No emails, no warnings, no humans – just bots, catch-22s, and a 60-day appeals queue
Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates. Mounir Idrassi and Jason Donenfeld, the developers behind VeraCrypt and WireGuard respectively, both recently reported that Microsoft locked them out of their developer accounts for reasons unknown to them.
on March 30, saying: "Microsoft did not send me any emails or prior warnings. I have received no explanation for the termination and their message indicates that no appeal is possible.
"I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human."
The lockout affected the developer account associated with IDRIX, the company behind VeraCrypt, which also handles other projects beyond the encryption utility.
"I cannot sign the VeraCrypt driver or the VeraCrypt bootloader through the hardware dashboard," he said. "This also prevents me from signing drivers and components for my customers on different projects, so this situation impacts my work beyond VeraCrypt."
It was a similar story for Donenfeld, who also claimed Microsoft had not made him aware of why his account access was revoked. He also expressed concerns about cybersecurity. If the WireGuard team became aware of a vulnerability affecting the VPN, he would have no way of signing an update to patch it.
"As somebody on Hacker News noted, if someone was a bad actor, right now would be a pretty good time to start exploiting
that his saga began roughly two weeks ago, after spending weeks working on improvements to the WireGuard user application and its kernel driver, including rebuilding the latter's infrastructure to pass the Windows Hardware Lab Kit test suite, which he described as "a neat project," but "a massive pain."
He said: "With the WHLK package ready, I got a new super expensive EV code signing certificate – this Microsoft requirement is kind of a racket in its own right – and I was ready to login to the Partner Portal and submit my signed WHLK package and driver to Microsoft for automated inspection, which usually results in a Microsoft signature required for loading drivers into the kernel."
[Image: Microsoft's message to WireGuard's Jason Donenfeld, informing of his account deactivation]
"Microsoft never sent me any notification at all about this," Donenfeld added. "I've looked in every inbox in every spam folder in every mail log, and zero, nothing, zilch."
The appeals process directed Donenfeld to an AI support ticket tool, but this didn't allow him to select the workplace to which the appeal pertained because his account was deactivated. This caused what he called a catch-22 scenario, where he needed to file the appeal to reinstate his account, but he also needed an account to file the appeal. The workaround he eventually found was to file an appeal via the Azure team for something unrelated, and get them to redirect it to the right team.
"Finally this week, and after bugging some friends who work at Microsoft, and after emailing the authors of those blog posts, some news started to trickle out," Donenfeld said via email. "They received the appeal. It takes 60 days. No, no amount of pressure or vouching that I am, in fact, a real person with a real project will speed it up. Sixty days. No exceptions.
"By the way, they didn't note what was required for the appeal in terms of documentation, so I just sort of guessed. So, after sixty days, they could just deny it, and I'd be screwed.
"It struck me as contrary to Microsoft's business interests, so I emailed .
But they didn't think it was important enough and referred me to the executive support team instead, who told me yesterday that the right people did, in fact, receive my appeal, but there was nothing to do to get it processed and no insight into when/how/etc. Totally opaque."
Pavan Davuluri, Microsoft's President of Windows and Devices, said both Idrassi and Donenfeld should have their accounts restored "soon."
"We've reached out to VeraCrypt and have spoken to Jason at WireGuard, they should be back up and running soon."
in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
"We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri. "And we know that sometimes things still get missed. We're taking this as an opportunity to review how we communicate changes like this and make sure we're doing it better."
that his account was reinstated and he was able to get his kernel driver update out as of Thursday morning.



