This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.
If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.
show comments
newsoftheday
First I was surprised to read the Veracrypt maintainers could be in this situation, then read the top comment where Wireguard maintainers are too (unless I misunderstood). Is this some malicious new program inside Microsoft to try and shutdown open source projects so they can push Windows products and solutions more?
show comments
pogue
They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?
Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.
show comments
0xCE0
Linux is the only hope at this point for the future of computing.
Windows and macOS are just too risky to do any business with. Waste of all resources.
show comments
Ms-J
Posted this earlier from a throwaway since my account wasn't able to reply for some odd reason and it was marked as dead:
Hello Jason!
I want to first thank you for all of your hard work developing Wireguard.
If I can find someone who is willing to put their name on it to help I definitely will, the problem is the spy agencies don't want your project to exist. It makes it harder to put resources to this. I've worked in security departments of certain companies and saw everything you could imagine.
Same for Mounir over at Veracrypt.
Both of you are developing some of the most important software that exists today.
Keep doing what you are doing by keeping everything in the open. User trust almost doesn't exist for these type of projects. Any hint of an issue would wipe that out in seconds.
This leads me to one question I do have for you zx2c4:
Why does Wireguard attempt to contact your servers and auto update on Android with no toggle to turn this off? It's a threat to everyone. Maybe it also does this on other platforms but I haven't tested them all.
I can think of reasons as to why you did this, none nefarious, but still it would be nice if you included that option so I don't have to patch each update to turn this off.
Thanks.
dizhn
Microsoft disabled the developer's certificate so no windows releases can be made.
show comments
no_time
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".
If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.
Atleast now I'm a bit more certain that VC is indeed safe.
show comments
LWIRVoltage
What sucks about this, is due to implementation,Windows is the only way to achieve some stuff in Veracrypt. For example: doing full system partition encryption, and the Hidden OS install that only Veracrypt can do- requires Windows with the computer set to MBR rather than UEFU. I had hoped we'd see more of the plausible deniability tech at the OS level
- the consumer has nearly lost access to high end plausible deniability
show comments
shelled
I am somewhat also concerned that this software was still being distributed on SourceForge.
show comments
1970-01-01
Why is there no simple workaround for this? Why is it dead in the water and why can't we use another mechanism to verify the update files with SHA1? It's all been done before [1]. This would be an improvement, as it enables the project to continue working without any handcuffed relationship to Microsoft.
The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
show comments
ninjagoo
Looks like Linux and some of the BSDs are the only remaining truly open OSes.
show comments
_s_a_m_
Microsoft doing everything in their power to be assholes, as always
show comments
RandomGerm4n
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes.
So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
show comments
8cvor6j844qw_d6
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
show comments
pjdesno
Interesting.
My only experience with Veracrypt is via a law firm I was consulting with, who used it to protect some files they were sharing with me. Law firm and their end client are both big, prestigious companies.
hereme888
Besides Veracrypt, are there any real alternatives to Bitlocker for total drive encryption in Windows?
baobabKoodaa
Can someone please explain the implications for current Windows users of VeraCrypt?
show comments
folbec
I would not be surprised if it was some sort of AI driven mistake.
Some guy somewhere deciding to delegate threat assessment to Copilot or some other automated tool.
show comments
baobabKoodaa
Anyone here who could reach out to specific persons inside Microsoft who could fix this?
Izmaki
Reminds me of when users of TrueCrypt were urged to just install BitLocker instead. Sus AF.
trashface
Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.
Havoc
Microsoft continues to push for year of the Linux desktop
What about the guy who originally created it. Paul Le Roux, the criminal mastermind? That's a wild story :D.
speedgoose
It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.
show comments
swordsith
if michalesoft wants to take away our ability to sign drivers, they will find there is more than enough vulnerable easily exploited drivers we can use that are pre-signed online. Thank you micosawft!
show comments
unethical_ban
I run a dual boot of windows and am currently dauly-driving CachyOS quite happily. I've been playing some Crimson desert and got some occasional crashes... But any other game I have has run smoothly.
Their GUI tools for package management are thin wrappers on CLI tools, but are enough hand-holding that most people should navigate it fine. More devices worked out of the box for my with Linux than Windows.
Just like if you haven't tried AI in a year and have mocked it, you need to try it again. Of you haven't tried Linux desktop in a few years, you need to try again. CachyOS really does seem to handle the driver installs and gaming compatibility well.
steve1977
If only there was a way to sign software and not depend on a centralized authority, something like a... web of trust?
(and yes I know, you'd need to have the option to have "your" (haha...) OS trust it of course)
kwar13
very much sounds like microsoft
avaer
Forced software signing should be illegal.
show comments
shevy-java
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.
We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).
show comments
teekert
I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?
bilekas
And yet another example of companies turning actively hostile against their users.
The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.
ErroneousBosh
Jesus, sourceforge is still on the go?
show comments
hernanhumana
cool project
cynicalsecurity
If you use Veracrypt on Windows then you have no idea what you are doing. Windows is not safe. Use Linux only.
show comments
saidnooneever
maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.
if they had a reason other than 'oops mistake' its likely just going to remain in place.
(sadly, that is how MS is. if you care for privacy maybe go to BSD)
show comments
Hizonner
This highlights the fact that not only is supporting Windows dangerous to your project, but using Windows is dangerous to your security.
This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.
If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.
