Kim Dotcom's 'Mega' Storage Site Arrives

An anonymous reader writes "After months of hype riding the coattails of the MegaUpload controversy, Kim Dotcom's new cloud storage site, Mega, is finally going live. After being available to early adopters briefly, it's now open to the public with 50GB of free storage and end-to-end encryption. Several outlets have posted early hands-on reports for the service, including Ars Technica and The Next Web. In an interview, Dotcom spoke about how Mega's encryption scheme benefits both the users and the company: 'The Mega business plan will be a distributed model, with hundreds of companies large and small, around the world, hosting files. A hosting company can be huge or it can own just two or three servers Dotcom says—just as long as it's located outside the U.S. "Each file will be kept with at least two different hosters, [in] at least two different locations," said Dotcom. "That's a great added benefit for us because you can work with the smallest, most unreliable [hosting] companies. It doesn't matter because they can't do anything with that data." More than 1000 hosts answered a request for expressions of interest on the Mega home page. Dotcom says several hundred will be active partners within months.' On top of that, the way it's designed will protect Mega from legal problems: 'It's all about the plausible deniability. Mega doesn't know what you're uploading. ... Mega isn't so much securing your files for you as it is securing itself from your files. If Mega just takes down all the DMCAed links, it will have a 100 percent copyrighted material takedown record as far as its own knowledge is concerned. It literally can't know about cases that aren't actively pointed out to it, complete with file decryption keys.'"

Honeypot

[Quakeulf]

This will obviously be watched very closely by some fellows with a lot of power.

Re:Honeypot

How is it a honeypot though?

Re:Honeypot

[gandhi_2]

It keeps the powers that be busy.

Re:Honeypot

[sco08y]

This will obviously be watched very closely by some fellows with a lot of power.

Yes it's obvious that unknown persons with an unquantified amount of indeterminate influence will be watching a public website with an unspecified degree of closeness through some unmentioned mechanism.

Re:Honeypot

[Quakeulf]

Since you couldn't understand what I meant: The feds, the music industry, the movie industry, the porn industry, the gaming industry and the software industry to name a few.

Re:Honeypot

[modmans2ndcoming]

and all they will see is a bunch of encrypted files.

Re:Honeypot

and all they will see is a bunch of encrypted files.

Will they steal my photographs again? I don't know which trees in the background of my photos are copyrighted.

Re:Honeypot

[SuricouRaven]

The site can't be monitored directly. That's the whole point. I'm sure they will be watching, but not directly. Were I in their place, I'd be looking for sites that link to files uploaded to Mega. A few careful google queries, a custom crawler, even entering into a few sneaky agreements with ISPs to do DPI and see where people are going. The idea not being to catch all the pirates, but to catch all the highly-visible pirates and the communities they form around. So only private, invite-only forums can survive.

Re:Honeypot

> It keeps the powers that be busy.

it allows them to request bigger budgets.

Re:Honeypot

[six025]

> It keeps the powers that be busy.

it allows them to request bigger budgets.

We can only hope that the screws are turned so tight the system blows up in their faces. Nothing else has worked so far in how many thousands of years? :(

Peace,
Andy.

Re:Honeypot

[Tumbleweed]

This looks like a great place to store a large number of heavily encrypted psuedo-random garbage files.

Re:Honeypot

Can't they use our taxpayer money to do something other than ruin the lives of people who copy files? Even the companies waste taxpayer money in court by filing lawsuits...

Re:Honeypot

I'd be looking for sites that link to files uploaded to Mega. A few careful google queries, a custom crawler, even entering into a few sneaky agreements with ISPs to do DPI and see where people are going. The idea not being to catch all the pirates, but to catch all the highly-visible pirates and the communities they form around. So only private, invite-only forums can survive.

You party-pooping bastard! Thanks for destroying my new business. I shall be coming around to your mum's basement to sit on your head.

Kim Dotcom

Re:Honeypot

[Jane+Q.+Public]

"Since you couldn't understand what I meant: The feds, the music industry, the movie industry, the porn industry, the gaming industry and the software industry to name a few."

Echo the other responses so far.

But also: it doesn't much matter until it actually starts working; it appears to have been Slashdotted. Sample upload is frozen; doesn't work in any browser tried so far.

Re:Honeypot

[elucido]

The site can't be monitored directly. That's the whole point. I'm sure they will be watching, but not directly. Were I in their place, I'd be looking for sites that link to files uploaded to Mega. A few careful google queries, a custom crawler, even entering into a few sneaky agreements with ISPs to do DPI and see where people are going. The idea not being to catch all the pirates, but to catch all the highly-visible pirates and the communities they form around. So only private, invite-only forums can survive.

None of that will be useful when you consider the cost vs benefit. Sure if they invest a billion dollars a year in every country and treat it like the War on Drugs then they will initiate an arms race but what is the point?

Re:Honeypot

Depends on what you mean by monitor. To get full use of the site you still have to provide an email address and have an account, so anybody "watching" the site can still work out a rich social graph of users and extrapolate identities and activities from this. It's not as much as completely transparent traffic, but it's a lot of useful information.

Re:Honeypot

[F.+Lynx+Pardinus]

Then why didn't you just say that?

Re:Honeypot

What do you mean? Like, bombing brown people? Check.

Re:Honeypot

The site can't be monitored directly. That's the whole point. I'm sure they will be watching, but not directly. Were I in their place, I'd be looking for sites that link to files uploaded to Mega. A few careful google queries, a custom crawler, even entering into a few sneaky agreements with ISPs to do DPI and see where people are going. The idea not being to catch all the pirates, but to catch all the highly-visible pirates and the communities they form around. So only private, invite-only forums can survive.

Un-necessary to go to all the trouble. http://torrentfreak.com/verizons-six-strikes-anti-piracy-measures-unveiled-130111/ The relavent information will likely be automatically reported to them.

Re:Honeypot

[icebraining]

Since Mega, like any other sensible site with personal data, uses HTTPS, Verizon can't even know what URLs the user is accessing, much less the file contents. They only know the domain.

Re:Honeypot

[mrmeval]

When you say it that way it's down right creepy! Hey wait, were you that person who would whip up the skeer on the frightwing boards during the 1990s? HRMMMMMMMMMMMM?

Re:Honeypot

[jamstar7]

It keeps the powers that be busy.

You say that like it's a bad thing. Half a sec, this torrent is finishing... :D

Re:Honeypot

[jamstar7]

Can't they use our taxpayer money to do something other than ruin the lives of people who copy files? Even the companies waste taxpayer money in court by filing lawsuits...

Copyright infringers tend not to shoot back.

Re:Honeypot

[jamstar7]

Keep in mind that if they monitor the bandwidth used by the endusers, they'll know they're getting something. After all, using massive amounts of bandwidth that's not coming from Netflix/Redbox/Youtube means you're moving something, and in today's climate in the US, that means copyrighted files, especially if the origination point is obscured. Not quite a smoking gun, but with enough campaign contributions, possibly enough to get a warrant from a media-friendly judge...

Re:Honeypot

[jamstar7]

This looks like a great place to store a large number of heavily encrypted psuedo-random garbage files.

Definitely. Let the Feds waste tons of computer processor cycles trying to make sense of it to figure out whose media file is 'stolen'. It'll keep 'em outta trouble, especially if you allude to a mysterious decrypting program that's passed around by sneakernet to 'decode' the garbage files.

Re:Honeypot

[icebraining]

Meh, I don't think the RIAA/MPAA are interested in any more warrants or lawsuits; on average, they lose a lot of money on them. The Verizon deal is great to them because it cuts all those "due process" requirements and it's therefore much cheaper per user.

Re:Honeypot

[ganjadude]

you sign up with a pre-paid CC and use a new email address you only use with mega? Seems pretty trivial to me

Re:Honeypot

[jamstar7]

Meh, I don't think the RIAA/MPAA are interested in any more warrants or lawsuits; on average, they lose a lot of money on them. The Verizon deal is great to them because it cuts all those "due process" requirements and it's therefore much cheaper per user.

Why should they care? It's not their money. The whole point of the *AAs getting copyright infringement redefined as a criminal act rather than a civil act was so the taxpayer foots the bill for prosecution, not the *AA. Once the complaint is signed in a criminal case, it's up to the government to investigate, serve warrants, make arrests, haul defendants in front of a judge, etc. In civil cases, it's up to the plaindiff to do all that gruntwork, without the benefit of arrest powers and police backup.

Re:Honeypot

[EngnrFrmrlyKnownAsAC]

It's already an arms-race and now it's their move. And who has the money to do a cost/benefit analysis nowadays?

Re:Honeypot

[icebraining]

Has any regular Joe file sharer (that is, people not involved in commercial and/or "distribution teams" (like IMAGiNE)) ever been convicted of criminal copyright infringement? As far as I know, they still need to be sued under a civil court.

Re:Honeypot

[elucido]

It's already an arms-race and now it's their move. And who has the money to do a cost/benefit analysis nowadays?

If it's an arms race then they already lost. The smartest minds in the field already know that. This is a political and legal batter but if it becomes a technological arms race there is no way they will be able to win there. That is why they are trying to use the law to ban certain technology and suppress certain companies from becoming profitable such as the case with Kim Dot Com.

The more they fight the technology the faster they lose because the people who make technology, who write code, virtually all the best hackers, all the best programmers, and the majority of the young people, all are against them. Time and technology are against them.

It's more important to most of us to be able to store our files in the cloud and access entertainment online unrestricted than it is to keep the old anachronistic industries alive. Those industries which think they are too big to fail just aren't useful like they once were.

Re:Honeypot

Actually, I'm sure "all they will see" is a bunch of pirated movies, pirated music, pirated books, child pron and anything else that their closed little minds want them to see.

Of course they won't be able to say *which* encrypted file is *which* pirated music file, but I'm sure they believe the entire mega site is full of illegal content.

And once again they'll waste lots of our tax dollars attacking it all in defense of the music & movie industry's outdated business models.

Re:Honeypot

[tehcyder]

That is why they are trying to use the law to ban certain technology and suppress certain companies from becoming profitable such as the case with Kim Dot Com.

And what, precisely, is wrong with stopping people like Kim Dotcom making money off copyright infringement?

You can make all the high-minded "information wants to be free" arguments you like, but the fact remains that Kim Dotcom is a parasite who can only make money because of the existence of copyright and the willingness of people to pay him to get round it.

Any one else with registration problems?

Just registered and activated accounts are inaccessible. No, no typo, no failed memory, no caps lock on.

Anyone else or just me?

Re:Any one else with registration problems?

[sugarmotor]

me too

Re:Any one else with registration problems?

[mister_playboy]

I can't even get the homepage to load.

Slashdotted, I'm sure... :P

Re:Any one else with registration problems?

[dmbasso]

Coincidentally today all my torrents stopped working, all tracker addresses are resolving to 127.0.0.1... anyone else having the same problem?

Re:Any one else with registration problems?

[Tubal-Cain]

Had to allow Javascript to get past the SSL error.

Re:Any one else with registration problems?

[sugarmotor]

Now got through, first upload failed. Not really important, for sure.

Re:Any one else with registration problems?

[Mike+Frett]

I know you posted this Yesterday but It loads now, but sort of slowly, probably due to the nature it was coded. For me at least. =)

hmm

Seems more like the way it's marketed is "piracy market, just don't make it known"

It may take some time before it's a viable alternative to dropbox, but at the same time, I can feel the "ohshitdosomething" gears spinning at the RIAA, MPAA, BSA and so forth.

Re:hmm

[K.+S.+Kyosuke]

OR, perhaps it's like a storage solution where you don't have to trust the storage company. If you store sensitive papers in a safety deposit box in a bank, you still have to trust the bank that nobody else will peek inside. With this, your privacy will be guaranteed by laws of nature.

