OT (very OT). ZIP and other encryption.
Mon, 25 Feb 2008 14:20:57 -070
I have two clients with the identical need -- to send large (100 meg +)
confidential files to their customers, some of whom are in "developing"
nations. Both the clients have ample space in their websites to
accommodate files of this size, and hopefully, even though in developing
nations, high speed is available at the customer end.
Now that is about all that is known about the recipients.
It is easy to put the file up, but not linked to on the websites, and
then forward the link (and decrypting password) to the recipient. Of
course this does not protect it from anyone using FTP to snoop around
the website. As I do not control those websites I cannot vouch for them
being FTP anonymous resistant.
And I and my client have no idea what software the recipient is using.
In some cases it may not even be a PC--who knows?
What sort of password protection/encryption can be used that the
recipient has a 99% chance of being available? Some of the recipients,
if on PCs, could well be using Win95, 98, 2000. My clients do not wish
to spend hours on the phone explaining to someone in South America or
Asia that they need program "xxxxxxxx". (One of my client's customers
several years ago ran up a $35 bill on *my* 800 number years ago calling
and calling and calling from the "developing" nation of Florida just
asking how to read the PDF file my client had had me send her. It really
hurt to get a $35 telephone bill on a job I only got $10 for!)
Any suggestions? 7-zip self extracting file answers part of the problem
*IF* the recipient will accept ".EXE" files--something that I
recommend against for my own clients, even from the oxymoron of
"trusted sources."

Re: OT (very OT). ZIP and other encryption.
Mon, 25 Feb 2008 18:41:15 -050
Paul McGee wrote:
>
> I have two clients with the identical need -- to send large (100 meg +)
> confidential files to their customers, some of whom are in "developing"
> nations. Both the clients have ample space in their websites
<snip>
> It is easy to put the file up, but not linked to on the websites, and
> then forward the link (and decrypting password) to the recipient. Of
> course this does not protect it from anyone using FTP to snoop around
> the website. As I do not control those websites I cannot vouch for them
> being FTP anonymous resistant.
If you want to go the web route, I'd recommend at minimum a
password-protected web folder. Easy to set up on most web hosting
control panels, and provides reasonable protection against unintended
parties gaining access to the file--assuming you don't send the user
name and password in cleartext via email, that is. Better would be https
(SSL protection) to encrypt the data stream on top of protecting the
folder against unauthorized access. That protects against eavesdropping
(man in the middle).
Encrypting the file is another matter, especially given the export
restrictions we have here on encryption above ROT13... ;-) I'd be
surprised if ZIP-file encryption is very sophisticated.
I myself would consider setting up an SSH account on a local machine
with carefully restricted access, and use a program like Filezilla or
WinSCP to connect. I just stumbled on what looks like a nice tutorial on
the subject of setting up exactly what your client wants:
http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows
I like to put SSH access on an alternate port, ever since finding myself
being hammered by attacks on the default port, 22. I use secure
passwords, but I figure I may as well make it harder for them to find
me! Of course, after setting it up you have to allow access on that port
through your firewall(s)--router- and software-based. I've developed
batch files that handle much of the configuration according to my specs,
since I often use VNC over SSH for client remote support.
--
Abe Hendin
AtYourSpeed Consulting
http://yourspeed.com
Ventura scripts: http://yourspeed.com/vscripts.html
Ventura automation help: http://yourspeed.com/vscripthelp.html

Re: OT (very OT). ZIP and other encryption.
Mon, 25 Feb 2008 19:07:03 -050
I forgot to add that you really need to start with the client and find
out what they've got before you can think effectively about how to do
this. It's rather unlikely that you'll be able to support Win95 through
XP with the same solution, yet maintain a good level of security over
sensitive data. Unless of course you ship them a CD...
Might consider GotoMyPC as a simpler option than the SSH route, but
whatever you do the only way to save at least some time on the phone is
to write clear and comprehensive instructions for whichever solution you
choose, and make it as bulletproof as possible. Good luck!
--
Abe Hendin
AtYourSpeed Consulting
http://yourspeed.com
Ventura scripts: http://yourspeed.com/vscripts.html
Ventura automation help: http://yourspeed.com/vscripthelp.html

Re: OT (very OT). ZIP and other encryption.
Tue, 26 Feb 2008 00:28:02 -050
DEAK JAHN, Gabor wrote:
> there
> is no problem about US export regulations, either, as PGP is legally
> not exported but independently existing outside the US as well.
I was hoping you would chime in here, Gabor. PGP provides excellent
encryption, but believe it or not I was uncertain that it existed outside
the US. Do you use a GUI (with you I can't be sure!)? If so, which one?
--
Abe Hendin
AtYourSpeed Consulting
http://yourspeed.com
Ventura scripts: http://yourspeed.com/vscripts.html
Ventura automation help: http://yourspeed.com/vscripthelp.html

Re: OT (very OT). ZIP and other encryption.
Tue, 26 Feb 2008 03:11:34 GMT
On Mon, 25 Feb 2008 14:20:57 -0700, Paul McGee
<pmcgee@buzzofftelus.net> wrote:
Paul,
as for the encryption, PGP. Older ZIP encryption was a joke, newer AES
might be incompatible. And PGP makes it rather irrelevant who else can
download the file, they won't be able to encrypt it, anyway. And there
is no problem about US export regulations, either, as PGP is legally
not exported but independently existing outside the US as well.
Bye,
Gabor
DEAK JAHN, Gabor
Hungarian CVP Forum
http://www.tramontana.co.hu/index_en.php
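
The distinction drawn in this thread between older ZIP encryption and the newer AES scheme can be checked on an archive before it is sent. The following is an added example, not part of the original posts: it reads only the ZIP directory and reports, per member, whether it is unencrypted, uses legacy ZipCrypto, or uses the WinZip AES (AE-x) format. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901          # WinZip AE-x extra field header ID
AES_METHOD = 99                # compression method value used by AE-x entries
AES_BITS = {1: 128, 2: 192, 3: 256}


def classify(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto', 'aes-<bits>' or 'aes-unknown' for one entry."""
    if not info.flag_bits & 0x1:           # bit 0 = entry is encrypted
        return "none"
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):           # walk (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 7:
            # version(2) vendor(2, b"AE") strength(1) real method(2)
            _ver, vendor, strength, _method = struct.unpack_from("<H2sBH", body)
            if vendor == b"AE":
                return f"aes-{AES_BITS.get(strength, 'unknown')}"
        pos += 4 + size
    if info.compress_type == AES_METHOD:
        return "aes-unknown"               # method 99 but no readable AE-x field
    return "zipcrypto"                     # legacy PKZIP stream cipher


def audit(fileobj) -> dict:
    """Map each member name to its encryption class; reads only the directory."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


def constructed_sample() -> bytes:
    """Constructed input: a plain ZIP whose directory flag is patched to 'encrypted'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample data")
    raw = bytearray(buf.getvalue())
    cdir = raw.find(b"PK\x01\x02")         # central directory file header
    raw[cdir + 8] |= 0x01                  # general-purpose flags, bit 0
    return bytes(raw)


if __name__ == "__main__":
    print(audit(io.BytesIO(constructed_sample())))
```

A member reported as `zipcrypto` is protected only by the legacy scheme; one reported as `aes-*` needs an unzip tool on the recipient's side that understands the AE-x format.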