Kim Dotcom's Mega Fileshare Service Riddled With Security Holes

twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's preprocessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.

Alert

Clearly he is helping the FBI set up a honeypot in exchange for his freedom.

Isn't Some of this Stuff Sort of Nitpicking?

[eldavojohn]

The SSL encryption being used on Mega appears to be 1024-bit encryption, which can be broken with far greater ease than 2048-bit encryption viewed as best-practice amongst experts.

Isn't this kind of nitpicking? Isn't the solution to this like changing a value in your configuration or properties files on both sides and watching performance drop a bit? I guess when you have that many users sign up at the drop of a hat, you're expected to have unblemished perfection available for all. But I don't really see this "riddled with security holes." Instead I'd say "needs improvement before you trust it with anything important." As a software developer, I'm prone to give people a break but I guess if your site isn't prepared to be hosted at DEFCON you're fodder.

I mean, some of these points are valid like I have no idea why you would choose to do this in JavaScript but I guess if you want it to run entirely contained within the browser you don't have much choice unless you start to get into platform specific things like nacl.

Sort of offtopic but why are we following this so closely? I mean, I understand he's challenging world governments by doing this again but do we have to watch every little step and misstep of Kim Dotcom? He's starting to rub me the wrong way as a sort of attention whore. The longer his fifteen minutes of fame last the bigger embarrassment he's going to have in the 24 hour news cycle's circle of hate. Ugh, and his name is something straight out of Idiocracy ... did he try to change his first name to "The Bomb" but was blocked by the TSA? :-)

Re:Isn't Some of this Stuff Sort of Nitpicking?

[Dins]

He's starting to rub me the wrong way as a sort of attention whore

No doubt. The man legally changed his name to Kim Dotcom. That's not attention whoreish at all...

/sarcasm

Re:Isn't Some of this Stuff Sort of Nitpicking?

[DerekLyons]

Sort of offtopic but why are we following this so closely?

Because *everyone* loves a good reality show or celebrity meltdown. We all love to live vicariously, but different people chose different targets.
 
Thus, the Slashdot Demographic follows Dotcom, McAfee, etc... the way the rest of the world follows the Kardashian's, or Paris Hilton, or Lance Armstrong, or whatever their personal flavor of the month is.

Re:Isn't Some of this Stuff Sort of Nitpicking?

For the longest time I thought Kim Dotcom was a woman. I mused that perhaps she is an ex-pornstar? So I wasn't surprised or bothered by the blatant attention whoring. Then I saw his picture and... I remain deeply troubled.

Re:Isn't Some of this Stuff Sort of Nitpicking?

[hpoul]

The man legally changed his name to Kim Dotcom

btw. has anyone an idea how/where he "legally" changed his name? most german sources still refer to him as "kim schmitz", and i have found nothing which states if he changed his name in germany or finland (as it seems he has both citizenships) .. the german wikipedia entry only refers to the name saying "In Neuseeland tritt Schmitz unter dem Namen Kim Dotcom auf" - does this mean he simply used a wrong name when entering NZ, or did he change his name in NZ, but not in finland/germany?

Re:Isn't Some of this Stuff Sort of Nitpicking?

[fermion]

No, because it is promoted as a secure site that protects the users privacy. If we promoted as a place where users could get 50GB free space and there was an effort using various means to provide some insurance that user data was protected that would be different. One thing we have learned is that free data storage is seldom secure.

The point of the story is to shore up the idea that many of us have had. That the encryption is not intended to to one's data secure, or to insure privacy, but to provide a means by a arms length relationship between Mega and the data that user upload. This may force any future legal battles to be between right holders and individual uploader, not right holders and mega. If you wonder what the benefit of that is to Mega and uploader, just think of how corporations hate class action lawsuits.

But the damage occurs if users believe that the site is secure and private, so upload valuable information that Mega could later, through a change in the terms of use, mine or sell. Or some may use the site as the primary depository of data, then lose access to the data through the muddled security.

This is an interesting topic because many believe security is easy. That I can put 100 combination locks on a door and make it 100 time more secure. That I can advertise a product 'uses 4096 Bozo military grade encryption', plug a product that uses this encryption into the software, and automagically have a more secure product that uses 1024 bozo encryption.

Re:Isn't Some of this Stuff Sort of Nitpicking?

[NoSleepDemon]

One likes to be ridden while high, the other likes to ride while high, and the third is just a skank.

Re:Isn't Some of this Stuff Sort of Nitpicking?