Re:hmm

No. This is a lot better than Dropbox. Dropbox has your files, knows what they're called, and knows what's in them. It is a basic, fairly bad, cloud storage service. All your data is subject to search and seizure.

On an audit of the code from Mega - which looks pretty solid - Mega has your files, but does NOT know what they're called or what's in them. Your data may still be subject to seizure - as MegaUpload very obviously demonstrated - but is NOT subject to search.

It's not the very first cloud storage service to do this, but so far as my audit shows, it's the first big one to do it properly. Seriously, look at the legit usage for this: This is the first really big cloud storage service you don't really have to trust to not leak your data. The risks are reduced: to seizure or other loss (which is ALWAYS a possibility, especially the way the US is being at the moment), or if they were made to backdoor it (though people might notice, as the JS would have to change, and that wouldn't affect client applications).

Re:hmm

How do they do they encryption before upload? If the file goes to the unencrypted initially, then surely they'd have a record of it.

Re:hmm

Encrypt on client, then send to server? The difficulty would be in verifying that this took place, but if this is done in JS, anyone should be able to verify that it is doing it (if they have the knowledge).

Re:hmm

[Kjella]

How do they do they encryption before upload? If the file goes to the unencrypted initially, then surely they'd have a record of it.

Well, there are AES implementations for JavaScript.... not if I know that's what they're using or what the performance is like, but it's certainly possible to do it client side...

Re:hmm

They could encrypt it using Javascript in the browser.

Re:hmm

[icebike]

It's not the very first cloud storage service to do this, but so far as my audit shows, it's the first big one to do it properly.

Take a look at Spideroak and explain why you think they did it wrong.

Re:hmm

[icebike]

If they did ti correctly, they could provide the source code for the client side encryption, and let you build your own client from it.

After all, the best encryption is the kind that even if they tell you exactly how it works and show you the code, you STILL can't break it in any reasonable time frame.

Re:hmm

[minderaser]

I've been using SpiderOak instead of Dropbox for a while now for just the reasons you mention.

Re:hmm

megaupload lets you share individual files or folders with others while still keeping the contents hidden from megaupload. SpiderOak uses one encryption key for everything, which only you hold and gives only you access to your data.

SpiderOak is zero-knowledge encrypted cloud backup/storage/remote disk, MegaUpload is a an encrypted Dropbox/fileshare/(future)collaboration tool. They occupy slightly different application spaces.

Re:hmm

2gb vs. 50gb free for starts....

Re:hmm

[icebraining]

To add to that, they do have API and let you build clients with it, although you need to have it approved with them.

Re:hmm

Hello. I'm not sure if that's an approach to professionally engage my services, perhaps? :) Like I said, MEGA is not the very first cloud storage service to do this, but they are already bigger than Spideroak on the very first day (albeit a wobbly, capacity-limited day given the size of the launch), and will probably end up much, much bigger, given that its spiritual predecessor MegaUpload represented ~4% of all internet traffic worldwide at its peak, and MEGA is substantially better architected and designed, and may have more "staying power" (albeit that its existence and ownership is likely to prove controversial with some).

I do have four initial comments right off the bat, however:
1. Spideroak is headquartered in Illinois in the United States of America. Why is that? (As Kim Dotcom himself says - for well-learned reasons - and many of my professional colleagues have previously echoed: for political reasons, the United States is regrettably and demonstrably an unsuitable jurisdiction for a secure cloud storage site - and, indeed, a jurisdiction that many of my clients and professional colleagues explicitly wish to avoid for secure services, for various reasons.)
2. AES-256 is slower than AES-128, but actually slightly weaker. Why, specifically, was AES-256 chosen?
3. What cipher modes are used, and where? I skimmed the site briefly but though some other details were disclosed, mention of this was curiously absent. The most suitable modes for file encryption like this would include OCB (which MEGA considered, and almost chose except for its US patent, which doesn't affect them directly and has a GPL patent grant, but they didn't want to limit all potential client software to being GPL-only, paid, or avoiding the US as avidly as they did), or GCM (surprisingly slow unless you have an Intel chip which supports the PCLMULQDQ instruction - and JavaScript clearly does not!). XTS and similar tweakable modes can also be good candidates if handled as blocks, but require higher overhead (again, a similar issue as GCM). CTR mode works great with a MAC. CBC has some subtle quirks which can make it highly undesirable sometimes (see BEAST). ECB mode is to be avoided, except in certain specific cases.
4. Key management. Again, some of the details require a bit more clarity to comment, but the entropy collection is one thing I might raise.

-akr
___
1. https://lirias.kuleuven.be/bitstream/123456789/314284/1/aesbc.pdf

Re:hmm

[jimmyfrank]

So it's Amazon S3, neat.

Re:hmm

maybe it's just me but I would encrypt anything I store in the cloud, regardless.

I don't use teh clowd preferring NFS on an old p4 as my idea of a NAS :o/ but still, people trust this cloud business a bit much IMO, but I am bit of a dinosaur so YMMV.

Re:hmm

[Kalriath]

No they couldn't. Javascript has no access to the file system, so could not encrypt a file.

Re:hmm

No. This is a lot better than Dropbox. Dropbox has your files, knows what they're called, and knows what's in them.

ZOMG!!! Dropbox somehow unencrypted the encrypted stuff I uploaded? How can they do that?

Re:hmm

He said 'big'.

Re:hmm

For client-side encryption through a locally-compiled command-line interface, check out 'tarsnap': http://www.tarsnap.com/

Re:hmm

[mpilsbury]

2. AES-256 is slower than AES-128, but actually slightly weaker. Why, specifically, was AES-256 chosen? 3. What cipher modes are used, and where? I skimmed the site briefly but though some other details were disclosed,

From the API documentation (at https://mega.co.nz/#developers):

"All symmetric cryptographic operations are based on AES-128. It operates in cipher block chaining mode for the file and folder attribute blocks and in counter mode for the actual file data."

Of course their own client may work differently.

Re:hmm

[allo]

seems like you do not know the new html5 file-api.

Re:hmm

During the press conference today the "encryption expert" stated that all of the client/encryption code was open source and encouraged others to try and find vulnerabilities.

Re:hmm

There is also Boxcryptor, which works with Dropbox and other providers that does exactly what Mega does.

Re:hmm

[Kalriath]

Indeed. Only works in Chrome or IE10. Not exactly "standard" though.

Re:hmm

[ralph.corderoy]

It's an encrypted cloud-backup service rather than plain cloud-storage, but http://tarsnap.com/ makes the client's source available for your inspection.

Re:hmm

[allo]

like most of the html5 stuff ... nice draft, but nothing you can expect from every browser.

Megaupload?

[Janek+Kozicki]

I wonder when/if he will be able to get back all the content from megaupload...

Re:Megaupload?

[DanielRavenNest]

I'm still waiting for final resolution of fallout from the 2007 financial meltdown. A mutual fund I had shares in lied about the value of mortgage-backed securities they held. The legal process is slow, so you can expect it to take several years for the return of user data.

Re:Megaupload?

[whoever57]

I'm still waiting for final resolution of fallout from the 2007 financial meltdown. A mutual fund I had shares in lied about the value of mortgage-backed securities they held.

At this point, I think that it is pretty clear that almost no-one is going to be held to account for the illegal activities that led to the financial meltdown. If you are waiting for restitution from the mutual fund, I suggest that you give up.

Re:Megaupload?

There have already been billions of dollars of settlements for mortgage-related fraud and securities fraud during the financial crisis. Not everything in reality fits into the paradigm you seem to enjoy believing in.

Re:Megaupload?

[jamstar7]

Pennies on the dollar return for those fraud cases, minus legal fees, of course. All the mortgage meltdown did was make a bunch of lawyers a ton of money.

In-browser encryption?

[edelbrp]

Anybody poke around yet to see how they do the client-side encryption w/o a plugin? I suppose it could be done in Javascript. Another thought I had is maybe using the SSL stream its self and storing that. I would hope they are at least not using Java or Flash.

In any case, I would imagine that this would attract a lot of attention to see just how secure the mechanism is.

Re:In-browser encryption?

There are a few libraries...

http://code.google.com/p/crypto-js/

http://crypto.stanford.edu/sjcl/

Re:In-browser encryption?

I *assume* the encryption might be working two-fold:

One server-based and one simple SSL-based for all transmissions. It seems to make sense. You send your url and key to the server, which decrypts the data for you and then sends the file to you over SSL. The same for upload -> SSL, the server then encrypts and sends the key back to you.
Does this seem like Snakeoil to you? Not really, you're still getting a cloud-sharer that cannot look into your files and no one can bulk-steal them for anything useful. It is not as strong as advertised? Well, keep in mind their 2048 bit RSA encryption is basically for THEM so THEY can claim to law enforcement and copyright holders not to be able to open the stuff. Your security is the normal SSL transmission.

I am not saying it works like that but it would be a rather simple setup without ausing too many headaches. It could very well be the entire encrytion does indeed happen in the browser.

Also note the browser is just a temporary solution or one for the Quick and Dirty accesses. They plan to open an full API and I bet all the legit *cough* users this service will draw will soon have custom clients that satisfy all requirements you could think of.

Re:In-browser encryption?

AES implemented completely in javascript. No idea what the performance is like.
I wonder if there is some kind of check that it performs server-side to ensure that the upload has been encrypted, i.e. to make sure that you haven't changed the client-side javascript to purposely upload plaintext files (so as to incriminate mega).

Re:In-browser encryption?

[sco08y]

Anybody poke around yet to see how they do the client-side encryption w/o a plugin? I suppose it could be done in Javascript. Another thought I had is maybe using the SSL stream its self and storing that. I would hope they are at least not using Java or Flash.

In any case, I would imagine that this would attract a lot of attention to see just how secure the mechanism is.

SSL wraps the entire HTTP session, so by the time your Javascript is running, everything is arriving as clear text.

There are any number of Javascript crypto libraries, and for small files it's probably Good Enough.

Re:In-browser encryption?

[mwvdlee]

I don't think Javascript alone can intercept uploaded files. They could use a flash tool to intercept the file and pass to javascript for encryption.

Re:In-browser encryption?

Regardless of how encryption is done, Mega controls the code so it could be corrupted or compromised. If Hollywood wants to inspect someones archive they could just get legal order to have the company change the code and reveal the persons files .... and if Mega doesn't comply then they can't do business in the US. (and also, helicopters)

Re:In-browser encryption?

[icebike]

You send your url and key to the server, which decrypts the data for you and then sends the file to you over SSL.

That would be silly. Why do server side decrypton/encryption when you can do that on the client side and truly have ZERO knowledge of file content.

You want to download your file, they send you gibberish that only your client can decrypt because only it has your private key.

Even directory listings and indexes to your files could be maintained on the client, encrypted and uploaded to the service. Then when you want to fetch, add or erase a file, you ask for the encrypted directory, find the name of the particular file and the server sends it.

The server wouldn't have to know anything.

Re:In-browser encryption?

[icebike]

Regardless of how encryption is done, Mega controls the code so it could be corrupted or compromised. If Hollywood wants to inspect someones archive they could just get legal order to have the company change the code and reveal the persons files .... and if Mega doesn't comply then they can't do business in the US. (and also, helicopters)

Ah, no.

Even with public key encryption, you can't program your way around a missing private key.
If done right, with a warrant in hand, and a gun to their head, they still could not decrypt your files.

Re:In-browser encryption?

[martin-boundary]

If done right, with a warrant in hand, and a gun to their head, they still could not decrypt your files.

Duh. You're missing the crucial ingredient: a gun to the head and a blowjob at the same time. That makes every kind of encryption crackable in 5 minutes.

Re:In-browser encryption?

[monkeyhybrid]

Javascript can access and process file data directly with the HTML5 File API which is supported by recent versions of most major browsers.

Re:In-browser encryption?

