This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60-day appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.
If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.
Now this is even more alarming! WireGuard's creator has their Microsoft account suspended...
<Tin foil hat on>
Microsoft doesn't want to allow software that would allow the user to shield themselves, either by totally encrypting a drive, or by encrypting their network traffic!
</Tin foil hat on>
> Microsoft doesn't want to allow software that would allow the user to shield themselves
I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
Wait, what?! I was sure that the agenda of Big Tinfoil was to generate FUD so that we buy more tinfoil for our hats. Are you implying their agenda goes even deeper?
> I don't think Microsoft cares (about anything else than making money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.
Microsoft the corporation may only care about making money, but a lot of very high ranking folks within MS Security aren't just friendly to intelligence agencies, they take genuine pride in helping intelligence agencies. They're the kinds of people who saw nothing wrong or objectionable with PRISM whatsoever, they were just mad they got caught, and that the end user (who they believe had no right to even know about it) found out anyway. The kind of people who openly defend the legitimacy of the FISA court.
These aren't baseless accusations; this comes from first-hand experience interacting with and talking to several of them. Charlie Bell literally kept a CIA mug on a shelf behind him, prominently visible during Teams calls, as if to brag.
Remember - Microsoft was the very first company on the NSA's own internal slide deck depicting a timeline of PRISM collection capabilities by platform, started all the way back in 2007. All companies on that slide may have been compelled to assist with national security letters. Some were just more eager than others to betray the privacy and trust of their own customers and end-users.
Where are the people that tried to sell us software signatures as security benefit? The reality is that they are a very specific security problem. In theory and in practice.
Having multiple accounts wouldn't help, as Microsoft could easily suspend all the accounts of everyone associated with the project if any account looks suspicious. The single point of failure is Microsoft.
Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?
Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.
I tried to set up a partner account for driver signing last year (as a business entity) and it already seemed basically impossible. I think they're getting ready to just simply not allow it at all.
This is stupid. If Microsoft wants people to stop writing kernel drivers, that's potentially doable (we just need sufficient user mode driver equivalents...) but not doing that and also shortening the list of who can sign kernel drivers down to some elite group of grandfathered companies and individuals is the worst possible outcome.
But at this point I almost wish they didn't fix it, just to drive home the point harder to users how little they really own their computer and OS anymore.
I think it’s intentional; those encryption (at rest/transit) applications are outside of MS control and, you can assume, outside of potential backdoors by three-letter agencies. BitLocker vs VeraCrypt? Of course BitLocker is favorable from their perspective.
I wouldn’t be surprised if NSA already had a list of these applications and the strategies on how to cripple them or worse, compromise them.
True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.
They need to get some tech site like Ars Technica to write about it, like they did when Neocities couldn't get ahold of Bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
It's much worse than you think. Press coverage -> manual intervention is at best a bandaid covering up a major wound in a flaw that happens with independent software distribution.
The old model where the user decides which software or apps to run on their machine is basically already replaced by a whitelist system that is managed by companies who have no interest or obligation to approve developers. Factors like "being an individual", an open source developer or god forbid residing outside the USA, you rely on a combination of L1 support doom loops, unjustifiable high recurring prices, kafkaesque and changing requirements, internal inconsistencies. Windows is the worst, but all platforms (except Linux) suffer from this and you can and will get hurt, delayed, and gaslit. If you haven’t, it’s just a matter of time.
I have been blocked for 6 months now with Digicert code cert renewal, for my app Payload, which will never get any media attention. The app doesn’t matter though, the approval process is per-entity (usually, a company). The point is that nobody gives a shit, because they have a monopoly/cartel and they start the validation process after they take your money.
If you are not an app publisher, the best way I can describe it is the "pre-Let’s Encrypt" era of SSL certs, but more expensive, strict and ambiguous. In fact, I’ve never gone through any worse approval process in my life, and that includes applying for residency in two countries, business licenses, manual tax filings etc.
This is worrying on many levels. So Microsoft force you to create an account to use Windows and then they reserve the right to block you from your own account, thereby potentially making you lose access to all your OWN data. This is crazy and yet another reason to stop using Windows as soon as possible.
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?
Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.
I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.
