Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates (404media.co) 102

Microsoft has apparently terminated the account VeraCrypt uses to sign its Windows drivers and bootloader, leaving the encryption project unable to publish Windows updates and throwing future releases into doubt. VeraCrypt's developer says Microsoft gave no clear explanation or warning for the move. "I didn't receive any emails from Microsoft nor any prior warnings," Mounir Idrassi, VeraCrypt's developer, told 404 Media. From the report: VeraCrypt is an open-source tool for encrypting data at rest. Users can create encrypted partitions on their drives, or make individual encrypted volumes to store their files in. Like its predecessor TrueCrypt, which VeraCrypt is based on, it also lets users create a second, innocuous looking volume if they are compelled to hand over their credentials. Last week, Idrassi took to the SourceForge forums to explain why he had been absent for a few months. The most serious challenge, he wrote, "is that Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader."

"Regarding VeraCrypt, I cannot publish Windows updates. Linux and macOS updates can still be done but Windows is the platform used by the majority of users and so the inability to deliver Windows releases is a major blow to the project," he continued. "Currently I'm out of options." Idrassi told 404 Media the termination happened in mid-January. "I was surprised to discover that I could no longer use my account," he said.

On the forum and in the email to 404 Media, Idrassi shared what he said was the only message he received connected to the account shutdown. "Based on the information you have provided to date, we have determined that your organization does not currently meet the requirements to pass verification. There are no appeals available, we have closed your application," it reads. Idrassi told 404 Media the message is concerning his company IDRIX. "As you can read in their message, they say that the organization (IDRIX) doesn't meet their requirements, but I don't see which requirement IDRIX suddenly stopped meeting," he said. Idrassi said he has tried contacting Microsoft support, but he received automated responses that he believes contained AI-generated text.

  • by innocent_white_lamb ( 151825 ) on Wednesday April 08, 2026 @01:24PM (#66083530)

    Microsoft issues the secure boot keys that are used by all Linux distributions.

    If they can just arbitrarily yank someone's keys like this, apparently without explanation or appeal, then what does that mean for those Linux keys? Are they subject to withdrawal for no reason as well?

    • by Valgrus Thunderaxe ( 8769977 ) on Wednesday April 08, 2026 @01:27PM (#66083546)
      Disable secure boot and carry on as usual. Why are you using this in the first place?
      • Re: (Score:1, Flamebait)

        For enhanced security.

        Is this less obvious than I assumed it was, or do you just not understand what it does?

        • by Murdoch5 ( 1563847 ) on Wednesday April 08, 2026 @01:52PM (#66083586) Homepage
          I also use secure boot, and self-manage the keys, since having someone else hold the keys completely mitigates the value of secure boot. It's not ideal, and it creates a minor headache, but the gains massively outweigh the extra work required. I don't run Windows, so at least that portion is mitigated by OS selection, but it still creates a headache when I have to install Microslop junk on my computer, since they expect a prebuilt key to be present.

          Why doesn't Microsoft want an independent encryption program running? They need to be able to steal all your data, and feed in to their AI training, and hand it over to police. Windows is not a safe OS, Microsoft has proven that time and time again. I use VeraCrypt frequently, any sensitive file on my computer is in a VeraCrypt volume.

          If sensitivity is important, you must encrypt the file away from the OS, and other people. The entire point is to keep sensitive stuff safe, and since Microsoft has some delusional belief that all your files are their files, in the wrong hands, they block VeraCrypt.
          • by the_skywise ( 189793 ) on Wednesday April 08, 2026 @02:10PM (#66083634)

            "Why doesn't Microsoft want an independent encryption program running? "

            Mr. Dillinger I'm so very disappointed in you. I can't afford to have an independent program monitoring me.

          • by whoever57 ( 658626 ) on Wednesday April 08, 2026 @02:15PM (#66083640) Journal

            I'll add to this. Microsoft or the NSA has discovered a vulnerability in VeraCrypt and the government doesn't want the author to be able to push out a fix.

          • Why doesn't Microsoft want an independent encryption program running?

            You answered your own question. Here: "since having someone else hold the keys completely mitigates the value of secure boot". Microsoft can't certify the secure boot process isn't maintaining the integrity of the kernel if 3rd party software bootstraps Microsoft's own booting procedure.

            They need to be able to steal all your data, and feed in to their AI training, and hand it over to police.

            This shows a fundamental failure of understanding of security principles. VeraCrypt encrypting the boot volume (the only thing that it would need a secure boot key for) in no way prevents Microsoft from doing what you're tin

            • The first step to enable Secure Boot, is to fully wipe the Microsoft keys, and then make your own. If you're running Windows, you'd have to resign the entire chain, which admittedly I don't know how to do, since I don't run Windows. After that, you have to go through the OS and remove all analytic trackers, and other nonsense, including their Key Logger "Ink & Typing". Once that's done, you can start service stripping and apply Group Policy, which is a headache. After all the work is done, what do y
              • You're speaking in circles. You remove all the things you claim you don't want and then you complain that there's nothing left and that you may as well run Linux? Please don't ever advertise for Linux anymore you make it sound horrible.

                It's not a conspiracy theory that Microsoft steals your data, they admit it.

                No it's a conspiracy theory. They admit to specific things, calling it "your data" is FUD. What is actually taken is known and agreed to in ToS, so not only is it not "your data" it's not "stealing".

                They enable One Drive by default.

                They don't do anything by default. They force you into a choice screen which

                • We're not going to agree, again, which is fine, but Microsoft is the digital equivalent of Epstein.

                  You can claim they don't take your data, and it's all carefully stated in the ToS, Licensing / Privacy Policies, but it all means nothing if they don't prove it, and they've never proved it. License terms and contracts are for fools, it's all hand waving and legal jargon to excuse themselves from wrongdoing.

                  If you doubt that, write your own terms, make them fair, and sensible, and ask Microsoft to sign o
        • by allo ( 1728082 )

          put your own signing key in the UEFI. You only need Microsoft if you want to be able to verify unknown software. If your Ubuntu is signed, you do not know if by Canonical or not, if you don't have a trust anchor. If you sign your own kernel, you know what key you put in the UEFI and everything is fine.

        • by znrt ( 2424692 )

          For enhanced security.

          so you're saying your enhanced security isn't secure?

        • by Viol8 ( 599362 ) on Wednesday April 08, 2026 @02:16PM (#66083646) Homepage

          If you think UEFI enhances anything except MS's stranglehold on the PC market then there's a bridge with your name on it.

          • If you think UEFI enhances anything except MS's stranglehold on the PC market then there's a bridge with your name on it.

            You are technically correct. UEFI doesn't enhance anything, it doesn't force secure boot. Secureboot however objectively does enhance security, it's literally an open standard which puts encryption keys to validate the boot process in the hands of the user. MS has no stranglehold whatsoever beyond making sure that unpermitted processes don't precede it in the boot chain, which is explicitly the boot time security hole being plugged.

            You do the same thing in Linux, generate a keypair, sign the bootloader, a

        • by higuita ( 129722 ) on Wednesday April 08, 2026 @05:42PM (#66084052) Homepage

          the secure boot in windows enables other features, but in linux it doesn't do anything useful... yes, you have the flag of secure boot, but it is not used by almost anything (may exist tools that check this, but not something breaking)

          secure boot in linux is mostly useful for (stupid) laptops where you can't disable secure boot

          • but in linux it doesn't do anything useful...

            Except for signing the boot process to ensure no resident malware can persist through reboots. There's an example of it by the way, this isn't theoretical, Bootkitty is boot-level malware that is exactly the kind of thing Secure boot protects against.

            • by DarkOx ( 621550 )

              Bullshit.

              About the only thing secure boot really protects from is the evil-maid. All other cases affecting most users by the time something is in a position to modify the kernel or boot loader it was already in a position to do all the damage that would matter to that person.

              You had root on my box, you have already had the opportunity to crypto ransom me, just vandalize my system in general, find and extract any sensitive data in my home directories and on any mounted volumes.

              Even advanced persistent threat

              • Bullshit.

                Your lack of understanding doesn't make something bullshit.

                You had root on my box, you have already had the opportunity to crypto ransom me, just vandalize my system in general, find and extract any sensitive data in my home directories and on any mounted volumes.

                You forgot one. I had root on your box. That made me an evil-maid, and you just said secure boot protects against that. There's a difference between malware at a point in time, and achieving residence. Maybe I don't want your shitty dick picks in your mounted volumes, maybe I'm after your bank account details. Oh I know how about a key logger. But what if you attempt to remove said key logger? Well we have the perfect solution, since you don't know

                • by DarkOx ( 621550 )

                  I am not the one here that doesn't know what I am talking about.

                  Availability is a leg of the CIA triangle bro.. If the authorized user CANT get access and its not fixable. That is a security failure, and likely as serious as a total confidentiality failure.

                  You getting root does not make you the evil maid, you getting root means you SE'd the owner into running something, found a nice heap spray in the browser followed by a local privesc etc. Realistically these are all going to be drive-bys of some kind, w

            • Secure Boot itself is misleading. All it does is validate that some string of bytes (bootloader) when run through a hash function (SHA) generates a value that matches a value signed by something (RSA) the host knows about and will consider valid. (The SecureBoot platform key, DB, etc.)

              Secure Boot says nothing else about the state of those bytes. Most importantly, it says nothing about whether or not those bytes can be exploited to run a virus / malware. That's an assumption made by the operator of the sys
        • by gweihir ( 88907 )

          For enhanced security.

          Is this less obvious than I assumed it was, or do you just not understand what it does?

          Ahahahahahaha, oh sweet summer child....

          No "secure" boot does not protect you.

          • Ahahahahahaha, oh sweet summer child....

            No "secure" boot does not protect you.

            Yes I'm sure if you have no idea what you're talking about you'd think that. I agree with you by the way. Passwords do nothing so I just leave the field blank.

        • by Talchas ( 954795 )
          It almost entirely doesn't do that. Its uses are a) DRM b) corporate lockdown of hardware in the hands of employees where they don't want to give root c) DRM d) letting manufacturers or OS vendors control the machine you paid money for e) yeah that's it. The proponents like to say things like "prevent hardware attacks" (it doesn't, that's locking down the bios/bootloader and use encryption, which you could already do) or "prevent persistent malware" (which it does by their definitions, if you assume that t
          • Its uses are a) DRM

            There is no way of querying secure boot or using it for DRM. All you can do is report if secure boot was on or off.

            b) corporate lockdown of hardware in the hands of employees where they don't want to give root

            That could be as well, but we already had non-secure boot options for that.

            c) DRM

            See a) Saying something wrong twice doesn't make it right, it makes you twice as wrong.

            d) letting manufacturers or OS vendors control the machine you paid money for

            Manufacturers have no control over secure boot. The implementation requires the keys be able to be managed by the user. You just jump into UEFI and delete Microsoft's key if you want and load your own. It's no more giving someone else c

        • The only security benefit to using Microsoft's keys in Secure Boot is if your firmware doesn't allow you to replace them. (Of course Microsoft Surface tablets beyond Surface 4 do not.)

          If you can replace them, then leaving Microsoft's keys installed is just a security risk for exactly the kinds of reason presented in TFS: Your software can arbitrarily stop working because of some random corporate policy change, some copro with an axe to grind, or a "you compete against us in the market therefore we revoke
      • Why are you using this in the first place?

        Because my employer requires me to use Secure Boot, and sends me nasty-grams if I leave it turned off. It's called a company-managed platform.

        • Do you often use VeraCrypt on a company-managed device? I'm sure if you do then it's with the knowledge and consent of your IT department and they'll be responsible for managing any consequences of the VeraCrypt issue according to their official policy as well.

        • by kriston ( 7886 )

          VeraCrypt on a company-managed platform?

          That's just wrong. In that use case, it's only Microsoft BitLocker.

      • That works... for now. However, IIRC, the first rev of ARM PCs had no ability to disable Secure Boot, and we may find BIOSes in the future which won't have that option, for sake of economy.

        Then, there is scale. If one has a ton of Linux machines, be it workstations to servers, having to go in manually to turn off Secure UEFI, or enroll custom boot keys can get tedious.

      • Exactly... how many people have access to your computer and can tear the harddrive out? Whoopie... I can't pull your HDD and boot it on my machine... I can still put it in a drive dock and download your files, unless you use "encryption" (which can be broken in tons of ways).

        Remember, no encryption is totally secure... I somehow doubt that Whatsapp would let you discuss an act of terrorism without some state agency having the key to that encryption, same with any other "secure" thing... and, it's pretty co

      • That's why I leave my password fields blank. It's so much easier to ignore security. (Also no Microsoft has no capability of preventing you booting Linux or using Linux with secure boot disabled, the only thing they have the ability to block is you booting Linux using Windows' boot loader).

    • by dskoll ( 99328 ) on Wednesday April 08, 2026 @01:28PM (#66083550) Homepage

      Basically: Yes. I suspect the US government was behind this stunt, but absolutely... if the US government decides it doesn't want foreign companies to have easy access to non-Microsoft, non-Apple OSes, I can see them pulling this stunt.

      The only solution is to ensure that whatever hardware you buy lets you either disable secure boot or install your own trusted key.

    • Microsoft issues the secure boot keys that are used by all Linux distributions.

      This is separate from secure boot. In Windows kernel drivers are required to be signed. The trust anchors from what I remember are hard coded into the operating system. You can't even add certs for drivers to the systems store.

      This can only be bypassed by booting with driver signature enforcement disabled. Having users do that is not all that feasible.

    • by tlhIngan ( 30335 ) <slashdot@w o r f .net> on Wednesday April 08, 2026 @02:59PM (#66083694)

      Microsoft issues the secure boot keys that are used by all Linux distributions.

      If they can just arbitrarily yank someone's keys like this, apparently without explanation or appeal, then what does that mean for those Linux keys? Are they subject to withdrawal for no reason as well?

      Incorrect. Microsoft signs the boot shim. This lets you use Secure Boot with the default Microsoft keys you use to boot Windows. So any PC, with Secure Boot enabled, can boot Linux. The keys built into every PC are Microsoft's, and even if you hard reset the machine, they will revert to those Microsoft keys.

      You are encouraged though if you run Linux, to create your own keys, and install them on your PC. Doing so would require you to re-sign the Microsoft bootloader but you are free to use your own keys. The only reason Microsoft signed the shim is because some OEMs do not make it easy to install a third-party key to secure-boot a non-Windows OS. So the Microsoft signed shim means if it can boot Windows, it can boot Linux.

      And I say shim because that's the actual component signed - major Linux distributions re-distributed the signed binary. But it's bootloader independent - you can use the signed shim to boot your own version of GRUB or other bootloader and continue the secure boot chain if desired. (If you use something like Ubuntu, you're likely to encounter this if you try to compile your own kernel or module where you then have to add a key to the shim so the kernel can run your new module.)

      Microsoft can stop signing new shims, but that has nothing to do with Secure Boot. It's just a way so everything that can boot Windows can boot other OSes even if the OEMs lock down the computer.

      Big companies often use their own keys for secure boot.
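
An added example, not part of the comment above or of any project named in the thread: a parser for the `EFI_SIGNATURE_LIST` records that make up the Secure Boot `db` variable, so you can audit which keys your firmware actually trusts after enrolling your own. The sample blob, `MY_OWNER` and the helper names are constructed for illustration; on a Linux machine the real blob is the `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file under `/sys/firmware/efi/efivars/`.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

# SignatureOwner GUID that Microsoft's db/KEK entries carry.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

HEADER = 28  # type GUID (16) + list size, header size, signature size (3 x uint32)


def parse_signature_lists(blob, efivarfs=False):
    """Return [(kind, owner_guid, data)] for every entry in a db/dbx/KEK blob.

    efivarfs=True skips the 4-byte attribute word Linux prepends to the file.
    """
    if efivarfs:
        blob = blob[4:]
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError("signature list size out of bounds")
        if sig_size <= 16 or (list_size - HEADER - hdr_size) % sig_size:
            raise ValueError("inconsistent signature size")
        kind = SIG_TYPES.get(sig_type, str(sig_type))
        # Each entry is a 16-byte owner GUID followed by the cert or hash.
        for pos in range(off + HEADER + hdr_size, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((kind, owner, bytes(blob[pos + 16:pos + sig_size])))
        off += list_size
    return entries


def not_owned_by(entries, trusted_owners):
    """Entries whose owner GUID is outside the set you expect to see.

    The owner GUID is only a label written at enrollment time; for a real
    audit, also inspect the certificate bytes themselves.
    """
    return [e for e in entries if e[1] not in trusted_owners]


def _build_list(sig_type, owner, payloads):
    # Helper that serialises one list, used only to construct the sample.
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body


# Constructed sample: one vendor-owned cert, one self-enrolled cert, and two
# self-enrolled image hashes. Payloads are placeholders, not real certificates.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    struct.pack("<I", 0x27)  # efivarfs attribute word
    + _build_list(X509, MICROSOFT_OWNER, [b"constructed-vendor-cert"])
    + _build_list(X509, MY_OWNER, [b"constructed-own-cert"])
    + _build_list(SHA256, MY_OWNER, [
        hashlib.sha256(b"constructed image 1").digest(),
        hashlib.sha256(b"constructed image 2").digest(),
    ])
)
ENTRIES = parse_signature_lists(SAMPLE_DB, efivarfs=True)

if __name__ == "__main__":
    for kind, owner, data in ENTRIES:
        print(f"{kind:7} owner={owner} bytes={len(data)}")
    print("not self-enrolled:", len(not_owned_by(ENTRIES, {MY_OWNER})))
```
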

    • Tell me you have no idea how Secure Boot works without telling me you have no idea how Secure Boot works. I bet you also think that Microsoft invented Secure Boot and has full control over it.
    • by gweihir ( 88907 )

      You can disable secure boot. But Microsoft clearly has too much power and too little oversight and consequences for when they screw up.

      • You can disable secure boot. But Microsoft clearly has too much power and too little oversight and consequences for when they screw up.

        You have clearly not enough knowledge and too much ignorance on the topic. No you don't need to disable secure boot. Microsoft has no control over secure boot. You can even load your own custom keys for the Windows boot process, to say nothing of Linux's secure boot process having zero to do with Microsoft control either.

        But you don't care, you've been told this before. At this point you're willfully ignorant.

        • Microsoft has no control over secure boot. You can even load your own custom keys for the Windows boot process

          Microsoft has control over distribution of the copyrighted Windows operating system. It has used this control to dictate whether or not makers of devices that include Windows are allowed to let users load their own custom keys. For example, Microsoft required makers of devices that come with Windows RT (the port of Windows 8 and Windows 8.1 to ARM architecture) to block end users from turning off Secure Boot and block end users from loading their own custom keys, as conditions for a license under copyright

          • Microsoft specifically denies windows certification to any device that doesn't allow secure boot to be disabled and custom keys loaded, and they have since the release of Windows 8.1 (13 years ago). There's no Windows RT devices on sale, and even Microsoft's own first party Surface Pro Snapdragon devices give you, the user, complete control over secure boot process and custom key loading.

            But if the best you can come up with is criticising a Windows version that flopped so badly it nearly took an entire idea

    • Microsoft issues the secure boot keys that are used by all Linux distributions.

      No, Microsoft issues secure boot keys that allow Linux to be booted by bootstrapping Microsoft's bootloader's shim. You don't need Microsoft to run secure boot in Linux, you just need to load your own key into the BIOS. SecureBoot is 100% under your control.

      The problem here that sets VeraCrypt apart is that VeraCrypt after doing its thing needs to load Microsoft's Bootloader. This entire system is interlinked. The whole point of secureboot was that software doesn't fuck with the boot process without authori

  • by Anonymous Coward
    N/T.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Unlike Obama NSA who persecuted Snowden.
      • Versus the Little Shrub NSA or the Obama NSA? I thought you AC's were strongly pro-Blue.
        It wouldn't matter who was sitting in "The Chair"... they would all prosecute Snowden (although what he did was good) for leaking info.

  • US government (Score:5, Insightful)

    by dskoll ( 99328 ) on Wednesday April 08, 2026 @01:26PM (#66083544) Homepage

    Clearly, the US government is unhappy with regular people having robust data encryption.

    This is why it is folly for non-US organizations to continue using closed-source US-based software. If they can't see the security risks inherent in this practice, then I don't know what to say.

    • It's pretty risky to use any software from a monoculture. You risk going down at the same time as everyone else during a big exploit. You risk getting hit with zero-day code and sitting there compromised without even knowing it. At least, it appears your risk is significantly higher if you are on a closed source commercial operating system.

      Security weenies claim security via obscurity doesn't work, but it absolutely does if you like to use data and respect what it tells you. Check the number of sec
      • by Anonymous Coward
        This is why I stick with my Amiga emulator under OS/2.
        • This is why I stick with my Amiga emulator under OS/2.

          Can't have your security broken if there is no security. I like the cut of your jib.

      • Re: US government (Score:5, Insightful)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday April 08, 2026 @01:57PM (#66083602) Homepage Journal

        "Security weenies claim security via obscurity doesn't work, but it absolutely does if you like to use data and respect what it tells you. Check the number of security CVEs for operating systems like OpenVMS, MPE/IX, and see how they compare with Linux or Windows. By volume, the most popular OSes get the most attacks and successful exploits."

        That is not security by obscurity. It's security by unpopularity.

      • by HiThere ( 15173 )

        "Security by obscurity" doesn't work by itself. It's a necessary component of every security policy, however. You can't just pick one. (It's called "defense in depth", but that's not really a good metaphor.)

    • Re:US government (Score:5, Insightful)

      by Locke2005 ( 849178 ) on Wednesday April 08, 2026 @01:55PM (#66083592)
      Put it this way: would you use a closed-source OS implemented in China? What makes you think the US government is more trustworthy than the Chinese government, especially given the direction Trump is taking it? (To be fair, it's been heading that way ever since 9/11.)
      • by HiThere ( 15173 )

        If you want to be fair, it's been headed that way ever since the 1860's. And prior to that the individual states were headed that way.

        People in power like to make their jobs easier.

        • Hehe... I know.
          Not all bad stuff strictly happened, only, ever under Trump... no other President is safe from accusations and such... didn't the Little Shrub invade Iraq under false pretenses? Did he get rid of terrorism?

          A lot of those are hardcore pro-Immigration (legal and illegal), hardcore anti-Trump, hardcore pro-Blue state, who don't bring anything to the conversation besides trying to start arguments and crap... if you ask them to give links to anything that verifies their claims, you'll never get

      • by JBMcB ( 73720 )

        =What makes you think the US government is more trustworthy than the Chinese government, especially given the direction Trump is taking it?=

        Because the US government doesn't make operating systems? They've taken Apple to court to get unfettered access to iPhones and have lost. It's far from perfect, but there is still a system of checks and balances happening.

        Besides that, you can post a photo of yourself holding the bloody severed head of Trump, and the worst that happens to you is losing a gig at CNN and a squatty potty endorsement job. If you call president Xi a silly name, you disappear.

      • (To be fair, it's been heading that way ever since 9/11.)

        Actually, a lot longer than that; however, 9/11 was a catalyst that brought things to a boil.

    • "Never ascribe to malice what can be adequately explained by incompetence." Microsoft is probably using AI to review all the people with signing keys, and it hallucinated a reason to terminate his account. They've been blindly trusting their AI for all sorts of things it can't do properly.

      • by HiThere ( 15173 )

        It might be a hallucination, or it might be a real problem. And there are other possibilities. (E.g. earlier it was suggested that MS noticed a bad bug *somehow* and the government didn't want the bug to be fixed.)

      • "Never ascribe to malice what can be adequately explained by incompetence."

        The problem in this case is that Microsoft has a long and extremely well documented history of both of these things.

    • by gweihir ( 88907 )

      Indeed. At least Europe is slowly catching on.

    • Or, someone didn't check their email.

      Microsoft Vice President Scott Hanselman said the developer accounts were automatically suspended because they failed the "mandatory account verification for all partners in the Windows Hardware Program who have not completed account verification since April 2024" that the company had been emailing "everyone" about since October 2025. https://www.bleepingcomputer.c... [bleepingcomputer.com]

  • My guess (Score:4, Interesting)

    by Locke2005 ( 849178 ) on Wednesday April 08, 2026 @01:52PM (#66083588)
    Microsoft is in bed with the NSA, and the NSA doesn't want people to be able to secure their Windows against government spying.
    • by Z00L00K ( 682162 )

      Add to it that Microsoft don't want anyone to use something more secure than Bitlocker.

    • Hardly. If the user has access to files then Microsoft does as well. That's the fundamental problem with this debate by multiple people here. If you can open a file then Microsoft has access to it. If you use VeraCrypt to secure your windows partition then Microsoft has access to all the files since you literally need to decrypt the partition to load the OS.

      Tinfoil hats are not a nice fashion accessory.

  • by Anonymous Coward

    This tells me that there is a bug in the current Windows version that the TLAs are using.

  • those in power will want it to go away.

  • by JaredOfEuropa ( 526365 ) on Wednesday April 08, 2026 @02:35PM (#66083660) Journal
    Wireguard [ycombinator.com], a lightweight and secure VPN
    Windscribe [x.com], a VPN service.
    • Wireguard [ycombinator.com], a lightweight and secure VPN Windscribe [x.com], a VPN service.

      Microsoft has been raising the bar for kernel drivers for a while now. I am thinking that in their enthusiasm for reducing the attack surface (which in the abstract would be a good thing), they have gone too far, or at least too fast.

    • by gweihir ( 88907 )

      Which somehow is not a surprise. Well, time to kick US monopolies to the curb.

    • by kriston ( 7886 )

      Why do we need kernel drivers for a VPN?

  • by Yo,dog! ( 1819436 ) on Wednesday April 08, 2026 @02:48PM (#66083676)
    "There are no appeals available, we have closed your application"
    That's two sentences that should be separated by a period, not a comma.
  • by jonwil ( 467024 ) on Thursday April 09, 2026 @02:06AM (#66084604)

    A higher up at Microsoft posted on twitter saying the issue was caused by paperwork that these projects didn't do, that all of them were impacted at once because the missing paperwork is tied to a deadline and that Microsoft is working to get it sorted out so these projects can continue.

    • I like how nobody considered that possibility and instead ran with, "it must be the government", or, "gosh, Microsoft sure is evil."
      • by whitroth ( 9367 )

        And you *don't* think that the FBI wants something with a backdoor?

        Ples... are you claiming M$ ISN'T evil?

        • I didn't say either of those things were true or false. I was noting that nobody considered any other explanation, they just ran with bad assumptions. Did anyone ask if maybe the devs screwed something up? Nope.

          Maybe it's because the article was not properly researched, leaving everyone to make up their own explanations. 404 sure seems to have missed this - https://techcommunity.microsof... [microsoft.com]