[monkeyhybrid]

a gun to the head and a blowjob at the same time

Gives a whole new meaning to blowing your brains out.

Re:In-browser encryption?

[icebraining]

They can't decrypt the files right at that moment, but they can wait for you to log in and copy your private key then (since you need to provide it to them to decrypt the files yourself).

Re:In-browser encryption?

[ChunderDownunder]

Machine Gun Fellatio

Re:In-browser encryption?

[ChunderDownunder]

Well as someone else noted, they had to enable JS to get the site to work, by which some would regard as opening an attack vector in running untrusted scripting.

Wouldn't it be nice if someone wrote a browser plugin to whitelist only trusted free software scripts ?

With RMS as an unlikely guardian angel, Kim DC could use existing crypto libraries at least ensure the integrity of client-end encryption. If "They" were to try and inject covert monitoring code into the process, tampered scripts would refuse to run...

Re:In-browser encryption?

[icebike]

Nope. Your private key need never leave your machine.
You encrypt the file before you upload it. And you decrypt it only after you retrieve it.

They never need to possess your private key for even a second.

Your login key maybe, but that isn't even important. They can't do a thing with it.

Re:In-browser encryption?

[jamstar7]

Meh, just create a botnet to do SETI@Home style keycrunching and infect every smartphone out there with it. Throw enough processors at a private key, it'll fall.

Re:In-browser encryption?

[icebraining]

The fact that they don't need to possess your private key doesn't mean they can't if they want or are compelled to. How do you know if the JS code you get from them the next time you login won't just post the key to them?

Re:In-browser encryption?

[icebike]

You're not using your head.

They don't WANT to know you key or the content of your files.
If they knew, they would immediately become liable for harboring any pirated content.

What would be point of that? Why attract trouble? The whole point of the business model is to not know.

They are perfectly happy not being able to decrypt your porn.

Re:In-browser encryption?

More interested in how the keys are generated/used.

They don't make it clear when you create your account if your password is going to be used as (part of) your encryption key or if you are going to create a separate key later. If it is your password then how is that password used to authenticate you with their server? Hashed client side? Hash of the hash stored server side? How are the individual file keys generated? Random? The file keys must then also be encrypted using your password-based encryption key. When you share a file you share the raw key to that file. So an attacker has no basis to test for recovery of the original user's password assuming keys are random. If the account password is part of the basic encryption key then the user cannot change the account password lest he lose his decryption ability (unless all his random file keys are re-encrypted with the new password after being decrypted with the old password). Accounts could be forced to temporary two-factor authentication w/ an emailed key in cases of suspicious login attempts.

Re:In-browser encryption?

[cerberusss]

Why do server side decrypton

Decrypton sounds like a cool Transformer I haven't heard of!

Re:In-browser encryption?

[johanw]

They do not even WANT to do business in the US. They even refuse to do business with other companies that are US based.

Re:In-browser encryption?

[icebraining]

Mind the context.

You replied to a comment that said:

If Hollywood wants to inspect someones archive they could just get legal order to have the company change the code and reveal the persons files .... and if Mega doesn't comply then they can't do business in the US. (and also, helicopters)

To which you replied:

If done right, with a warrant in hand, and a gun to their head, they still could not decrypt your files.

My point was that the way the system is set up (with server controlled JS code doing the de/encryption, they can always decrypt the files.

Why would they want to do that was already defined in the context of this conversation (i.e., they would be compelled to do so).

Re:In-browser encryption?

[icebike]

Oh, sorry, missed that part.
But I'm not aware of any law that would authorize a judge to issue a court order forcing anyone to commit a crime of theft and breaking encryption technology by stealing private keys from your computer.

Other posters have stated that the source code for the client side is open source. So that means users would be in full control of the encryption methodology and keys.
That makes your scenario seem pretty far fetched.

Re:In-browser encryption?

[icebraining]

But I'm not aware of any law that would authorize a judge to issue a court order forcing anyone to commit a crime of theft and breaking encryption technology by stealing private keys from your computer.

I don't either; I was just discussing the technical component of the issue.

Other posters have stated that the source code for the client side is open source. So that means users would be in full control of the encryption methodology and keys.

But the problem is that you never know if you're getting the same client that was reviewed by the community, since they can ship an altered version any time they want. It's a fundamental problem with JS encryption (except browser extensions, of course).

Re:In-browser encryption?

[tehcyder]

But I'm not aware of any law that would authorize a judge to issue a court order forcing anyone to commit a crime of theft and breaking encryption technology by stealing private keys from your computer.

It wouldn't be stealing, would it, if they just copied it?

Mega Conz

Really, that's the name?

Re:Mega Conz

Really, that's the name?

He had a different domain, but they gave him the boot at the last minute.... so it's .co.nz now.

Re:Mega Conz

[lennier]

Really, that's the name?

It's as legit as everything in .co.nz, and we're generally a law-abiding bunch here of hobbits here in New Zealand.

  Australia is the country you're probably thinking of that's entirely populated by criminals.

Piracy

[physlord]

"Legal Piracy: Take advantage of legal system loopholes!" seems to be the marketing strategy.

Well... I love it! :D

Re:Piracy

[icebike]

"Legal Piracy: Take advantage of legal system loopholes!" seems to be the marketing strategy.

Well... I love it! :D

Don't be daft.

The piracy is your problem.
Mega only holds your encrypted files which even they can't look at.

If you rob a gas station, escape in your get away car, launder the funds through a few transactions and deposit the funds in your Bank, is the bank at fault?
Is Ford at fault for selling you the car?

Re:Piracy

[physlord]

Come on. Don't be naive. Of course they know what they service might and will be used for, and somehow they are encouraging it by making a harder-to-track and safe file-sharing service (yes, I know, per se, is not a file-sharing service), also they covering their backs in the process.

In that line of easy analogies: If you sell radioactive materials to terrorists, and they use it to build a bomb an blow an entire building and kill a lot of people. Would you say you shouldn't share any part of the guilt?. You sold a material that could be used for good or bad. Even though you knew they were prone to "bad behavior".

Re:Piracy

Of course they know what they service might and will be used for, and somehow they are encouraging it by making a harder-to-track and safe file-sharing service

WTF are you talking about?? Did you just write that every hosting provider is liable and encouraging piracy?? Every hosing company hosts random files by random people too.

In that line of easy analogies: If you sell radioactive materials to terrorists, and they use it to build a bomb an blow an entire building and kill a lot of people.

Wow. I'm literally speechless.

Re:Piracy

[physlord]

There's no point in arguing. Seems we are not talking about the same thing here and we are not understanding each other's ideas, That's not what I meant and I apologize for not making myself clear. :D

Re:Piracy

[tehcyder]

The piracy is your problem.

Yeah, just as long as Mr Dotcom makes lots of money, who fucking cares?

Seriously, I'm getting fed up with people on slashdot treating Kim Dotcunt like he's some brave hacker standing up to The Man. He's just another shady twat who thinks that anything is justified as long as you make money from it. He's a Randian fucking wet dream.

Re:Piracy

[icebike]

This from the guy that thinks it not stealing when someone copies someone else's private encryption key.

If you want to stand up there on that soap box, better make sure your feet aren't made of clay.

Willlful ignorance is a crime

The internet police will be knocking on his door soon enough.

Re:Willlful ignorance is a crime

[BlueStrat]

Willlful ignorance is a crime...

The internet police will be knocking on his door soon enough.

Not to mention taking deliberate steps to avoid prosecution by hosting exclusively outside the US, in addition to obstructing justice by having mirrored servers in different countries, making it nearly impossible for the US DoJ/ICE to take down.

He's a "digital terrorist"!

Cue the drone strikes and SEAL raids.

Strat

Re:Willlful ignorance is a crime

[flayzernax]

And this may be one of the first cases for the Great Firewall of the USA to go up.

Re:Willlful ignorance is a crime

[gmuslera]

Too bad that for US, the great firewall is like the one in this joke. Most of internet is in, or you access it thru US, and even for things that are outside have enough power in a way or another to show down them remotely, how they did i.e. with megaupload or a lot of torrent sites overseas.

Re:Willlful ignorance is a crime

[icebike]

How does having backup servers in multiple jurisdictions make him a terrorist?
How is one of the most recommended best practice in IT suddenly obstructing justice?

Re:Willlful ignorance is a crime

[MichaelSmith]

Willlful ignorance is a crime...

The internet police will be knocking on his door soon enough.

Not to mention taking deliberate steps to avoid prosecution by hosting exclusively outside the US

So what does that make me? I have no connection to the US and I took deliberate steps to host all my stuff at my place.

Re:Willlful ignorance is a crime

[renojiin]

Because he's fucking with some company's (imaginary) profits, and once you do that, you just call on your lapdogs (the US government) to fabricate reasons? What better to hide behind other than terrorism? Everyone understand it. Terrorist=bad, so kill him already and put him out of our misery. Or something like that.

Re:Willlful ignorance is a crime

It is not at all difficult for the U.S. to enforce copyright laws against people in other countries, with few exceptions like Cuba.

Re:Willlful ignorance is a crime

Drones, you say? http://instagram.com/p/UnQsl6MkcM/

Re:Willlful ignorance is a crime

[cheater512]

You can't obstruct US justice when you aren't in the US.

And he is avoiding a legally unfavourable country. Many legit companies refuse to host in the US because doing so would break say EU privacy laws.
E.g. A doctor in France couldn't store patient records in the US.

One reason why Amazon opened in Australia was because of the resistance of Australian businesses to offload their data overseas, especially the US.

Re:Willlful ignorance is a crime

[BlueStrat]

You can't obstruct US justice when you aren't in the US.

And he is avoiding a legally unfavourable country. Many legit companies refuse to host in the US because doing so would break say EU privacy laws.
E.g. A doctor in France couldn't store patient records in the US.

One reason why Amazon opened in Australia was because of the resistance of Australian businesses to offload their data overseas, especially the US.

Perhaps I should have added a "/sarc" tag to my OP.

I was pointing out through sarcasm precisely that kind of overreach, intrusiveness, and corruption you describe when it comes to the US and it's actions and policies, both domestic & foreign, regarding the 'net and commercial "imaginary property" and data privacy/security.

Strat

Re:Willlful ignorance is a crime

you forgot child pornography!

Re:Willlful ignorance is a crime

That's easy, in the eyes of the US, you're a terrorist.

Mega.co.nz

[Zeroblitzt]

More like Mega... Conz.

Re:Mega.co.nz

[inamorty]

Before you pat yourself on the back, have a quick look at how many times that particular gem has cropped up before...

...and this will make money how?

[Lordfly]

Just wondering. If it's advertising, I don't see it lasting long.

Re:...and this will make money how?

[Lordfly]

For once I should have read the article. Pricing tiers. Still 50GB is a lot to give away.

Re:...and this will make money how?

Well that is how he afforded these two along with his humble home. I'm sure he knows how to make money with advertising.

Re:...and this will make money how?

1. Setup a big, encrypted cloud storage. Make a loud rumble so everyone looks at it.
2. Charge for a) "Pro accounts" with more bandwidth and storage and b) advertising.
3. Profit.

The business plan is really no miracle or something.

Re:...and this will make money how?

[kthreadd]

I don't think they store the data on DVDs.

Re:...and this will make money how?

Of course they don't. But you could. There are differences, but basically this is the value proposition they are offering.

I might make sense for some people, because, for example, you can't stuff 6 dvds in a smartphone. But for others, putting your stuff on a dvd is as good as putting it in the cloud. Perhaps more so, since you have control of it, and it not subject to legal scrutiny unless the police raid your house.

Re:...and this will make money how?

[mwvdlee]

Somehow I don't think they'll be using DVD's to store the files. To be fair, they'll use whatever harddrive solution their hosting providers can get for the least amount of money, whatever that may be.