[Terrasque]

ALL of it is nitpicking, or just plain out wrong.

Lemme see, SSL part. Well, main site use 2048 bits, and the JS on that page loads and verifies all other resources. And file upload / downloads are already encrypted before SSL even touches them. So that point is completely moot.

And the "Mega server could send bad code" is already covered in Mega's own FAQ - well,duh. I doubt it comes as a shock to anyone.

As for the deduplication, I don't know. But there are ways to do that (like using file content hash as encryption key, for example - no idea if they actually do this - or just try to dedup the actual encrypted content. There is a (well, small) chance that two encrypted files have same data in a block). We just don't know, and making wild assumptions from it is .. just wrong.

Also, Mega does in fact NOT use JS random function. It use time sampling from user generated events, with RC4 as mixing function.

The whole article is just stupid. It makes wild assumptions, doesn't understand how (parts of) the site works, repeat things the site already informs users about, and are just plain wrong on some parts.

Is this yet another troll article by some attention hungry ad pushers?

Re:Isn't Some of this Stuff Sort of Nitpicking?

[Terrasque]

Dedupe update:

"Deduplication is done based on the entire encrypted file and only happens if you either upload the same file encrypted with the same key twice (unlikely) or if you copy or import an existing file in your file manager (more likely)."

I was saying something about wild assumptions... Yep..

Re:Isn't Some of this Stuff Sort of Nitpicking?

[Terrasque]

You haven't read their own FAQ I take it?

They're actually upfront about threats to the user's security.

Is my stored data absolutely secure?

All security is relative. The following attack vectors exist - they are not specific to MEGA, but we want you to know about the risks:
Individual accounts are jeopardized by:
- Spyware on your computer. A simple keylogger is enough, but session credentials and keys could also be extracted from memory or the filesystem.
- Shoulder surfing. Do not type your password while someone could watch your keystrokes.
- Password brute-forcing. Use strong passwords.
- Phishing. Always confirm the security status of your connection (https://) and the correct domain name (mega.co.nz) before entering your password.

Large-scale attacks could be mounted through:
- A "man in the middle" attack. Requires issuing a valid duplicate SSL certificate in combination with DNS forging and/or attacks on our BGP routes (a DigiNotar-style scenario).
- Gaining access to the webservers hosting https://mega.co.nz/index.html and replacing that file with a forged version (this would not affect access through the installed app base). Note that manipulating content on our distributed static content CDN does not pose a security risk, as all active content loaded from index.html is subject to verification with a cryptographic hash (think of it as some kind of "secure boot" for websites). This type of attack requires sending malicious code to the client and is therefore detectable.
- Gaining access to our core server infrastructure and creating forged key requests on existing shares. This type of attack only affects data in shared folders and is detectable on the client side as well.

What if I don't trust you? Is it still safe for me to use MEGA?

If you don't trust us, you cannot run any code provided by us, so opening our site in your browser and entering your password is off limits. If you still want to use MEGA, you have to do so through a client app that was written by someone you trust.

Doesn't that look pretty reasonable? What more do you want them to do? They created a pretty impressive webclient-driven easy-to-use file locker system, and they clearly spell out the problems with that approach.

Many of the article's points are pretty moot, btw. It does not use JS random function, they have extra verification for the 1024 bit SSL encrypted data, and the deduplication only works for shared files ("copy to my locker" functionality is mentioned - same data, same key, same place on the storage servers).

The part about mega.co.nz being able to send malicious code stealing your password is explicitly mentioned in their FAQ, and in a better way too. They even cover other attack vectors the article didn't.

They made a decent system, and they're upfront and honest about it's limitations. The article is at best FUD.

Re:Isn't Some of this Stuff Sort of Nitpicking?

[Tom]

Isn't this kind of nitpicking?

I'm not sure. The difference between 1024 bit and 2048 bit is that 2048 bit is this times as much as 1024:

17976931348623159077293051907890247336179769789423065727343008115773\
26758055009631327084773224075360211201138798713933576587897688144166\
22492847430639474124377767893424865485276302219601246094119453082952\
08500576883815068234246288147391311054082723716335051068458629823994\
7245938479716304835356329624224137216

(had to split it up due to the lameness filter. doh!)