First I was surprised to read the Veracrypt maintainers could be in this situation, then read the top comment where Wireguard maintainers are too (unless I misunderstood). Is this some malicious new program inside Microsoft to try and shutdown open source projects so they can push Windows products and solutions more?
They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?
Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.
Linux is the only hope at this point for the future of computing.
Windows and macOS are just too risky to do any business with. Waste of all resources.
Posted this earlier from a throwaway since my account wasn't able to reply for some odd reason and it was marked as dead:
Hello Jason!
I want to first thank you for all of your hard work developing Wireguard.
If I can find someone who is willing to put their name on it to help I definitely will, the problem is the spy agencies don't want your project to exist. It makes it harder to put resources to this. I've worked in security departments of certain companies and saw everything you could imagine.
Same for Mounir over at Veracrypt.
Both of you are developing some of the most important software that exists today.
Keep doing what you are doing by keeping everything in the open. User trust almost doesn't exist for these type of projects. Any hint of an issue would wipe that out in seconds.
This leads me to one question I do have for you zx2c4:
Why does Wireguard attempt to contact your servers and auto update on Android with no toggle to turn this off? It's a threat to everyone. Maybe it also does this on other platforms but I haven't tested them all.
I can think of reasons as to why you did this, none nefarious, but still it would be nice if you included that option so I don't have to patch each update to turn this off.
Thanks.
Microsoft disabled the developer's certificate so no windows releases can be made.
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".
If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.
Atleast now I'm a bit more certain that VC is indeed safe.
What sucks about this, is due to implementation,Windows is the only way to achieve some stuff in Veracrypt. For example: doing full system partition encryption, and the Hidden OS install that only Veracrypt can do- requires Windows with the computer set to MBR rather than UEFU. I had hoped we'd see more of the plausible deniability tech at the OS level
But aside from one or two experimental attempts, also presented at BlackHat https://web.archive.org/web/20250914062843/https://portswigg...
- the consumer has nearly lost access to high end plausible deniability
I am somewhat also concerned that this software was still being distributed on SourceForge.
Why is there no simple workaround for this? Why is it dead in the water and why can't we use another mechanism to verify the update files with SHA1? It's all been done before [1]. This would be an improvement, as it enables the project to continue working without any handcuffed relationship to Microsoft.
[1] https://github.com/HyperSine/Windows10-CustomKernelSigners
Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.
Switch to Linux if you can, and come give Shufflecake a try ;)
https://shufflecake.net/
Get off Windows right now.
The newest frontier AI models can easily find 0-days in all major software stacks, while the two biggest open source security tools on Windows can’t even ship patches.
https://community.osr.com/t/locked-out-of-microsoft-partner-... Could be a related issue to this? Maybe Microsoft just doesn’t want driver developers for whatever reason.
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
Looks like Linux and some of the BSDs are the only remaining truly open OSes.
Microsoft doing everything in their power to be assholes, as always
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
Interesting.
My only experience with Veracrypt is via a law firm I was consulting with, who used it to protect some files they were sharing with me. Law firm and their end client are both big, prestigious companies.
Besides Veracrypt, are there any real alternatives to Bitlocker for total drive encryption in Windows?
Can someone please explain the implications for current Windows users of VeraCrypt?
I would not be surprised if it was some sort of AI driven mistake.
Some guy somewhere deciding to delegate threat assessment to Copilot or some other automated tool.
Anyone here who could reach out to specific persons inside Microsoft who could fix this?
Reminds me of when users of TrueCrypt were urged to just install BitLocker instead. Sus AF.
Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.
Microsoft continues to push for year of the Linux desktop
Any chance this is the issue?
https://techcommunity.microsoft.com/blog/windows-itpro-blog/...
Microsoft can't be trusted.
Never was, isn't and I guess won't be.
For folks looking for a much simpler single binary alternative.
https://github.com/srv1n/kurpod
What about the guy who originally created it. Paul Le Roux, the criminal mastermind? That's a wild story :D.
It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.
if michalesoft wants to take away our ability to sign drivers, they will find there is more than enough vulnerable easily exploited drivers we can use that are pre-signed online. Thank you micosawft!
I run a dual boot of windows and am currently dauly-driving CachyOS quite happily. I've been playing some Crimson desert and got some occasional crashes... But any other game I have has run smoothly.
Their GUI tools for package management are thin wrappers on CLI tools, but are enough hand-holding that most people should navigate it fine. More devices worked out of the box for my with Linux than Windows.
Just like if you haven't tried AI in a year and have mocked it, you need to try it again. Of you haven't tried Linux desktop in a few years, you need to try again. CachyOS really does seem to handle the driver installs and gaming compatibility well.
If only there was a way to sign software and not depend on a centralized authority, something like a... web of trust?
(and yes I know, you'd need to have the option to have "your" (haha...) OS trust it of course)
very much sounds like microsoft
Forced software signing should be illegal.
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.
We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).
I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?
And yet another example of companies turning actively hostile against their users.
The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.
Jesus, sourceforge is still on the go?
cool project
If you use Veracrypt on Windows then you have no idea what you are doing. Windows is not safe. Use Linux only.
maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.
if they had a reason other than 'oops mistake' its likely just going to remain in place. (sadly, that is how MS is. if you care for privacy maybe go to BSD)
This highlights the fact that not only is supporting Windows dangerous to your project, but using Windows is dangerous to your security.