As I mentioned in the mailing list post, the Microsoft paperwork shuffling matter got dealt with rather quickly, following all the attention the HN thread from the other day got. And now we're finally out with an update!
NT programming is a lot of fun, though this release was quite challenging, because of all of the toolchain updates. On the plus side, we got to remove pre-Win10 support -- https://lists.zx2c4.com/pipermail/wireguard/2026-March/00954... . But did you know that Microsoft removed support for compiling x86 drivers in their latest driver SDK? So that was interesting to work around. There was also a fun change to the Go runtime included in this release: https://github.com/golang/go/commit/341b5e2c0261cc059b157f1c...
All and all, a fun release, and I'm happy to have the Windows release train cooking again.
Good to know everything was resolved, but did you ever find out why your signing account was suspended? That's not something you brush off as haha silly Microsoft..
They should definitely put up a statement addressing it. Moreover what they plan in the future to avoid such traumatic event, this is not a “simple sign program”, this touches fundamental parts of the OS.
Apparently it's quite widespread, so I would assume a bug on their side. That's what support seemed to imply at least. We're still blocked at my company for one month+ now.
For something like this, I would generalize a "bug" to encompass both software and human processes. Some decision-maker saw some metrics consistent with spam and enacted a spam-blocking measure. Any decision like this is going to lead to false positives. Maybe they decided "I don't need to confer with anyone", or maybe they did and got the green light even after multiple eyeballs looked at it. I'm not saying that this does any good for Microsoft's already-sullied trust, but mistakes happen and combating spam is a constantly evolving arms race. There's no way any organization is going to get it 100% of the time even after decades of dealing with it.
I doubt someone manually went and flagged all the accounts as invalid suddenly or whatever and that was their goal.
By a bug I mean some kind of automated action that did not produce the expected outcome.
Also because, at least on our side, the account was in an inconsistent state: we were correctly enrolled/validated, but could not access the signing interface.
Good question! I've never tried. The NT driver makes use of some of the more advanced features of the networking stack, so possibly not. But you never know. I'd love a Wg4React.
ReactOS was, at one time, targeting a Windows Server 2003-level of compatibility. With that in mind I can't imagine current Wireguard would have even a shred of hope of working on ReactOS.
> following all the attention the HN thread from the other day got
That's great for you, and no offense, but what about developers who can't get buzz in a HN thread? Are they just doomed? Why is support only available to those who can raise a ruckus on social media?
Hey there, thank you for pushing this out. I saw there's a 0.6.1 update now, that also reboots the machine after updating. I don't remember if it said it'd do said reboot...
As a wireguard user myself (even on the lone Windows machine that I still begrundingly have), I am happy that this problem could have been resolved. I am just wondering - if there had not been this kind of public outcry and outrage that Mr. Donenfeld discounts in his announcement message, would the issue have been fixed by now?
What are individual developers of "lesser" (less important, less visible, less used) software with a Windows presence to do? Wait and pray for Goliath to make the first benevolent move, like all the folks who got locked out forever from their Google accounts on a whim? Ha!
The fact of the matter is, the code signing requirements on Windows are a serious threat to Free and Open Source Software on the platform. Code signing requirements are a threat to FOSS on all platforms that support this technique, and infinitely more so where it's effectively mandatory. I firmly believe that these days, THIS is the preferred angle/vector for Microsoft to kill the software variety their C-levels once publicly bad-mouthed as "cancer", and zx2c4 is one of the poor frogs being slowly boiled alive. Just not this time - yet.
They would be ignored. Having an audience is key to getting problems solved, whether it’s a lone hacker or a large corporation. Without an audience, you have no leverage. At that point you might as well create a new Windows account and re-apply, since that would have more luck than getting around a “we’ve closed your account and there’s no appeal process” barrier.
If that sounds Kafkaesque, it is. It’s a small miracle that getting a post to the top of HN can surmount such bureaucracy at all.
The best way to get an audience is to tell a compelling story. Make it interesting. There are ways of doing that for even the least known developers.
My point is to push back against the idea that it should be fair to everyone and that what’s morally right should prevail in every case. The hardware developer program doesn’t exist to treat every developer fairly. They exist to make money for Microsoft. pg puts it more eloquently here: https://paulgraham.com/judgement.html
While this is a small problem for software (and hardware) that needs custom kernel drivers, or software that needs to run as administrator, you seem to have jumped a long way past that to rant about FOSS on Windows with no justification- general unsigned software works just fine on Windows as it always has.
I got a modestly-similar situation resolved by buying a support package and spending 4+ hours across ... not sure, but probably 4-5 support calls? It's been 5 years. If memory serves it was the $200/mo support package for Azure.
In retrospect, I should have not spent 3 weeks trying to get their incompetent software to work and just gone straight to phone calls. And at least in my case, the support agents seemed broadly unfamiliar, but seemed to have access to higher-priority internal case submission which did finally get to someone who could fix my issue.
