Hacker News

It would not surprise me if these actions are coming at the requests of governments. Strong encryption is one of the few things that challenges their monopoly on information; they have a very strong incentive to apply political pressure to the maintainers of these projects to, well, stop maintaining the projects. We've seen this in overt actions that the EU takes; in more covert actions that the U.S. government is suspected of taking; and in the news headlines about third-world dictatorships that just shut off the Internet. Tech companies are perhaps the most convenient leverage point for these actions.

More regulation won't help here, because the regulation-maker is itself the hostile party.

What would help is full control over the supply chain. Hardware that you own, free and open-source operating systems where no single person is the bottleneck to distribution, and free software that again has no single person who is a failure point and no way to control its distribution.

We need a law that a human representative can be spoken to within 24 hours or directly when something critical happens.

Also “there is no appeal possible” should be plain illegal.

If it is regulated as a utility, the government will want to ban these hacking tools.

I have a feeling, that the resolve to do something about it is waning in the EU, because of the plans to soften up the GDPR.

It always weird to see how dichotomy of some people saying AI will never be profitable and are doomed to fail and others saying that they are such a essential public service that they are a utility and should be subject to government regulation. Hopefully they are not the same group of people, but I suspect there is a greater overlap that one would expect.

I've gotten business verification for Microsoft before. The kind you need in order to get certain oauth scopes for their O365 platform.

Do not discount complete, total, utter, profound fucking incompetence as the driving reason behind this.

Getting the business verification was an astounding shitshow. With a registered C corp and everything, massively unclear instructions, UI nestled in a partner site with tons of dead ends. And then even after all the docs, it took another week because -- in an action that nobody could possibly have ever foreseen -- we had two different microsoft accounts due to a cofounder buying ONE LICENSE of O365 for excel and doing domain verification because it suggested it.

> Microsoft doesn't want to allow software that would allow the user to shield themselves

I don't think Microsoft cares (about anything besides making mo' money), but there are plenty of (state) actors that can influence the decision-making at Microsoft when it comes to these issues.

No tinfoil needed.

Alternatively they asked copilot to scan for crypto projects and ban them

Or more likely, some automated security system flagged popular but suspicious apps for further review.

It is more likely that government doesn't want to allow people to have privacy. Microsoft just obediently listen to orders and execute them.

"Never attribute to malice that which is adequately explained by stupidity"

Is this another example of their old modus operandi:

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

?

Maybe time for a custom license that would require M$ to sign up for special T&Cs if they want to use this software?

Who cares if it's OSI-approved or not, a line saying "M$, Google, and the like need written permission for every use case" would help to make those leeches honest. Just learn from the JSLint example.

It's got a lot of analogy to restaurants banning Uber delivery for not handling their food to their standards.

Agree. Single point of failure. One developer, one account. Crazy.

If someone was a bad actor, right now would be a pretty good time to start exploiting zero days in WireGuard…

Maybe some bot signed up using your email and then did bot things on it. I've had that happen a lot over the years. My Microsoft account is still stuck in German because that's the language the bot used when creating the account (to spam X-Box apparently).

Same here with github.

True, but really even if it gets resolved for them it should basically be a huge warning sign to everybody. Projects like those might get reinstated but it would only be because of how big they are that it would matter. Any person or small or 'undesirable' project would not get the same resolution.

> those who remain with Windows after this latest betrayal have chosen their fate.

Ah. So almost every single business in the world… suckers?

Or found they’ve been compromised by someone else? ;)

No. The humans just said 60 days.

Microsoft hasn't managed to burn down entire towns (But Copilot is probably working on it), so I suppose we do have at least some kind of gauge of callousness to work off of thanks to PG&E. Which was also the company behind that whole slightly famous Erin Brockovich thing, amongst so very many others.

Sometimes, it's both incompetence AND malice.

The time for regulatory action against Microsoft was thirty years ago and the need for it has only grown since then.

The FTC wasn't doing their job between 1980-2020 because of their ridiculous standard of, "if it doesn't raise consumer prices, it must be allowed." This lead to massive consolidation in many industries which of course ended up raising prices and hurting consumers anyway.

