encryption issue

Hello,

I have the demo version of TI 11 Home, and have performed a backup (disk to disk, same machine, and SMB file share, across LAN). The backup works fine, however, it does not seem to honor my request to encrypt the backup.

I have seen this behavior at a friend's office; they are currently using Echo workstation on 2 workstations, to back up to a file server. I saw an option I didn't have, dealing with AES levels, when he showed me his system.

I can see into his file (on a USB key he provided) and he took one of my sample backups as well, and could browse it. I am using a sixteen character test password while evaluating this, but I'm not sure why it won't encrypt. I can't test the Echo version, but I can work with any hints for the TI 11 Home variant.

Any ideas? Thanks!

 

AFAIK, the Home version only lets you put password protection on the archive; it does not encrypt the contents of the archive.

 

Ahh thanks. What scares me is there is no password needed to read the contents of either backup file; i.e. using either version, we can see the contents of c:\boot.ini for instance.

If the home product does not actually encrypt the backup file it creates, how the heck is it realistically secured?

 

If you are saying you can get into an archive file that is password protected without the password then something is seriously wrong. Granted, password protection isn't the greatest thing in the security world but it should make it more difficult to read than just opening the archive normally.

Perhaps some TI users who actually use passwords can shed some light on this.

 

You bet, that's exactly what I'm saying.

I've been told by another fellow that he saw the same thing, but that his home version 10 does not exhibit the same flaw, going to try to do some testing if he will do a short sample backup file for me. Tnx!

 

It sounds like the same issue I discovered here:

https://www.wilderssecurity.com/showthread.php?p=1104596#post1104596

I stopped replying to the thread because it was easier for me to change to a different Acronis product rather than prove my point; and I realised the Home version is bloated crap.

 

Dare I ask what you switched to? I do have a need to secure my backup data.

I am still in the Try period on the Home product, so haven't committed any funds yet; I'd rather purchase an appropriate TI solution.

 

By all means; the next line up, TI Workstation. Funny way for a company to acheive an up-sell, but hey!

 

The password is just a lock that ATI HOME respects--other software, like file viewers, can poke around--they don't need to show no stinkin' badges.;-)

ATI Home doesn't encrypt any data--contrary to what the Acroinis web pages used to say. All locks are imited in how well they protect, even the one on your home's front door. The program-specific password is one of the weakest; where it falls short is where encryption becomes valuable.

sh

 

While that's true, shieber, this bug still makes the idea flawed because it means even casual snoopers gain entry. It's the same as locking the door but the lock company turn up and leave a key for anyone to use (strange lock company, admittedly!).

Also, if you used Acronis's compression then even a third party file viewer wouldn't be able to view these files without knowing the compression used.

 

I think you missunderstood me. It's not a bug, it's jsut the level of security that's built into ATI Hoem. It's not flawed, it's just a really crappy lock. It's not like Acronis promised something better. Well, okay, they did, they promised encryption but that claim was false and they probably removed if from the web pages by now. In any event what ATI's password prtoection does is protect against ATI users from opening tibs that aren't theirs.

That's something; it's not much but it's something. It won't; stop anyone determined enough to try to reverse code the compression ATI uses. Additionally, you could hold your tibs in a Secure Zone, but similarly, that would stop only the casual user.

If you want protection you can sink your teeth into, then you want a highly secure level of encryption (large bit number, alpha numeric alphabet, SES standards or better, etc) and ATI11 home doesn't have any of that. Zip zero nada encyption. But even if it did, encryption isn't the last word in security. If you want even better protection than mere encryption, you physcally move the data to another location where it can be physically locked away with a "pick-proof" lock that uses dead bolts and tamper-triggers, etc.

Of course, how secure that "other place" is, depends on construction materials and methods.

There's virtually no limit to how poorly or how well you can secure your data. A program specific password is like have a 2-pin keylock (like the lock on most office desks) and no paper clips around handy to an intruder lest they pick the lock in about five seconds. With software, the best you can do is encryption, but you can't do that with ATI Home. Hide the paper clips.

 

No I'm talking about this bug this thread started off with which is obviously flawed (because it's a bug, duh) - not the idea of password-only protection, which is limited but not 'flawed'!

Although, since AT11 Home was targeted at the casual non-PC expert user, I think they'd have reasonable grounds to expect password-protection to mean something better than just 'only stops ATI looking at the file, not other programs'; for example, Microsoft Word has password protection, but this also encrypts the file somewhat, simply because MS appreciated that if it doesn't do this the password protection is pointless.

Anyway, this keeps taking us off topic. The password protection in the version the original poster mentions, and in the one I pointed to in my own thread, don't work at all.

Lol

 

No version of ATI Home encrypts. From the 1st message it soulnded like that was the issue, that using a password wasn't encrypting in ATI Home. It's true, ATI Home doesn't encrypt, password or not.

 

You just aren't getting this are you?

THE PROBLEM IS IT LETS YOU EXPLORE .TIBS WITHOUT HAVING TO ENTER THE PASSWORD.

 

This problem (or a similar one) has been posted in this thread: Acronis True Image Home 11.8101 archive passwords ignored

Acronis responded:

In some cases, it seems that TI completely ingores the password. I wonder if you backed up a partition that didn't change between backups (from the TI CD, for example), one with a password and one without, if they would be identical (assuming, of course, that two repeat backups using the same options would be identical).

 

Yep, it completely ignored the password. I ran a new "full" backup each time (of a small partition, and also in file mode of a subset of those files), being careful there were no .tib files in the target directory.

There is a Secunia security alert I found that mentions security failures under the remote FTP option. http://secunia.com/advisories/30856/ While I realize that's a different product . . .

I was not sure if this involved all remote targetted backups via the current generation Acronis engine, so I tried both of the above backups first - to both a local drive, and second - to a remote (SMB windows share) drive. None of the four backup sets required a password to browse.

Oh well, it sounds like I'll need to "upgrade" to the Echo workstation product to get actual encryption anyway.

I came to Acronis, fleeing in terror from the crapware that Norton Ghost has become. I'm hoping for better things from Acronis, as DriveImage XML is not quite feature rich enough yet. Thanks for looking . . .