free, secure file shareing method needed

[HiME]

I know that there is quite a few filehosting websites hanging out there, but I'm trying to find one that's reliable and secure. These files that I'm trying to share are personal files (mostly pictures, a total of 200MB in size) and I'd like to make it available for 2 of my friends to download.

I'm thinking about zipping and password protect the pictures before I dump it to one of these filehosting site. But is there any other better ways to share these files? I have no idea on the way how these filehosting sites work. Any suggestions will be appreciated, thanks!!

 

[Yomicron]

http://www.yousendit.com/

 

[Lord Evermore]

Run an FTP or basic web server on your own machine, let them connect and download them, with password protection to log in. Password protect them as a Zip/RAR using a completely random and long password so that even if somebody else got hold of them, it'd take them centuries to open it. (Test out whether using compression actually ends up making the Zip/RAR larger than the actual size of the files, which often happens if you are storing already compressed formats. Just use no compression settings if so.) Of course with this method you end up uploading the data twice in total (you could bittorrent it though so they'd also share some of the bandwidth between each other).

Otherwise, just upload to one of the file hosting sites. Most of them don't allow anyone to browse their files, so the only people who can ever even see them are the people you give the link to to download them. Some sites also let you delete the files after you've done what you need. Either way, do the password protected archive.

 

[bob4432]

Originally posted by: Lord Evermore
Run an FTP or basic web server on your own machine, let them connect and download them, with password protection to log in. Password protect them as a Zip/RAR using a completely random and long password so that even if somebody else got hold of them, it'd take them centuries to open it. (Test out whether using compression actually ends up making the Zip/RAR larger than the actual size of the files, which often happens if you are storing already compressed formats. Just use no compression settings if so.) Of course with this method you end up uploading the data twice in total (you could bittorrent it though so they'd also share some of the bandwidth between each other).

Otherwise, just upload to one of the file hosting sites. Most of them don't allow anyone to browse their files, so the only people who can ever even see them are the people you give the link to to download them. Some sites also let you delete the files after you've done what you need. Either way, do the password protected archive.

setting up your own ftp is going to be the best way. and then use winrar and make a very a very larger alpha-numeric different case password. sure it might take a bit longer, but if your data is that important i woudn't worry abou it.

 

[WildHorse]

Microsoft gives away a free utility for exactly this purpose, which makes it completely unnecessary to use ftp, or to put files on the web.

Install this on each of your computers.
Then you all will have exactly the facility you want for file-sharing among yourselves.
Forget all about putting files on web.

It's free.

Microsoft FolderShare
<a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/abo......share.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?"><a target=_blank class=ftalternatingbarlinklarge href="https://www.foldershare.com/info/aboutFoldershare.php?">https://www.foldershare.com/in............p?</a></a></a></a></a></a></a></a></a>

 

[shortylickens]

www.slyck.com

You could use DC++ and just make a private hub. Dont advertise it and utilize passwords.

 

[drag]

setting up your own ftp is going to be the best way. and then use winrar and make a very a very larger alpha-numeric different case password. sure it might take a bit longer, but if your data is that important i woudn't worry abou it.

ftp is a bad choice if you want the ability to upload stuff. It's only usefull for anonymous downloads and even then it's very tricky as ftp is much more complex then you may imagine at first glance.

usernames and passwords are transmitted over the internet in plain text making it trivially easy for anybody owning the dozens of machines between you and the ftp server to extract your username and passwords for your server.

If the server is Linux or BSD then it would be trivially easy to use OpenSSH and SFTP to do what he wants. (in this case it's ssh's ftp emulation). There are a veriaty of sftp clients and many ftp clients support it. Full encryption for everything and strong authentication methods are supported, such as private keypairs with passphrase.

The downside is that you would have to setup shell accounts for his friends to use, but if they are trustworthy then it's not a problem.

But if he has no desire to run his own server then encrypted zip or rar is easy to do and he can use email or any sort of file transfer service aviable to anybody. Just choose a encryption sceme that is good.