Recently they've had some wins but overall they're still failing to do their job.

> If it weren't for the current administration

Because the Democrats were better at keeping them on a leash? No. Clinton was in charge 30 years ago and blew it.

Some countries (the EU in general) are already doing things about this. Owning the app store means you are a monopoly and now the only question is are you illegal by the local laws which vary.

You can/should write your congressman (or whatever they are called in your country) and get better laws in place.

The (new?) X link made me think for a moment you got the username @i

I know it's not what people want to hear but my response to a lot of the comments here is just a general, I agree, it's time to stop using Windows.

They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.

I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)

I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative is heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.

No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.

Correction: stop using Microsoft products as soon as possible.

It's not your own data anymore if you gave it away.

Google and Apple have been doing this for a long time, and Microsoft clearly got jealous.

Their first big win was when they banned the Chief Prosecutor of the International Criminal Court from accessing any of the court's documents, then deleted all of those documents. Now they're going after slightly less important enemies of the state. That bar will continue to drop as long as it's allowed to. And let's not kid ourselves: if you develop or use encryption software that Mossad can't break, you are an enemy of the state.

Or create the account but don't use Microsoft services.

I knew the speculation on him being involved in some capacity, but as the wiki page states, this was never confirmed in any substantial way.

More importantly, if development seized with no public comment, that would be one thing and may strengthen the "he got arrested" theory. However, there was some final communication, specific recommendations to rely on Bitlocker of all things, a new version of Truecrypt was released solely for decrypting existing disks and then the web page was removed, including a flag set on robots.txt to ensure it wouldn't appear on archive.org. All this concurrent to a crowd funded source code audit that, in the end, did not find any server issues or backdoors (I recall some speculation back in the day, that either known code quality issues or an intentional backdoor could have caused the exodus).

That all makes it hard to link this to an arrest of the main developer, though I dislike speculation without any hard evidence and if there is no new information, I'll keep this filed under "there is no answer".

> He subsequently admitted to arranging or participating in seven murders, carried out as part of an extensive illegal business empire.

Yikes

Makes you wonder what kind of leverage/information you have to have to only get 25 years for admitting to being involved in 7 murders.

My theory is that Le Roux was just financing the (two?) TrueCrypt developers.

One of the greatest men of our times.

This can be done by Archive.org doing it for whatever reason (asked, on their own, etc) or it can be triggered by the current owner of the domain modifying robots.txt I believe.

I went on a Wikipedia dive and discovered this funny bit regarding the court process surrounding Lavabit and FBI's desire of the TLS private keys.

> The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."

(And to be clear, that's all they ever saw of said keys)

Fair assumption, but unlike Lava, TC never had customer/user data. The NSL/forced shut down theories also make little sense to me however, the fork was up by the end of the week and was easy to foresee. Kinda why this fascinates me so much, no theory I ever read survives basic scrutiny. Perhaps some things, we’ll never know.

Isn't linux complaint because of the systemd change?

My kids grew up on Gnome essentially, I can tell you Win11 is a lot more confusing to them, not just because because they grew up on Gnome, there is just so much more ... stuff. And notifications and flashy things and news and weather apps and they all want your attention. Gnome is much more iPadOS like (minus that horrible concoction called the App Store).

Sure, if you're all in on MS365 (like all schools here in the Netherlands), Windows may be somewhat more handy with its native apps and all your stuff there with a single log-in.

This is always said by people who either never touch the Linux desktop, or exclusively use their own custom Arch setup.

You can install Fedora Linux, Linux Mint or Manjaro, and it's more user friendly than Windows 11 and macOS.

Linux is stuck because it's made and maintained by people who love linux.

Look at popular unix based OS's - Android, MacOS, iOS..

Whats the first thing they do? Take the command line out back and shoot it. Whereas for linux users, their is this l33t h4cker festishization of only using a keyboard to do everything. All these distros have an extremely robust CLI under the hood, and an afterthought quasi GUI on the surface. Just good enough for grandma to check her email and watch youtube.