You don't calculate the cost of an internet connection by calculating the power consumption of all the '1' bits either.

Re:...and this will make money how?

[Zorpheus]

I don't know about others, but I store data on hard discs. DVDs ae just too small and impractical, and haddiscs so cheap nowadays.

Re:...and this will make money how?

why mod that down to -1? it's a legit post even if you don't agree with it. for shame.

Re:...and this will make money how?

[MichaelSmith]

The other idea I saw is that to use their free service you have to install their ad-blocker which replaces normal advertisments on web pages with their advertisments. Its shonky as hell but I can see it working for them.

Re:...and this will make money how?

No, most people store data on DVDs. Whenever I run Firefox, I put in the Firefox DVD. Most of us don't even bother with HDDs or SSDs - just DVDs.

Re:...and this will make money how?

[cheekyjohnson]

Most of us don't even bother with HDDs or SSDs - just DVDs.

Most of who? I somewhat doubt that.

Re:...and this will make money how?

[Kalriath]

The sad part, is that the mansion was constructed with the profits from a fucking Christmas Hamper company.

Think about that next time someone offers you Christmas club stamps.

Re:...and this will make money how?

[MoaDweeb]

Dotcom wanted to buy the house but was rejected as 'an unfit person' as he had previous convictions and had not been domiciled here long enough. Now having lived in NZ for over a year as a Resident he can purchase it.

Re:...and this will make money how?

DId you only read the first sentence, or did you intentionally take this out of context, or do you not know sarcasm when you see it?

Re:...and this will make money how?

[cheekyjohnson]

Given the fact that I quoted the third sentence, the first possibility you listed seems doubtful.

or do you not know sarcasm when you see it?

It's sometimes difficult. I've seen people say some things that I believed were extremely absurd, and they were completely serious.

Swiss Bank Accounts

[brit74]

So, basically, he's taken the "Swiss Bank Account" model that allows tyrants, dictators, and thieves to keep their money hidden and applied it to uploading illegal content. One major problem with KimDotcom's new model is the fact that Megaupload used to allow users to search for content (read: mostly copyrighted, illegally uploaded content). The search functionality is broken with the new model because your average user can't know the encryption key. This means most users will ignore megaupload and they will suffer from a lack of users. (Because, let's face it: the real reason Megaupload was *ever* popular was as a conduit for piracy. Kim Dotcom knows this, which is what his new move is about: enabling the piracy that makes his site popular, but trying to evade legal liability.)

Re:Swiss Bank Accounts

[mister_playboy]

The old MU didn't have any search functionality. None of the filehosts do. That's the reason 3rd part search sites which scraped the 'Net for filehost links appeared. RapidSearch, dealing with RS links, was the first I recall seeing.

Re:Swiss Bank Accounts

[Hadlock]

Once everything is up and running, this is going to beat the hell out of dropbox for actual file usage. Now I can just mirror my mom's entire home directory across her desktop and two laptops, rather than just 2gb of storage for her my documents folder.

Re:Swiss Bank Accounts

[Lisandro]

You can include the key with the download URL, afaik.

Re:Swiss Bank Accounts

Yeah, but I think the point is that third party indexer type sites will start popping up, allowing people who are members of such sites to traffic in digital information. As long as where it is hosted isn't liable for anything, there will be no real, long-term and effective way of preventing people from sharing information with a computer & the internet.

This is just the beginning of the evolution of information transfer (don't want to call it "piracy" - that word has been co-opted to mean something it does not - let's call a spade a spade here and use the term information transfer).

Re:Swiss Bank Accounts

[DriveDog]

That's it. Somebody gets it.

Re:Swiss Bank Accounts

Speaking from experience, I never searched Megaupload. I always attained the links at third party sites.

Re:Swiss Bank Accounts

[Lucky_Norseman]

The Swiss Bank Account model is also what allowed jews in Germany to keep some of their family fortune out of the claws of the Reich.
Is that so evil?

Re:Swiss Bank Accounts

So 50 gigs free, and i can finally store stuff without worrying about privacy? How are they going to suffer for users?

Re:Swiss Bank Accounts

A Jew stashes the money in the Swiss Bank Account.
A Jew dies in a concentration camp
Bank keeps the money.
What's not to love?

Re:Swiss Bank Accounts

yes, that is exactly what this is. And your problem is?

Re:Swiss Bank Accounts

Godwin!

Re:Swiss Bank Accounts

[AmiMoJo]

So, basically, he's taken the "Swiss Bank Account" model

No, he has just make a cyberlocker the way it should have been from the start - a private storage facility for controlled groups of people. The uploaders are not anonymous, that they have to be registered with the site, and the T&Cs make it clear MEGA will hand over any registration data if compelled to by law.

The search functionality is broken with the new model

It was useless anyway because people didn't upload public files with names that gave away the copyright infringing contents, instead they linked to the obfuscated names on forums.

This means most users will ignore megaupload and they will suffer from a lack of users.

Except all those people who like services such as Google Drive, Skydrive, Dropbox etc. but want more privacy. Oh, and all the pirates who used to use MegaUpload because it was less crappy than most of the other cyberlocker services.

enabling the piracy that makes his site popular, but trying to evade legal liability

Or maybe it's just that the MAFFIA controls the FBI now and the US has become the World Police, capable of sending agents of foreign countries to do the bidding of its corporations. Why else would he even bother to mention the DMCA when MEGA is deliberately staying well away from any US territory and laws? He should have no reason to respond to any DMCA request because it isn't law in New Zealand or anywhere MEGA operates or has servers, but he is forced to because the US thinks its laws are universal.

Re:Swiss Bank Accounts

[gmuslera]

The Swiss Bank Account model also prevented tyrants, dictators and (in government/power positions) thieves to stole, take advantage, extort, etc you for having that money.

With information in the open by all accounts for governments (at least, the US one, and its agencies, and the people that "finance" both), and the problems lacking a secure alternative, the potential for abuse is high. As it make it difficult to be used for piracy, you should see what else is interesting to put elsewhere in an very secure way with anonimity for the people that access it. The wikileaks insurance files is the first example that comes to my mind.

Re:Swiss Bank Accounts

[interkin3tic]

OP was only commenting on the legality of what he was doing. He wasn't saying it was immoral.

Just because we agree with the laws that swiss banks are enabling people to break and disagree with the laws that mega is enabling people to break doesn't mean there aren't parallels.

Re:Swiss Bank Accounts

[elucido]

Yeah, but I think the point is that third party indexer type sites will start popping up, allowing people who are members of such sites to traffic in digital information. As long as where it is hosted isn't liable for anything, there will be no real, long-term and effective way of preventing people from sharing information with a computer & the internet.

This is just the beginning of the evolution of information transfer (don't want to call it "piracy" - that word has been co-opted to mean something it does not - let's call a spade a spade here and use the term information transfer).

The poser was trying to compare information to currency as if it's money. It's not money. It's not the information, it's the content. Content has to be generated continuously.

Re:Swiss Bank Accounts

[gmhowell]

A Jew stashes the money in the Swiss Bank Account.
A Jew dies in a concentration camp
Bank keeps the money.
What's not to love?

Burma-Shave

Re:Swiss Bank Accounts

I keep my personal data in a TrueCrypt encrypted file on Dropbox, but I don't know which type of encrypted data user I am. Can you help me work out if I am a tyrant, a dictator or a thief?

Thanks for your help.

Re:Swiss Bank Accounts

[lennier]

It's not the information, it's the content. Content has to be generated continuously.

And that's hopefully where the Kickstarter model can help.

1. Crowd-source the funds needed to make a bunch of content.
2. Release the content to the Intertubez with an open licence that allows copying but preserves attribution.
3. Let the tubez do all the work of distribution and the social media do all the work of publicity.
4. Sit back and accumulate fame (but not money) for your work
5. Go back to 1 and leverage your newly increased fame to crowd-source more money for more content. Repeat until rich, dead, or you start charging too much for too low quality product and your audience hates you.

I don't see why this wouldn't work, and it would completely invert the piracy "problem" into a solution.

Re:Swiss Bank Accounts

[tehcyder]

4. Sit back and accumulate fame (but not money) for your work

5. Go back to 1 and leverage your newly increased fame to crowd-source more money for more content. Repeat until rich, dead, or you start charging too much for too low quality product and your audience hates you.

A couple of points:

First, if you can only accumulate fame (but not money) (4) how are you ever going to get rich (5)?

Second, unless Kickstarter mug punters are generous enough to fund your living expenses, all you're going to get is the money to pay for materials, equipment, or whatever. The charming idea that all artists should either starve or work full time as waiters to pay the bills is probably not one that you'd want to apply to your own work if you're a professional developer, lawyer or engineer.

Third, what is wrong with getting paid according to how good your current product is, rather than how good your next one may be?

Re:Swiss Bank Accounts

[tehcyder]

Speaking from experience, I never searched Megaupload. I always attained the links at third party sites.

And for Mega to be any use, people will have to publish the encryption keys too.

It just protects Kim Dotcom, since he can say that Mega don't know the encryption key: it does nothing for the average punter who clicks on a link to download a pirated version of a movie.

Re:Swiss Bank Accounts

[tehcyder]

So 50 gigs free, and i can finally store stuff without worrying about privacy? How are they going to suffer for users?

It's when you want to share your "private data" with fellow Hollywood film enthusiasts that you'll realise by giving out the encryption key publicly you're still just as liable to be caught by the copyright holders. It's just Kim Dotcom who thinks he's cleverly got round their attentions.

Re:Swiss Bank Accounts

[tehcyder]

enabling the piracy that makes his site popular, but trying to evade legal liability

Or maybe it's just that the MAFFIA controls the FBI now and the US has become the World Police, capable of sending agents of foreign countries to do the bidding of its corporations. Why else would he even bother to mention the DMCA when MEGA is deliberately staying well away from any US territory and laws? He should have no reason to respond to any DMCA request because it isn't law in New Zealand or anywhere MEGA operates or has servers, but he is forced to because the US thinks its laws are universal.

Obviously it's nothing to with the fact that a lot of the big copyright holders are US corporations? Or that the vast majority of popular films are made in Hollywood, which is in the US?

Site under massive load

it took 3 times to get it to send me a email to register. Cant get link from email to load. Site seems very overloaded

Re:Site under massive load

oh.....i'm in. its generating massive 2048-bit key as we speak

Re:Site under massive load

cant get anything to upload to the site now....seems pointless at the moment

Re:Site under massive load

[fuzzytv]

That seems rather like a spamfilter-related issue. I had the same problem (not receiving the activation e-mail on my primary e-mail), so I tried a different e-mail and the link arrived almost immediately.

Re:Clever

[sco08y]

Sounds more like an acknowledgment that, 'Yes, we KNEW we were hosting pirated binaries before, but now we're much more clever at it".

It's more, "it's not our job to police our members and we've made it computationally impossible for us to do so."

Not all user agents support the File API

[tepples]

As far as I know, the ability to use JavaScript crypto libraries on an uploaded file relies on browser support for the File API, which isn't available in Internet Explorer before version 10 or Safari for iOS before iOS 6. This means it's not available in Internet Explorer for Windows XP, Internet Explorer for Windows Vista, or Safari for the first-generation iPad.

Re:Not all user agents support the File API

[kthreadd]

or Safari for iOS before iOS 6

That's because Safari for iOS did not support uploading files before iOS 6, at all.

Re:Not all user agents support the File API

Mac users don't need to upload things. They consume, rather than create stuff, so all of their apps are already on the cloud.

Re:Not all user agents support the File API

As opposed to windows and linux users who I hear write some pretty neat "hello world" apps.

Re:Not all user agents support the File API

[bearded_yak]

It's just so precious to see someone who doesn't watch movies, watch television, listen to music, or participate in any of the other large variety of things very often created on Macs.

I thought trolls live under bridges, not under rocks.

