Posted: Thu Nov 02, 2006 1:20 pm Post subject: Storage file is not always encrypted??
I just came across something that concerns me greatly about this product. Just for fun today, I copied off the .vol file that is supposed to be the encrypted version of the data and opened it with a hex editor. All of my data was clearly in the file and NOT encrypted! How could this be happening??
So, just for testing, I did this:
1. Went into the app and created a new mount called "TEST" on my SD card. It mounted it.
2. Copied two JPEG images and a text file into the TEST directory on the SD card.
3. Dismounted the TEST volume.
4. Copied the TEST.vol file to my PC and opened it with a hex editor. It was all encrypted garbage -- just like I would expect.
5. Mounted TEST again.
6. Copied another JPEG into the TEST directory.
7. Dismounted TEST again.
8. Copied the TEST.vol file again to my PC and opened it with a hex editor. THIS TIME IT WAS COMPLETELY READABLE!
In other words, when I created the volume the first time, it was encrypted as expected. But after I later remounted it and added more data to it, the file was left UNENCRYPTED even though it was supposed to be!
This is very repeatable for me. I just grabbed 4 old .vol files from an old SD card that I had been using and ALL of them were UNENCRYPTED, PLAINTEXT!
What the heck is going on here?? This seems to be a SERIOUS flaw!
P.S. Note that it didn't seem to matter if I used the "global" password or assigned individual passwords to my volumes. I tested both ways and both became unencrypted .vol files after I had remounted and dismounted them a couple of times.
I appreciate your bringing it up. There was a security bug, but it was fixed (see the recent press release).
Ah -- I see that there is a v2.9. I actually checked the download section before posting to make sure I was on the latest version, but couldn't find any version information there. Now that I see the press release, I see that I am behind apparently. Am I missing a place besides the press releases that indicates the current version and where to get it to upgrade? As a suggestion, I think the current version should be prominently listed on the product page(s)...
Can you tell me what version of the encrypter you are using? We need to check this ASAP. Thanks for your help.
I am running v2.7. I'll try to upgrade to the new v2.9 tomorrow. Thanks.
Also, did you verify that you dismounted (encrypt) the .vol at the end of your test? I'm sure you did, but I want to check.
Yes, I made sure it was dismounted first in all of my testing.
P.S. Your press release says that it is v2.9, but then says to "completely remove any previous version before installing version 3." I assume this is a typo, yes?
Thanks -- and, next time, I'll indeed just email directly if it is a security concern.
However, I seem to have another problem. I can't import my old .vol file now that I have upgraded to v2.9. When I try to import, it says that it is not a valid Encryptor volume.
Not a huge deal because I have a backup -- but I can see some people really freaking out if they upgraded and then couldn't import their v2.7 .vol files.
Note that it seems to recognize the password. If I purposely put in an invalid password, it says: "The password entered is invalid or blah.vol is not a valid Encryptor volume" -- but if I put in the right password, it just says "blah.vol is not a valid Encryptor volume." So, it knows that the password is right -- but still doesn't think it is a valid .vol file to import.
Oh - I see now. After more testing, it is the ones that aren't really encrypted (that I was complaining about above) that won't import. This makes some sense now since they are indeed "funny." But, since this was a known bug, I would think that the importer would need to be written to handle it. Basically, it appears that it can't import the non-encrypted .vol files (which are supposed to be encrypted, but weren't because of the bug you mentioned previously).
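The hex-editor check from the first post, and the unencrypted .vol files described in the last one, automated as an added example (not from the thread or the vendor). The .vol layout is not described here, so the script only looks for generic signs of plaintext; the thresholds, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Headers that must never be visible inside an encrypted container.
SIGNATURES = {b"\xff\xd8\xff\xe0": "JPEG/JFIF header", b"\xff\xd8\xff\xe1": "JPEG/Exif header"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, much lower for plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def longest_printable_run(data: bytes) -> int:
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, run)
    return best

def find_plaintext(data: bytes, block=4096, min_entropy=7.0, text_run=24):
    """Return sorted (offset, reason) findings that suggest unencrypted content."""
    findings = []
    # Compressed image data has high entropy, so JPEGs are caught by header only.
    for sig, name in SIGNATURES.items():
        pos = data.find(sig)
        while pos != -1:
            findings.append((pos, name))
            pos = data.find(sig, pos + 1)
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        # Entropy is only meaningful on reasonably large chunks.
        if len(chunk) >= 1024 and shannon_entropy(chunk) < min_entropy:
            findings.append((off, "low entropy"))
        if longest_printable_run(chunk) >= text_run:
            findings.append((off, "readable text"))
    return sorted(findings)

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext or compressed image data."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed samples (not real .vol files): one looks encrypted, the other holds
# a JPEG header and a text file in the clear, like the second copy in the post.
ENCRYPTED_SAMPLE = pseudo_random(8192)
PLAINTEXT_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + pseudo_random(4085)
                    + b"shopping list: milk, eggs, bread\n" * 125)

if __name__ == "__main__":
    for label, sample in [("encrypted", ENCRYPTED_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)]:
        print(label, find_plaintext(sample) or "no plaintext indicators")
```

To check a real container, pass the bytes of the dismounted file to `find_plaintext`; a format with a cleartext header would need that region excluded first.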
Copyright 2001-2010, Chris De Herrera, All Rights Reserved