PCFormat Forum Archive

MEGA.co.nz wrote:We are a dedicated group of technologists who were given the time, opportunity and Internet access to build an awesome cloud storage service that will help protect your privacy. We have programmed this Internet service from scratch in Auckland, New Zealand. Unlike most of our competitors, we use a state of the art browser based encryption technology where you, not us, control the keys. Our design group includes Kim Dotcom, Mathias Ortmann, Bram van der Kolk, and Finn Batato. Our CEO, industry veteran Tony Lentino, has experience running a renowned global domain registry. We hope you like it.

ars wrote:The upload and download speeds appear to be comparable to rival sites—the main advantage being that Mega keeps end-to-end encrypted data under a 2048-bit RSA key (and theoretically away from the prying eyes of government authorities).

Once you create an account, the first thing the site does is generate that crypto key for you. As a Firefox user, Mega also warned me to switch to Google Chrome, as not doing so would “adversely affect [my] file transfer performance." A browser switch later, and I was faced with a blank “file manager,” which was practically begging me to upload files.

GreyWolf wrote:Careful rusty.. you are treading the fine line that borders "promotion of piracy". The admins are gonna get ya!

Ron2K wrote:

GreyWolf wrote:Careful rusty.. you are treading the fine line that borders "promotion of piracy". The admins are gonna get ya!

Erm... how?

KALSTER wrote:That Dotcom dude sure is a shady character!

hamin_aus wrote:Justin Bieber

hamin_aus wrote:Bieber se grooste treffers the soundtrack to the shower scene?

rustypup wrote:

hamin_aus wrote:Bieber se grooste treffers the soundtrack to the shower scene?

"umashimi wami" in the same musical styling as marilyn's "happy birthday mr president"?

rustypup wrote:

KALSTER wrote:That Dotcom dude sure is a shady character!

in what way could we characterise him as "shady"?

overly optimistic activist,maybe... but "shady"?

Megabad: A quick look at the state of Mega’s encryption
Puzzling design choices and potential holes make the service a mixed bag.

The news this past weekend was all Mega, Mega, Mega. We've covered the launch of the new "cyber locker" service (and I swear that's the last time I'll ever use the prefix "cyber") and we've talked with Kim Dotcom himself, but the shiniest feature—the encryption methodology—has remained unexplained.

Mega has an entire page dedicated to explaining to developers how its API works, and the page contains some high-level details of what encryption methods the service uses and where they're used. There are actually several different things going on, and it's not as simple (or as secure) as it appears at first blush.

Block object storage

...

KALSTER wrote:I read his Wiki page.

rustypup wrote:much like those chumps spouting on about "the [magical] cloud" these days... it's like they're begging to be fleeced...

Cracking tool milks weakness to reveal some Mega passwords
Dotcom's Mega aids crackers by sending password hashes in plain-text e-mail. Really!

Yet another security researcher is poking holes in the security of Mega, this time by pointing out that the confirmation messages e-mailed to new users can in many cases be cracked to reveal their password and take over their Mega accounts.

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

...

Wait for it... select files from Mega now indexed on third-party site
It was only a matter of time before users found Mega-search.me, and started sharing files.

by Megan Geuss - Jan 31 2013, 7:50am -200

Looking to share some files with the general public? Whether those files are of the legal or illegal kind, a website has cropped up to index files on Kim Dotcom's brand new cloud-storage site. Mega.co.nz, meet Mega-search.me.

When Kim Dotcom's “Mega” site launched January 20, 2013—one year to-the-day after the FBI shut down his Megaupload file locker on accusations of copyright infringement and wire fraud—the ostentatious file-sharing guru promised 50GB of free, encrypted storage to users. In a pre-launch interview Dotcom told Ars, “This startup is probably the most scrutinized by lawyers in the history of tech startups.” Hopefully that scrutiny will hold up, because Mega-search is revealing a few things copyrights holders may not be too happy with.

...