21. July 2009
The TrueCrypt Foundation is a joke and their software is a security hole to the PC industry. I would recommend that any company use Microsoft's BitLocker solution instead of their encryption product. Why? Because of their security politics. They basically say that if someone has access to your computer, there is no longer any need to protect it.
They are trying to fix their security holes with a bad security policy. Of course this does not work out: if there is a software security issue, it cannot be handled by security politics. It has to be fixed by developers, not by a policy. Saying “it is pointless to try to prevent” (from their mail) does not solve the problem.
I suggested solutions to them and offered them my help; however, they are ignoring the security issue, so I will make my TrueCrypt attack open source. The software I have developed is able to bypass the full volume encryption of TrueCrypt when booting the computer. And they could easily prevent the attack from a running Windows – but they do not.
My “SecureTrueCrypt” patch to secure TrueCrypt:
else if (irpSp->Write.ByteOffset < 63*512)
These 2 lines would secure the MBR from overwriting and would prevent the TrueCrypt attack in Windows. I am a developer, not a “security policy” propagandist like the TrueCrypt Foundation representative Ennead. Of course these two lines are not perfect: there should be a GetMBRSize() function that dynamically determines the max. size of the MBR (i.e. = start of first partition), and there should be additional checks in the driver and the boot software as to whether the MBR is genuine. However, even if not perfect, this would be a good start in securing TrueCrypt.
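A sketch of the GetMBRSize() idea described above, as an added user-mode example that is not code from the original post or from TrueCrypt: it reads the first partition's start LBA from the classic MBR partition table and applies the post's offset test against that limit instead of the fixed 63*512. The function bodies, WriteTouchesBootArea(), BuildSampleMbr() and the sample sector are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE      512u
#define PART_TABLE_OFF   446u  /* four 16-byte partition entries start here */
#define FALLBACK_SECTORS 63u   /* the post's fixed limit, 63*512 bytes */

/* Hypothetical GetMBRSize(): bytes before the first partition, read from sector 0. */
uint64_t GetMBRSize(const uint8_t *sector0)
{
    uint32_t first = 0;
    if (sector0[510] != 0x55 || sector0[511] != 0xAA)
        return (uint64_t)FALLBACK_SECTORS * SECTOR_SIZE;  /* no valid table */
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector0 + PART_TABLE_OFF + 16 * i;
        uint32_t lba = (uint32_t)e[8] | (uint32_t)e[9] << 8 |
                       (uint32_t)e[10] << 16 | (uint32_t)e[11] << 24;
        if (e[4] == 0 || lba == 0)
            continue;                    /* unused entry */
        if (first == 0 || lba < first)
            first = lba;                 /* keep the lowest start LBA */
    }
    /* empty table: fall back to the fixed limit */
    return (uint64_t)(first ? first : FALLBACK_SECTORS) * SECTOR_SIZE;
}

/* The post's offset test with a dynamic limit: nonzero means refuse the write. */
int WriteTouchesBootArea(uint64_t byte_offset, uint64_t protected_bytes)
{
    return byte_offset < protected_bytes;
}

/* Constructed sample sector 0 with one partition (type 0x07) at start_lba. */
void BuildSampleMbr(uint8_t *sector0, uint32_t start_lba)
{
    memset(sector0, 0, SECTOR_SIZE);
    uint8_t *e = sector0 + PART_TABLE_OFF;
    e[4] = 0x07;
    for (int i = 0; i < 4; i++)
        e[8 + i] = (uint8_t)(start_lba >> (8 * i));
    sector0[510] = 0x55; sector0[511] = 0xAA;
}

int main(void)
{
    uint8_t s[SECTOR_SIZE];
    BuildSampleMbr(s, 2048);
    return WriteTouchesBootArea(63u * 512u, GetMBRSize(s)) ? 0 : 1;
}
```

With the first partition at LBA 2048, a write at byte offset 63*512 passes the fixed test but is still refused by the dynamic one, which is the gap the post's GetMBRSize() remark points at.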