Re:Not all user agents support the File API

Spoken like one of those Mac users that takes himself too seriously.

Re:Not all user agents support the File API

[bearded_yak]

Actually, spoken as someone who uses and supports a number of industrial and consumer operating systems and is tired of fanboyism on all sides. The Mac zealots and the Windows drones are just the most public of the stick-the-fingers-in-the-ears crowd.

Anybody who totally discounts the usefulness of any major OS seems, to me, intensely closed-minded. I couldn't live without any one of the six different operating systems I use, and I would never substitute one of them for the other, because they all have their strengths and purposes. And to use a completely non-OS topic as a platform to spew OS bigotry just happened to hit my buttons yesterday.

Then again, I myself am off-topic, so I guess I'm just as bad.

Mega vs. Dropbox

[tepples]

So if it's online file storage with no search, then what makes it any different from, say, Dropbox or SkyDrive or Google Drive, other than that Mega offers a lot more, well, megabytes? (50,000 for Mega vs. 2,000-odd for Dropbox, assuming a reasonable number of rewards earned)

Re:Mega vs. Dropbox

[Blue23]

Dropbox, like any service that has servers based in the US, could have everything seized fairly easily. Or just turn it over to a proper law enforcement request, like their TOS stipulates. Given the antagonistic relationship between Kim Dotcom and US law enforcements, Mega would probably would resist much harder. That's got to appeal to some.

hears a lever crank

ROFL

Google Chrome only?

"While other browser vendors are still struggling to implement the full spectrum of HTML5’s functionality, Google Chrome has it all - today. To enjoy MEGA's full power (such as automated batch up - and downloading), we strongly suggest abandoning your current, outdated browser and upgrading to Chrome as soon as possible."

That's with Firefox nightly.

Re:Google Chrome only?

[peawormsworth]

does chrome support a master key for website login credentials yet? Or are they still promoting the lie "a master key provides users with a false sense of security"? Otherwise, although Chrome may be more advanced in some ways, it is a very "open" and thus insecure option who perfer to use login passwords that cannot be remembered inside our head... ie: strong passwords encrypted with weak memory passphrases.

Let us remember...

[blahplusplus]

... american corporations and their complaint criminal government have no credibility. Any society that allows such insane acts to be passed over and over again is not a country who's laws and businessmen should be taken seriously.

http://en.wikipedia.org/wiki/Copyright_Term_Extension_Act

Re:Let us remember...

[blahplusplus]

"Is it really insane folks?"

Yes it is. Why can't I repair games or get access to source code? Why don't videogames and their source-code and art assets go into a library (being a cultural work like books)? I could go on and on about all the people who's ability to create and solve problems are constrained by such criminal laws.

The current laws are merely rent seeking protectionist conservative nanny statism for corporations. Anyone who disputes this is naturally not very bright.

In economics, rent-seeking is an attempt to obtain economic rent by manipulating the social or political environment in which economic activities occur, rather than by creating new wealth.

And what is copyright? Government enforced monopoly pushed by big business. How is preventing people from using non-scarce ideas a good idea over the long term? You can't justify it at all rationally. You're creating huge amounts of inefficiency because it puts up barriers to creativity and problem solving by anyone who is not fairly wealthy.

Re:Let us remember...

If you have no business interest and just want to consume shit, you don't really have skin in the game. Why should copyright be shortened just for entertainment purposes? That is insane.

I'll pay $80,000+ in PERSONAL taxes alone this year (nevermind the additional taxes as a small business part-owner).

I'm funding the military and diplomatic regime that asserts ever-expanding IP rents across the globe.

I got fucking skin in the game, it was peeled off me, asshole.

Re:Let us remember...

[guttentag]

... american corporations and their complaint criminal government have no credibility.

I'd like to file a slashdot-compliant complaint about your misspelling of the word compliant in your complaint.

Re:Let us remember...

You seem to have forgotten what copyright was meant for. It was the right to copy after giving the content creator the opportunity to earn money from his content. However, big media have corrupted governments so much that it has become the opposite, and often the content creator himself doesn't even benefit from it because he had to sell his rights in order to make a buck at all.

Re:Let us remember...

[DNS-and-BIND]

Wow, did you actually just say "anyone who disagrees with me is stupid"?

Maybe you're not as smart as you think you are.

Re:Let us remember...

[blahplusplus]

"Maybe you're not as smart as you think you are."

Or perhaps you're incapable of understanding that not all opinions are created equal and yes there are some issues that are pretty cut and dry, like software repair. Not to mention orphaned works which cannot be updated because the source is allowed (by law) to be confiscated / lost / destroyed. It's a special kind of insanity that allows such wasteful bullshit.

So yes people who disagree and say software repair shouldn't be allowed are in fact stupid.

Re:Let us remember...

[metrix007]

He has a valid point and since you seem to have a kneejerk reaction to that phrase while being unable to understand his argument, it is your intelligence that should doubted, not his.

Re:Let us remember...

The "source code" of books (the writers notes and research) is not avalible to you when you buy a book and you do not get the blue prints for a car when you buy it. You do get the program code (which is the same as the finished book or the built car) for the game when you buy the game, just learn assembler.
What needs to be fixed is the reverse engineering laws. Anything you buy you should be allowed to take apart and modify as you wish. (This is NOT the same as getting the blue prints for everything you buy)

Re:Let us remember...

[tehcyder]

Why can't I repair games or get access to source code?

Because they're not yours?

Why don't videogames and their source-code and art assets go into a library (being a cultural work like books)? I could go on and on about all the people who's ability to create and solve problems are constrained by such criminal laws.

Why don't all economic assets go into a library that everyone's allowed to access according to their needs, and contributes to according to their abilities?

Seriously. If you want a free and equal communist society, it should apply to everything, not just digital files. There is nothing special about them, whatever people on slashdot might like to think. A $100m Hollywood movie is not in any sane sense a "free" piece of culture, any more (or less) than a $100m yacht, plane or house.

Re:Let us remember...

[tehcyder]

You seem to have forgotten what copyright was meant for. It was the right to copy after giving the content creator the opportunity to earn money from his content.

Copyright means that the content belongs to the author, and he is allowing you to copy it under his terms and conditions, generally involving a payment, but also limiting your ability to change the ending of a book, for example, or palm it off as your own.

Re:Let us remember...

[tehcyder]

So yes people who disagree and say software repair shouldn't be allowed are in fact stupid.

It's good that there's at least one (essentially trivial, but still...) area of human experience that is completely black and white, and on which everyone can agree.

If we keep this up we'll soon have world peace, an end to hunger and a cure for cancer!

Re:Let us remember...

[blahplusplus]

Look software licensing is fine when you apply it to things like say CAD software (for when the company is still in business) but it breaks down for videogames which are products people own and use. The idea that copyright *as it exists for games* makes any kind of sense is bullshit.

Re:Let us remember...

[blahplusplus]

"Because they're not yours?"

Why isn't the game I've bought mine? This is the whole fucking problem with people like you on slashdot. You can't understand the law was passed by criminal assholes IN THEIR FAVOR and having taken advantage of public ignorance and illiteracy. You would never accept not being able to repair your car or having your cars functionality taken hostage over the internet (needing permission to use a product YOU HAVE PAID FOR) or having your game broken/compromised like modern software is. (i.e. shutting down centralized servers for say halo 2 PC because asshole corp stopped making dedicated servers people could own and use to play their games whenever they like).

Companies use laws to remake society so there is no 'free market' anymore they can use government lackeys to take away your rights, period just because they have all the money and even without government (if your a small government moron), you then have the problem of a government not strong enough to enforce the laws. (aka the law has no teeth because the government has no resources to stop criminal corporate behavior).

There is this ridiculous double standard where you side with assholes and criminals just because you grew up with laws that were always there instead of asking whether they were made patently unfair to begin with because no one would understand the kinds of problems it would cause for many other people.

wrong

they will acquire the keys the same way they goto torrent sites and become members, then with said encryption keys YOUR PWNED
and mega says in there terms that they come after the user for there legal fees.
YA thats the way to instill me with confidence to use that....

Re:wrong

[icebike]

Why would MEGA know your encryption keys?
Why would you give them to anyone?

Re:wrong

[tehcyder]

Why would MEGA know your encryption keys? Why would you give them to anyone?

Oblig xkcd.

Re:Google Chrome

Yes, seriously.

MEGA needs some advanced HTML5 JavaScript APIs to be able to work effectively, and so far only Chrome and IE10 have implemented them in a release version yet (and IE10 has a memory leak in one).

http://caniuse.com/#feat=filesystem

"Mega doesn't know what you're uploading"

[rsmith-mac]

Mega doesn't know what you're uploading... but they definitely care. Ad impressions will pay regardless of whether content is legitimate or not, but just like Megaupload their paid subscriptions (starting at 10EUR/month) will only sell if there's illegal content on the service.

Re:"Mega doesn't know what you're uploading"

Some businesses might use it. Say you need to get 100MB to/from your customers within the hour. What do you use? Email typically doesn't work for that.

Dropbox etc might be too insecure (go explain to a typical customer how to use encryption on top of dropbox). If the Mega UI is easy enough for my customers to use then 10EUR/month is nothing for a business.

I also wonder if pirates were really paying for the old megaupload service - most of them want free stuff so why would they pay? Maybe other people with illegal data to shift might be using their service, but legitimate businesses were also using it.

Re:"Mega doesn't know what you're uploading"

[peawormsworth]

Mega doesn't know what you're uploading... but they definitely care. Ad impressions will pay regardless of whether content is legitimate or not, but just like Megaupload their paid subscriptions (starting at 10EUR/month) will only sell if there's illegal content on the service.

Thats highly speculative. Besides in most countries, sharing owned content with people you know is not distribution and not illegal. Your country may have convinced you that what they decide is legal is also moral. But reality to share is to be human and compasionate. Massively distributing content to strangers is more murky. In either case, there is value and reason for their service. Specifically for those who would like to bipass the closed group of profit sucking distribution companies. For example, those selling content they own directly to consumers. 50GB is nothing to sneaze at and encryption isnt so bad either. I like what they are trying to do and I dislike what happened to them in the past. I wish this company success, because I think massive consumption and sharing of legal content will drive the value of illegal content down to a price people are willing to pay for through legal channels.

Re:"Mega doesn't know what you're uploading"

[tehcyder]

I think massive consumption and sharing of legal content will drive the value of illegal content down to a price people are willing to pay for through legal channels.

I believe you meant:

I think massive consumption and sharing of illegal content will drive the value of legal content down to a price people are willing to pay for through legal channels.

If you don't want to pay the price for something through legal channels, don't fucking buy it. Contrary to what your friends at school may tell you, you are not entitled to anything you want for whatever price you feel like paying.

If movie companies are charging too much for buying a copy of their movies, people should stop buying copies. Simples.

There is no piece of music, film, TV or anything else that it will do you any harm not to consume. There are plenty of other, free, cheap or simply better alternatives to anything that is pushed out by the big copyright holder organisations.

Re:Uses for Mega

[DanielRavenNest]

I have plenty of use for a service like this, for:

* Offsite backup of my content creation and personal files. I have a backup external drive at home, but it's nice to have another copy offsite.
* Distributing technical data, which is all open-sourced. My home PC is bandwidth limited and not turned on all the time.

Note that with his distributed hosting, he can get along with a small number of users. It would just mean using fewer hosting providers to match the demand.

Is there a standalone app?

[grahamsaa]

I really have no interest in just uploading or downloading files through my browser. When this was announced I heard that they were going to support mounting / folder syncing, but I'm not seeing anything like that yet. Am I missing something?

Re:Is there a standalone app?

[RedHackTea]

https://mega.co.nz/#developers
As far as their future (at bottom), it looks like they'll just be developing this for the browser, but the API appears to be fully open for developers.