 

[bob4432]

Originally posted by: drag
ftp is a bad choice if you want the ability to upload stuff. It's only usefull for anonymous downloads and even then it's very tricky as ftp is much more complex then you may imagine at first glance.

have you used serv-u? or any ftp server for that matter? only useful for anonymous d/ls??? sorry, you are sadlly incorrect. ftp is only the protocol made for file transfer and setting up serv-u is extremely easy as are many others. and i suggested the password protected rar so he doesn't have to worry about sftp.

 

[waitman]

http://www.tirminal.com/ looks pretty nifty, you might want to check it out.

 

[kamper]

Originally posted by: bob4432
sorry, you are sadlly incorrect. ftp is only the protocol made for file transfer

lol. ftp is a stupid protocol.

 

[bob4432]

Originally posted by: kamper

Originally posted by: bob4432
sorry, you are sadlly incorrect. ftp is only the protocol made for file transfer

lol. ftp is a stupid protocol.

do you come in here just to make ridiculous comments? ftp is the best way to transfer files especially of any size, period and when propoerly configured, securely.

 

[eelw]

Hamachi and private BT tracker FTW

 

[kamper]

Originally posted by: bob4432

Originally posted by: kamper

Originally posted by: bob4432
sorry, you are sadlly incorrect. ftp is only the protocol made for file transfer

lol. ftp is a stupid protocol.

do you come in here just to make ridiculous comments? ftp is the best way to transfer files especially of any size, period and when propoerly configured, securely.

Ftp is fundamentally insecure because of a lack of encryption. That's no biggie for anonymous downloads but it is for uploads. The use of multiple ports is also completely braindead and makes firewalling and natting far too complex. As drag suggested, sftp is much nicer except that microsoft is the only operating system vendor that doesn't think users deserve something better than ftp

For one-way, anonymous downloading, I greatly prefer http because it's much easier to work with. I actually do have an ftp server set up, for windows using friends who want to send me files, but it chroots into its own partition, has firewall rules that only allow data connections to ports bound to the ftp upload user and scripts to block it entirely with the firewall so that its only open when I know people need to send me stuff. Really the extra data ports are the biggest hassle.

 

[bob4432]

Originally posted by: kamper

Originally posted by: bob4432

Originally posted by: kamper

Originally posted by: bob4432
sorry, you are sadlly incorrect. ftp is only the protocol made for file transfer

lol. ftp is a stupid protocol.

do you come in here just to make ridiculous comments? ftp is the best way to transfer files especially of any size, period and when propoerly configured, securely.

Ftp is fundamentally insecure because of a lack of encryption. That's no biggie for anonymous downloads but it is for uploads. The use of multiple ports is also completely braindead and makes firewalling and natting far too complex. As drag suggested, sftp is much nicer except that microsoft is the only operating system vendor that doesn't think users deserve something better than ftp

For one-way, anonymous downloading, I greatly prefer http because it's much easier to work with. I actually do have an ftp server set up, for windows using friends who want to send me files, but it chroots into its own partition, has firewall rules that only allow data connections to ports bound to the ftp upload user and scripts to block it entirely with the firewall so that its only open when I know people need to send me stuff. Really the extra data ports are the biggest hassle.

what extra data ports? i have 21 and then 10 others open for pasv connections. using serv-u i just set it so that if somebody hammers away at it even in the slightest they get banned for a long time, so if my machine is on a month, i might get 10people try to hammer the site and they always break the rule and get ip banned. i don't rely on sftp due to the extra config but use the encryption of winrar to encrypt the actual data if needed. for large files i can't think of a better setup. if using http and you lose connection for some reason there is usually not any type of resume like ftp offers.

if somebody wants to send me something i just have them use winrar and have a pssword too.

plus with serv-u and filezilla you can use sftp.

are you talking about the ftp program that comes with a flavor of windows server? if that is the case than i agree, there version is a pain in the arse, but the aftermarket stuff is not too bad....

 

[HiME]

Sorry for the late reply.

OK, here's the case. I was used to run FTP servers but my ISP banned it last year. Is there any way I can get around it? Otherwise FTP wouldn't be an option for me.

On the other hand, I'm not sure whether HTTP will work for me since my ISP blocked FTP. Since HTTP uses port 80 they can't block it can they? If they can't block it, then which software do you recommend for HTTP?

