Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates (404media.co)
- Reference: 0181418848
- News link: https://tech.slashdot.org/story/26/04/08/1715213/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates
- Source link: https://www.404media.co/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates/
> [2]VeraCrypt is an open-source tool for encrypting data at rest. Users can create encrypted partitions on their drives, or make individual encrypted volumes to store their files in. Like its predecessor TrueCrypt, which VeraCrypt is based on, it also lets users create a second, [3]innocuous looking volume if they are compelled to hand over their credentials. Last week, Idrassi [4]took to the SourceForge forums to explain why he had been absent for a few months. The most serious challenge, he wrote, "is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader."
>
> "Regarding VeraCrypt, I cannot publish Windows updates. Linux and macOS updates can still be done but Windows is the platform used by the majority of users and so the inability to deliver Windows releases is a major blow to the project," he continued. "Currently I'm out of options." Idrassi told 404 Media the termination happened in mid-January. "I was surprised to discover that I could no longer use my account," he said.
>
> On the forum and in the email to 404 Media, Idrassi shared what he said was the only message he received connected to the account shutdown. "Based on the information you have provided to date, we have determined that your organization does not currently meet the requirements to pass verification. There are no appeals available, we have closed your application," it reads. Idrassi told 404 Media the message is concerning his company IDRIX. "As you can read in their message, they say that the organization (IDRIX) doesn't meet their requirements, but I don't see which requirement IDRIX suddenly stopped meeting," he said. Idrassi said he has tried contacting Microsoft support, but he received automated responses that he believes contained AI-generated text.
[1] https://www.404media.co/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates/
[2] https://sourceforge.net/projects/veracrypt/
[3] https://veracrypt.io/en/Hidden%20Volume.html?ref=404media.co
[4] https://sourceforge.net/p/veracrypt/discussion/general/thread/9620d7a4b3/?ref=404media.co
Trumpist NSA got to them (Score:1)
N/T.
Re: (Score:1, Insightful)
Unlike Obama NSA who persecuted Snowden.
Re: (Score:1)
Versus the Little Shrub NSA or the Obama NSA? I thought you AC's were strongly pro-Blue.
It wouldn't matter who was sitting in "The Chair"... they would all prosecute Snowden (although what he did was good) for leaking info.
US government (Score:5, Insightful)
Clearly, the US government is unhappy with regular people having robust data encryption.
This is why it is folly for non-US organizations to continue using closed-source US-based software. If they can't see the security risks inherent in this practice, then I don't know what to say.
Re: (Score:1)
It's pretty risky to use any software from a monoculture. You risk going down at the same time as everyone else during a big exploit. You risk getting hit with zero-day code and sitting there compromised without even knowing it. At least, it appears your risk is significantly higher if you are on a closed source commercial operating system.
Security weenies claim security via obscurity doesn't work, but it absolutely does if you like to use data and respect what it tells you. Check the number of sec
Re: (Score:1)
This is why I stick with my Amiga emulator under OS/2.
Re: US government (Score:3)
"Security weenies claim security via obscurity doesn't work, but it absolutely does if you like to use data and respect what it tells you. Check the number of security CVEs for operating systems like OpenVMS, MPE/IX, and see how they compare with Linux or Windows. By volume, the most popular OSes get the most attacks and successful exploits."
That is not security by obscurity. It's security by unpopularity.
Re: (Score:1)
"Security through unpopularity" by using an open-source system makes it easier for an attacker to browse the code and find every gap in security, and you have to hope for an update that patches "thing(s)".
"Security through obscurity" (I assume running like OS/2 or Mac OS9 or something obscure), doesn't work as good as you think... being that those aren't maintained/kept up, their as weak as the "unpopularity" group.
Basic INFOSEC says to regularly inspect your computer (whichever OS it has) with something li
Re: (Score:2)
"Security by obscurity" doesn't work by itself. It's a necessary component of every security policy, however. You can't just pick one. (It's called "defense in depth", but that's not really a good metaphor.)
Re:US government (Score:4)
Put it this way: would you use a closed-source OS implemented in China? What makes you think the US government is more trustworthy than the Chinese government, especially given the direction Trump is taking it? (To be fair, it's been heading that way ever since 9/11.)
Re: (Score:3)
If you want to be fair, it's been headed that way ever since the 1860's. And prior to that the individual states were headed that way.
People in power like to make their jobs easier.
Re: (Score:1)
Hehe... I know.
Not all bad stuff strictly happened, only, ever under Trump... no other President is safe from accusations and such... didn't the Little Shrub invade Iraq under false-pretenses? Did he get rid of terrorism?.