>> Linux is the only hope at this point for the future of computing.

Linux is the most obvious, but there are numerous flavors of BSD as well.

> and yet... still unusable by the mass majority of people.

That info is 20+ years out of date. Distros like Suse and Ubuntu made Linux "click, click, click, it's installed" more than two decades ago. i've watched complete non-techies switch to Mint Linux long-term, the only intervention from me (their resident techie) being showing them how to boot up the USB stick installer.

This isn't really true anymore with the advent of Flatpak & Flathub. It's just an app store like any other platform. Even the majority of games work without tweaking.

My wife (former Sales Person and Manager) has used Linux for many, many years and prefers it over Windows.

Not used does not mean not usable. Primary school aged children used MS-DOS without any documentation in 1990's. Pretty sure randomly selected people would be able to use modern Linux distro, when pre-installed just like windows are.

Perhaps not legally, but technically, you have an option: don't use the Microsoft Store. This isn't as wild a suggestion as it may seem to non-Windows users: the store is barely used by Windows users. You can get your own code signing certificate from a public CA, sign your own installer, and post it on your website. This is still the primary way that Windows software is distributed. Microsoft does not have a hand in any part of it; they can't cancel anything. Their only role is including the public CA in their root certificate store. If you're not shipping a kernel driver, you don't need Microsoft's permission for anything. You can still ship an .msix installer which is the same technology used by the Store.

I recently de-listed my app in the store and closed my Microsoft developer account. I was wrong for having bothered with it; just a waste of my time for no benefit. Stick to your own deployment.

Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.

And of course, it doesn't affect their earnings and there are no consequence, or significant, so they won't care and won't respond or tell what went wrong.

Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.

This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.

If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.

According to this: https://x.com/EdgeSecurity/status/2041872931576299888

> ...it seems like they instituted an identity verification policy, didn't notify me about it, and then I guess they suspended accounts who didn't do the verification.

So, make sure you verify your account? Check spam folder regularly? Log in via web interface at least once a year?

There's more to it. Signed desktop software can be signed by any CA.

Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.

In general this isn't your problem.

You just have to start living like they do in Russia and comply in advance. Don't do anything "interesting", no encryption, or if you do, make sure you leave breadcrumbs, scratch that, a bread trail for them to easily get access to customer data. An Oracle or Sharepoint integration maybe?

You can, but it's more than a warning. VeraCrypt has a signed kernel driver, which has higher requirements. You'll need to boot into a special Windows mode and disable Driver Signature Enforcement.

I left GitHub for GitLab because i knew this was coming.

That was 11 years ago, under DHI Group though. I don't think Slashdot Media have been up to the same shady stuff.

~2015, "DevShare". They wrapped open-source software downloads with opt-out adware and PUPs (potentially unwanted programs), without the original developers' consent in some cases. They took over abandoned/unmaintained projects (like GIMP for Windows, VLC, etc.) and replaced the original download with their adware-wrapped version.

So why don't you stop using the OS that has a completely different approach to computing?

So far I haven't had much concrete reason for my family to switch away from Windows. The updates maybe, needing to pay for a new license and the UI changes are like pulling the chair out from under them, especially as they get older (Windows 7 was hard for my grandma, thankfully they left 10 mostly alone but 11 is quite different again so she's currently staying on 10 — not that her hardware supports 11 anyway but that's fixable), but it's either learning the new Windows UI, let's say ten storypoints of newness, or learning some Linux desktop environment, even if it's Mint which is similar to 7/XP it's not quite the same either and probably like 15 storypoints at minimum, even if then you're done for much longer

But if OSes are being locked down and software has trouble distributing security updates through official repositories for Windows... that's a good reason to finally make the switch. Same as why my family is on Android: I can install f-droid, disable the google store, and don't have to worry about them installing malware / spyware / adware

There's different degrees of openness. Android till 2026 was an acceptable compromise (let's see how it goed forwards). Windows is also on the decline with their account policy, not sure about this certificate revocation thing (thankfully haven't had to deal with it yet; I'm not a user myself) but it sounds like they're moving to a walled garden also

When the degree changes and gets even less open, yeah you can say "well of course, they were never truly open, they're commercial" but it's still a change and might lead people to alter their choices

In most cases you can put your computer secure boot in setup mode and roll your own keys.