 

[Lord Evermore]

An ISP can block any INCOMING ports they want. They could also block outgoing ports if they were known security risks, like a worm that always used 12345 or something like that, but then they get into legally grey territory, since they're then effectively providing you with less than complete Internet access. Blocking incoming ports only stops someone from making a connection to your machine on that port, it doesn't affect you making outbound connections on it. If they blocked port 80, there'd be no Web traffic whatsoever.

Most FTP server software can be made to listen on any port, so you can just pick any port over 1023 up to 65535 (though technically you're only supposed to use 49152 to 65535; 1023 and below are standard and well known ports, and which an ISP might be blocking; 1024 to 49151 are registered ports, which are used for specific applications from specific people/companies, instead of generic stuff like Web or FTP).

http://www.iana.org/assignments/port-numbers

When your friends connect, they just have to set their client to connect on that port instead of the standard 21. The same can be done with a web site, or most other applications, it's just a configuration in the server software.

Running the server could technically violate your ISPs terms of service, as many ban running any server of any kind (which could include just hosting a video game). However in order to find out you're running it, they'd have to portscan you. If you're only running it at specific times, the odds that they'll see it within that time are very low, since they aren't continuously scanning. Most ISPs don't care much about piddly things like a game server, but they'd probably warn you or cancel your service if they noticed you had a 24x7 FTP server constantly using your entire upload bandwidth.

 

[kamper]

Originally posted by: bob4432
what extra data ports? i have 21 and then 10 others open for pasv connections.

Uh yeah, those 10 ports. How many protocols do you know that use more than one port? As far as I know (I should look this up), there's no authentication on the data ports which makes them very open to timing attacks. A decent ftp server could mitigate that to a certain degree by watching for failed attempts but it's just not a hole that needs to be there. Plus firewalling non-wellknown ports is a pain on both the inbound and outbound sides and you can't really tunnel it over ssh to make up for the lack of security.

using serv-u i just set it so that if somebody hammers away at it even in the slightest they get banned for a long time, so if my machine is on a month, i might get 10people try to hammer the site and they always break the rule and get ip banned. i don't rely on sftp due to the extra config but use the encryption of winrar to encrypt the actual data if needed.

It's not so much about encrypting the data (although that's good of course). It's the idea that you're vulnerable to unauthorized people (think password sniffing) uploading unknown content onto your machine.

for large files i can't think of a better setup. if using http and you lose connection for some reason there is usually not any type of resume like ftp offers.

You've got a point there, although I've never run into a problem with http. Does sftp support resumes? Theoretically, it'd be easy to add resuming to http although of course that'd be non standard.

if somebody wants to send me something i just have them use winrar and have a pssword too.

plus with serv-u and filezilla you can use sftp.

sftp as in port 22, single port, part of the ssh suite? That's definitely a good thing except, of course, that windows doesn't have a built in client. Really, it ought to be a protocol that explorer supports.

are you talking about the ftp program that comes with a flavor of windows server? if that is the case than i agree, there version is a pain in the arse, but the aftermarket stuff is not too bad....

Sure, properly implementing a good ftp server should be trivial, it's just the outdated protocol that makes it so bad.

 

[Lord Evermore]

Originally posted by: kamper
Ftp is fundamentally insecure because of a lack of encryption. That's no biggie for anonymous downloads but it is for uploads. The use of multiple ports is also completely braindead and makes firewalling and natting far too complex. As drag suggested, sftp is much nicer except that microsoft is the only operating system vendor that doesn't think users deserve something better than ftp

For one-way, anonymous downloading, I greatly prefer http because it's much easier to work with. I actually do have an ftp server set up, for windows using friends who want to send me files, but it chroots into its own partition, has firewall rules that only allow data connections to ports bound to the ftp upload user and scripts to block it entirely with the firewall so that its only open when I know people need to send me stuff. Really the extra data ports are the biggest hassle.

You're aware that pretty much every web browser supports FTP right in the browser window, giving you a simple directory listing for all the files and folders? And this person is the one hosting the server, his friends are going to be downloading, so by your reasoning FTP is perfectly acceptable because they could just do anonymous downloading.

