  1. #1

    maniac

    Sending data off site.

    Would people consider a passworded ZIP file, with the password being given verbally to the recipient over the phone, adequate security for sending data offsite by e-mail?

  2. #2

    X-13
    Seems adequate to me. But it ultimately depends on what is in the ZIP file.

    I would have a word with whoever is in charge though and see what they say.

  3. #3

    FN-GM
    I wouldn't, you can get past password zipped files with software from the net.
    I would create an encrypted truecrypt container (file), that would be a lot more secure.

  4. #4
    Sam_Brown
    Like FN-GM says, zipped files aren't the most difficult things to break into.

    The most secure way is, as FN-GM says, full encryption using something like truecrypt or axcrypt which is what we use here (personally find axcrypt easier myself). If you don't want to use those then even using WINRAR instead of a ZIP file is a more secure way, but would definitely recommend truecrypt or axcrypt.

  5. #5

    maniac
    Originally posted by X-13:
    "Seems adequate to me. But it ultimately depends on what is in the ZIP file.

    I would have a word with whoever is in charge though and see what they say."

    I'm in charge, it's my call. This data has been requested in this format by an external company we use for a service. It will contain names, addresses, DOB and other data on new year 7 students, and I'm not really 100% happy with this security, but I've been informed by them that 'no one else has raised this as an issue' so I thought I'd see what the general opinion was on here.

    Mike.

  6. #6

    X-13
    Originally posted by maniac:
    "I'm in charge, it's my call. This data has been requested in this format by an external company we use for a service. It will contain names, addresses, DOB and other data on new year 7 students, and I'm not really 100% happy with this security, but I've been informed by them that 'no one else has raised this as an issue' so I thought I'd see what the general opinion was on here.

    Mike."

    Ah, personal information. Disregard my previous statement.


    +1 for TrueCrypt

  7. #7

    Domino
    Truecrypt, or use openPGP and encrypt the whole email.

  8. #8

    sonofsanta
    Originally posted by maniac:
    "I'm in charge, it's my call. This data has been requested in this format by an external company we use for a service. It will contain names, addresses, DOB and other data on new year 7 students, and I'm not really 100% happy with this security, but I've been informed by them that 'no one else has raised this as an issue' so I thought I'd see what the general opinion was on here.

    Mike."

    No-one raised an issue about Sony's security issues, and their complete failure to understand the role of randomised seeds in the generation of signed certificates to prevent pirated software, right up until the point when it went wrong. Just because no-one's had a problem before, doesn't mean there isn't a problem there.

    For personal data of students - particularly those of a young age - I'd use TrueCrypt as the only way to secure it. If they're a company handling personal data and they're not familiar with TrueCrypt, they need to think long and hard about the market they're in and whether they're really up to the job.

  9. #9

    @maniac, it's YOUR data, so you're in the driving seat. If they were halfway decent they should be asking you what *your* standards are, and how they can accommodate *you*. Shoddy. Just because none of their other customers have raised this as an issue (they say!) doesn't mean that it isn't one, just means that you're ahead of the game.

    If you're feeling uncomfortable about it now, imagine how you'd feel if it all goes pear shaped and you find yourself having to answer questions about what happened in the aftermath. At this moment in time all you're having to do is explain to your boss why a supplier is ****, if the worst happens you're potentially explaining why you went against your better judgement . . . . .

  10. #10


    I take it there's a reason for an outside company having this information? I'd use Safehouse but that's just a personal thing. It needs to be encrypted along with some sort of disclaimer saying the data should not be removed or transmitted from their site in an unencrypted format.

  11. #11

    maniac
    There's every chance quite a few of you reading this will deal with the same company, and have had the data requested from you in the same format.

    Mike.

  12. #12
    Sam_Brown
    vivo miles?

  13. #13
    Pete10141748
    TrueCrypt all the way, no data should leave site in something as relatively weak as a passworded ZIP folder, let alone sensitive personal information about pupils!

  14. #14
    Galway
    I would snail mail an encrypted CD/DVD, signed on receipt.

    Easy to trace, easy to audit.

  15. #15


    Are we talking a decent Zip program with AES-256 encryption and a strong password?

    With regard to the "no-one else has raised this as an issue" problem, guess how many local government-related organisations / companies / quangos in Lincolnshire think it's acceptable to require a) default simple password for use with every encrypted file sent to them b) use the first line of their postal address as that password? c) Send pupil data in the clear?

    More than you'd think, even in this cynical forum.

    Guess how many schools have said GTFO sonny-jim, you get it securely or not at all?

    Apparently, we were the first.

    And the reason? "Different passwords are too tricky to handle".

    Nobody with the clout to enforce it seems willing to:

    a) teach them how to do it properly
    b) make them do it properly and prosecute when they don't.
    c) give them access to (say) securedatatransfer.teachernet.gov.uk* so it's easier to do it properly than not.

    *I am aware S2S has been unavailable for much of this week. My point is that existing methods that are sufficiently secure are readily available - there's no need for each little quango/org to dream up their own half-baked system.
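
Added example, not part of any post in this thread: the thread turns on whether a "passworded ZIP" means legacy ZIP password protection or AES-256, and this sketch reads an archive's directory to tell which one each entry uses before it is sent. The function names (`classify`, `audit`, `audit_file`, `sample_entry`) and the sample entries are constructed for illustration.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901   # WinZip AES extra-field header ID
AES_METHOD = 99         # compression-method value that marks an AES entry
AES_BITS = {1: 128, 2: 192, 3: 256}

def classify(info):
    """Return 'none', 'zipcrypto', 'aes-128/192/256' or 'aes-unknown'."""
    if not info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
        return "none"
    if info.compress_type != AES_METHOD:
        return "zipcrypto"                  # legacy ZIP password protection
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):            # walk (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(data) >= 7 and data[4] in AES_BITS:
            return "aes-%d" % AES_BITS[data[4]]   # byte 4 = key strength
        pos += 4 + size
    return "aes-unknown"

def audit(entries):
    """Return ({name: scheme}, ok); ok only if every file entry is AES-256."""
    report = {e.filename: classify(e) for e in entries if not e.is_dir()}
    return report, bool(report) and all(s == "aes-256" for s in report.values())

def audit_file(path_or_file):
    # Only the archive directory is read, so no password is needed.
    with zipfile.ZipFile(path_or_file) as zf:
        return audit(zf.infolist())

def sample_entry(name, flags, method, extra=b""):
    # Constructed directory entry standing in for a member of a real archive.
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type, info.extra = flags, method, extra
    return info

# Constructed AES extra field: id, size 7, version 2, vendor "AE", strength 3, deflate.
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLES = [
    sample_entry("year7_intake.csv", 0x1, AES_METHOD, AES256_EXTRA),
    sample_entry("year7_legacy.csv", 0x1, zipfile.ZIP_DEFLATED),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Both schemes leave entry names readable without the password, which is why the audit works on a locked archive and why file names themselves should not carry personal data.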


