for whatever the corporate executives fancy at the moment. It seems more like a gradual transition.

        In any case, it seems to be getting more clear that Linux is destined to be the best OS for power-users.

      • walrus01 21 hours ago

        > I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more.

        Quite obviously. Look at the out of box new user experience on a Windows 11 Home installation. What you get when you open a new $600 laptop from Best Buy for the first time. The entire thing is designed to drive users towards perpetual monthly recurring subscription billing for various MS services for life (OneDrive, Office, Xbox Live, Xbox game store purchased games, etc). It's a platform which is built atop a rent seeking cloud services ideology that shows no sign of ever letting up.

    • BLKNSLVR a day ago

      Correction: stop using Microsoft products as soon as possible.

    • xorcist a day ago

      It's not your own data anymore if you gave it away.

    • criddell a day ago

      Or create the account but don't use Microsoft services.

    • gzread a day ago

      Google and Apple have been doing this for a long time, and Microsoft clearly got jealous.

      Their first big win was when they banned the Chief Prosecutor of the International Criminal Court from accessing any of the court's documents, then deleted all of those documents. Now they're going after slightly less important enemies of the state. That bar will continue to drop as long as it's allowed to. And let's not kid ourselves: if you develop or use encryption software that Mossad can't break, you are an enemy of the state.

  • whyoh a day ago

    That probably had nothing to do with LibreOffice. Lots of people have had their MS accounts locked for no reason. I guess the automatic abuse detection system just sucks.

    My advice is don't use a MS account if you can, at least not for anything critical. You don't need it for development, you can use 3rd party CAs for signatures.

newsoftheday a day ago

First I was surprised to read the Veracrypt maintainers could be in this situation, then read the top comment where Wireguard maintainers are too (unless I misunderstood). Is this some malicious new program inside Microsoft to try and shut down open source projects so they can push Windows products and solutions more?

  • NewsaHackO a day ago

    It feels more like an automated block due to an uncharacteristic increase in download activity. Something that it seems more and more companies are taking seriously is the cottage industry of scams involving less technically savvy people downloading apps online and getting their information stolen. The motivation for this is probably the same as Google stopping side loading. Take that as you want.

    • subscribed a day ago

      And how would blocking the devs ability to sign the new version stop the spread of the already downloaded and still available old version?

      I think you forgot we're talking about the kernel drivers specifically - normal scammers don't need that, they use AnyConnect downloaded from Chrome.

      I think you also forgot to read it all and missed that it was supposedly some deanonymisation (ID verification) process that kicked it off, and missed that the dev has immediately verified themselves but then we're told they need to wait 2 months.

      Because.

      It's not an automated process at this point.

  • gzread a day ago

    Yes.

feyman_r a day ago

Update from a VP at Microsoft: https://x.com/shanselman/status/2041977121686585396?s=46

  • bilekas 19 hours ago

    Amazing that their processes failed and didn't work, so the VP lashes out at everyone calling them out for it. It's not like Microslop isn't a huge organization that is the critical component here. Extremely unprofessional response, I'll reiterate, they see regular users as a nuisance.

    • j16sdiz 16 hours ago

      I guess the real problem is, everybody's inbox is overwhelmed with useless junk.

      Expecting someone to read and follow instructions in an email is not that realistic anymore

      • donmcronald 12 hours ago

        “Action Required” followed by the shittiest, least detailed, most ambiguous instructions on the planet is a Microslop staple. It’s exhilarating to get a couple of them in the same week.

        The ones that tell you there’s a problem with your MS365 subscription, but don’t tell you which one are an especially exciting challenge to deal with. Bonus points if they warn about “possible data deletion” without specifying what.

        • deltoidmaximus 9 hours ago

          > The ones that tell you there’s a problem with your MS365 subscription, but don’t tell you which one are an especially exciting challenge to deal with. Bonus points if they warn about “possible data deletion” without specifying what.

          These are real? I get these in my spam box all the time and they have all the hallmarks of a phishing scam, urgency combined with vague description with no verifiable details that aren't gleaned from my email address itself.

  • account42 11 hours ago

    Sounds like someone who should be barred from speaking publicly for the company.

  • likiiio 16 hours ago

    So, he's upset at users for getting fucked over by his company? Interesting fellow.

Topfi a day ago

Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?

Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.

  • abcd_f a day ago

    It's more or less commonly accepted that its creator got jailed for being an arms dealer.

    https://en.wikipedia.org/wiki/Paul_Le_Roux

    • Topfi a day ago

      I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.

      More importantly, if development ceased with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on Bitlocker of all things, a new version of Truecrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent to a crowd-funded source code audit that, in the end, did not find any severe issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).

      That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".

      • Izmaki a day ago

        I always believed that rather than publicly stating that they were about to be arrested or worse, which may alert regular, non-tech-savvy people, he sent a hidden message in the arguably horrendous recommendation of replacing his tool with BitLocker.

        I think he was trying to scream “Run!” without actually screaming “run”.

      • _boffin_ a day ago

        Wasn’t there something with 7.1A and that the canary was gone after that version too?

    • diath a day ago

      Makes you wonder what kind of leverage/information you have to have to only get 25 years for admitting to being involved in 7 murders.

      • pnw a day ago

        According to Wikipedia, the DEA gave him immunity on additional charges in return for pleading guilty and running a sting against his associates, but before the DEA knew about the murders.

        • account42 10 hours ago

          Seems weird that the DEA can even give him immunity for unknown crimes, especially ones that might not be directly related to the case, and even weirder that they would offer that. Makes you wonder what kind of leverage/information you have to have to get that kind of plea deal.

    • JoshGlazebrook a day ago

      > He subsequently admitted to arranging or participating in seven murders, carried out as part of an extensive illegal business empire.

      Yikes

    • badocr a day ago

      My theory is that Le Roux was just financing the (two?) TrueCrypt developers.

  • no_time a day ago

    I would also like to know why it is excluded from Archive.org

    https://web.archive.org/web/20260000000000*/https://www.true...

  • b65e8bee43c2ed0 a day ago

    likely chose to shut down rather than bend over, same as Lavabit a year prior. I find it more plausible than the other theory.

    • jug a day ago

      I went on a Wikipedia dive and discovered this funny bit regarding the court process surrounding Lavabit and FBI's desire of the TLS private keys.

      > The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."

      (And to be clear, that's all they ever saw of said keys)

      • pas a day ago

        > The court ordered Levison to be fined $5,000 a day beginning 6 August until he handed over electronic copies of the keys. Two days later Levison handed over the keys hours after he shuttered Lavabit.

        • trinsic2 a day ago

          I remember that. That was around the time they were using the National Security Letter to make things happen that were clearly illegal. Now look at where we are at. They are using Nation Security reasoning for anything.

      • bornfreddy a day ago

        That's just stupid. Take 10 people, each enters the data independently, compare their versions and select the most common of each character. With 1 second per character they would finish in an hour, coffee break included. They just didn't want to bother.

        • account42 10 hours ago

          Irrespective of whether this particular court order to share the keys was OK in the first place, you shouldn't get to respond to a court order with any kind of malicious compliance even if it isn't "too much" extra work for other parties.

    • Topfi a day ago

      Fair assumption, but unlike Lava, TC never had customer/user data. The NSL/forced shut down theories also make little sense to me however, the fork was up by the end of the week and was easy to foresee. Kinda why this fascinates me so much, no theory I ever read survives basic scrutiny. Perhaps some things, we’ll never know.

      • b65e8bee43c2ed0 a day ago

        https://en.wikipedia.org/wiki/Nils_Torvalds#Linux_kernel_sta...

        >When my oldest son [Linus Torvalds] was asked the same question: "Has he been approached by the NSA about backdoors?" he said "No", but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer, [but] everybody understood that the NSA had approached him.

        so the assumption here is that TC were also asked to accept "contributions" from bioluminescent individuals, and chose not to. "just use Bitlocker" was a deafeningly loud dogwhistle, don't you think?

  • newsoftheday a day ago

    Agreed, that whole thing was suspicious. I still use TrueCrypt, because of the suspicious nature of how it all went down.

0xCE0 a day ago

Linux is the only hope at this point for the future of computing.

Windows and macOS are just too risky to do any business with. Waste of all resources.

  • delfinom a day ago

    Don't worry, US states are working on making Linux illegal through age verification requirements in the OS.

    • gruez a day ago

      Isn't linux compliant because of the systemd change?

      • McGlockenshire a day ago

        The only thing that systemd did was add a space and api to store an attested birth date. That is what the entire meltdown was about. A CRUD API.

        Everything else about complying with the wacko age verification law is up to distro builders.

  • cguess a day ago

    and yet... still unusable by the mass majority of people.

    • teekert a day ago

      My kids grew up on Gnome essentially, I can tell you Win11 is a lot more confusing to them, not just because they grew up on Gnome, there is just so much more ... stuff. And notifications and flashy things and news and weather apps and they all want your attention. Gnome is much more iPadOS like (minus that horrible concoction called the App Store).

      Sure, if you're all in on MS365 (like all schools here in the Netherlands), Windows may be somewhat more handy with its native apps and all your stuff there with a single log-in.

      • cguess a day ago

        And someone once raised their kids speaking Klingon, that isn't a good excuse on why it's a language others should use.

        For the vast majority of people MS365 is a requirement, but really the issue is that even minor fixes require the command line on Linux and that makes it unusable.

        • newsoftheday a day ago

          > For the vast majority of people MS365 is a requirement

          No it isn't actually, not for the majority, my wife (former Sales Person and Manager) uses Google office tools and used LibreOffice Write and Calc for years successfully.

        • dartharva a day ago

          None of this is true

        • teekert a day ago

          I guess it means that even when something is (arguably) objectively more simple, people still won't budge just because they don't want change. They don't want to learn new things.

          I myself am quite different. I have thoroughly had it with my current iPhone and am eyeballing /e/OS, before that I really started to find Android boring, before that Windows mobile (the nice one with the cards). I switch Gnome, KDE, some other DE (now getting ready to try Niri) every year or 2. I don't get the struggle, for me a new env is like a present (even though I normally hate presents). So much niceness to explore, so much to optimize. I love it. But I'm also one of those guys that reads the oven manual and tries all functions in week 1.

          I'm not weird, all you people are weird.

          • Pay08 a day ago

            No, it means that people have requirements that Linux does not fulfill. I need the Office suite, and would rather not gamble with the various compatibility promises made by alternatives.

      • account42 10 hours ago

        > My kids grew up on Gnome

        This should be considered child abuse.

        • teekert 8 hours ago

          I always buy 2nd hand (business) laptops for my business use, when they are even too old for me, the kids use them (All the streaming services, Minecraft).

          You just needs something that opens a browser or a simple app. Nothing is more minimal and clear at the same time than Gnome, imho. Click Icon - Open App - Have clock at top. What more does one need?

    • uyzstvqs a day ago

      This is always said by people who either never touch the Linux desktop, or exclusively use their own custom Arch setup.

      You can install Fedora Linux, Linux Mint or Manjaro, and it's more user friendly than Windows 11 and macOS.

      • cguess a day ago

        I compiled my first kernel at 13 (Mandrake, to age myself). I've used all the distros you just listed and no, none of them are close to as user friendly as at least MacOS. The fact that there are "flavors" you have to list alone is way too complicated and weird for most people.

        For the vast majority of people an operating system is whatever comes with the computer the kid at Best Buy told them they should buy or their IT department gave them. Asking anyone to switch is basically impossible.

    • WarmWash a day ago

      Linux is stuck because it's made and maintained by people who love linux.

      Look at popular unix based OS's - Android, MacOS, iOS..

      Whats the first thing they do? Take the command line out back and shoot it. Whereas for linux users, there is this l33t h4cker fetishization of only using a keyboard to do everything. All these distros have an extremely robust CLI under the hood, and an afterthought quasi GUI on the surface. Just good enough for grandma to check her email and watch youtube.

      • filchermcurr a day ago

        Good. I'm sure this is a controversial take in our brave new world, but not everything has to be aimed at the lowest common denominator. It's refreshing to have something that isn't dumbed down for "the average user" and forces people to actually learn how to do something for a change.

        I hope Linux never succumbs to the lowest common denominator and people who actually enjoy tinkering will always have somewhere to go and something to learn. If that's being stuck, I hope it stays stuck.

        • cguess 8 hours ago

          Sure, but this means it will never become a mainstream consumer OS.

      • hparadiz a day ago

        Why do folks act like windows isn't full of cli commands? First thing on any windows box is running debloat in powershell. Installing apps from a gui in Linux has been solved for a long time.

        • WarmWash a day ago

          Having an excellent CLI doesn't preclude having an excellent GUI. No reason we can't have both.

          Also I hate linux repos with a passion, because they are optimized for CLI usage, and (like the whole OS) the GUI parts are a total unoptimized afterthought. Never mind that they are a dumping ground for whatever code anyone shits out, with virtually zero management or curation. With a CLI you don't see this, with a GUI it's a total mess.

          I'm fine with app stores, but they need to be actively managed and curated. If not, I far far prefer just downloading .exe's from the source.

          • hparadiz a day ago

            > whatever code anyone shits out

            downloading an exe is "whatever code anyone shits out" cause that's exactly what built binaries are

            A lot of the programs you use on Windows are actually the exact same ones on Linux be it VLC or Chrome. If you want to download binaries directly "from the source" and run those.... well that was always allowed. But remember the entire stack delivering the entire internet to you at any time is open source code that "anyone shits out".

            distros are catering to server installs most of the time. if you want a gui you install that entire stack but for most classic distros like debian the GUI is not the main thing. if you want a GUI from start to finish go with Fedora or the new KDE distro.

            • WarmWash a day ago

              I want a linux distro that seasoned windows users can slide right into, so we can actually get droves of people leaving windows.

      • newsoftheday a day ago

        > Whereas for linux users

        My wife has used Linux for many years successfully and has never used the CLI once.

      • PokestarFan a day ago

        MacOS has a good CLI if you need to use it. There are CLI equivalents for a lot of the system setting/administration stuff.

      • goolz a day ago

        I have had Bazzite on my gaming PC for a while now, never have to mess with the terminal much. It has come a long, long way. Even gentoo has become more accessible than ever. While some of this holds true, you most certainly do not need to live in the command line with some of these distros. Especially if you are just trying to play some games and browse the web, etc.

      • kbelder a day ago

        >Just good enough for grandma to check her email and watch youtube.

        Which is 90% of the use of a computer. And Steam is taking care of the other 10%.

    • sgbeal a day ago

      >> Linux is the only hope at this point for the future of computing.

      Linux is the most obvious, but there are numerous flavors of BSD as well.

      > and yet... still unusable by the mass majority of people.

      That info is 20+ years out of date. Distros like Suse and Ubuntu made Linux "click, click, click, it's installed" more than two decades ago. i've watched complete non-techies switch to Mint Linux long-term, the only intervention from me (their resident techie) being showing them how to boot up the USB stick installer.

    • tapoxi a day ago

      This isn't really true anymore with the advent of Flatpak & Flathub. It's just an app store like any other platform. Even the majority of games work without tweaking.

      • cguess a day ago

        I've run Linux as a daily driver recently; Flatpak and Flathub still break all the time. Not to mention the last time I bumped my Nvidia drivers nothing decided to open anymore.

        Any OS that requires even once going to the command line is unusable for 99% of the population (and for me I just shouldn't ever have to).

        • raudette a day ago

          I hit this recently - nVidia issues with a Flatpak, I spent about half an hour on it, gave up, and just decided to try the app out on another laptop.

    • account42 10 hours ago

      Learned helplessness is a problem, yes.

    • megous a day ago

      Not used does not mean not usable. Primary school aged children used MS-DOS without any documentation in 1990's. Pretty sure randomly selected people would be able to use modern Linux distro, when pre-installed just like windows are.

    • newsoftheday a day ago

      My wife (former Sales Person and Manager) has used Linux for many, many years and prefers it over Windows.

  • chaostheory a day ago

    Who knows maybe Valve can expand from just gaming?

    • account42 10 hours ago

      The same Valve that popularized getting kids hooked on gambling while rent-seeking other people's work?

no_time a day ago

prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".

If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.

At least now I'm a bit more certain that VC is indeed safe.

  • superxpro12 a day ago

    They've finally sprung their enshittification trap. Their move into "open source" was never of friendly origin. It was a business move, plain and simple.

    And now they're locking down Windows OS, hard. Expect github and vscode to follow.

dizhn 2 days ago

Microsoft disabled the developer's certificate so no windows releases can be made.

  • jonathanstrange 2 days ago

    As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?

    Are there some ways to combat such decisions legally?

    • electroly a day ago

      Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.

      I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.

      • ComputerGuru a day ago

        It’s become nigh impossible to get your own code signing cert these days. The 2025 update from the CA forum required code signing certs to be short lived (no more three or five year certs) and stored exclusively on an HSM. As a result, most companies cross-signing these certs have moved to a subscription PaaS model where you are issued a cert but never receive custody of it, and perform signing via their APIs, and are at their mercy should they decide to block your account.

        Anyway, even if you could get your own cert it would be same thing: MS could revoke or blacklist your indicate cert (though usually the grounds for doing so are much less shaky than your account being suspended for vague “tos violations”)

        • electroly a day ago

          I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.

          The Microsoft Store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.

          The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.

          I'm standing by my suggestion, 100%. These aren't equivalent risks at all.

          • ComputerGuru a day ago

            Thanks for sharing your experience. I have been code signing releases for over a decade as an indie publisher myself, until I found myself effectively iced out by the HSM requirement, the increased cost, and the shortened cert lifetimes, which, as someone with certain executive order dysfunctions, I already had a hard time being on top of with the old (multi-year) lifetimes.

            I just migrated to MS artifact signing and, thank the lord, had an actually easier time getting verified than I did with the Sectigo and Comodo in the past. I’m sure I’m not representative of anyone else’s experience but having already had a developer account (with a different email and without an Azure account!) that I had already been using for the Microsoft Store might have helped, as well as the fact that I had a well-established business history (I’ve heard businesses younger than 3 years can’t get verified??), but reading all the comments here makes me very uneasy about the future.

            It’s good to know the HSM route isn’t a complete non-starter. The main reason I panned it is that when I started looking into this I found that a number of companies that had previously offered the HSM route had done a bait and switch and were now keeping custody unless you were big enterprise (meaning willing to put up with 10k/yr fees). I did find a few that would allow OSS devs to sign their work, but read horror stories on Reddit and elsewhere about their freezing the account and issuing no refunds if you ask them to issue the cert in the name of your LLC or corporation instead of with your personal name (which I expressly did not want). Also, they actually were more expensive than Azure artifact signing even after the HSM cost was taken out.

            • electroly a day ago

              I believe you. I also found that many CAs will not deal with a solo developer; that's real. But Sectigo continues to offer HSMs to solo developers. The link I used is [1], you buy the HSM along with your first certificate and they ship it to you. $300/year for the cert, $90 one-time for the HSM. That's not cheap but I think for specific developers looking for an escape from the store, it's a good price for freedom. The HSM is a USB stick with an LED on the back. The software is called "SafeNet Authentication Client" and it sets up the certificate access in your Windows Certificate Store so that signtool can use it. Prompts for the password every time (annoying).

              [1] https://comodosslstore.com/code-signing/comodo-individual-co...
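The signing workflow described in the two comments above (certificate on a USB HSM, exposed to Windows by the token's client software, consumed by signtool), written out as an added example. This is not VeraCrypt's release tooling nor the commenter's script; the certificate thumbprint, installer path, Windows SDK location and timestamp server URL are assumptions you substitute with your own.

```powershell
# Added example: sign and timestamp a release installer with a code-signing
# certificate whose private key lives on a USB token (HSM). The token's client
# software registers the cert in the current user's Personal store; signtool
# then drives it via the Windows crypto APIs and the token prompts for its PIN.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # assumption: SHA-1 thumbprint of your signing cert
    [Parameter(Mandatory)] [string] $Installer,    # assumption: path to the .msi / .msix / .exe to sign
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'  # assumption: your CA's RFC 3161 server
)
$ErrorActionPreference = 'Stop'

# Locate signtool.exe from the Windows SDK (assumption: SDK installed in the default place).
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK' }

# Pre-flight checks on the certificate before touching the token.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'no private key handle: is the token plugged in and its client software running?' }
if ($cert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($cert.NotAfter)" }

# /fd SHA256  : digest algorithm for the file hash
# /sha1       : select the certificate by thumbprint (the store, not a file, so the key never leaves the token)
# /tr + /td   : RFC 3161 timestamp; this is what lets the signature keep validating
#               after the (now short-lived) certificate itself expires.
& $signtool sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa: verify against the Default Authenticode policy, which is what Windows applies
# to installers and user-mode binaries (the default policy is the kernel-driver one).
& $signtool verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Second opinion from PowerShell: status, signer, and whether a timestamp countersignature is present.
$sig = Get-AuthenticodeSignature $Installer
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Timestamped = [bool]$sig.TimeStamperCertificate
    Expires     = $sig.SignerCertificate.NotAfter
}
```

Run it as `.\sign-release.ps1 -Thumbprint <hex> -Installer .\MyApp.msi`. The timestamp is the part worth checking every time: without it, a signature made with a one-year certificate stops validating when that certificate expires, which is exactly the failure mode the shorter lifetimes mentioned above make more likely.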

              • ComputerGuru 5 hours ago

                For comparison, my code signing cert via Azure (no Microsoft store account required, can be used to self-publish binaries/installers the old-fashioned way) is $10/month, or about a third of the price Sectigo is charging you. I figured it was worth trying this route first, though I had to write my own basic tooling around it.

              • account42 10 hours ago

                > it's a good price for freedom

                For a freedom you didn't have to pay for at all? Why accept this absurdity?

            • rstupek a day ago

              The sectigo HSM is just a USB stick they actually mail you, so it's not onerous.

          • Moni_Mac 17 hours ago

            I must say your experience is interesting. I am using https://signmycode.com/sectigo-code-signing, but I have chosen Install on Existing Token (Google Cloud KMS), and it's quite easy for me to handle the stuff. I am not scared of key storage or security issues, nor of password protection or forgotten-password issues.

      • trinsic2 a day ago

        Yep. OS level stores are just way for the org to exercise control over installs.

        I have stayed far away from that process for a long time. Apple MacOS seems like the worst in that department IMHO.

        • achandlerwhite 21 hours ago

          what do you mean? mac doesn't require the use of the store at all, or even an apple id to use your computer

          • trinsic2 21 hours ago

            It doesn't require it, and neither does the Windows store. It centralizes control over apps. Apple leverages its OS to create friction for installing apps from the web.

            Microsoft and Apple use their OS stores to slowly take away control and ownership from device owners.

      • Joe_Cool a day ago

        I have found that MS still blocks my signed and timestamped .msi files for at least a few days. From saving the downloads in Edge and then via Smartscreen once you get it downloaded.

        If I submit it manually for every update it tends to go better. If more people download and install it whitelists faster. But that is highly annoying, orwellian bullshit. Might even be anti-competitive or downright illegal.

        • electroly a day ago

          I see the same behavior with my MSIs. I've had better luck with my MSIXs. As much as I like being Store-free, I have a June 2025 release of an MSI-based app that still gets dinged by Edge and again by SmartScreen. A different MSIX-based app, with almost no users, gets dinged by Edge but not by SmartScreen. It's the same certificate. I can never be sure what other users are seeing, though.

          tbh, I thought that I had built enough reputation on this particular MSI release, until testing it just now. Hate to see it :(

          • Joe_Cool a day ago

            Yeah, same here. It's a black box. Nobody knows how it works or what you can do to make it hassle free.

            MS went from "developers, developers, developers" to being a nightmare for everyone involved.

            I actually liked Visual Studio 6 and the old MSDN. Now I only wish they were gone.

      • rkagerer a day ago

        Thank you for that. Although it may be unlikely, I'd love to see a mass exodus away from their failed attempt to emulate all the worst aspects of appstores popularized in other platforms.

        I grew up being able to download software and install it, and actually prefer that model (relying on reputational trust of the party publishing it, my own verification from other signals researched, or sandboxing techniques where appropriate).

        Most users may not be aware, but a rare gem of a version of Windows that refreshingly doesn't even come with the store (or a bunch of the other unwanted bloat) is IoT Enterprise LTSC.

        As a lifelong Windows user, the premise of Microsoft controlling what goes on my PC is revolting. I'm buying a tool from them, not a set of handcuffs. If it was some non-profit, open-source group running the store I might be more inclined to trust it. But ultimately the only gatekeeper on a product I own should be me. Otherwise I don't really own it, which leads to problems like this one.

    • shelled a day ago

      Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.

      And of course, it doesn't affect their earnings and there are no consequences, or no significant ones, so they won't care and won't respond or tell what went wrong.

      Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.

    • politelemon 2 days ago

      This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.

      If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.

      • account42 10 hours ago

        For open source user space programs, another option is to just not sign your software. Will annoy your users, some of which will annoy you in turn, but many are already trained to ignore the scary warnings Windows shows in that case and more will continue to be trained until more reasonable options exist.

    • technion a day ago

      There's more to it. Signed desktop software can be signed by any CA.

      Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.

      In general this isn't your problem.

      • raxxorraxor a day ago

        Speculation as well and highly unlikely. Microsoft drivers can very well BSOD your machine as well, not a significant or convincing threat scenario and certainly not something that led to certificate revocation of driver developers. There is zero quality control or review by Microsoft here. Not for their own products and not for third party ones.

        • fluoridation a day ago

          That's not entirely true. Certain classes of signing keys require driver developers to put their driver through a test battery and submit the results to Microsoft.

          • rkagerer a day ago

            I wish Microsoft expanded and built on that model, instead of moves like firing swathes of their QA staff.

            It could have grown into a massive, self-service testing playground where any developer could submit their product and put it through an arsenal of basic, automated evaluations (e.g. does uninstall leave tidbits behind?), with paid upgrades to more tailored services. They could even publish scores to help consumers coarsely compare workmanship across different vendors, and encourage an emphasis on quality across the whole ecosystem.

            Instead they decided to just become overpaid bouncers who take your money, check your ID, and don't even bother about what you bring through the door.

    • lossyalgo a day ago

      According to this: https://x.com/EdgeSecurity/status/2041872931576299888

      > ...it seems like they instituted an identity verification policy, didn't notify me about it, and then I guess they suspended accounts who didn't do the verification.

      So, make sure you verify your account? Check spam folder regularly? Log in via web interface at least once a year?

      • hulitu a day ago

        > So, make sure you verify your account?

          What? On my computer? Microsoft really has some nerve. My Microsoft account is scheduled for deletion.

        • lossyalgo a day ago

          I guess we can assume you won't be releasing any software for Windows in the near future :)

    • actionfromafar a day ago

      You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?

  • Gareth321 a day ago

    We can still install, right? It just comes up with a scary warning. Still not great but at least we aren't locked out.

    • Strom a day ago

      You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.

      • HauntingPin a day ago

        Afaict, you can't disable driver signature enforcement permanently without disabling secure boot.

        • raxxorraxor a day ago

          Secure boot is an anti-feature in most of the landscape anyway. Sure, if you have a distribution under your control or influence it could theoretically be a benefit. But you need to not be stupid or naive here.

          You can also roll your own encryption if you are not stupid and naive. Probably a question of self-reflection.

        • nslsm a day ago

          You also get a huge watermark that says "Test Mode" that takes up the entire screen (not kidding)

        • Gareth321 13 hours ago

          Okay this is some bullshit.

      • fluoridation a day ago

        Note that signatures are not revoked retroactively when a certificate is revoked. You can still install previous releases.

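The checks the thread has been circling (is the signer in the machine's "Untrusted Certificates" store, is an older release still validating off its timestamp, and will the driver-signing policy on this box even let a `.sys` load) pulled together as one added example. It is not VeraCrypt's code and not any commenter's; it only reads local state. The file path is an assumption, and the Secure Boot and boot-configuration queries need an elevated prompt.

```powershell
# Added example: inspect an already-signed binary (an older installer or a .sys
# driver) against this machine's trust state. Nothing here changes the system.
param([Parameter(Mandatory)] [string] $Path)   # assumption: a signed .msi / .exe / .sys

$sig    = Get-AuthenticodeSignature $Path
$signer = $sig.SignerCertificate

$report = [ordered]@{
    File           = $Path
    Status         = $sig.Status            # Valid / NotSigned / HashMismatch / NotTrusted / ...
    StatusMessage  = $sig.StatusMessage
    Signer         = $signer.Subject
    SignerThumb    = $signer.Thumbprint
    SignerNotAfter = $signer.NotAfter
    # A timestamp countersignature is what lets a release made before the
    # certificate expired (or was revoked) keep validating afterwards.
    Timestamped    = [bool]$sig.TimeStamperCertificate
}

if ($signer) {
    # The "Untrusted Certificates" list from the Certificates MMC snap-in is this store.
    $disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed | Select-Object -ExpandProperty Thumbprint

    # Build the signer's chain with online revocation checking and see whether any
    # element of it has been pushed into the Disallowed store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($signer)
    $chainThumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $report.ChainStatus       = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    $report.ChainInDisallowed = @($chainThumbs | Where-Object { $disallowed -contains $_ })
}

# Driver load policy only matters for kernel code. With Secure Boot on, test-signing
# mode cannot be turned on, so a driver without an acceptable signature will not load.
if ([IO.Path]::GetExtension($Path) -eq '.sys') {
    try   { $report.SecureBoot = Confirm-SecureBootUEFI }
    catch { $report.SecureBoot = "unavailable: $($_.Exception.Message)" }
    $report.TestSigning = [bool](bcdedit /enum '{current}' | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
}

[pscustomobject]$report | Format-List
```

Read `Status` together with `Timestamped` and `ChainInDisallowed`: a `Valid` result on a timestamped older release with an empty `ChainInDisallowed` list is the situation the comment above describes, while anything in `ChainInDisallowed` means Microsoft (or an admin) has actively pushed that certificate into the machine's untrusted list rather than merely stopped issuing new ones. For a `.sys`, `SecureBoot = True` with `TestSigning = False` is the default state in which the test-mode workaround discussed earlier is not available.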
        • bluGill a day ago

          With all the bugs and potential security flaws that are there and not fixable.

          • fluoridation a day ago

            I don't know what to tell you, man. If you don't want bugs then don't use computers.

LWIRVoltage a day ago

What sucks about this, is due to implementation, Windows is the only way to achieve some stuff in Veracrypt. For example: doing full system partition encryption, and the Hidden OS install that only Veracrypt can do- requires Windows with the computer set to MBR rather than UEFI. I had hoped we'd see more of the plausible deniability tech at the OS level

But aside from one or two experimental attempts, also presented at BlackHat https://web.archive.org/web/20250914062843/https://portswigg...

- the consumer has nearly lost access to high end plausible deniability

  • Tepix a day ago

    > Windows is the only way to achieve some stuff in Veracrypt

    On the other hand, if you get rid of Windows you don't even need Veracrypt.

shelled a day ago

I am somewhat also concerned that this software was still being distributed on SourceForge.

  • reddalo a day ago

    Yes, I stopped using SourceForge after they started tampering with installers to put adware inside of them.

    It's a bit worrying that a sensitive app such as VeraCrypt is still distributed there.

    • poizan42 a day ago

      That was 11 years ago, under DHI Group though. I don't think Slashdot Media have been up to the same shady stuff.

      • Joe_Cool a day ago

        Just shows how quickly and thoroughly those stupid suits managed to destroy its reputation. Guess they love burning money or really needed those tax writeoffs.

  • bartvk a day ago

    But think about it, if they were on Github now, which is owned by Microsoft, would there be even further consequences?

  • frizlab a day ago

    I don’t even understand how SourceForge still exists!

  • luke5441 a day ago

    Depending on GitHub and Microsoft's largesse there surely is much better. See OP.

  • Pay08 a day ago

    Why?

    • qwertox a day ago

      ~2015, "DevShare". They wrapped open-source software downloads with opt-out adware and PUPs (potentially unwanted programs), without the original developers' consent in some cases. They took over abandoned/unmaintained projects (like GIMP for Windows, VLC, etc.) and replaced the original download with their adware-wrapped version.

      • pocksuppet a day ago

        Note that it's meaningless to call out "PUPs" as that category includes many things that are developed and distributed on sourceforge, like torrent clients.

nixpulvis 2 days ago

We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.

  • iamniels a day ago

    We need better OSes such that signing of software is not required to keep your computer safe.

    • drewfax a day ago

      GrapheneOS is doing a lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc and storage scopes are excellent security features. Malware cannot do much even with the default settings.

    • account42 10 hours ago

      We need to stop trying to solve computer security entirely through technical means. We don't do that for any other kind of crime.

    • layer8 a day ago

      With a file system driver like Veracrypt, if it’s malicious, the OS might keep your computer safe, but not your files that you store in that file system.

    • nixpulvis a day ago

      Yes, I completely agree.

    • fsflover a day ago

      Qubes OS is such OS: it runs everything in VMs with strong hardware isolation. My daily driver, can't recommend it enough.

  • PunchyHamster 2 days ago

    Just add code cert generation to Let's Encrypt, it's not like MS validates the code that you sign using certs from them anyway

    • kbolino 20 hours ago

      Actually, Windows by default will not trust code signed by CAs that issue certificates to websites. It will only trust code signed by CAs that are approved for code-signing, which isn't a very large set anymore. Moreover, recent CA/Browser Forum policies forbid dual-use CAs anyway. If Let's Encrypt issues you a certificate for a web site, it cannot be used for code signing.

      It's possible that they could start issuing separate certificates upon specific request for code signing purposes, but it's doubtful they would be willing to meet Microsoft's requirements for such certificates, so their code-signing CA would not be added to Windows's trust store, rendering the certificates it issues useless.

      The ACME protocol, the key automation technology that makes Let's Encrypt possible, performs domain validation only. It verifies that you, the person (or bot) making the request, are an authorized administrator of the DNS records, or port-80 HTTP server, for that domain. This is directly relevant to, and generally considered sufficient for, HTTPS.

      However, domain validation is almost completely irrelevant to, and insufficient for, code signing. Microsoft's rules (and Apple's, incidentally) require establishing the identity of a legal person (individual, or preferably, company). There is no way the ACME protocol can do this, which means that the process is totally out of Let's Encrypt's wheelhouse.

      • account42 10 hours ago

        > However, domain validation is almost completely irrelevant to, and insufficient for, code signing.

        It's actually the only thing that provides any kind of assurance to users. It's not like end users know if FuzzCo is the correct developer for FooApp but they know fooapp.com.

        • kbolino 6 hours ago

          A web site is identified by its URL, which contains its domain. Any good HTTPS implementation cross-checks the requested domain against the SANs of the cert, and does so automatically.

          There is nothing in a piece of random software obtained from some random source that authoritatively connects it with a particular domain. Without bringing an App Store or other walled garden into the picture, the operating system must evaluate an executable file according to the contents of the file itself. On cold launch, the information in the certificate can be presented to the user, and the certificate issuer can be checked against the O/S trust store, but nothing equivalent to the HTTPS domain check can be done.

          DV certs work for the web because of that intrinsic connection between web site and domain. They fail for arbitrary software because of the lack of such a connection. The trustworthiness of code-signing certs comes from the relatively difficult process necessary to obtain them, and not the name attached to them. The identifiable legal entity to which the certificate was issued is more useful to the O/S vendor, as a harder-to-evade ban target, than it is to the end user.
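As an added illustration of the two checks described in this sub-thread (this is example code, not code from the page, from VeraCrypt, or from any vendor): a small Go program issues a DV-style web certificate and a code-signing certificate from the same made-up CA and evaluates each under each policy. The CA, the subject names and the host `fooapp.example` are constructed for the example; Go's `x509.Verify` with `KeyUsages` stands in for an OS verifier's EKU check, and nothing here consults a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA in memory (constructed for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues an end-entity certificate. The EKUs the CA puts in it are
// the whole difference between a DV web cert and a code-signing cert.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	subject pkix.Name, dnsNames []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo verifies leaf against one trusted root for one usage. For HTTPS the
// caller passes the requested host, matched against the SANs; for code signing
// there is no host to match, only the chain and the EKU.
func chainsTo(leaf, root *x509.Certificate, usage x509.ExtKeyUsage, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // empty string disables the hostname check
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err == nil
}

// Outcome records how each certificate fares under each policy.
type Outcome struct {
	DVForHTTPS, DVForCode, CSForCode, CSForHTTPS bool
}

// Demo issues one DV-style cert (serverAuth EKU, SAN fooapp.example) and one
// code-signing cert (codeSigning EKU, legal-entity name in the subject) from
// the same CA and evaluates both under both policies.
func Demo() (Outcome, error) {
	ca, caKey, err := newCA("Example Root CA")
	if err != nil {
		return Outcome{}, err
	}
	dv, err := issueLeaf(ca, caKey, 2, pkix.Name{CommonName: "fooapp.example"},
		[]string{"fooapp.example"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return Outcome{}, err
	}
	cs, err := issueLeaf(ca, caKey, 3, pkix.Name{Organization: []string{"FuzzCo"}, CommonName: "FuzzCo"},
		nil, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		DVForHTTPS: chainsTo(dv, ca, x509.ExtKeyUsageServerAuth, "fooapp.example"),
		DVForCode:  chainsTo(dv, ca, x509.ExtKeyUsageCodeSigning, ""),
		CSForCode:  chainsTo(cs, ca, x509.ExtKeyUsageCodeSigning, ""),
		CSForHTTPS: chainsTo(cs, ca, x509.ExtKeyUsageServerAuth, "fooapp.example"),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The DV certificate passes the HTTPS check because the requested host matches its SAN, and fails the code-signing check because its only EKU is serverAuth; the code-signing certificate passes for code and fails for HTTPS because there is no SAN to match. That asymmetry is the point made above: a domain binding is verifiable for a web connection and has no counterpart for a file on disk.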

    • account42 10 hours ago

      The same Let's Encrypt that recently removed support for using their certificates in clients because Google told them to?

    • mr_mitm a day ago

      What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.

      • sidewndr46 a day ago

        Microsoft signed the Crowdstrike updates. I don't think a CA signing a piece of malware is a realistic thing to be concerned about.

      • megous a day ago

        Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Trustworthiness signal is in the behavior/reputation of the signer.

        Pretty sure there were historically a lot of apps that stole peoples contact lists and were signed properly. Certainly in the Android world.

      • duskdozer a day ago

        Is it some entirely different process than providing hashes and a GPG signature?

        • mr_mitm a day ago

          Well, yes. Just look at OP and Jason struggling to get their code signed.

      • Eldt a day ago

        Misplaced trustworthiness?

  • Pay08 a day ago

    On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.

    [0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...

  • uyzstvqs a day ago

    I suggest that developers could self-sign to verify the legitimacy of future updates. Otherwise leave it unsigned.

    This entire "big tech overlords have to sign apps & drivers to keep you safe" concept is one giant pile of nonsense.
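As an added, concrete version of the self-signing idea above (example code, not VeraCrypt's or anyone's update mechanism): the developer signs a small release manifest with an Ed25519 key, and the installed program verifies updates against a pinned copy of the public key, with no third-party CA involved. The manifest line format, the key handling and the update payloads are all constructed for this example; the Ed25519 and SHA-256 calls are Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the developer signs: release version and SHA-256 of the
// update file. The "key=value" line format is made up for this example.
type Manifest struct {
	Version int
	SHA256  string
}

func (m Manifest) Encode() []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", m.Version, m.SHA256))
}

func parseManifest(b []byte) (Manifest, error) {
	var m Manifest
	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return m, fmt.Errorf("malformed manifest line %q", line)
		}
		switch k {
		case "version":
			n, err := strconv.Atoi(v)
			if err != nil || n < 0 {
				return m, fmt.Errorf("bad version %q", v)
			}
			m.Version = n
		case "sha256":
			m.SHA256 = v
		default:
			return m, fmt.Errorf("unknown manifest key %q", k)
		}
	}
	return m, nil
}

// SignRelease is the developer side: hash the file, build the manifest and
// sign it with the release key (which should live offline or in a token).
func SignRelease(priv ed25519.PrivateKey, version int, file []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(file)
	manifest = Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}.Encode()
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side, against a public key pinned in the
// installed build. Order matters: check the signature before parsing any of
// the untrusted bytes, bind the manifest to the actual file, then refuse
// anything not strictly newer than what is installed, because an old but
// genuinely signed release is otherwise a valid downgrade.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, file []byte, installed int) (Manifest, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	m, err := parseManifest(manifest)
	if err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(file)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("file does not match signed manifest")
	}
	if m.Version <= installed {
		return Manifest{}, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	return m, nil
}

// Scenario runs the four cases a client has to get right on constructed
// payloads and reports whether each update was accepted.
func Scenario() (genuine, tampered, replayed, foreignKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an attacker's key
	if err != nil {
		return
	}
	v1 := []byte("constructed update payload, release 1")
	v2 := []byte("constructed update payload, release 2")
	man1, sig1 := SignRelease(priv, 1, v1)
	man2, sig2 := SignRelease(priv, 2, v2)
	manX, sigX := SignRelease(otherPriv, 3, v2) // right format, wrong key

	_, e := VerifyUpdate(pub, man2, sig2, v2, 1)
	genuine = e == nil
	_, e = VerifyUpdate(pub, man2, sig2, append([]byte("x"), v2...), 1)
	tampered = e == nil
	_, e = VerifyUpdate(pub, man1, sig1, v1, 1) // old release replayed to a v1 client
	replayed = e == nil
	_, e = VerifyUpdate(pub, manX, sigX, v2, 1)
	foreignKey = e == nil
	return
}

func main() {
	g, t, r, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", g, "tampered:", t, "replayed:", r, "foreign key:", f)
}
```

What this does not solve is the bootstrapping problem: the first install still has to get the pinned key from somewhere the user trusts, and a lost or stolen release key needs a rotation path baked in ahead of time. It does remove the dependency the thread is about, since no outside account can switch the developer's own key off.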

  • realusername a day ago

    I think this is fundamentally an unsolvable problem and I'm not even sure it's worth pursuing.

    Any large scale signing platform will have large oversights and be rendered useless. See the appstore / play store/windows...

  • tamimio a day ago

    It should be something like web certificates, you can bring your own.

ninjagoo 2 days ago

Looks like Linux and some of the BSDs are the only remaining truly open OSes.

  • krylon a day ago

    True, however, that has been the case for quite a while. This particular incident doesn't change that, except for the VeraCrypt developer, who is in a crappy situation now (not just regarding VeraCrypt, he mentions he was using the certificate for his main job as well, so this sucks a lot for him).

  • sph a day ago

    Well, of course. Have the other commercial offerings ever been "truly open OSes"?

    • Aachen a day ago

      So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license, and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten story points of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 story points at minimum, even if then you're done for much longer.

      But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware

      There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goes forwards). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also

      When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices

      • sph a day ago

        You'll find that people that are not computer experts will take to modern Linux with much more ease than those that have complex needs, which for 90% of the people these days means that access to the Web satisfies all their needs. Moving from Windows 7 to 11 will probably be as traumatic as moving from Windows 11 to KDE, so it's an investment worth doing in my opinion.

        • SV_BubbleTime a day ago

          While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?

          Like none. Literally the best office you MIGHT KIND OF be able to run in 2016, but probably more like 2013.

          Valve focused on games, that is awesome and really helpful…

          But there are 10,000 distros and instead of putting real resources to put even rickety bridges over MS’s moat, no sorry, this team is making duplication-of-effort distro 10,001 which is now identical to thousands of others but the taskbar is in the middle of screen.

          The people working on Linux are consistently uninterested in the things people would need to drop Windows.

          • trinsic2 a day ago

            > While I agree entirely that Linux in 2026 has never been more usable… how much actual work is being put into Office and 365 tooling native on Linux?

            Why the hell would you want that? Office365 is a buggy piece of nightmare.

            • SV_BubbleTime a day ago

              Because even though you don’t like a thing, the entire world of business uses it.

              Hold your nose and work on WINE if you need to think that way. But MS has moats, and office is one of the widest.

              • trinsic2 a day ago

                I think businesses are going to be forced to change their thinking on this. I'm not interested in emulating Windows programs in WINE. I switched to Thunderbird a long time ago and other programs that give me the features I need without sacrificing my freedom.

                • SV_BubbleTime 17 hours ago

                  Thunderbird UI is absolute trash.

                  LibreOffice also has bad UI choices and glitches.

                  It’s not like we’re talking VLC vs OS Media Player here.

                  You can stomp your feet, but the world uses Exchange and Office and not for no reasons at all.

  • xorcist a day ago

    Until Microsoft decides to no longer sign the Linux boot loader shim (for IBM/Red Hat, no less).

    • irusensei a day ago

      In most cases you can put your computer secure boot in setup mode and roll your own keys.

      • trinsic2 a day ago

        Until they make a CA a requirement, then disable changing the CA settings so it defaults to Microsoft. Then you are fucked.

        • irusensei 2 hours ago

          That would make it extremely inconvenient if MS ever needs to revoke a certificate.

  • SeanDav a day ago

    Except compulsory age verification in Linux is now becoming a real threat. Some Linux distros are actively against this but many are not seemingly interested in fighting it: CachyOS, Ubuntu, Fedora and others.

    Age Verification is the thin end of a much bigger wedge in "open" OS's

    • sunshine-o a day ago

      Yes time to wake up.

      I really believe most "open source" big projects have been compromised long ago. We have seen all those "Foundations" taking them over with all their governance, bureaucracy and goals which do not make any sense at first look.

      One example is Fedora, which is part of "The Digital Public Goods Alliance" [0], "a multi-stakeholder initiative that accelerates the attainment of the Sustainable Development Goals by facilitating the discovery, development, use of, and investment in digital public goods."

      The Digital Public Goods Alliance has about every government as a member plus all the usual suspects: Gates Foundation and co.

      The leadership usually has no background or experience in open source or even computers but is just magically placed there. But you can't say anything because they are mostly women.

      You read the goals and roadmaps of those foundations and find out it has nothing to do with software or open source. It is basically there to control those projects and then have them implement all the age verification, digital id, etc.

      So yes this is not a surprise all those projects are now all in absurd features such as age verification.

      - [0] https://www.digitalpublicgoods.net/

      • account42 9 hours ago

        Yes, all the codes of conduct pushed onto open source projects, often by outside actors or novice contributors backed by a mob, have been mostly about replacing people who care about the projects with people who care more about following rules and will do what they are told.

    • Pay08 a day ago

      I thought community projects (as opposed to the corporate Fedora and Ubuntu) are exempt from such laws.

    • akimbostrawman a day ago

      the current law requires no verification at all, simply attestation, you could put in _any_ age. it also does not affect linux distros as a whole, only distros in jurisdictions with the laws.

      • SeanDav a day ago

        Sure, for now... I simply don't believe it will stop at "simple attestation", because we all know that simple attestation is practically useless, but once the various distros accept this "trivial" inconvenience, "Age verification 2" with harsher requirements will soon be on the way.

        I would be ecstatic to be proved wrong on this, but experience tells me that is not likely to happen.

        • imglorp a day ago

          We all know it's not about age, it's about user identity. As above, it's clearly a wedge so it's not rhetorical to observe more invasive and controlling features are coming.

          • BizarroLand 3 hours ago

            I wouldn't be surprised if it is being done to help microslop and AI companies lock in their profit margins.

            Right now, if a handful of tech companies crater they'll take the whole world's financial systems out with them, so the government could easily be made complicit in any scheme they can conceive of to bolster their finances.

        • pocksuppet a day ago

          Simple attestation is very useful for the case where a parent gives a child access to a computer and wants that computer to block porn. That's the use case everyone is clamoring for, and asking the root user "how old is this user?" solves it in a simple, open, privacy-preserving way. Everybody wins, except the teenager who wants to watch porn. If this were not legally mandated, everyone would support it as a useful feature, but since it is legally mandated, we have to get angry about it.

          • SeanDav a day ago

            This has got very little to do with children - that is just the excuse that sounds good. "Think of the children" is a rhetorical tactic that anyone who wants to get unfettered access to your data rolls out whenever they can. It is a tactic that unreasonable people use to influence reasonable people, because it is so difficult for a reasonable person to argue against without coming across as uncaring and/or bigoted.

            • pocksuppet a day ago

              If it was an excuse to get your data there would be some data-getting involved. It may be hard for you to believe, but lots of people really do want parental controls that actually work and are bound by the force of law.

              • SeanDav 21 hours ago

                This is likely the first step, and in itself is not much of a concern but only if it stops there, which it almost certainly will not. The next step, where the government argue that simple attestation is not secure enough to protect the children, and now we need to show a government ID is when the true damage starts.

                This is a little like the joke: "Madam, would you sleep with me for 1 million dollars?", to which she replies "I would". "Madam, would you sleep with me for 1 dollar?", to which she replies, "Sir, what sort of woman do you think I am?" To which he replies "We have already established what sort of woman you are, now we are just trying to establish your price!"

                By agreeing to this initial Age Verification, companies are establishing that they are willing to implement checks on age for their users, now we will see just how much more they are willing to do - all to protect the children of course.

              • trinsic2 a day ago

                Yes that may be true, but parents are being misguided by efforts that are trying to control aspects of data.

                If you, as a parent, make yourself open to this attack, you will find that you are making us less free of a society by expecting others to parent for you.

                • pocksuppet 7 hours ago

                  If you oppose minimal, sensible parental controls, you open the door to whatever someone can jam down our throats that also happens to implement parental controls as a side effect.

                  If you oppose the law to force liquor stores to deny service to minors, but people are still upset about minors getting alcohol, you have no right to be surprised when the next proposal is to ban alcohol for everyone, and you have no right to be surprised if it passes.

                • account42 9 hours ago

                  Worse, they are making society less free for their children - the parents themselves will be either dead or too old to care by the time the consequences are in full swing.

          • account42 9 hours ago

            If you think you or anyone can stop motivated teenagers from watching porn then I have a bridge to sell you. That is such an absurd goal that you really should be asking what the real motivations for this are.

            • pocksuppet 7 hours ago

              If you think you or anyone can stop motivated teenagers from getting alcohol then I have a bridge to sell you. That is such an absurd goal that you really should be asking what the real motivations for [forcing liquor stores not to serve minors] are.

        • OkayPhysicist 21 hours ago

          Literally the entire purpose of the law California passed, which Linux is responding to, is to preempt such laws: If someone says "we need identity verification because think of the kids looking at porn", it's now trivial to say "we already solved that problem, without deanonymizing everyone on the internet".

      • account42 9 hours ago

        That's how these things always go. No one is ever asked to build the whole thing, just provide one more brick.

not_a9 a day ago

https://community.osr.com/t/locked-out-of-microsoft-partner-... Could be a related issue to this? Maybe Microsoft just doesn’t want driver developers for whatever reason.

  • altairprime a day ago

    Presumably it’s part of their commitment to kill kernel patching in Windows, to prevent another Worldwide Enterprise Windows Outage Caused By A Buggy Vendor DLL event.

  • superxpro12 a day ago

    It's my computer. It's my OS. I own it. I paid my money and bought the program, not them. I am free to install whatever software and modify whatever kernel components as I see fit.

    I am so sick and tired of the continued erosion of the ownership model. I don't want to rent anything. But corporations see it as an avenue to increase revenue. We pay more, for less. What else is new.

tomgag a day ago

Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.

Switch to Linux if you can, and come give Shufflecake a try ;)

https://shufflecake.net/

  • LWIRVoltage a day ago

    .... This deserves its own post on HN, just for awareness.

    Aside from https://web.archive.org/web/20250914062843/https://portswigg... , there haven't been really many goes at going for plausible deniability with modern systems, and I see the segment about a Hidden OS feature in work as well.

    Hoping this succeeds. Funny, eventually Shufflecake, after it gets fully capable on Linux, might have to look at making versions for Windows and Mac

_s_a_m_ a day ago

Microsoft doing everything in their power to be assholes, as always

  • krylon a day ago

    As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.

    • cm2187 a day ago

      It doesn’t help that they do that sort of shit AND mandate a Microsoft account for logging in to Windows. Also how much trust can you have that if you move your business to Azure they will not randomly kill it. Incompetence or malice, almost doesn’t matter to the average user.

      • krylon a day ago

        The outcome is the same, yes. With incompetence, there is at least a glimmer of hope things will get rectified. But you are correct, trust is destroyed this way, and it doesn't look like Microsoft cares much.

    • account42 9 hours ago

      And never underestimate the capacity of useful idiots for defending malicious actors.

idolofdust a day ago

Get off Windows right now.

The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.

RandomGerm4n a day ago

That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows users doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.

  • Deathmax a day ago

    Microsoft has been taking steps to mitigate the leaked code signing certificate problem.

    On the driver side of things, new versions of Windows no longer trust the cross-signed certs, so you must submit your driver to Microsoft to validate and sign, so no private key to go missing. https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

    On the regular Authenticode side of things, the new CA/B Forum rules have prohibited storing new private keys outside of hardware modules for a while now, so eventually you won't be able to find a leaked private key for code signing that would still be valid.

  • redox99 a day ago

    That's kind of crazy. Why doesn't Microsoft revoke such certs such that you can't sign new software with it?

totetsu 12 hours ago

looks like the latest update was

> Mounir IDRASSI - 7 hours ago
>
> Thank you all for your feedback and your support in getting media attention through various social platforms.
>
> After posting this, other developers in the security fields (like WireGuard) came forward to announce that they have the exact same issue. I understand why nobody talked publicly about this before and I'm glad that by going public I pushed others to do the same.
>
> Positive aspect is that a Microsoft VP (Scott Hanselman) has announced on X that he will help address this issue affecting me and others. He also reached out to me and connected me with other Microsoft people to help address this issue.
>
> I will let you know how things go.

8cvor6j844qw_d6 a day ago

Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.

  • Pay08 a day ago

    That seems like a very nonsensical stance.

    • pocksuppet a day ago

      Well look at something like ANOM. The FBI encouraged its use. Because it was run by the FBI and they could see all the private messages.

      If Veracrypt was a honeypot, the powers that be would go out of their way to make it as easy to use as possible. They'd instantly sack whoever made this decision, and reverse it.

  • baobabKoodaa a day ago

    The biggest risk in encryption software is that you lose access to your data. You seem to be ignoring that risk completely and focusing on something else entirely.

    • dboreham a day ago

      I don't think you would lose access. You can always recover data on an open platform such as Linux.

folbec a day ago

I would not be surprised if it was some sort of AI driven mistake.

Some guy somewhere deciding to delegate threat assessment to Copilot or some other automated tool.

  • john_strinlai a day ago

    i would bet a year's salary that you are correct. copilot or some automated process. and then the message is automated with an automated appeal-denial flow.

    conspiracy theories are fun and all, but 99.99% of the time it is just incompetence, miscommunication, etc.

hereme888 a day ago

Besides Veracrypt, are there any real alternatives to Bitlocker for total drive encryption in Windows?

baobabKoodaa a day ago

Can someone please explain the implications for current Windows users of VeraCrypt?

1970-01-01 a day ago

Why is there no simple workaround for this? Why is it dead in the water and why can't we use another mechanism to verify the update files with SHA1? It's all been done before [1]. This would be an improvement, as it enables the project to continue working without any handcuffed relationship to Microsoft.

[1] https://github.com/HyperSine/Windows10-CustomKernelSigners

francosimon a day ago

VLayer (my project) scans healthcare codebases for HIPAA compliance issues before they reach production. One thing I learned building it: developers rarely think about encryption until it's too late. Tools like VeraCrypt solve the "data at rest" problem, but the bigger issue in healthcare software is unencrypted data in logs and API responses — stuff that's much harder to audit manually.

baobabKoodaa a day ago

Anyone here who could reach out to specific persons inside Microsoft who could fix this?

trashface a day ago

Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.

pjdesno a day ago

Interesting.

My only experience with Veracrypt is via a law firm I was consulting with, who used it to protect some files they were sharing with me. Law firm and their end client are both big, prestigious companies.

satai a day ago

Microsoft can't be trusted.

Never was, isn't and I guess won't be.

Havoc a day ago

Microsoft continues to push for year of the Linux desktop

Izmaki a day ago

Reminds me of when users of TrueCrypt were urged to just install BitLocker instead. Sus AF.

mapontosevenths a day ago

Any chance this is the issue?

https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

  • HumanOstrich a day ago

    From TFA: "I have encountered some challenges but the most serious one is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader."

    • mapontosevenths a day ago

      Yeah, and the first comment beneath that mentions that the most recent version is signed with the "2011 CA" that the article I link to discusses being deprecated.

      My guess was that he got caught up in some house-cleaning. My theory being that he's still signing his code the way malware authors also do and got flagged by some automated review that's meant to force him to go get WHCP certified or whatever the new route is.

      • HumanOstrich a day ago

        The article you linked says the change is rolling out in April in evaluation mode.

        And if it were related to some kind of scan and malware flagging, the cert would have been revoked. It is not.

kwar13 a day ago

very much sounds like microsoft

speedgoose a day ago

It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.

  • repelsteeltje a day ago

    Yeah but isn't the point of these certificates to express trust?

    The point isn't (or: shouldn't be) to forcefully find your way through some back alley to make it look legit. It's to certify that the software is legit.

    Trust goes both ways: we ought to trust Microsoft to act as a responsible CA. Obfuscating why they revoked trust (as is apparently the case) and leaving the phone ringing is hurting trust in MS as a CA and as an organization.

    • sidewndr46 a day ago

      who on planet earth trusts a piece of software because Microsoft signed it?

      • roelschroeven a day ago

        There are different types of trust, but at the very least with such a signature you can trust that the piece of software is really from Veracrypt and not from a malicious third party.

      • repelsteeltje a day ago

        For one: Most if not all virus scanners.

        A signature is a signal, not an absolute. Although, to be fair, if Microsoft (or most other CAs) had done a better job, then that trust would have carried more weight than it does currently.

      • mr_mitm a day ago

        Trust isn't binary, it's a spectrum. A signature is a signal that should increase trustworthiness. Not the strongest signal, perhaps even a weak one, but it's not zero.

  • orbital-decay a day ago

    That's what VeraCrypt is, a fork of the original TrueCrypt after all the drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.

  • subscribed a day ago

    Probably not French though, given how hostile it appears to be to encryption/security related projects (GrapheneOS had good arguments re: that).

    • kijin a day ago

      The author is now based in Japan, and even owns a veracrypt.jp domain. Meanwhile, the old veracrypt.fr domain redirects to veracrypt.io.

      Seems rather clear that he doesn't want French jurisdiction.

  • fg137 a day ago

    And Microsoft will be happy to shut that one down because of their incompetence.

    So we'd better find a real solution now.

ece 10 hours ago

If bitlocker wasn't crippled[1] on the home versions of Windows, this would be a non-issue. I hope a solution is found, even if it's 3rd party signing that works like the present solution.

[1] https://www.microsoft.com/en-us/windows/compare-windows-11-h...

Tsarp a day ago

For folks looking for a much simpler single binary alternative.

https://github.com/srv1n/kurpod

  • layer8 a day ago

    This is not a replacement, as it has no native file system integration, only a web interface.

    • Tsarp a day ago

      It's not just a web interface. It creates a storage container that can grow and be compacted on the fly and is fully portable.

      • layer8 a day ago

        If it doesn’t have file system integration, you can’t edit files in it using regular software.

avaer a day ago

Forced software signing should be illegal.

  • Pay08 a day ago

    It's not forced, especially for normal software, you just get a popup. It's a bit of a pain to disable the requirement for drivers, though.

    • baobabKoodaa a day ago

      I don't think you can install VeraCrypt, at least for system encryption, unless the installer is signed

      • Pay08 a day ago

        According to further up the thread, you can if you disable secureboot.

        • pocksuppet a day ago

          And you mess with your boot.ini and ignore that half your screen is taken up by a TEST MODE banner. Buy a screen twice as big and tape over half of it, I guess.

shevy-java a day ago

This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.

We really need viable solutions. I have been using Linux for 21+ years or so, so it does not affect me personally, but I think Linux needs to become a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).

  • SV_BubbleTime a day ago

    I will continue to suppose that the “real issue” with Linux is that the people drawn to developing it will not work well with others and continue year after year to waste time and duplicate effort on five decent, and ten thousand pointless, distributions.

    Whatever reason for this refusal / inability / choice to not contribute but rather re-create is on the reader to assume.

    There is very little effort put into real progress as you point out. Sure, tons of work to move from x11 to Wayland, cool, only the developers give a shit… where is Office/365 that would make daily driving actually viable?

    While WINE is impressive, it seems the only real progress for anything past Windows 7 is on paid versions of which there are at least three competing options.

    Linux Desktop progress is slow because it’s thousands of floundering side-projects without a goal of actually pulling normal users in.

swordsith a day ago

if michalesoft wants to take away our ability to sign drivers, they will find there are more than enough vulnerable, easily exploited drivers we can use that are pre-signed online. Thank you micosawft!

orionblastar 21 hours ago

Gone are the days when one can be anonymous on the Internet. Now, in some places, we have to prove our age and identity. This is leading to a digital ID. This will end badly.

teekert a day ago

I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?

  • account42 9 hours ago

    Linux isn't inherently safe from the signed boot chain mindset either if you run a mainstream distribution.

steve1977 a day ago

If only there was a way to sign software and not depend on a centralized authority, something like a... web of trust?

(and yes I know, you'd need to have the option to have "your" (haha...) OS trust it of course)

lofaszvanitt a day ago

What about the guy who originally created it. Paul Le Roux, the criminal mastermind? That's a wild story :D.

unethical_ban a day ago

I run a dual boot of Windows and am currently daily-driving CachyOS quite happily. I've been playing some Crimson Desert and got some occasional crashes... But any other game I have has run smoothly.

Their GUI tools for package management are thin wrappers on CLI tools, but are enough hand-holding that most people should navigate it fine. More devices worked out of the box for me with Linux than Windows.

Just like if you haven't tried AI in a year and have mocked it, you need to try it again. If you haven't tried Linux desktop in a few years, you need to try again. CachyOS really does seem to handle the driver installs and gaming compatibility well.

  • raggi a day ago

    Cachy pushed a Limine update last weekend without any testing. It broke everyone with secure boot signing. Head proton versions are great, but games tend to turn into a laggy mess after a couple of hours and need regular restarts.

    It's decent, but it's not all roses at all, and I wouldn't inflict it on non-techies yet.

    • unethical_ban 4 hours ago

      Ah, I disabled secure boot assuming it's pointless and wouldn't work with arch and dual booting anyway. Maybe I have more to learn.

      Perhaps cachyos should maintain LTS metapackages for more than just the kernel. Video drivers, boot managers and whatnot.

      For a "non-gamer" I would probably keep them on Fedora or even Debian.

ChrisArchitect a day ago

Update from Scott Hanselman:

> Hey I love dumping on my company as much as the next guy, because Microsoft does some dumb stuff, but sometimes it's just check emails and verify your accounts.

Not every "WTF micro$oft" moment is a slam dunk. I've emailed VeraCrypt personally and we'll get him unblocked. I've already talked to Jason at WireGuard.

Not everything is a conspiracy, sometimes it's literally paperwork.

(https://x.com/shanselman/status/2041977121686585396 https://xcancel.com/shanselman/status/2041977121686585396)

bilekas a day ago

And yet another example of companies turning actively hostile against their users.

The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.

ErroneousBosh 2 days ago

Jesus, sourceforge is still on the go?

  • tvbusy a day ago

    I understand that most people want to move to other more modern tools, it's up to you. However, what baffled me is why the author's choice not to move is a problem? Did we pay them to move and they did not move as promised? Was there some crowd funding to move that was not fulfilled?

    • ErroneousBosh a day ago

      I just didn't think Sourceforge was still running. There was a mass exodus from it about 20 years ago when it became a massive ad farm that started injecting ads into people's tarballs.

      It was never as good as freshmeat.net even in its heyday.

    • IshKebab a day ago

      > what baffled me is why the author's choice not to move is a problem?

      Because Sourceforge is horrible to use and was at one point actively pushing malware? It's pretty obvious tbh.

  • SXX 2 days ago

    Might be it's even not using all your code to train AI. Or at least not asking your explicit permission to do it.

    • JimDabell a day ago

      Not every conversation has to be a conversation about AI.

      • account42 9 hours ago

        Not every conversation but as long as GitHub is the most popular code hosting platform it's very much relevant to that discussion.

        • JimDabell 7 hours ago

          This is an article about an encryption software project getting their Microsoft account terminated. It’s not the place to spam a completely off-topic complaint about the AI use of a service completely unrelated to the project.

    • karel-3d 2 days ago

      sourceforge was always very scummy, I think they would definitely use the code for that if they could

      • mbreese 2 days ago

        It wasn’t always scummy… but there was a definite shift after they got bought. It’s kept getting worse since then.

        Then again, this was something like 20 years ago. Back then, Sourceforge was something closer to GitHub today. It was the de facto public source repository. You could even get an on-premise version, IIRC.

        Actually, this is sounding a lot like GitHub these days… not sure what that means.

        • ErroneousBosh a day ago

          As I've said elsewhere, freshmeat.net was better :-)

          • mbreese a day ago

            For project discovery, definitely -- but not as a source code repository.

            Wow, we're dating ourselves on this, but I remember when it was a big deal that SF.net added SVN support. They apparently didn't turn off CVS until 2017!

            • ErroneousBosh a day ago

              Yeah, I remember introducing a web dev company to SVN in about oh maybe 2006. Prior to that their "version control" was a webroot full of shit like "index.php", "index.php.old", "index.php.broken", "index.ryan.donottouch.php", "indexTUESDAY.php" and so on.

              Yeah no, guys, that's not what I meant. Let me just show you this real quick...

              I wonder if enough of freshmeat still exists on the Wayback machine to make a clone, maybe a skin for forgejo?

              Simpler times, simpler everything.

  • egorfine 2 days ago

    And unfortunately some projects exclusively use sourceforge. Which breaks some of my CI pipelines.

  • kome a day ago

    yeah, it just works

hernanhumana a day ago

cool project

cynicalsecurity a day ago

If you use Veracrypt on Windows then you have no idea what you are doing. Windows is not safe. Use Linux only.

  • HackerThemAll a day ago

    I would have loved to switch a long time ago, but I make money on Windows enterprise customers, using specific Windows tools that have no reasonable Linux counterparts.

    I'll throw my Windows laptop out of a (pun intended) window on the exact second I'll secure viable and sustainable income using Linux. I know it can be done, but so far it's outside of my circles.

saidnooneever a day ago

maybe an old vulnerable signed driver can be used to load the new version :D. On a more serious note, I think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.

if they had a reason other than 'oops mistake' it's likely just going to remain in place. (sadly, that is how MS is. if you care for privacy maybe go to BSD)

  • a_paddy a day ago

    Who said vulnerable? Perhaps just a driver with less features.

    • no_time a day ago

      GP refers to the practice of getting kernel level code execution using other, old vulnerable drivers and using it to run the VC driver.

Hizonner a day ago

This highlights the fact that not only is supporting Windows dangerous to your project, but using Windows is dangerous to your security.

Ms-J a day ago

Posted this earlier from a throwaway since my account wasn't able to reply for some odd reason and it was marked as dead:

Hello Jason!

I want to first thank you for all of your hard work developing Wireguard.

If I can find someone who is willing to put their name on it to help I definitely will, the problem is the spy agencies don't want your project to exist. It makes it harder to put resources to this. I've worked in security departments of certain companies and saw everything you could imagine.

Same for Mounir over at Veracrypt.

Both of you are developing some of the most important software that exists today.

Keep doing what you are doing by keeping everything in the open. User trust almost doesn't exist for these types of projects. Any hint of an issue would wipe that out in seconds.

This leads me to one question I do have for you zx2c4:

Why does Wireguard attempt to contact your servers and auto update on Android with no toggle to turn this off? It's a threat to everyone. Maybe it also does this on other platforms but I haven't tested them all.

I can think of reasons as to why you did this, none nefarious, but still it would be nice if you included that option so I don't have to patch each update to turn this off.

Thanks.