For the vast majority of people, having to set up full FTP/SFTP/SSH access and server software is beyond their capabilities. If somebody really wants sftp on a Windows box, they can get the software themselves. MS already charges enough for Windows, don't give them an excuse to up the price by adding in (another) something hardly anybody needs. Simple free FTP server software is nearly plug and play, all you have to do is point it to the folder to use and create an account for people, or allow anonymous login. Who cares if somebody could, in the vastness of the Internet, intercept the login name and password which you're only using for this one application for a short period, and can easily change, and which they probably couldn't do any damage with?

Do you send your email encrypted?

 

[Lord Evermore]

Originally posted by: bob4432
if using http and you lose connection for some reason there is usually not any type of resume like ftp offers.

I've found that pretty much all servers that allow you to download large files also support resume for HTTP transfers (although a free one you use just to host files like this may not). If you're downloading with a browser it may not always support it properly, IE6 seems to only once in a great while manage to resume a file. But download managers are much better at it. A great many websites don't even have FTP options anymore.

 

[kamper]

Originally posted by: Lord Evermore
You're aware that pretty much every web browser supports FTP right in the browser window, giving you a simple directory listing for all the files and folders? And this person is the one hosting the server, his friends are going to be downloading, so by your reasoning FTP is perfectly acceptable because they could just do anonymous downloading.

Sure, ftp is fine for anonymous downloading from a security perspective (just the extra ports are a bit of a hassle). I was reacting to the completely incorrect statement that "ftp is only the protocol made for file transfer" and I was assuming we were talking about traffic in both directions by that point.

For the vast majority of people, having to set up full FTP/SFTP/SSH access and server software is beyond their capabilities. If somebody really wants sftp on a Windows box, they can get the software themselves. MS already charges enough for Windows, don't give them an excuse to up the price by adding in (another) something hardly anybody needs.

All I'd really care about is client support and that couldn't possibly take that much time given that there are free implementations out there to be had. Server support would be nice with the server and pro versions, after all, IIS includes ftp and smtp.

Simple free FTP server software is nearly plug and play, all you have to do is point it to the folder to use and create an account for people, or allow anonymous login.

And why couldn't there be simple free sftp software? It'd be even more simple than ftp because you wouldn't have to fuss with extra ports and passive vs. non-passive connections. I guess there's the extra hassle of seeing messages about unknown certs but at the very least, you're no less secure than with ftp then.

Actually my sftp server is even easier than most ftp servers. I just answer 'y' during the os install when it asks me if I want ssh enabled It doesn't need to be complicated.

Who cares if somebody could, in the vastness of the Internet, intercept the login name and password which you're only using for this one application for a short period, and can easily change, and which they probably couldn't do any damage with?

You're right of course, within the scope of what the op was asking. Again, I was just referring to the protocol issue in general, as previously mentioned. Sftp ought to be as simple as ftp and at that point I don't think there's any conceivable reason to continue to use ftp.

Do you send your email encrypted?

No, and of course that's not ideal but it's a slightly harder problem to fix when you don't control all the servers in between. That's not a valid excuse to keep on using ftp though.

 

[bob4432]

Originally posted by: kamper

Originally posted by: Lord Evermore
You're aware that pretty much every web browser supports FTP right in the browser window, giving you a simple directory listing for all the files and folders? And this person is the one hosting the server, his friends are going to be downloading, so by your reasoning FTP is perfectly acceptable because they could just do anonymous downloading.

Sure, ftp is fine for anonymous downloading from a security perspective (just the extra ports are a bit of a hassle). I was reacting to the completely incorrect statement that "ftp is only the protocol made for file transfer" and I was assuming we were talking about traffic in both directions by that point.

For the vast majority of people, having to set up full FTP/SFTP/SSH access and server software is beyond their capabilities. If somebody really wants sftp on a Windows box, they can get the software themselves. MS already charges enough for Windows, don't give them an excuse to up the price by adding in (another) something hardly anybody needs.

All I'd really care about is client support and that couldn't possibly take that much time given that there are free implementations out there to be had. Server support would be nice with the server and pro versions, after all, IIS includes ftp and smtp.

