Microsoft has locked out prominent open source developers Mounir Idrassi and Jason Donenfeld from their accounts, preventing them from signing updates for critical projects like VeraCrypt and WireGuard. The developers received no explanation for the account terminations and have been unable to reach a human representative at Microsoft, raising concerns about cybersecurity vulnerabilities and the ability to patch critical security flaws.
Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates. Mounir Idrassi and Jason Donenfeld, the developers behind VeraCrypt and WireGuard respectively, both recently reported that Microsoft locked them out of their developer accounts for reasons unknown to them.
on March 30, saying: "Microsoft did not send me any emails or prior warnings. I have received no explanation for the termination and their message indicates that no appeal is possible.
"I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."
The lockout affected the developer account associated with IDRIX, the company behind VeraCrypt, which also handles other projects beyond the encryption utility.
"I cannot sign the VeraCrypt driver or the VeraCrypt bootloader through the hardware dashboard," he said. "This also prevents me from signing drivers and components for my customers on different projects, so this situation impacts my work beyond VeraCrypt."
It was a similar story for Donenfeld, who also claimed Microsoft had not made him aware of why his account access was revoked. He also expressed concerns about cybersecurity. If the WireGuard team became aware of a vulnerability affecting the VPN, he would have no way of signing an update to patch it.
"As somebody on Hacker News noted, if someone was a bad actor, right now would be a pretty good time to start exploiting
that his saga began roughly two weeks ago, after spending weeks working on improvements to the WireGuard user application and its kernel driver, including rebuilding the latter's infrastructure to pass the Windows Hardware Lab Kit test suite, which he described as "a neat project," but "a massive pain."
He said: "With the WHLK package ready, I got a new super expensive EV code signing certificate – this Microsoft requirement is kind of a racket in its own right – and I was ready to login to the Partner Portal and submit my signed WHLK package and driver to Microsoft for automated inspection, which usually results in a Microsoft signature required for loading drivers into the kernel."
[Image: Microsoft's message to WireGuard's Jason Donenfeld, informing of his account deactivation]
"Microsoft never sent me any notification at all about this," Donenfeld added. "I've looked in every inbox in every spam folder in every mail log, and zero, nothing, zilch."
The appeals process directed Donenfeld to an AI support ticket tool, but this didn't allow him to select the workplace to which the appeal pertained because his account was deactivated. This caused what he called a catch-22 scenario, where he needed to file the appeal to reinstate his account, but he also needed an account to file the appeal. The workaround he eventually found was to file an appeal via the Azure team for something unrelated, and get them to redirect it to the right team.
"Finally this week, and after bugging some friends who work at Microsoft, and after emailing the authors of those blog posts, some news started to trickle out," Donenfeld said via email. "They received the appeal. It takes 60 days. No, no amount of pressure or vouching that I am, in fact, a real person with a real project will speed it up. Sixty days. No exceptions.
"By the way, they didn't note what was required for the appeal in terms of documentation, so I just sort of guessed. So, after sixty days, they could just deny it, and I'd be screwed.
"It struck me as contrary to Microsoft's business interests, so I emailed .
But they didn't think it was important enough and referred me to the executive support team instead, who told me yesterday that the right people did, in fact, receive my appeal, but there was nothing to do to get it processed and no insight into when/how/etc. Totally opaque."
Pavan Davuluri, Microsoft's President of Windows and Devices, said both Idrassi and Donenfeld should have their accounts restored "soon." "We've reached out to VeraCrypt and have spoken to Jason at WireGuard, they should be back up and running soon."
in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
"We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri. "And we know that sometimes things still get missed. We're taking this as an opportunity to review how we communicate changes like this and make sure we're doing it better."
that his account was reinstated and he was able to get his kernel driver update out as of Thursday morning. ®