A lot of those are hardcore pro-Immigration (legal and illegal), hardcore anti-Trump, hardcore pro-Blue state, who don't bring anything to the conversation besides trying to start arguments and crap... if you ask them to give links to anything that verifies their claims, you'll never get
Re: (Score:2)
> =What makes you think the US government is more trustworthy than the Chinese government, especially given the direction Trump is taking it?=
Because the US government doesn't make operating systems? They've taken Apple to court to get unfettered access to iPhones and have lost. It's far from perfect, but there is still a system of checks and balances happening.
Besides that, you can post a photo of yourself holding the bloody severed head of Trump, and the worst that happens to you is loosing a gig at CNN and a squatty potty endorsement job. If you call president Xi a silly name, you disappear.
Re: (Score:2)
"Winnie the Pooh" is NOT a silly name!
Re: (Score:2)
Oh Bother!
More likely just AI bullshit (Score:3)
"Never ascribe to malice what can be adequately explained by incompetence." Microsoft is probably using AI to review all the people with signing keys, and it hallucinated a reason to terminate his account. They've been blindly trusting their AI for all sorts of things it can't do properly.
Re: (Score:2)
It might be a hallucination, or it might be a real problem. And there are other possibilities. (E.g. earlier it was suggested that MS noticed a bad bug *somehow* and the government didn't want the bug to be fixed.)
My guess (Score:3)
Microsoft is in bed with the NSA, and the NSA doesn't want people to be able to secure their Windows against government spying.
Re: (Score:2)
Add to it that Microsoft don't want anyone to use something more secure than Bitlocker.
interesting (Score:1)
This tells me that there is a bug in the current Windows version that the TLAs are using.
When encryption works (Score:2)
those in power will want it to go away.
Other privacy-related projects are also affected (Score:5, Informative)
[1]Wireguard [ycombinator.com], a lightweight and secure VPN
[2]Windscribe [x.com], a VPN service.
[1] https://news.ycombinator.com/item?id=47687884
[2] https://x.com/windscribecom/status/2041929519628443943
Re: (Score:2)
> [1]Wireguard [ycombinator.com], a lightweight and secure VPN [2]Windscribe [x.com], a VPN service.
Microsoft has been raising the bar for kernel drivers for a while now. I am thinking that in their enthusiasm for reducing the attack surface (which in the abstract would be a good thing), they have gone too far, or at least too fast.
[1] https://news.ycombinator.com/item?id=47687884
[2] https://x.com/windscribecom/status/2041929519628443943
Re: (Score:1)
You do realize that all that does is slow your connection down? It's no more secure than normal internet... it's made by a company, the company has the master decryption key, and that's delivered to the US government so they can 'peek' at what you sent.
Same with TOR... your end and the end exit have to both have the key to send it out, otherwise it'd be gibberish at the exit node... how do both ends know the key? Answer: they share it, and the encryption routine is already known, so with an hour or two of
Dumbasses in charge (Score:2)
"There are no appeals available, we have closed your application"
That's two sentences that should be separated by a period, not a comma.
Microsoft issues the Linux keys too (Score:4, Insightful)
Microsoft issues the secure boot keys that are used by all Linux distributions.
If they can just arbitrarily yank someone's keys like this, apparently without explanation or appeal, then what does that mean for those Linux keys? Are they subject to withdrawal for no reason as well?
Re:Microsoft issues the Linux keys too (Score:5, Insightful)
Disable secure boot and carry on as usual. Why are you using this in the first place?
Re:Microsoft issues the Linux keys too (Score:5, Insightful)
I also use secure boot, and self-manage the keys, since having someone else hold the keys completely mitigates the value of secure boot. It's not ideal, and it creates a minor headache, but the gains massively outweigh the extra work required. I don't run Windows, so at least that portion is mitigated by OS selection, but it still creates a headache when I have to install Microslop junk on my computer, since they expect a prebuilt key to be present.
Why doesn't Microsoft want an independent encryption program running? They need to be able to steal all your data, and feed in to their AI training, and hand it over to police. Windows is not a safe OS, Microsoft has proven that time and time again. I use VeraCrypt frequently, any sensitive file on my computer is in a VeryCrypt volume.
If sensitivity is important, you must encrypt the file away from the OS, and other people. The entire point is to keep sensitive stuff safe, and since Microsoft has some delusional belief that all your files are their files, in the wrong hands, they block VeraCrypt.
Re:Microsoft issues the Linux keys too (Score:5, Insightful)
"Why doesn't Microsoft want an independent encryption program running? "
Mr. Dillinger I'm so very disappointed in you. I can't afford to have an independent program monitoring me.
Re: (Score:2)
That's hilarious!
Re: (Score:2)
Because an independent encryption program makes Bitlocker look bad.
Re:Microsoft issues the Linux keys too (Score:5, Interesting)
I'll add to this. Microsoft or the NSA has discovered a vulnerability in VeraCrypt and the government doesn't want the author to be able to push out a fix.