I thought community projects (as opposed to the corporate Fedora and Ubuntu) are exempt from such laws.

Yes time to wake up.

I really believe most "open source" big projects have been compromised long ago. We have saw all those "Foundations" taking them over with all their governance, bureaucracy and goal which do not make any sense at the first look.

One example is Fedora, which is part of "The Digital Public Goods Alliance" [0], "a multi-stakeholder initiative that accelerates the attainment of the Sustainable Development Goals by facilitating the discovery, development, use of, and investment in digital public goods."

The Digital Public Goods Alliance has about every governments as member plus all the usual suspects: Gate Foundation and co.

All the leaderships have usually no background or experience in open source or even computers but are just magically placed there. But you can't say anything because they are mostly women.

You read the goals and roadmaps of those foundations and find out it has nothing to do with software or open source. It is basically there to control those projects and then have them implement all the age verification, digital id, etc.

So yes this is not a surprise all those projects are now all in absurd features such as age verification.

- [0] https://www.digitalpublicgoods.net/

the current law requires no verification at all simple attestation, you could put in _any_ age. it also does not effect linux distros as a whole, only distros in jurisdictions with the laws.

GrapheneOS is doing lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc, storage scopes are excellent security features. Malware cannot do much even with the default settings.

With a file system driver like Veracrypt, if it’s malicious, the OS might keep your computer safe, but not your files that you store in that file system.

Yes, I completely agree.

Qubes OS is such OS: it runs everything in VMs with strong hardware isolation. My daily driver, can't recommend it enough.

What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.

It doesn’t help that they do that sort of shits AND mandate a microsoft account for logging in to windows. Also how much trust can you have that if you move your business to azure they will not randomly kill it. Incompetence or malice, almost doesn’t matter to the average user.

Well look at something like ANOM. The FBI encouraged its use. Because it was run by the FBI and they could see all the private messages.

If Veracrypt was a honeypot, the powers that be would go out of their way to make it as easy to use as possible. They'd instantly sack whoever made this decision, and reverse it.

I don't think you would loose access. You can always recover data on an open platform such as Linux.

Because it's mostly just performative.

Its not just a web interface. It creates a storage container that can grow and be compacted on the fly is fully portable.

Yeah, and the first comment beneath that mentions that the most recent version is signed with the "2011 CA" that the article I link to discusses being deprecated.

My guess was that he got caught up in some house-cleaning. My theory being that he's still signing his code the way malware authors also do and got flagged by some automated review that's meant to force him to go get WHCP certified or whatever the new route is.

who on planet earth trusts a piece of software because Microsoft signed it?

The author is now based in Japan, and even owns a veracrypt.jp domain. Meanwhile, the old veracrypt.fr domain redirects to veracrypt.io.

Seems rather clear that he doesn't want French jurisdiction.

I think it's a reference to Michaelsoft Binbows :)

https://alf-s-room.com/etc/nandarou/binbows/binbows_english....

https://www.youtube.com/watch?v=QRIklga9IBQ

Most likely just intentionally misspelling the name in the spirit of calling them Microslop.

I don't think you can install VeraCrypt, at least for system encryption, unless the installer is signed

> what baffled me is why the author's choice not to move is a problem?

Because Sourceforge is horrible to use and was at one point actively pushing malware? It's pretty obvious tbh.

I just didn't think Sourceforge was still running. There was a mass exodus from it about 20 years ago when it became a massive ad farm that started injecting ads into people's tarballs.

It was never as good as freshmeat.net even in its heyday.

Not every conversation has to be a conversation about AI.

sourceforge was always very scummy, I think they would definitely use the code for that if they could

GP refers to the practice of getting kernel level code execution using other, old vulnerable drivers and using it to run the VC driver.