There isn't even a name for this order of magnitude. When cryptographers say that "1024bit can be broken with far greater ease than 2048bit", that is the understatement of the year. For comparison, the number of atoms in the observable universe is estimated to be around:

10000000000000000000000000000000000000000000000000000000000000000000\
000000000000000

I have no idea why you would choose to do this in JavaScript

Because Javascript is inherently insecure for cryptography. Never do any serious crypto in Javascript. Unless you want it to be broken.

but do we have to watch every little step and misstep of Kim Dotcom? He's starting to rub me the wrong way as a sort of attention whore.

And that's exactly what he is. He's playing /. and everyone else in a bid of either a) selling them out to the FBI - again (he's done it before, check his history) or b) getting out of his current predicament thanks to publicity and public pressure.

Ugh, and his name is something straight out of Idiocracy ... did he try to change his first name to "The Bomb" but was blocked by the TSA? :-)

No, he's an attention whore. His actual name is Kim Schmitz. He's from Kiel, a small northern german city less than a hundred miles from where I live. He left Germany after a criminal conviction and because the hackers and geeks here had caught on to his game and he was widely despised.

Servers located where ?

[xushi]

"Security folk have also flagged problems with the fact that Mega uses a web browser to send encryption information, opening avenues for attackers to intercept keys by breaking SSL or by commandeering Mega's servers, some of which are said to be located in the United States."

Err, hang on.. I could swear I read a while ago that the whole point of all this was to have servers that are OUTSIDE of US ?

What's going on here?

A grain of salt

[aaaaaaargh!]

While it seems likely that Mega's encryption is not exactly the creme de la creme of crypto implementations, I have also read some pretty dubious assessments of its cryptography, for example the review at Ars Technica which spreads more FUD than facts. Or take the claim in one of the above articles claims that the FBI is probably already typing their search warrants, which ignores the fact that this time not a single server is located within the US.

Perhaps some writers on tech news sites fear about their ad revenues?

Re:A grain of salt

[hcs_$reboot]

Talking about Ars, there is an interesting article about Mega encryption

Re:A grain of salt

[Terrasque]

Update : Regarding the random source, this is the code they use, and it's from this project. It use mouse and keyboard events (not all, math.random is used to decide which ones), with rc4 as mixing function.

And it seems to be running since page load (started in crypto0001,js) - AES function is from Stanford Javascript Crypto Library btw, and RSA code is from this project.

preprocessor??

[1u3hr]

"... Megaupload, Mega's preprocessor."

I expect this means "predecessor". The editors are actually paid in money to click "submit" without reading or understanding the articles?

Re:preprocessor??

[coldsalmon]

They're using Megaupload as a preprocessor? Clever - that way there's no copyright infringement at compile time.

Re:preprocessor??

[tgd]

"... Megaupload, Mega's preprocessor."

I expect this means "predecessor". The editors are actually paid in money to click "submit" without reading or understanding the articles?

Your reply generated another ad view.

The editor's job was done.

All about deniability

[Melakh]

Who cares if you can intercept the private encryption key (not often you get to say that) - seriously, noone with a brain is going to be uploading sensitive data to Mega and expecting them to take care of it. There are no multinationals sitting in the wings waiting to outsource storage of their customer's credit card numbers to Mega. This is just supposed to be Megaupload minus the ability for the recording industry to demand all copies of the same file get deleted and minus the ability for the FBI to be able to ask Mega a question and get an answer about what's stored.

Re:All about deniability

[Tom]

You should care.

One, if what the idiot co-founder said in the update is true, Mega can decrypt your data. Which means their deniability just died and they will be on the hook, which means they are very likely to give your data to law enforcement in order to get out of everything.

Two, a fantastic and fairly neutral german article outlines the impact on the markets and musings on some more philosophical backgrounds. The TL;DR version is that Kim is pretty much the same as the banksters we want to see in jail for the financial crisis - he takes an artificially scarce commodity he doesn't own (data in his case, money for the banksters) and creates a mechanism through which it gets artificially inflated (sharing / bubble of complex financial products) with the purpose of making a profit for himself, ignoring the devastating effect that inflation has on the base value for small market participants.

Or if even that is too long for you: Kim will make money, big musicians, movies, etc. won't really care, small artists and smaller movies will suffer.

As much as the truth hurts, but if you want to support small artists, then iTunes does more for them then Mega will. You'll need to do a bit of research to verify that, but it'll be enlightening. I applaud the Pirate Bay for realizing their effect and trying to undo it with their recent initiatives.

Re:Bullshit

This is waht it looks like. The same thing has never been said about rapidshare, uploaded, bitshare, dropbox or sugarsync, and Mega hasn't realy been out yet, has already about a million registered users, and it already is the target of a disinformation campaign that no other service has been subjected to date.

