89 comments

[ 2.9 ms ] story [ 74.4 ms ] thread
Microsoft disabled the developer's certificate so no windows releases can be made.
That probably had nothing to do with LibreOffice. Lots of people have had their MS accounts locked for no reason. I guess the automatic abuse detection system just sucks.

My advice is don't use a MS account if you can, at least not for anything critical. You don't need it for development, you can use 3rd party CAs for signatures.

They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.
Looks like Linux and some of the BSDs are the only remaining truly open OSes.
(comment deleted)
We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.
I suggest that developers could self-sign to verify the legitimacy of future updates. Otherwise leave it unsigned.

This entire "big tech overlords have to sign apps & drivers to keep you safe" concept is one giant pile of nonsense.

It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.
That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.
Microsoft has been taking steps to mitigate the leaked code signing certificate problem.

On the driver side of things, new versions of Windows no longer trust the cross-signed certs, so you must submit your driver to Microsoft to validate and sign, so no private key to go missing. https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

On the regular Authenticode side of things, the new CA/B Forum rules have prohibited storing new private keys outside of hardware modules for a while now, so eventually you won't be able to find a leaked private key for code signing that would still be valid.

I am somewhat also concerned that this software was still being distributed on SourceForge.
Microsoft doing everything in their power to be assholes, as always
maybe an old vulnerable signed driver can be used to load the new version :D. on a more seirous note, i think contact with a person at MS, likely via socials triggering that, might help here. It all depends on the reason for the ban/block/cancel.

if they had a reason other than 'oops mistake' its likely just going to remain in place. (sadly, that is how MS is. if you care for privacy maybe go to BSD)

This is the same problem I'm currently facing with WireGuard. No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows. That's kind of crazy: what if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately? (That's just hypothetical; don't freak out!) In that case, Microsoft would have my hands entirely tied.

If anybody within Microsoft is able to do something, please contact me -- jason at zx2c4 dot com.

It has been clear for a while that certain providers and services need to be regulated as utilities - Microsoft, Google, Apple, Visa, Mastercard, and soon Openai and Anthropic.

It should be illegal for these companies, just like utilities, to deny service to anyone or any entity in good standing for dues.

There is little hope for getting this through in the US where most politicians of any stripe hate the public, and the ones that don't have hardly any power. But it might be possible to do this in the EU.

Then, we non-EU folks need to apply for Estonian e-residency [1] which may get us EU regulatory coverage.

[1] https://en.wikipedia.org/wiki/E-Residency_of_Estonia

You said:

"Currently undergoing some sort of 60 days appeals process, but who knows."

.. and the op said:

"I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."

... which is a roundabout way of saying you did not spend lawyer hours and you did not contact them through channels that they cannot ignore: registered, physical mail, from a lawyer.

I'm sorry for these difficulties, truly, but don't tell me you can't reach a human when you most definitely can reach a human. From my own experience with an organization at least as calloused and indifferent as MS[1], as soon as I sent a real, legal communication I had real live humans lining up to talk to me.

[1] Pacific Gas and Electric

With these big players who are regularly found supporting people with evil intentions: Don't attribute to incompitence what could be ascribed to malice, nay you must trust the gods of the clouds to keep your secrets for you, all for the low low price of $x.99 a month a seat, you may only cancel your service with an arcaine dance and the sacrifice of your first born!
Not exactly the same situation, but RustDesk has recently been removed from the official WinGet community repository because their automated scans have been blocking updates since v1.4.2 in September 2025.

https://github.com/rustdesk/rustdesk/discussions/13025 https://github.com/microsoft/winget-pkgs/pull/345601

tl;dr: ESET Antivirus flags RustDesk as a "Potentially Unsafe Application" because it is a remote administration tool, despite not flagging similar commercial products in the same way, and the WinGet Community repo policy is to block anything flagged as such. Since they were unable to update the repo the RustDesk team requested that the older versions be removed to prevent users from unknowingly installing old versions that could potentially be a security issue in the future. Apparently this has been an issue for a lot of applications especially in the VPN and remote control categories.

There is a discussion about how best to handle these sorts of situations where legitimate and desirable applications get flagged as "potentially unsafe" or "potentially unwanted" but so far it's just been a discussion with no actual changes proposed yet.

https://github.com/microsoft/winget-cli/issues/6107

Thank you for the extra visibility on this issue. I'm in the exact same boat: account suspended, waiting for the 60 days appeal process. Hopefully it will be resolved swiftly!
Is there a WireGuard version for Windows above 0.5.3 released in 2021?!
I saw a tweet saying that there's a requirement for verification.