Re:Is there a standalone app?

According to their FAQ they intend to support this in the future. But access to their servers is done through HTTP and JSON, and the CRUD functions map to a subset of POSIX filesystem API. so it should be possible to make a FUSE driver for Linux or a synced folder implementation for any platform.

Right now their site only really fully supports desktop version of Google Chrome, less complete support for other major browsers, and no mobile platform apps. But because their service is written in unobfuscated Javascript on their site and doesn't seem to rely on any hidden moving parts, I expect we'll see more apps show up pretty quickly. I am excited, this service actually seems to be competently constructed.

Re:Is there a standalone app?

[X.25]

I really have no interest in just uploading or downloading files through my browser. When this was announced I heard that they were going to support mounting / folder syncing, but I'm not seeing anything like that yet. Am I missing something?

Windows "virtual drive" thingie will be coming soon.

I also expect quite few new tools being developed in coming weeks/months, by 'outsiders'.

Re:Is there a standalone app?

[tehcyder]

You're missing the obvious point, which is that Megaupload was successful because it was easy to use and popular with illegal filesharers whose whole idea of the internet is their web browser, and for whom BitTorrent is too much like hard work.

Kim Dotcom didn't make millions by providing niche FTP alternatives to nerds.

DDoSed

[MouseTheLuckyDog]

Someone told me that it is being DDoSed. All I know is that I can't get it yet.

Re:DDoSed

Try to access with https://

Re:DDoSed

[MouseTheLuckyDog]

Oh the embarassment.

back to "how secure can it be if it's deduped"

from their TOS : "Our service may delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service"

http://cl.ly/image/3E1c260l1w2F

This is secure / plausibly deniable how, exactly, if they're capable of deuping across accounts?

Re:back to "how secure can it be if it's deduped"

so add a nfo file
and it wont be the same
gee do i need to teach you to be a pirate, did you learn how to use a spoon form mommy?

Re:back to "how secure can it be if it's deduped"

[OdinOdin_]

dedupe doesn't need to understand what the data is only that the data is identical. so now the 2 copies of data they make are now shared by 2 or more accounts (for that block allocation unit at least). The likelihood of duplication occurring however is small, as any cryptographic file storage system when reformatted by the same user to store inside exactly the same data will have completely different encrypted data. This is due to the session key and block perturbation scheme.

I can only think that this is a clause to cover some kind of legal angle maybe due to the way someone else might claim gained access to your (private) data, when really all they did was have access to an encrypted block of data that both you and the other guy happened to upload that happened to be identical. With copy-on-write when one of you changes that block of data you would presume the system unshares the data. The most obvious case for deduplication would be blocks of zeroed data.

Re:back to "how secure can it be if it's deduped"

[SuricouRaven]

Making a wild guess, they might be keeping the hash of the unencrypted file. That way if someone else tries to upload the same file they can still detect it, and just supply a link to the already-encrypted file.

Re:back to "how secure can it be if it's deduped"

But they don't have the encryption key. Not having the encryption key is a crucial part of their plausible deniability defence against hosting copyright infringing files. And if they don't have the encryption key they can't point someone at another copy of the same encrypted file since the user won't have the encryption key to decrypt it.

Re:back to "how secure can it be if it's deduped"

No my mom is dead.

My Dad taught me to use a spoon.

Re:back to "how secure can it be if it's deduped"

[kiddailey]

If you go to a download page for a file, you will see that they have 2 options: download, or import into your Mega account.

I suspect that importing into you account will simply create a reference rather than duplicating the file.

Re:back to "how secure can it be if it's deduped"

When they respond to a dcma notice they must take down a file. So a pirate would need to upload it again. That can be a slow process. To avoid that, the pirate could upload a file that is not shared, and then copy that to an acount that is shared. Mega would no need to actually copy anything in that case. And after a dcma takedown it would take seconds to make a new copy from the unshared file.

Re:back to "how secure can it be if it's deduped"

It could all be done in the browser, i.e.: You paste a link which contains the key as part of the hash (not sent to server)

The Mega web-site loads some HTML, which can extract the hash and then do the decryption in the browser as the file downloads.

i like breaking the search

now it makes it really really really hard for hollystupid or anyone for that matter to screw around
AWWW did he make it safer to use?

now why do they do this
"We keep records of IP addresses used to access our services."

Do I have this right?

"I Kim am not going to prison for you pirates again but the process have gained me some powerful insight. Take heed, we're logging user info and will sell you out if necessary just like ALL other legit cloud services. The encryption means we can't see your shit so we're not responsible and thus don't care what you store here. No hashing a db and files disappearing mysteriously. Unlike those other services, we’re warning you in plain English instead of confusing legal jargon; use tor, a disposable email address, prepaid CC, fake name and strip identifying metadata from all content if you plan on using this service for shady purposes. Enjoy and welcome to Mega!”

So, it won't be the Megaupload of old but will make for a good sneaker net alternative or, as difficult as it might seem to accept, a legitimate and safe service for your private and public data.

Deletion of duplicate files

[HighlyIrregular]

They mention in their TOS that they retain the right to delete duplicate files when more than one user uploads exactly the same file, which is sensible of course. But can anyone tell me how they can do this if they don't have the encryption key?

Re:Deletion of duplicate files

Seems like it would be easy enough to create a checksum prior to encryption that is stored specifically for this purpose.

Re:Deletion of duplicate files

[MouseTheLuckyDog]

Yes but then how do you decrypt the file if it was encrypt with a different key. More likely they mean same post encryption.

Re:Deletion of duplicate files

[HighlyIrregular]

Seems like it would be easy enough to create a checksum prior to encryption that is stored specifically for this purpose.

That was the only method I could think of. Suddenly your files aren't quite so private. If the code is open source, it will be possible to see if this method is used though.

Re:Deletion of duplicate files

If you encrypted two identical files with the same encryption key wouldn't you end up with two identical encrypted files? That wouldn't require a checksum nor decryption.

Re:Deletion of duplicate files

hashsums compared with database along with with the encrypted data?

Re:Deletion of duplicate files

Yes, but if everyone is using the same encryption key, the protection is gone.

Re:Deletion of duplicate files

I just checked this and discovered two identical files encrypted with the same key are not the same (tried it with GPG on my home machine). So it looks like a pre-uploaded checksum would probably be required.

Re:Deletion of duplicate files

[Bitsy+Boffin]

Nope, doesn't work, think it though

User A uploads file encrypted with his keys, and hash of unencrypted file
User B uploads same file encrypted with his keys, and same hash of unencrypted file

Mega sees hash are same and deletes User B's file, linking to User A's
... time passes ...
User B downloads the file.... now what? User B doesn't have A's keys, he can't decrypt it. Mega doesn't have A's keys, they can't decrypt it for him. There is no way for B to get the decrypt the file.

I would say that particular item in the terms and conditions is either;
1. a mistake, added in by a lawyer copy-pasting
2. referring to duplicate encrypted files, if somehow the same file is encrypted with the same keys, by 2 people who both upload it (or 1 person gives the pre-encrypted file to another and they both upload it), then that's possible.

Re:Deletion of duplicate files

I can only see two scenarios for this:

1. they really mean filesystem block-deduplication like ZFS does. No security risk here, it may be less compressible than knowing the data, but if they have a zillion terabytes of data it would still save a ton of space.

2. The service has a dropbox facility so that others can securely send you files unauthenticated. they do this by having your browser create an RSA keypair, and a person that wants to send you a file first has to encrypt the file using your RSA key. Depending on how this encryption is done, it may be possible to de-duplicate files inside a single user's dropbox without them ever knowing the contents. They could not deduplicate the same file across different users though.

Re:Deletion of duplicate files

[mwissel]

If they'd do it that way, then all prosecutors would need to do is to compute checksums of copyrighted material and check it against this database. Comprises the whole concept of the client-side encryption, therefor I would suspect this is not what they are referring to in the TOS.

I could imagine that it pertains to shared files not being kept seperately in two accounts but only linking to the same encrypted container - then the decryption keys would need to be shared too of course.

Re:Deletion of duplicate files

If user As and user Bs encrypted files are bit for bit exactly the same, wouldn't the key work in either case? If you have 2 files that are identical, but encrypted with a different key, you would no longer have identical data.

For example, I just rar'd a test file (non-lossy data) with some passwords. Same source file, used the same password for both files. Results in identical files (excluding date/time stuff, etc). Do the same test with the same source, use a different password for each, I now have 2 different files.

The only way user A and user B could have intermingling files in the first place was if all the data (source AND key) was completely identical to begin with.

Is my thinking wrong?

Re:Deletion of duplicate files

[Bitsy+Boffin]

The only way user A and user B could have intermingling files in the first place was if all the data (source AND key) was completely identical to begin with.

Exactly.

Posters previously were suggesting the mega client may hash the file before encryption, and submit that along with the encrypted file. If you hash the same unencrypted data twice, you get the same hash so you can identify the duplicate files without knowing the contents.

But I pointed out in the post you replied to, that it doesn't mean you can just ditch one of the encrypted files and substitute the other, because the encrypted files are, as you correctly understand, absolutely dependant on the key, which only one of the parties will have.

So, in other words, the de-duping, either doesn't happen (lawyer insertion into the terms by mistake), or it's only to cater for a VERY limited circumstance where somebody encrypts/uploads the same file, with the same key, which, is extraordinarily unlikely --- unless the two uploaders have previously exchanged the key(s) between themselves.

Or maybe a mega developer just didn't quite think his plan through far enough ;-)

Re:Deletion of duplicate files

No I think this refers to an idea I had when I saw this thread. Assume unlimited storage space, so it is cheap to store 10 copies of a file. Set up a separate server that is a "dupeset manager" ("DM") to manage the set of identical copies. User 1 uploads a file X to mega and tells DM where it is, but never posts the link anywhere else. DM periodically makes dupes of X in mega. User 1 asks DM to generate a link for posting it somewhere, and if the link ever dies (is deleted from mega) DM can automatically or on demand create additional dupes in mega. If DM started out and made 10 dupes from the start, a later dupe can be vivified when an earlier one dies, but also they can be used to for traffic analysis (posting a different link or alias to different sites can tell you which are being tracked). The problem of different keys does not come up because DM manages the keys. Anyway, having DM upload a new file (perhaps slightly modified so hash is different) when a link is killed in mega is fine but create 10 or 100 copies of the same file is going to use too many resources. Of course you could run DM on your own machine but having a safe DM in some untracked country will make it harder, though not impossible, for traffic analysis to link to your ip.

Re:Deletion of duplicate files

data deduplication at the storage level

Re:Deletion of duplicate files

[maxm]

If a file is copied on their internal network between users they can basically just make a softlink. Pirates can also have a secret stash and then copy from that to a public acount. So after a dcma takedown they just make a new "softlink" from their private stash to the public account. Naturally they will need security when they make the public acount.

Re:Deletion of duplicate files

retaining the right to do something is not a claim that they are able to

Re:Deletion of duplicate files

Alternatively the key for the file can be a function of the file itself. Thus if A encrypts the same file as B then they both have the same key for that file. This of course has the drawback that an encrypted file can be matched to an unencrypted file and so A can no longer deny having the file if B accuses them removing one of the reasons for the encryption.

Re:Deletion of duplicate files

[coofercat]

Could it just be that if you upload the same file twice that it deletes the second one?

As others have said, it would seem impossible to do this across users, although I suspect you might be able to do it at the block level. It's possible the TOS wording was lawyer-speak for "we'll use block level dedupe", or it could be included to insulate Kim Dotcom from future legal issues about deleting illegal content.

Re:Deletion of duplicate files

[jedwidz]

And it should be possible to use a hacked Mega client that lies about the pre-encryption hash.

Re:Google Chrome

[RedHackTea]

Works fine for me on Opera.