Simple free FTP server software is nearly plug and play, all you have to do is point it to the folder to use and create an account for people, or allow anonymous login.

And why couldn't there be simple free sftp software? It'd be even more simple than ftp because you wouldn't have to fuss with extra ports and passive vs. non-passive connections. I guess there's the extra hassle of seeing messages about unknown certs but at the very least, you're no less secure than with ftp then.

Actually my sftp server is even easier than most ftp servers. I just answer 'y' during the os install when it asks me if I want ssh enabled It doesn't need to be complicated.

Who cares if somebody could, in the vastness of the Internet, intercept the login name and password which you're only using for this one application for a short period, and can easily change, and which they probably couldn't do any damage with?

You're right of course, within the scope of what the op was asking. Again, I was just referring to the protocol issue in general, as previously mentioned. Sftp ought to be as simple as ftp and at that point I don't think there's any conceivable reason to continue to use ftp.

Do you send your email encrypted?

No, and of course that's not ideal but it's a slightly harder problem to fix when you don't control all the servers in between. That's not a valid excuse to keep on using ftp though.

all these extra ports....don't use them and have your buddies use port mode, there only 1 port to set up

free sftp - filezilla, done

maybe you are moving data that i would not be moving but you seem a bit paranoid. the chances of someibody doing all that you say they are going to do to my unencrypted data is about 0. on the ohter hand, if i was moving extremely sensitive or illegal data i might be more concerned.

but i will still be using a regular ftp connection on my rig for many years to come, like i have for many years and not stress abou stuff that isn't going to happen.

and kamper i said "ftp is only the protocol made for file transfer" not "ftp is only the protocol made for file transfer"....slight difference

you keep talking about ftp being so outdated and inferior, but yet is still so extremely popular. how else do you thing people get their data to their websites? more than liikely ftp, and there are quite a few websites....

HiME - just reinstall your ftp software and connect via port 49155 and have your buddies make the change too if your isp blocked 21.

 

[kamper]

Originally posted by: bob4432
all these extra ports....don't use them and have your buddies use port mode, there only 1 port to set up

Doesn't work if they're behind a firewall, and who isn't these days?

and kamper i said "ftp is only the protocol made for file transfer" not "ftp is only the protocol made for file transfer"....slight difference

Ouch, major misinterpretation on my part, sorry I thought it sounded a little crazy

you keep talking about ftp being so outdated and inferior, but yet is still so extremely popular. how else do you thing people get their data to their websites? more than liikely ftp, and there are quite a few websites....

Oh well, just because everyone else is doing it... Personally, I upload to a website on my university's system and if anybody picked up that password, I'd be in a hell of a lot more trouble than just having my website wrecked. Fortunately the server runs ssh and sftp is no harder to use. For my own webserver, ssh/sftp is easier to set up so no ftp for me

Anyways, sorry for having pulled the thread so far off topic

 

[nweaver]

lol....


FTP versus SFTP, there is no comparison, unless you have bound yourselves to windows. SFTP is already set up out of box on almost all linux distros.


Run a sniffer, and see how easy it is to grab ftp passwords. It's insanely easy. Windows is behind the curve on remote management, because SSH >>>>>>RDP (It's probably the most important tool to me in my admin jobs)

 

[bob4432]

Originally posted by: kamper

Originally posted by: bob4432
all these extra ports....don't use them and have your buddies use port mode, there only 1 port to set up

Doesn't work if they're behind a firewall, and who isn't these days?

yes it does....you can just set up port 21 to be forwarded in the router and it work fine in port mode....

 

[kamper]

Originally posted by: bob4432

Originally posted by: kamper

Originally posted by: bob4432
all these extra ports....don't use them and have your buddies use port mode, there only 1 port to set up

Doesn't work if they're behind a firewall, and who isn't these days?

yes it does....you can just set up port 21 to be forwarded in the router and it work fine in port mode....

Maybe I'm not following what you mean by 'port mode'. As I understand it, either they've got to make an additional connection to your server (your 10 additional ports) or your server has to make an additional connection to their client machine. I always get confused as to which one 'passive mode' on or off means but I haven't heard the term 'port mode' before. Are you suggesting that clients open up a port on their firewall?