Re: FTP Client With File Encryption For Remote Backup?



Thanks for the clarification. However, I am using a software firewall (as
well as a firewall on my router) so the firewall would warn that a
particular application is trying to make an outbound connection to a
particular site.

As you said, a firewall integrated into networking equipment can only control
ports, since it is not aware of the software, so if I allow port 80
(HTTP), any application could do an HTTP POST or GET. The benefit of a
proper software firewall (more advanced than the one built into Windows XP,
which does not allow outbound filtering) is to provide this level of
granularity (e.g. I want IE to access port 80 but I don't want Outlook
Express to).

You are probably right: if I wanted to be 100% sure, I would create the
software myself. Since I am not a security expert, I would probably end up
not doing encryption properly, or save the password in a text file!


"Todd H." <comphelp@xxxxxxxxx> wrote in message
news:84psle3ox4.fsf@xxxxxxxxxxxx
"Tom" <Tom@xxxxxxxxxx> writes:
I never said it was top secret files, just personal files like bank
statements which I don't want my ISP staff to look at.

FYI, the software is not Cuban, but written by a Swedish
citizen. Secondly, how is it going to send anything to a site, apart
from the FTP I have designated, based on my firewall rules? If the
software was trying to contact a site outside the FTP, I would see
it. In the same way, I would see on my web/FTP site traffic in the
log files.

We're beating a dead horse to some degree, and far be it from me to
talk you out of using the cool program you found that has the exact
functionality you seek. But since this is a security newsgroup, and
we tend to be a paranoid lot, possibilities include:

The application could--unbeknownst to you--generate an HTTP
POST or GET request to port 80 to a web site under the author's
control for capture, encoding the data in POST variables or in
the GET request URI itself. Your firewall rules more than
likely allow such outbound traffic. Only a manual analysis of
the logfile would reveal it happened. And if the GET request
were itself encoded even rudimentarily, glancing at logs wouldn't
necessarily be telling you clearly that it happened and that
this app was responsible (unless you were looking at your logs
at the time of the first use of the program).

Hopefully though, the Softpedia "certification" of it being spyware-
free involved some technically astute analysis of the program for such
things.

Also, I might as well trust software written by an individual to be
as secure as software written by, say, Microsoft, which could have
some backdoors...

It's usually at this point in the discussion we have to turn to this
classic paper:
Trusting Trust by Ken Thompson
http://www.acm.org/classics/sep95/
the payoff is:
"The moral is obvious. You can't trust code that you did not
totally create yourself."

Another useful and interesting bit is why Zimmermann, the author of
PGP, was so intent on defying the US Government's attempt to prevent
him from publishing its source code, and why PGP was so stalwart on the
importance of encryption software being not only open source, but
widely peer reviewed:
http://www.philzimmermann.com/EN/findpgp/findpgp.html

More here including history:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Security

Zimmermann spoke at DEF CON a few years ago and gave an interesting talk
about it all. I especially liked the bit where he had the source code
published in a book complete with optical marks to facilitate OCR
scanning of the book into machine-readable form. This was a way
around the government's attempts to enforce a different First
Amendment standard on strong encryption software than print books
enjoyed.

Since you seem to have an answer to everything, what is your
suggestion then to the original question? All I see from you is
contributions with little or no value.

With regard to D. Spencer Hines' contributions, I agree. Even by the
bottom-feeder standard of usenet contrarians (who can only manage to
be right by pointing out minutiae that is wrong), he seems
hopelessly impaired.

Best Regards,
--
Todd H.
http://www.toddh.net/
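The exfiltration channel Todd describes above (data smuggled into a GET URI, hard to spot by eyeballing a log) is the kind of thing a scripted pass over the web server's access log can surface. The following Python script is an added example and is not code from the thread or from the backup tool under discussion; the log lines, the host 203.0.113.5, the `BackupTool/1.0` user agent and the `/ping.php` endpoint are all constructed for the demonstration, and the length/entropy thresholds are heuristics chosen for it. It parses combined-format access log lines, flags any query value or path segment that is both long and high-entropy (the signature of base64- or hex-encoded data), and separately flags POST requests, whose bodies an access log never records at all.

```python
"""Scan combined-format web access logs for requests that look like data
smuggled into the URI.  Added example; assumptions are noted inline."""
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log, not real traffic.  Lines 4 and 5 are the ones a
# misbehaving client might generate: an encoded blob in a GET parameter and
# a POST whose body the access log cannot show.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2006:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [10/Mar/2006:14:01:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 2311 "http://example.test/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [10/Mar/2006:14:02:17 +0000] "GET /ping.php?id=3&v=1.2 HTTP/1.1" 200 17 "-" "BackupTool/1.0"
203.0.113.5 - - [10/Mar/2006:14:02:18 +0000] "GET /ping.php?d=QWNjb3VudDogMTIzNDU2Nzg5IEJhbGFuY2U6IDQ1NjcuODkgQ2FyZDogNDExMTExMTExMTExMTExMQ HTTP/1.1" 200 17 "-" "BackupTool/1.0"
203.0.113.5 - - [10/Mar/2006:14:02:19 +0000] "POST /stat.php HTTP/1.1" 200 17 "-" "BackupTool/1.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic thresholds (assumptions for this example, tune to your site):
# short values are rarely worth hiding data in, and ordinary URL text
# seldom exceeds ~3.5 bits/char, while base64/hex blobs sit well above 4.
MIN_LEN = 32
MIN_ENTROPY = 4.0


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for a uniform string)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fields(uri):
    """List (field, value, entropy) for each URI component that looks like an encoded blob."""
    parts = urlsplit(uri)
    candidates = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(("query key", key))    # data can hide in the key too
        candidates.append(("query value", value))
    candidates += [("path segment", seg) for seg in parts.path.split("/") if seg]
    hits = []
    for name, value in candidates:
        if len(value) >= MIN_LEN:
            h = shannon_entropy(value)
            if h >= MIN_ENTROPY:
                hits.append((name, value, round(h, 2)))
    return hits


def scan(log_text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value, h in suspicious_fields(rec["uri"]):
            findings.append({
                "line": lineno, "ua": rec["ua"], "uri": rec["uri"],
                "reason": "high-entropy %s (%.2f bits/char, %d chars)" % (name, h, len(value)),
            })
        if rec["method"] == "POST":
            # The body never reaches the access log; only a proxy log or a
            # packet capture can show what was sent.
            findings.append({
                "line": lineno, "ua": rec["ua"], "uri": rec["uri"],
                "reason": "POST body is not recorded in an access log; inspect with a proxy or packet capture",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d  %-16s %s\n    %s" % (f["line"], f["ua"], f["uri"], f["reason"]))
```

Run against the constructed log it reports line 4 (the `d=` value is 78 characters at about 4.7 bits/char) and line 5 (the POST); the normal page and image fetches and the short `id=3&v=1.2` query pass silently. The entropy test is a heuristic, so expect false positives on legitimate opaque tokens such as session IDs, and remember that a client that chunks its payload into many short parameters, or that uses POST, will not be caught by the URI check at all, which is the point Todd makes about why log-glancing is not a reliable control.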