I have quite a lot of legitimate data

[symbolset]

This looks like a good service for me. Reasonable prices and strong encryption, universal cloud access. Heck of a deal. And it won't hurt my feelings to support the cause.

And geo-load-balanced, too!

[Rob_Bryerton]

I seem to be connected to the Utah facility.... it's very fast!

Re:And geo-load-balanced, too!

[TheP4st]

Anything but fast for me, my 138 KB test file have been uploading at a whopping 0 B/s for the last 12m30s. Originally I started out with a 700MB file and had the same experience and thought that it might have been due to the size but apparently that was not the case.

Re:And geo-load-balanced, too!

Pretty much same for me--started with 41GB file which went nowhere. Cancelled that, and my 2MB test file has been languishing for 8 minutes now. If the "status indicator" is to believed, it keeps going one step forward and two steps back at dial-up modem speeds.

Comcast

[onyxruby]

On Comcast they appear to be blocking uploads to the website. I can access and interact with the site but all uploads are completely blocked.

Re:Comcast

Same behavior here, but not comcast. I assume it's because the site is being hammered.

Re:Comcast

[Rob_Bryerton]

I'm seeing the same thing in Charlotte, NC on Time Warner. Not sure where the blockage is, or if the upload service is completely overloaded...

Re:Comcast

Uploads blocked in Portland, OR. Comcast?

50 GB?

[DogDude]

50 GB? I know this guy's famous, but other than that, is there any other reason I should care? I measure my storage in TB, these days. 50 GB is only about 10 movies (or less).

Re:50 GB?

[s1lverl0rd]

I highly doubt that your internet connection is fast enough to make good use of terabytes of cloud storage.

Re:50 GB?

Oh, so where do you store your TB of encrypted files on the internet for free?

Re:50 GB?

[countach]

Last I checked, Dropbox gives you 2gb free, so 50gb free is pretty impressive, yes.

Re:Uses for Mega

[drolli]

backups: you heard about amazon glacier, did you?
hosting: you heard about dropbox,amazon s3 or any other provider you like?

Not Encrypted?

"8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data."
If they can determine exact duplicates of original data your data is not encrypted. (by modern definitions.)

Re:Not Encrypted?

What if each file was encrypted using its own hash as the key?

Two people upload the same file. They both generate the same hash and, therefore, the same encrypted blob. They each store the hash locally or encrypt it with their own key and store it on the server.

Re:Not Encrypted?

> Two people upload the same file. They both generate the same hash and, therefore, the same encrypted blob.

They would NOT have the same encrypted blob since they will use different private keys to encrypt. I can understand how Mega can detect sameness if the hash of the unencrypted file is known to them. But I do not understand how they can use an existing encrypted file of someone else in place of the new one since the downloader will need public keys of the original to decrypt than the one the second user would have privately shared with.

I am not a crypto expert. Any explanations are welcome.

Re:Clever

[crankyspice]

Sounds a lot like the "willful ignorance" that Aimster tried to pull off, and got smacked down for. https://bulk.resource.org/courts.gov/c/F3/334/334.F3d.643.02-4125.html

Site is down

I'm on comcast.
What garbage.
Still up for you guys?

Piracy accusations vs common carrier defense

[Morgaine]

Sounds more like an acknowledgment that, 'Yes, we KNEW we were hosting pirated binaries before, but now we're much more clever at it".

They know full well that this is just a fight between vested interests, with no a priori right or wrong (if you see an inherent right or wrong it's because you've already picked a side).

What we're witnessing here is the next skirmish in the copyright wars: "You play the piracy card, we play the common carrier card".

Re:Piracy accusations vs common carrier defense

I'm looking forward to Kim Dotcom being the first actual casualty in the copyright wars. Next time, they should send in the New Zealand SAS and make sure he doesn't walk out alive from his house if he tries to resist. Although I don't suppose they could do a burial at sea like OBL, as it would cause a tsunami.

Re:Clever

No, it's really not their job to police their users. These greedy companies think they guy force everyone to do their dirty work for them and occasionally send DMCA notices (which are easily exploitable and prone to mistakes). Disgusting. I don't care what the law is; that's disgusting.

Here in New Zealand we love him

Because he is a guy who takes from the rich and gives to the poor.
And New Zealand economy is totally not dependant on movie production
And our guys at Weta Studios totally love to work for free and see fruits of their labor stolen.
Pass me a TUI, will ya?
A criminal dick with good PR is still a criminal dick and I for one would love to see his criminal fat arse thrown to jail or deported.

Re:Here in New Zealand we love him

[skaag]

And how exactly is Kim related to the stealing of movies? After all, files can be saved anywhere. He is not the only person offering a file sharing service.

Ultimately, the thieves are people who rip movies and distribute them to others for free or worse, for a fee! I don't remember Kim dotcom ever being accused of ripping and distributing movies for a fee?

There are double standards here: Just like the Gun industry is not held responsible for lunatics killing innocent people with guns, file sharing providers should not be held accountable to the actions of people sharing recipes of how to build your own uranium enrichment facility, or the latest LOTR movie.

Re:Here in New Zealand we love him

Ultimately, the thieves are people who rip movies and distribute them to others for free or worse, for a fee!

Neither of those sound like thieves, actually.

Javascript-infestd site

[aNonnyMouseCowered]

The old Mega-Upload did use Flash for some functions, such as directories for multiple file downloads. I believe the architecture was up- or downgrade, take your pick, to Javascirpt just before the Big Raid.

However, what made the old Mega a popular download site was that it was perfectly possible to download using simple non-browser based tools, including the commandline hacker's download manager of choice, wget. And Mega's files where infinitely resumable, even across different IP addresses even using the non-paying downloaders. You just pointed wget to the new URL, and assuming the remote and local file's name are the same, wget resumes the partially downloaded file.

Few file hosts now allow this functionality for free users.

yeah, right

[Tom]

If Mega just takes down all the DMCAed links, it will have a 100 percent copyrighted material takedown record as far as its own knowledge is concerned.

Yeah, right. Because judges are stupid and fall for even the most transparent and obvious front. *facepalm*

You'd think his n-th run-in with the legal system would've made him a bit smarter. I feel sorry for the next bunch of naive folks he'll take down with him when they bust Mega and folks lose their data again.

Bullshit, technologically not possible.

[elucido]

If it's using public key cryptography then there is no way for it to be a honeypot. The prive encryption key determines the security of your files and the public key determines who can access your files. PKI.

Re:Clever

[Tom]

No, you are missing the GP's point.

The legal system doesn't fall for these lame attempts at "hack the law". They've been dealing with creative interpretations, weasel-wording, finding-of-loopholes and everything else we techies think we're masters of for more than two milennia. Ourt "brilliant hacks" are barely worth a yawn in the area of law.

GP is completely right. A judge will look at this and basically say "dude, seriously?". The prosecution will have to prove its case, sure. But Kim and most techies think that's a problem of mathematics, and by adding a tiny variable of unknown value to the equation, they can make it impossible to solve.

But that's not how the law works. At all.

Disclaimer: I'm a techie, not a lawyer. But through business I've had more then ample contact with the legal system, including many court cases.

Just encrypt yourself prior to upload then.

[elucido]

But encrypting by them makes it secure for THEM.

Are you the copyright police?

[elucido]

It sounds like you're reading from a script buddy. How much stock do you own in Disney?

Already under SSL surveillance

[skaag]

It appears the "powers that be" are already working on hijacking SSL traffic to mega.co.nz judging by the SSL errors I'm now getting. They must have some major SSL decryption hardware if they plan on routing and decrypting all SSL traffic of files uploaded to mega.co.nz.

Because remember, they don't need to inspect what's on mega's storage if they successfully inspect & grab the files that people upload, in order to catch "t3rr0r1sts" in "the 4ct".

But for people like me who just store family photos and backups of word documents, it's a great service, and with 50 gigs of space, that's absolutely fantastic. I just hope Kim manages to make money from this so that the project won't succumb under the weight of a flawed business model.

Re:Already under SSL surveillance

[Kalriath]

Or, more likely, it's just flakey as fuck. What would you expect from Australians?

Re:Already under SSL surveillance

[tehcyder]

But for people like me who just store family photos and backups of word documents, it's a great service, and with 50 gigs of space, that's absolutely fantastic.

Yes, but (assuming you're not stupid enough to pay Mr Dotcome any money) you're not really the core of his business model, are you?

Takedown notices

All you have to do is find the link sites, which will contain both the links and the keys. Public will be easier, but don't doubt they wont worm their way into private sites too.

Get enough files to convince a judge its worthwhile, and here we go again. Or they can still take him down due to hassle, like was done last time.

They can't even see they are photographs

[SuperKendall]

Will they steal my photographs again?

Since as stated all the files are encrypted, they can't do anything with your photos.

Now we need a mufs

A kernel module for the mu filesystem anyone?

Neither a good example

[SuperKendall]

glacier, dropbox, s3

None of those encrypt your data by default.

MegaUpload does so automatically.

Sure you can encrypt yourself and store to S3 but it's just simpler to use a pre-packaged solution, and it seems to make sharing only fragments of things easier (for instance how would you upload a whole tree of data to S3 but share only one subdirectory while leaving the other directories unable to be accessed, without requiring complex authentication?).

Re:Neither a good example

[dj245]

glacier, dropbox, s3

None of those encrypt your data by default.

MegaUpload does so automatically.

So does Crashplan. But with Crashplan I can find a buddy in another part of the country who I actually *trust* and swap encrypted deduplicated backups with them automatically. And why stop with just one buddy? I have over 2TB of mirrored local storage, but the irreplacable files are only about 200GB. If I play the "I give you 200GB of backup space for your 200GB of backup space" I can have backups all over the place for free and without trusting people who have a habit of having their servers seized. Crashplan friend backups are FREE.

I use the Crashplan paid cloud backup too, but I would not have bought it if it had not been dirt filthy cheap on Black Friday weekend. Its OK but transfer speeds to friends are faster. If I can't renew it next year at the filthy cheap price I won't be renewing.

Re:Neither a good example

[SuperKendall]

But with Crashplan I can find a buddy in another part of the country who I actually *trust* and swap encrypted deduplicated backups with them automatically.

If you trust them why are the backups encrypted?

I don't need to back up with a friend. I just need a reliable backup. And I trust a real datacenter to do that far more than any friend, who like me is simply not going to have 100% uptime (or even close) on all the computer equipment they own.

Crashplan is fine but what if you also want to share some of those files openly? Frankly I see MegaUpload as a great cross between CrashPlan and S3.

I'd bet Dropbox is still better at synching directories across systems though (don't think MegaUpload does that?)

Re:Neither a good example

If you trust them why are the backups encrypted?

The other guy's computer could still be stolen, or hit with a virus that uploads files.

Crashplan is fine but what if you also want to share some of those files openly?

So share them from your computer. Why would you expect your friend to have to share them from his?

As for me, when I needed to send about 150 jpegs to a customer, to show work I had done, I set up an acount on adrive.com, uploaded the photos, and sent an email with directions on logging in and downloading the files. They had requested the photos be emailed, but I doubted that their email server would allow the attachments.

PS. Captcha is Chromium, which happens to be my favorite of the Elder Dragons.

I don't get it.

Why in the holy mother mary of dump sites does anyone Even Care about these services if you need access to your files on the road any crap linksys that does vpn can get you into your own network and thus your files..,

Re:I don't get it.

Yeah hard to get for those living in it's own holy candy world. Many many too many people has 20:1 dl/ul adsl or worse. With 320kbps uplink on your network if lucky your on the road linksys vpn won't do shit.

Re:I don't get it.

[Jmc23]

and if you're traveling for months or have no fixed address? Also, what a waste of energy, you should be ashamed of yourself.

backdoors

[sugarmotor]

Are backdoors like with hushmail (at least technically) possible?

