- FTP client with file encryption for remote backup?
- Posted by Tom on February 20th, 2006
Hi,
I would like to use my ISP's FTP server for backing up my personal files
from my desktop. I was wondering if there is a tool available (open
source/freeware if possible) that can automatically encrypt files while
transferring them to a remote FTP server, so that the files on the remote
server cannot be used by the ISP.
Thanks,
Tom
- Posted by Todd H. on February 20th, 2006
"Tom" <Tom@nospam.com> writes:
File encryption is what you need. Transport level encryption is moot
if the goal is to protect admins of the remote machine from doing
anything with them:
On *nix, or using Cygwin in Windows (include gpg in what gets installed):
tar cvfz somefile.tgz /path/to/backup
gpg -c -o somefile.tgz.gpg somefile.tgz (symmetric key option used for simplicity)
ftp or scp somefile.tgz.gpg to the ISP
--
Todd H.
http://www.toddh.net/
- Posted by ~David~ on February 20th, 2006
The best that I've come across is FileZilla, found at
http://filezilla.sourceforge.net/. It's free and open-source, and can do ftp,
and sftp, which is run over an ssh server. FTP is not encrypted, so the easiest
way for security in most cases is to make sure your ISP has an ssh server set up
so you can use sftp (usually you log in with your normal user/pass). FileZilla
will let you set up a profile for this, making it a pretty good tool, IMHO.
~David~
Tom wrote:
- Posted by Todd H. on February 20th, 2006
~David~ <shadoweyez@gmail.com> writes:
Actually, the original question is more interesting than the
relatively simple question of encrypted transport.
What Tom wants is something that will automagically encrypt the files
on the fly, and leave them in encrypted form on the target server.
The concern is not so much one of securing them from being sniffed in
transit in the clear, but rather to prevent admins of the target
server from being able to do anything useful with his data that he
stores there.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by D. Spencer Hines on February 20th, 2006
Why would his ISP want to allow him to do this?
Encrypted files on their server -- over which they have no access?
Bonkers...
DSH
"Todd H." <comphelp@toddh.net> wrote in message
news:84oe11ssyn.fsf@ripco.com...
- Posted by nemo_outis on February 20th, 2006
"D. Spencer Hines" <poguemidden@hotmail.com> wrote in
news:OipKf.76$2B.1157@eagle.america.net:
There are dozens of such services, including Rapidshare and Megaupload. I
have uploaded and downloaded literally gigabytes of files to/from such
places.
Regards,
PS The interface is usually HTTP rather than FTP though
- Posted by Todd H. on February 20th, 2006
"D. Spencer Hines" <poguemidden@hotmail.com> writes:
Not "no access." Instead, "No useful access." Sure the file's
readable to the ISP administrator as root, but it's an encrypted mess
from which no useful information can be extracted except by the file's
rightful owner/creator who knows the encryption token (be it password,
or private key, whatever).
Um....no, it's called privacy.
If you want to store an encrypted file on an ISP's servers that
includes backups of your financial software data, encrypted password
hashes for all customers to your web application, etc there's no
(legitimate) reason in the world an ISP shouldn't let you.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by Borked Pseudo Mailed on February 20th, 2006
D. Spencer Hines wrote:
Why would an ISP think they had any say so in the matter, as long as the
OP remained within his contractually agreed upon space allocation limits.
I find it a little disconcerting that you'd assume someone was guilty
until proved innocent, or that an ISP had the right to make that
determination. Last I knew, possession of encrypted data wasn't a crime in
any civilized jurisdiction.
A lot of people might say that of YOUR argument. 
- Posted by D. Spencer Hines on February 20th, 2006
Arrant Twaddle...
Great Way For Terrorists To File Data And Plans -- Encrypted -- For Pickup
By Confederates -- On An ISP FTP Server.
Don't You Pogues Realize We Are At War?
Damned, If You Aren't Gullible, Naive Children!
Now, Go Stand In The Dunces' Corner -- With Your Faces To The Wall.
DSH
Lux et Veritas et Libertas
Veni, Vidi, Calcitravi Asinum
- Posted by Todd H. on February 20th, 2006
"D. Spencer Hines" <poguemidden@hotmail.com> writes:
You're either a troll, being facetious, or a complete imbecile.
Please indicate which.
--
Todd H.
http://www.toddh.net/
- Posted by D. Spencer Hines on February 21st, 2006
If you want to encrypt some files -- put them on an FTP Server at an ISP --
insist that the ISP have no access to them, or anyone else, except as you
designate and/or control -- I want the Department of Homeland Security to be
checking into what you are up to -- through the FBI, and other Agencies as
appropriate.
DSH
Lux et Veritas et Libertas
- Posted by Todd H. on February 21st, 2006
"D. Spencer Hines" <poguemidden@hotmail.com> writes:
Okay, that answers it--you're an imbecile. At least on this topic.
You don't have the requisite knowledge of the legitimate merits of
"confidentiality" that encryption provides to even be _posting_ in
alt.computer.security.
Yes, encryption can be misused by the bad guys. But that's no reason
to suspect everyone who uses it as being up to something nasty.
Ever bought something on the web using an SSL secured website? You
have? Oh my, you terrorist! You actually wanted your credit card
data encrypted in transit over an ISP? Rogue!
Ever entered your credit card number, name, home phone, address
information? Wouldn't you like that company to use strong encryption
on that database to make sure any $10/hr employee of the ISP hosting
that store's server (and up to 100s of other companies' databases)
with logical access to that server to be able to read that database?
Say your health care provider's records, or your scholastic aptitude
tests from grade school are on some institution's computers somewhere,
hosted by an ISP. I suppose you wouldn't want encryption on those to
prevent the janitor there from downloading the files onto a CD-ROM and
selling the records en masse to some company looking to profit off of
the information?
Or would want the DHS to prohibit that and leave your information
exposed? Apparently you do, or you seem to want yourself investigated
by big brother.
"Any society that would give up a little liberty to gain a little
security will deserve neither and lose both." Benjamin Franklin
And in this context where we talk about encryption, liberty is defined
as the right to keep your information just as private as you want it
to be, disclosed only to those to whom you have disclosed them, and no
one else (even the feds).
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by D. Spencer Hines on February 21st, 2006
Nonsense!
I didn't say anything of the sort.
Read what I WROTE -- not some anserine STRAWMAN you have conjured up in your
fevered brain.
I described quite SPECIFIC circumstances having nothing whatsoever to do
with your fevered brainfarts.
Neither did I say no one should be allowed to encrypt anything.
'Nuff Said.
DSH
"Todd H." <comphelp@toddh.net> wrote in message
news:84slqdpcy3.fsf@ripco.com...
<baldersnip>
<baldersnip>
- Posted by Todd H. on February 21st, 2006
"D. Spencer Hines" <poguemidden@hotmail.com> writes:
Okay, I'll bite.
Tell us how your "SPECIFIC circumstances" quoted above are any
different, or programmatically detectable as any different by any ISP
than the extensions to that argument that I detail.
I'm not sure you fully grasp that small businesses use ISPs for web
application and FTP hosting, and remote file backup just like
individuals do, and have all the same legitimate reasons to encrypt
their proprietary data as an individual does.
Remember this thread started with a guy who simply wanted offsite
backup of some stuff on his home machine.
Now tell us, how is an individual's Quicken data file directories, or
backups of their family photos, or personal journals, love letters,
etc that they don't want disclosed to the world or the government:
a) any different in concept than the customer payment database
of a small business that has a hosted shopping cart and
payment system, the photos of a trade secret confidential
prototype, design documentation on trade secret
b) at all detectable as "different" by an internet service
provider so they can be flagged for DHS scrutiny in your
strange little surveillance world
Even if you were able to define that difference in a), b) is
technically impossible to programmatically define. You can't
differentiate encrypted file a from encrypted file b without some
organization having a backdoor to the encryption algorithm. You also
simply don't get the importance of confidentiality, and why you're off
your rocker for even hinting that the original poster is asking for
something even remotely subversive in wanting to protect his personal
computer's backup files from potential disclosure to average joes at
his ISP.
However, without this style of ignorance in the world, the history
books wouldn't have much to write about at the Salem Witch Trials, or
for the excesses of Senator McCarthy's crusade during the red scare--
where large numbers of completely innocent people suffered mightily at
the hand of their government's and weak-minded people's willingness to
give up the keys to the liberties people have fought and died for.
But then again, dramatic changes in the times cause people to get
pretty irrational.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by Borked Pseudo Mailed on February 21st, 2006
D. Spencer Hines wrote:
You must have let your AFDB support contract lapse. It's obviously
filtering incorrect wavelengths.
Those files belong to American agents.
They're securely transferring terrorist plans recently pilfered from the
Evul Umpire's secret island hideaway. But here you are suggesting we
disallow that transfer, thereby causing the deaths of billions of innocent
people.
Way to go, Ace. <snicker>
Don't you realize you're helping them win? Puppeting yourself to their
whims by willfully giving up what they might otherwise have to take by
force? Specifically, your freedom. And for absolutely no benefit to your
safety or security whatsoever.
You're what those terrorists refer to as a "useful idiot".
I see. You think terrorists are going to be in any way encumbered by not
allowing people to store encrypted files in their own account space, but
every one else is "naive".
You really *don't* know much about this stuff, do you?
Truth be known, transferring files this way, even encrypted files, is a
pretty piss poor way of getting the job done considering all the better
options there are. You're tying all your files to an account right off the
bat, then leaving them hanging in mid air for some unspecified amount of
time. That leaves not only the people accessing the files, but the files
themselves vulnerable to attack.
Serious terrorists wouldn't be using anything so woefully insecure as any
normal Internet connection to begin with. That's a made-for-TV fantasy
you're using to prop up your amusing paranoia right from the get go. And
if they did find themselves in the position of being forced to communicate
via such insecure means, you can bet bottom dollar it would be ephemeral
and real time. There's just too many easy options and they're *way* more
secure.
By your misguided illogic, the better way to fight terrorism would be to
outlaw SSL. But do we see you wetting yourself over people who bank on
line? No, just PGP users and other "naive" citizens. <chuckle>
Can I borrow your pointy hat? 
- Posted by ~David~ on February 22nd, 2006
It seems that what you want is encryption to the disk ON the file server.
Assuming the legality and politics work out (ISPs let you store data, and it
should be whatever data you want to store, so long as it's within your quota
limits) there are two ways I can think of.
One is to encrypt the data on your systems before it is sent over. This seems
to be the most realistic solution at the moment, as it doesn't require any work
or coordination with your ISP.
The second way, which is what I believe you conceptually want, is to transfer
the files and have them encrypted AT the ISP server. This would probably
involve a _lot_ of bash/tsh (assuming your ISP uses unix/linux) scripting along
with gnupg, assuming it is installed on your ISP's server or they give you
permission to install it... Your script would have to detect every file
transferred through scp/sftp and after it's transferred run it through "gpg -c
<other options> file.name" and you would have to store a key on the server.
Encrypting it prior to transmission is probably the easiest thing to do. Then
you won't have to bother with sftp and you can use plain FTP. Maybe someday one
of the openSSL or gnupg devs will come up with something easier, or maybe
something like this exists already?
~David~
Tom wrote:
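The encrypt-before-upload approach (Todd H.'s tar / gpg -c steps earlier in the thread, and the first option in the post above) written as a script. This is an added example, not code posted by anyone in the thread; it assumes GnuPG 2.1 or later and tar, and the function names and the passphrase-file argument are illustrative.

```shell
#!/usr/bin/env bash
# Added example: encrypt locally, upload only ciphertext. The passphrase
# file stays on the desktop; the ISP never receives it.

# Enable pipefail where the shell has it, so gpg failing mid-pipe is caught.
(set -o pipefail) 2>/dev/null && set -o pipefail

# encrypt_backup SRC_DIR OUT_FILE PASSPHRASE_FILE
# Streams tar into gpg so no plaintext archive is written to disk.
encrypt_backup() {
    local src=$1 out=$2 passfile=$3
    tar -C "$(dirname "$src")" -czf - "$(basename "$src")" |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$out"
}

# verify_backup ENC_FILE PASSPHRASE_FILE
# Decrypts to a pipe and prints the archive listing. A wrong passphrase
# leaves tar with no input, so the check returns non-zero.
verify_backup() {
    local enc=$1 passfile=$2
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$enc" |
        tar -tzf -
}

# Runs only when given arguments: backup.sh SRC_DIR OUT_FILE PASSPHRASE_FILE
if [ "$#" -eq 3 ]; then
    encrypt_backup "$1" "$2" "$3" &&
        verify_backup "$2" "$3" >/dev/null &&
        echo "verified $2: ftp or scp this file to the ISP"
fi
```

Keep the passphrase file readable only by you and never upload it; anyone holding both it and the .gpg file can decrypt the backup.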
- Posted by Borked Pseudo Mailed on February 22nd, 2006
~David~ wrote:
The only acceptable way.
<snip>
Utterly useless. If the files are encrypted at the destination it means
that both the encryption keys and/or pass phrase are available to anyone
with rights on that server. That could include nefarious tech support
people, foreign spies, or anything in between. Your data is only slightly
more secure than cleartext. At least your grandmother wouldn't be able to
read it, assuming she's only a stereotypical grandmother. 
Transferring encrypted files securely still has benefits. An eavesdropper
wouldn't be able to determine which files are being transferred for
instance. Sometimes file contents aren't the only avenue of attack. It
would still be preferable to move them about via SSL or similar.
- Posted by ~David~ on February 22nd, 2006
Borked Pseudo Mailed wrote:
stronger. But encrypting them beforehand is still the best way.
use FTP anyway.
- Posted by Borked Pseudo Mailed on February 22nd, 2006
~David~ wrote:
No. Your password strength is completely meaningless in this scenario
because for encryption to be done remotely that password MUST somehow be
transmitted to the remote machine, in a usable form. IOW, you MUST give
them your password willingly, in the clear as far as they're concerned.
There simply is no other way for them to "enter" it.
- Posted by D. Spencer Hines on February 22nd, 2006
Hilarious!
DSH
"Borked Pseudo Mailed" <nobody@pseudo.borked.net> wrote in message
news:fdbe497ad789e29ec446b9bdc9ff0c6a@pseudo.borked.net...