An interesting point I don't think I've seen someone make -- people compare the LLM revolution to other technical revolutions. You don't need to worry about skill decay in the same way that you don't know how to bake bread from unprocessed wheat, or you don't know how to build a loom, etc.
But local models aside (which no matter the protests from HN, will only be available to the technically savvy few) all of these LLMs are a service, so, the company could degrade the service, they could charge more than you're willing or able to pay, they could ban you. They could disable your account with no meaningful way appeal or seek support. LLMs could look at lot more like the scenario in this thread than something like not knowing how to make your own shoes.
It might settle into a situation where cutting edge LLMs are a service, while older and smaller LLMs are self-hosted. So you are not at risk of being cut off, but of being degraded.
But what would have happened if they weren't able to get Microsoft's attention through an outside channel (this site) and had to go through the normal process?
I'm glad it was resolved quickly for WireGuard, but I'm concerned the results won't generalize.
There was a lot of speculation about this issue because readers assumed that WireGuard's was the only account that got locked. There was actually a wave of account locks that happened at the same time. If you only saw one of the headlines you might assume it was targeted or the result of some directed conspiracy, not the result of a widespread process.
Microsoft did a (very!) bad job of communicating what was happening, but The Register has more information:
> He explained that both deactivations were executed as part of the Windows Hardware Program's account verification procedures.
> The company published a blog in October, giving devs a two-week warning that if their accounts had not been verified since April 2024, Microsoft would issue mandatory account verification notifications.
> "We worked hard to make sure partners understood this was coming, from emails, banners, reminders," said Davuluri.
>The comments that followed were a bit off the rails. There's no conspiracy here from Microsoft. But the Internet discussion wound up catching the attention of Microsoft, and a day later, the account was unblocked, and all was well. I think this is just a case of bureaucratic processes getting a bit out of hand, which Microsoft was able to easily remedy. I don't think there's been any malice or conspiracy or anything weird.
it was a bit crazy how quickly people got conspiracy-minded about it.
microsoft fucked up, and as per typical big-tech, only fixed it when noise got made on social media. but not everything is a grand conspiracy orchestrated by microsoft or the government or whatever. incompetence is always more likely than malice.
any news from the veracrypt maintainers? i would imagine whatever microsoft employee got tasked with resolving this issue would have also seen that one.
---
edit: well, i certainly underestimated the response to this comment. my mistake for using a common saying rather than being extremely explicit when it comes to something as emotionally charged as microsoft. i dont think i have seen a comment of mine go up and down points so many times before.
what i intended to get across was: "this was not a deliberate, coordinated, purposeful attack on the wireguard project, at the behest of some microsoft executive, to accomplish some goal of making encrypted communication impossible or whatever. instead, this was the result of a stupid system, with a stupid resolution process (social media), that is still awful, but different in important ways from a deliberate attack. this is the typical scenario (stupid system, stupid resolution). the non-typical scenario would be a deliberate choice made and executed by microsoft employees to suddenly destroy a popular project".
i shortened the above paragraph to the common saying "incompetence is always more likely than malice". i shouldnt have. my bad.
"Incompetence" of this degree is malice. It is actively malicious to create a system that automatically locks people out of their accounts with absolutely no possibility for human review or recourse short of getting traction in the media. "No sir, I didn't grind those orphans up. It was this orphan grinding machine I made that did it, teehee!"
i am positive that you understand the spirit of what that saying means.
incompetence is always more likely than [intentional, directed] malice.
microsoft employees did not deliberately attack the wireguard project with a goal of taking it down for whatever grand scheme people's hatred cooks up. if you have evidence that microsoft did this deliberately to ruin the wireguard project, please forward it along to jason (the wireguard maintainer) and several news outlets.
Where possible I recommend not caring because figuring out whether malice was present is difficult and you can likely address a problem without needing to be sure.
For example by creating working processes which never end up "accidentally" causing awful outcomes. This is sometimes more expensive, but we should ensure that the resulting lack of goodwill if you don't is unaffordable.
Worst case there is malice and you've now made it more difficult to hide the malice so you've at least made things easier for those who remain committed to looking for malice, including criminal prosecutors.
>Worst case there is malice and you've now made it more difficult to hide the malice so you've at least made things easier for those who remain committed to looking for malice, including criminal prosecutors.
i am quoting the maintainer of the project. take it up with them if you think microsoft coordinated a directed attack on their project.
I think you're missing the point of the person you're replying to.
It's really easy to end up with procedural machinery that makes it unpleasant for other entities that you don't like.
It seems to get the things that you do like and value less often. Why? Because you think about the consequences to what you consider important and you're inclined to ignore potential consequences to those you oppose or are competing with.
The Vogons weren't necessarily overtly malicious when they obliterated Earth.
Yes, the maintainer continues to be held hostage by Microsoft, so it is no surprise that they don't publicly denounce Microsoft or ascribe ill intent or in any way speak ill of Microsoft.
Microsoft's incompetence is certainly reckless at a minimum, and often manifests in ways that come across as misanthropic toward their users. They don't really fit the pattern of mere bumbling fools.