More importantly, if development ceased with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on BitLocker of all things, a new version of TrueCrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent to a crowd funded source code audit that, in the end, did not find any severe issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).
That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".
You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.
As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?
Are there some ways to combat such decisions legally?
Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.
And of course, it doesn't affect their earnings and there are no consequences, or no significant ones, so they won't care and won't respond or tell what went wrong.
Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.
This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.
If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.
There's more to it. Signed desktop software can be signed by any CA.
Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".
If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.
At least now I'm a bit more certain that VC is indeed safe.
True, however, that has been the case for quite a while. This particular incident doesn't change that, except for the VeraCrypt developer, who is in a crappy situation now (not just regarding VeraCrypt, he mentions he was using the certificate for his main job as well, so this sucks a lot for him).
So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten storypoints of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 storypoints at minimum, even if then you're done for much longer
But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware
There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goes forward). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also
When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices
Except compulsory age verification in Linux is now becoming a real threat. Some Linux distros are actively against this but many are not seemingly interested in fighting it: CachyOS, Ubuntu, Fedora and others.
Age Verification is the thin end of a much bigger wedge in "open" OS's
The current law requires no verification at all, simple attestation; you could put in _any_ age. It also does not affect Linux distros as a whole, only distros in jurisdictions with the laws.
Sure, for now... I simply don't believe it will stop at "simple attestation", because we all know that simple attestation is practically useless, but once the various distros accept this "trivial" inconvenience, "Age verification 2" with harsher requirements will soon be on the way.
I would be ecstatic to be proved wrong on this, but experience tells me that is not likely to happen.
As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.
It doesn’t help that they do that sort of shit AND mandate a Microsoft account for logging in to Windows. Also how much trust can you have that if you move your business to Azure they will not randomly kill it. Incompetence or malice, almost doesn’t matter to the average user.
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.
What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows users doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes.
So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new Microsoft account by making sure it passes all the requirements?
Yeah but isn't the point of these certificates to express trust?
The point isn't (or: shouldn't be) to forcefully find your way through some back alley to make it look legit. It's to certify that the software is legit.
Trust goes both ways: we ought to trust Microsoft to act as a responsible CA. Obfuscating why they revoked trust (as is apparently the case) and leaving the phone ringing is hurting trust in MS as a CA and as an organization.
There are different types of trust, but at the very least with such a signature you can trust that the piece of software is really from Veracrypt and not from a malicious third party.
Trust isn't binary, it's a spectrum. A signature is a signal that should increase trustworthiness. Not the strongest signal, perhaps even a weak one, but it's not zero.
That's what VeraCrypt is, a fork of the original TrueCrypt after all drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.
Maybe an old vulnerable signed driver can be used to load the new version :D. On a more serious note, I think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.
If they had a reason other than 'oops mistake' it's likely just going to remain in place.
(Sadly, that is how MS is. If you care for privacy maybe go to BSD.)
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.
We really need viable solutions. I have been using Linux for 21+ years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).
I understand that most people want to move to other more modern tools, it's up to you. However, what baffled me is why the author's choice not to move is a problem? Did we pay them to move and they did not move as promised? Was there some crowd funding to move that was not fulfilled?
It wasn’t always scummy… but there was a definite shift after they got bought. It’s kept getting worse since then.
Then again, this was something like 20 years ago. Back then, Sourceforge was something closer to GitHub today. It was the de facto public source repository. You could even get an on-premise version, IIRC.
Actually, this is sounding a lot like GitHub these days… not sure what that means.
No tinfoil needed.
That's what Big Tinfoil wants you to believe!
Microsoft even supports Wireguard in Azure Kubernetes Service.
If it weren't for the current administration, I'd say it's time for regulatory action.
https://x.com/i/status/2041698657368703484
https://web.archive.org/web/20260000000000*/https://www.true...
https://en.wikipedia.org/wiki/Paul_Le_Roux
In general this isn't your problem.
It's a bit worrying that a sensitive app such as VeraCrypt is still distributed there.
Switch to Linux if you can, and come give Shufflecake a try ;)
https://shufflecake.net/
[0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...
Any large scale signing platform will have large oversights and be rendered useless. See the appstore / play store/windows...
Seems rather clear that he doesn't want French jurisdiction.
So we'd better find a real solution now.
The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.