Hushmail To Warn Users of Law Enforcement Backdoor: http://www.wired.com/threatlevel/2007/11/hushmail-to-war

Encrypted E-Mail Company Hushmail Spills to Feds: http://www.wired.com/threatlevel/2007/11/encrypted-e-mai

Re:backdoors

[icebraining]

They actually cover that in their Help:

What if I don't trust you? Is it still safe for me to use MEGA?

If you don't trust us, you cannot run any code provided by us, so opening our site in your browser and entering your password is off limits. If you still want to use MEGA, you have to do so through a client app that was written by someone you trust.

So, yeah, it's possible if you use the site.

Re:backdoors

You would need to define 'backdoor', look even if you had access to the storage it would mean nothing to you.
https://mega.co.nz/#developers Ref: 1.4 Cryptography

[...] symmetric cryptographic operations are based on AES-128 [...] Ok no big deal there, DES replacement! but then it goes on.. [...] cipher block chaining mode randomly generated 128 bit keyplus a 64 bit random counter start value and a 64 bit meta MAC In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. [...]

Then it all falls down; ... encrypted with a hash derived from the user's login password. (So this is the weakness but its at YOUR end)

So basically they have covered all their bases as, there is no way that they can know what you have uploaded to their Storage. Meaning that, well in theory that they can'y be liable! Like a giant encrypted cloud or apparently random data. LOVE IT!

Technical details?

[manu0601]

Do we know what distributed filesystem they are using? Is it a special purpose development, or did they reuse some software?

Re:Clever

[countach]

If the only reason for the technical measures is to get around the law, then sure. But that's not really the case here. Anyway, nobody will know till it hits the courts.

Re:Clever

Hey, no offense, but I don't trust anyone with a 3 digit user ID.

Re:Google Chrome

[EricJ2190]

I understand that it may benefit from features in Chrome, and it is fine that they want to let me know. What bothers me is that it is calling my browser "outdated" just because it doesn't support their favorite draft HTML5 feature. It comes off to me as more of a Chrome advertisement than a helpful notification.

Re:Clever

[thej1nx]

Let us argue it this way. US Govt is responsible for preventing crimes/murders/corruption etc. across the nation. People *still* commit those. Have any bureaucrats been jailed lately for *others* committing such acts? Better still, we all know that it is possible to outright buy senators and thus laws, via lobbying, leading to corruption of the entire US democratic process. Has the senate or any of the CEOs of lobbying corporates been jailed for such acts? It is interesting how one party can be made "morally responsible" for actions of others and punished, and people get brainwashed with THAT argument, while turning a blind eye to EXACTLY the same stuff pulled off those in power. If you argue that mega somehow has a responsibility for actions of others, then so do our senators. Since they want extra-ordinary powers like the PATRIOT act, and a super-bloated budget, it follows that a single incident of someone still managing to sneak in on an airplane with explosives, should similarly result in everyone who votes for the laws and budgets being prosecuted with similar over-zealousness. Accepting this kind of hypocrisy is precisely why your "freedoms" in USA, are the mess they are today. And worse, you are exporting the madness abroad with your IP/trade treaties etc.

Re:Clever

[thej1nx]

Problem here is that you will have to outright ban encryption to solve this problem. Here is a PERFECT analogy. Let us say you run a private company that provide lockers storage space at subways/bus stops etc. This is being abused by drug cartels to store drugs. A case may be made that since it is your company's property, it is your duty to go and check each and every locker periodically for drugs etc.and you can be held responsible(just because police/govt thinks your business is a nuisance for them). Will you be willing to go to jail in this case, for actions of the users of the said lockers? Or are you arguing for empowering the govt. to shutdown any business that are not technically illegal, but are "inconvenient" for them and their "sponsors"?

What exactly is the difference between a public lockers providing company and what mega is doing? Via encryption, they have made their business exactly like public lockers. If you think they are doing something illegal, you will have to ban public lockers too, since they are providing an identical service.

You might not be a lawyer, but as a techie you are expected to utilize your brain a bit. And you are expected to know that a bought judge can be made to rule whichever way you want, and it will have nothing to do with actual justice and having fair and just laws.

Nazi claws vs. Swiss claws

[jjohn_h]

>>> The Swiss Bank Account model is also what allowed jews in Germany to keep some of their family fortune out of the claws of the Reich.
  Is that so evil? >>>

State your reply after considering that those accounts went then into Swiss claws, they were lost anyway.

Re:Nazi claws vs. Swiss claws

[Lucky_Norseman]

>>> The Swiss Bank Account model is also what allowed jews in Germany to keep some of their family fortune out of the claws of the Reich. Is that so evil? >>>

State your reply after considering that those accounts went then into Swiss claws, they were lost anyway.

If Death had asked each jew killed in a camp: DO YOU WANT YOUR MONEY TO GO TO THE NAZIS OR TO ANYONE ELSE? The answer would in 99.999 % be "anyone in the whole world except the nazis"

And that is ignoring all those who either were able to get away earlier or who managed to survive. They got their money back.

NoScript goes insane with this site

Do you trust them? Will you run all this code on your computer?

https://eu.static.mega.co.nz/
https://mega.co.nz/mobile/
https://mega.co.nz/json.js
https://mega.co.nz/lang/
https://mega.co.nz/.json
https://mega.co.nz/functions.js
https://mega.co.nz/countries.js
https://mega.co.nz/rsa.js
https://mega.co.nz/base64.js
https://mega.co.nz/hex.js
https://mega.co.nz/mouse.js
https://mega.co.nz/keygen.js
https://mega.co.nz/extjs/ext-all.js
https://mega.co.nz/cleartemp.js
https://mega.co.nz/crypto0001.js
https://mega.co.nz/swfobject.js
https://mega.co.nz/user0001.js
https://mega.co.nz/upload.js
https://mega.co.nz/download.js
https://mega.co.nz/filedrag.js
https://mega.co.nz/lang.js
https://mega.co.nz/jquery.min.js
https://mega.co.nz/tool.js
https://mega.co.nz/filetypes.js
https://mega.co.nz/pages/top.html
https://mega.co.nz/pages/topl.html
https://mega.co.nz/pages/chrome.html
https://mega.co.nz/pages/investors.html
https://mega.co.nz/pages/investors.js

https://eu.static.mega.co.nz/mobile/
https://eu.static.mega.co.nz/json.js
https://eu.static.mega.co.nz/lang/
https://eu.static.mega.co.nz/.json
https://eu.static.mega.co.nz/functions.js
https://eu.static.mega.co.nz/countries.js
https://eu.static.mega.co.nz/rsa.js
https://eu.static.mega.co.nz/base64.js
https://eu.static.mega.co.nz/hex.js
https://eu.static.mega.co.nz/mouse.js
https://eu.static.mega.co.nz/keygen.js
https://eu.static.mega.co.nz/extjs/ext-all.js
https://eu.static.mega.co.nz/cleartemp.js
https://eu.static.mega.co.nz/crypto0001.js
https://eu.static.mega.co.nz/swfobject.js
https://eu.static.mega.co.nz/user0001.js
https://eu.static.mega.co.nz/upload.js
https://eu.static.mega.co.nz/download.js
https://eu.static.mega.co.nz/filedrag.js
https://eu.static.mega.co.nz/lang.js
https://eu.static.mega.co.nz/jquery.min.js
https://eu.static.mega.co.nz/tool.js
https://eu.static.mega.co.nz/filetypes.js
https://eu.static.mega.co.nz/pages/top.html
https://eu.static.mega.co.nz/pages/topl.html
https://eu.static.mega.co.nz/pages/chrome.html
https://eu.static.mega.co.nz/pages/investors.html
https://eu.static.mega.co.nz/pages/investors.js
https://eu.static.mega.co.nz/pages/chrome.js

I doubt this will help

[terec]

Last time around, Dotcom also seems to have been legally safe, in theory. Yet, US prosecutors still managed to wreck his business. I'd be surprised if this technical detail would stop them.

Re:Clever

[Tom]

Problem here is that you will have to outright ban encryption to solve this problem.

You're thinking techie again, not legalese.

The law is quite familiar with seemingly shizophrenic approaches. For example, they have an odd thing that is neither OR nor AND nor XOR - a lawyer can claim that his client wasn't even near the crime scene at that time, but if he was he didn't do it, and if he did then he was intoxicated and not in his right mind. He can claim all of these three as true at the same time, and nobody in the courtroom will even raise an eyebrow, except for the techie whose brain has just shut down with a long list of logic errors.

What exactly is the difference between a public lockers providing company and what mega is doing?

The difference is that the law deals with humans and motivations, something you ignore entirely. If I were to set up that locker company, the case would probably be shut down. But if a formerly convicted criminal who is currently on trial for drug deals did it, and if he had made a public statement basically saying "only our company uses opaque steel doors instead of the glass doors other companies use, so even we won't know if you store, say, drugs, in them, hint hint" he would very likely be convicted if there is even the slightest bit of evidence.

And that can easily be done without making lockers illegal. It's how the law works. I've been in enough court rooms to understand that a judge will judge the particular case in front of him. Only the high courts consider the broad implications of their judgements, for good reasons. And you would be surprised how capable these people are. Kim and many techies is guilty of arrogance. You, too, seem to think that only geeks have brains. Most of the judges I've met were very smart people who can easily blow a big hole into your whole circumvention scheme.

Never forget that these people meet someone new who had a brilliant idea to get away with his crime every week. It's like your lawyer friend coming to you and saying something like "I've had this brilliant idea yesterday. Your web application you've been complaining about, it would run so much faster if you only ... (insert old idea you've heard 1000 times before here)".

Re:Clever

[johanw]

That's a US sentence, Dotcom will certainly never go to the US out of his free will. I don't know what the law in New Zealand says about this.

FUSE module?

Provide a FUSE module, and this will take off.

Mega.co.nz is down?

[firecode]

Cannot access mega.co.nz from Finland.

Traceroute seems to get all the way to the target IP thought.

Re:Mega.co.nz is down?

[icsx]

Read the story next time

Controversial file storage tycoon, Kim Dotcom, is launching his new encrypted cloud storage site MEGA in the U.S. tomorrow (note: link not currently active.)

mega.co.nz SSL protocol error.

"Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."

Why care about the DMCA?

[wvmarle]

They deliberately keep all their stuff outside the US. The DMCA is a US internal affair.

It's quite sickening that the US considers their laws and regulations to apply to the rest of the world, so much that even people with no links to the US consider themselves bound by those laws.

will be outlawed

won't be long before someone works out terrorists could use this and new laws will appear to prevent it. It's simply not responsible to have unmonitored private communications between random people in the world. Same reason I never published my ultra-fast billion-bit encryption scheme - some things you just don't want in the wrong hands.

Re:Clever

[joelville]

It's more, a numbered Swiss bank account for bytes with ATMs worldwide.

Re:Google Chrome

I'm using Opera 12.12 and I'm getting the same message from the site pushing Chrome.

Re:Clever

[tehcyder]

What exactly is the difference between a public lockers providing company and what mega is doing?

If the authorities found drugs (or whatever illegal thing you choose) in the lockers 99 times out of 100 they checked them, they would have a very good case for closing down the public lockers providing company.

I've heard the phrase "plausible denial" bandied about by Kim Dotcom. He appears to think this means "as long as there is some not-actually-impossible explanation for something, everyone has to accept it's true". Well, they don't.

If the police raid a house and find hydroponic equipment, special lights wired directly into the mains supply, blacked out windows, scales, bundles of cash and the rest, they are going to work on the assumption that they have found a marijuana farm whose contents have just been shifted. If as the owner of the house your defence is "I was just growing rare orchids, which on a whim I sold yesterday to an eccentric collector on a gram by gram basis, who has now disappeared to North Korea" no one's going to say "oh, all right then". Especially if you've already been convicted of drug dealing.