And the person you are responding is asserting that the response to incompetence of this level should be the SAME as if it directed and intentional malice. Which is a completely valid way to view a fuckup like this.
>response to incompetence of this level should be the SAME
sure.
but this was not a deliberate attack by microsoft employees to shutdown wireguard. that is what i was trying to say and the essence of the quote in question.
Microsoft drove a truck through a school yard at 150mph. It was not a deliberate attack, it was just the fastest route and their map says there's a highway there. Is it malice?
A certain level of recklessness is automatically malice.
in that case, it certainly wouldnt be called a deliberate attack, right?
the edit in my original comment should hopefully clear up any confusion of my intended point. and, well... the comment you replied to should also make it clear that my entire point is centered around something being deliberate attack vs. ridiculous incompetence.
the deliberateness of it is the entirety of the reason i wrote my comment. choosing the phrase "malice vs. incompetence" was a poor choice on my part, when i should have been extremely explicit. it would have avoided all of this back-and-forth.
whether something is a deliberate attack or not is not worth pointing out?
its, like, the only thing worth pointing out. if microsoft is deliberately targeting projects and literally attacking them, that would be huge fucking news. like crazy news. lawsuits galore.
i get that everyone has a frothing-at-the-mouth extreme hatred to microsoft and its employees. but microsoft did not say "fuck jason, fuck wireguard, lets try and shut that down". that would be a way different story.
i point out in my original comment that i think it is stupid that the only way to resolve this sort of thing is via social media. i think it is insane. and the lack of accountability is also crazy, given the influence microsoft (and other big tech) has over everyday life.
i think people are reading my comment as some sort of defense of microsoft. its not.
all i wanted to emphasize was that this incident, while obviously ridiculous, did not come about because a bunch of microsoft employees sat in a cigar-smoke filled room saying "lets destroy wireguard".
It's so unhelpful for people to get mad at made up crap. It completely weakens the impact of the pushback. Like if someone is in a position where people are getting mad over all sorts of made up stuff anyway, what's even the point of avoiding actually doing any of the things they're mad about? Might as well get something out of it if the downside doesn't change either way.
Except that the system that removes culpability, visibility and consequences of this kind of abuse is set up deliberately to avoid liability and consequences of such actions.
This isn't a tee-hee accident, this is deliberate organizational design which removed any kind of bad consequences or even thought about what the software does to user from the engineers at Microsoft. They're happy about that. They now don't need to deal with that. And if you'll ask them, they will refuse a change that will make them responsible for abuse of their users.
and even with all of that in mind, this was not a coordinated microsoft attack against wireguard. which was my point.
i am in no way defending microsoft. just pointing out that the conspiracy-theorists suggesting that some exec at microsoft specifically targeted wireguard for whatever nefarious purpose was, well, a conspiracy.
With the way things are going right now with all the corruption in governments and corporations were way past the point of giving the benefit of the doubt. These organizations are clearly making changes to their OS's to slowly remove user control.
Everything should be treat as suspicious moving forward and I am glad of the skepticism.
The question is, did they notify the user that the account was blocked, or was it done silently? My money is on the latter, obviously I don’t know, just my guess. Was there a reason? Blocked is semantically harsher, than it has been disabled.
yes, i am in agreement. i tried to be extremely clear in my edit that i think that the whole social media being the only way to get an account back is crazy stupid.
root programs are super specific about root cause analysis, what actions lead up to distrust, differentiating deliberate maliciousness from systemic incompetence, etc.
its like the exact opposite of "all this doesnt matter".
of course they still look at the outcome (danger to users, etc.), typically as a first step. but they take great care to determine exactly what lead up to a specific outcome.
It really depends on the scale of the breach, for example DigiNotar was immediately killed for their gross incompetence. In this case even the scale is unclear, with heavy suspicion towards malice and little hope on fixing any process inside that monstrous bureaucracy or even making it meaningfully care if it's not. I see no reason to trust Microsoft anymore, regardless of it being a fuckup or malice.
Microsoft has entitled itself to decide what I can and cannot run on the computer and OS that I paid for, this earns them no additional revenue, so they don't care to do a good job.
i think they have explicitly made it clear that they want to copilot all of the things (unfortunately), so i dont quite file it under the conspiracy label.
If it's not a conspiracy (and to be clear, I don't think it is one) its still a failure on multiple levels of the organisation
We can probably blame copilot for the email about new verification reqirements not going out to everyone. Maybe even for the reports of people who jumped through all the hoops and still got blocked as if they hadn't. But rolling out new verification reqirements, then not monitoring how many developers fulfill your new reqirements and following up is entirely on Microsoft employees. That's management failure and disregard for developers on their platform
I don't think you can let them off that easily, given that the only effective support channel was "get to the front page of hacker news", which isn't usually an option.
and imagine for those guys that dont have the reach wireguard/veracrypt does.
NEVER trust microsoft, NEVER trust any mechanism people dont 100% control themselves. having to rely on microsoft to sign stuff is an abomination and something nobody should do