Re: (Score:3)
I could see that.
Re: (Score:3)
> I'll add to this. Microsoft or the NSA has discovered a vulnerability in VeraCrypt and the government doesn't want the author to be able to push out a fix.
It's scary how likely that is.
Re: (Score:3)
put your own signing key in the UEFI. You only need Microsoft if you want to be able to verify unknown software. If your Ubuntu is signed, you do not know if by Canonical or not, if you don't have a trust anchor. If you sign your own kernel, you know what key you put in the UEFI and everything is fine.
Re: (Score:2)
> For enhanced security.
so you're saying your enhanced security isn't secure?
Re: Microsoft issues the Linux keys too (Score:5, Insightful)
If you think UEFI enhances anything except MSs stranglehold on the PC market then theres a bridge with your name on it.
Re: (Score:3)
the secure boot in windows enables other features, but in linux it doesn't do anything useful... yes, you have the flag of secure boot, but it is not used by almost anything (may exist tools that check this, but not something breaking)
secure boot in linux is mostly useful for (stupid) laptops where you can't disable secure boot
Re: (Score:2)
> Why are you using this in the first place?
Because my employer requires me to use Secure Boot, and sends me nasty-grams if I leave it turned off. It's called a company-managed platform.
Re: (Score:2)
Do you often use VeraCrypt on a company-managed device? I'm sure if you do then it's with the knowledge and consent of your IT department and they'll be responsible for managing any consequences of the VeraCrypt issue according to their official policy as well.
Re: (Score:2)
That works... for now. However, IIRC, the first rev of ARM PCs had no ability to disable Secure Boot, and we may find BIOSes in the future which won't have that option, for sake of economy.
Then, there is scale. If one has a ton of Linux machines, be it workstations to servers, having to go in manually to turn off Secure UEFI, or enroll custom boot keys can get tedious.
Re: (Score:1)
Exactly... how many people have access to your computer and can tear the harddrive out? Whoopie... I can't pull your HDD and boot it on my machine... I can still put it in a drive dock and download your files, unless you use "encryption" (which can be broken in tons of ways).
Remember, no encryption is totally secure... I somehow doubt that Whatsapp would let you discuss an act of terrorism without some state agency having the key to that encryption, same with any other "secure" thing... and, it's pretty co
Re:Microsoft issues the Linux keys too (Score:4, Insightful)
Basically: Yes. I suspect the US government was behind this stunt, but absolutely... if the US government decides it doesn't want foreign companies to have easy access to non-Microsoft, non-Apple OSes, I can see them pulling this stunt.
The only solution is to ensure that whatever hardware you buy lets you either disable secure boot or install your own trusted key.
Re: (Score:1)
> Microsoft issues the secure boot keys that are used by all Linux distributions.
This is separate from secure boot. In Windows kernel drivers are required to be signed. The trust anchors from what I remember are hard coded into the operating system. You can't even add certs for drivers to the systems store.
This can only be bypassed by booting with driver signature enforcement disabled. Having users do that is not all that feasible.
Re:Microsoft issues the Linux keys too (Score:4, Informative)
> Microsoft issues the secure boot keys that are used by all Linux distributions.
> If they can just arbitrarily yank someone's keys like this, apparently without explanation or appeal, then what does that mean for those Linux keys? Are they subject to withdrawal for no reason as well?
Incorrect. Microsoft signs the boot shim. This lets you use Secure Boot with the default Microsoft keys you use to boot Windows. So any PC, with Secure Boot enabled, can boot Linux. The keys built into every PC are Microsoft's, and even if you hard reset the machine, they will revert to those Microsoft keys.
You are encouraged though if you run Linux, to create your own keys, and install them on your PC. Doing so would require you to re-sign the Microsoft bootloader but you are free to use your own keys. The only reason Microsoft signed the shim is because some OEMs do not make it easy to install a third-party key to secure-boot a non-Windows OS. So the Microsoft signed shim means if it can boot Windows, it can boot Linux.
And I say shim because that's the actual component signed - major Linux distributions re-distributed the signed binary. But it's bootloader independent - you can use the signed shim to boot your own version of GRUB or other bootloader and continue the secure boot chain if desired. (If you use something like Ubuntu, you're likely to encounter this if you try to compile your own kernel or module where you then h ave to add a key to the shim so the kernel can run your new module.
Microsoft can stop signing new shims, but that has nothing to do with Secure Boot. It's just a way so everything that can boot Windows can boot other OSes even if the OEMs lock down the computer.
Big companies often use their own keys for secure boot.
Re: (Score:2)
Tell me you have no idea how Secure Boot works without telling me you have no idea how Secure Boot works. I bet you also think that Microsoft invented Secure Boot and has full control over it.