> Effective October 16, 2025, Microsoft will initiate mandatory account verification for all partners in the Windows Hardware Program who have not completed account verification since April 2024.

> Partners who fail to complete Account Verification by the deadline, or who do not meet the requirements, will have their status set to Rejected and will be suspended from the program.

https://x.com/shanselman/status/2041974138253013205

/tinfoil time

60 days, long enough for the US to exploit the vulnerabilities discovered by Claude Mythos, short enough to plausibly be bureaucratic corporate awfulness by Microsoft when all is said and done. Basically freezing you and other security software out of protecting the bad guys they particularly want to get at until after the bad guys get got, then everything goes back to normal and Microsoft says "oops, here, we fixed your access."

(comment deleted)
Did you also receive the same support email?

They always just tell me to ask copilot, then they open a case using copilot, and then they tell me to ask copilot again. I said I wanted to prove that the code didn't contain malicious code, and they still told me to ask copilot...

This account has been suspended because the code you submitted contains malware or potential vulnerabilities. If you believe your account was suspended in error and can demonstrate that the code you submitted does not contain malware or vulnerabilities, please follow the below steps, and contact us. . Go here: http://aka.ms/hardwaresupport 2. Click Contact Us 3. Make sure you are signed in with a user associated with the HDC account in Partner Center 4. Select Ask Copilot to receive email support.

How can you _prove_ (“demonstrate”) that your software doesn’t contain malware or any vulnerabilities?

They can’t do that for any of their own software for sure…

I wonder if npcap can route all traffic through a userland service, then handle it there.
Microsoft got in touch. All sorted out now.
After all these statements from M$ claiming they’ve replaced people with AI, wouldn’t be one bit surprised if this “bureaucratic behaviour”, was in fact, some agentic behaviour.
Sorry to hear about this turn of events, but it was pretty much to be expected given the way the world is turning, and Microsoft being Microsoft.

Switch to Linux if you can, and come give Shufflecake a try ;)

https://shufflecake.net/

.... This deserves it's own posts , on HN, just for awareness-

Aside from https://web.archive.org/web/20250914062843/https://portswigg... , there haven't been really many goes at going for plausible deniability with modern systems, and I see the segment about a Hidden OS feature in work as well.

Hoping this succeeds. Funny, eventually Shufflecake, after it gets fully capable on Linux, might have to look at making versions for Windows and Mac

Seeing this kind of friction makes me more confident in VeraCrypt. The tools that never seem to run into trouble with platform gatekeepers are the ones I'd worry about.
And yet another example of companies turning actively hostile against their users.

The burden of usage/access is now solely on the customers and the feeling is that regular customers are just a nuisance to be ignored.

Forced software signing should be illegal.
very much sounds like microsoft
Honest question, did we ever get an answer what was the cause for the sudden change from the original Truecrypt developer?

Even if one doesn't want to maintain that project for purely private reasons, recommending Bitlocker as the drop-in-replacement always made it smell fishy to me.

Agreed, that whole thing was suspicious. I still use TrueCrypt, because of the suspicious nature of how it all went down.
This is always a problem when big mega-corporations are involved, be it Google or Microsoft. They want to control the platform.

We really need viable solutions. I have been using Linux since +21 years or so, so it does not affect me personally, but I think Linux needs to become really a LOT more accessible to normal people. And it really has not (on the desktop); all the various "improvements" on GNOME3 or KDE are basically pointless, they have not solved the underlying problem. Ideally problems should be auto-resolvable. If someone wants to use the proprietary nvidia driver, that should be a single click - on ALL Linux distributions. Instead you see some distributions have their own ad-hoc solution and other distributions have no easy solution (for simple people).

I'm sorry, is this some sort of Windows joke that I'm too Linux to understand?
Linux isn't inherently safe from the signed boot chain mindset either if you run a mainstream distribution.
prediction: they are testing the waters. If there is enough outcry they will go "oopsie whoopsie, hehe :3 your account is restored".

If there isn't enough outcry they will go forward and disable more signing keys related to things like torrent clients, VPN software, eject UBO from the edge store etc etc.

Atleast now I'm a bit more certain that VC is indeed safe.

They've finally sprung their enshittification trap. Their move into "open source" was never of friendly origin. It was a business move, plain and simple.

And now they're locking down Window OS, hard. Expect github and vscode to follow.

Linux is the only hope at this point for the future of computing.

Windows and macOS are just too risky to do any business with. Waste of all resources.

Who knows maybe Valve can expand from just gaming?
The same Valve that popularized getting kids hooked on gambling while rent-seeking other people's work?
Hope this is resolved. I guess I could run linux in a VM and mount volumes there, but this is getting a bit dicey. But Win 10 is my last windows anyway.