It does smell fishy and it looks like Kim DotCom does scare some people.

Re:Meh

[GameboyRMH]

http://www.i2p2.de/bittorrent.html

Re:Security hole 1, Kim Dotcom

[sunderland56]

You can encypher your data before uploading on *any* site. At that point they are all equally secure. Kim's claim was that Mega was more secure by design.

However, the claim is completely broken. Mega is using a public/private key pair - generated by the web site - and so their servers actually *do* know both your keys, and *can* decrypt your data. So, basically, it is no more secure than dropbox.

Password overuse

There is a global shortage of passwords as we have reached peak passwords. It is time to find alternative ways to secure our security.

Re:Security hole 1, Kim Dotcom

[IRWolfie-]

According to http://arstechnica.com/business/2013/01/megabad-a-quick-look-at-the-state-of-megas-encryption/ it uses javascript. Which would be client side.

Re:Security hole 1, Kim Dotcom

[nschubach]

It says on their developer page:

This master key is stored on MEGA's servers, encrypted with a hash derived from the user's login password. ... In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key.

According to that, the keys are stored on the server, but it's encrypted with a hash of your password... I understand that all they would have to do is store the generated key somewhere and have full access to all your files if they wanted. I'm not debating that.

The part I'm trying to figure out is:

The cryptographic integrity of MEGA's user data is important to us. We can therefore not allow you to distribute or make available your client application without going through us. We will perform a code audit of your product and promote/distribute it on our site.

So they want full access to the source of your client "to ensure the integrity of MEGA's user data" but for some reason I keep reading that as though they know the properly coded application could damage their site.

Re:Security hole 1, Kim Dotcom

[sunderland56]

But that's the point. If they can in theory, then the site is not secure.

If they can in theory, then they can be forced to do so by a court order. Capture your password the next time you log in, decrypt your keys, then decrypt your files. If the courts can compel Mega to deliver unencrypted files as evidence, then the site is useless.

Re:Meh

[V+for+Vendetta]

Size aside - it's not like there aren't (client-side) encrypted services out there already: Spider Oak or Wuala, for example.

No one really gets it

[JWW]

The security does not have to be good. The purpose of Mega is to disable the RIAA and MPAA's abilities to see what is shared.

It doesn't matter how bad the encryption is. If the MPAA or RIAA break the encryption on Mega's files they are violating the DMCA plain and simple.

Mega is using the RIAA and MPAA's weapons against them.

Re:Kim Dotcom

[Sloppy]

I was shocked to learn how much money this guy made the first time around...I suppose he hasn't learned his lesson.

Did the person who wrote the second half of that sentence, ever read the first part? Because the first part of your sentence says exactly what the lesson was, and Dotcom trying again is evidence that he did learn it.

False alarm

[davidwr]

It's frequently wrong to assume malice when getting sloppy in a rush to deliver explains everything.

Re:Security hole 1, Kim Dotcom

[ThatsMyNick]

Wait, I take that back. The private key is indeed stored on the server. So the only thing it, sort of, prevents is mass analysis of data (assuming they dont pull data analysis on the client side)

Re:Security hole 1, Kim Dotcom

[decourl]

Nevermind where the keys are generated. Obviously all of the pertinent keys are stored server-side. How else can you move to a new computer and still access all of your data with just your Mega login and password? Basically your password is the key. And the password security is abysmal. During signup, the confirmation link that they send you contains a hash of your login password, among other things. There is a password cracker program freely available that will recover your password from this hash value in a matter of a short while. Obviously they have all of this information stored (they're the ones who sent you the confirmation email, they're the ones who validate your password day-to-day when you login). So their claim that they can't access your data or be compelled to turn over your data is just nonsense. The encryption is basically a toy because it's designed incorrectly. It's not just FUD.

Re:Security problems? surely you jest!

[spire3661]

Because the other side isnt constantly moving to goal posts? IMHO any work that doesnt fall back into the public domain as the law was written when the work was created is FRAUD. Save your righteousness for people who deserve it.

Re:Security hole 1, Kim Dotcom

[fuzzytv]

Not true. Have you actually checked the code, or do you just repeat the nonsense mentioned on many sites?

I haven't done a thorough analysis of the code / traffic so far, but from what I've seen so far the key is generated on the client-side using this Javascript, namely SJCL (Stanford Javascript Crypto Library). For example this is the keygen: https://eu.static.mega.co.nz/keygen_0.js, this is the RSA implementation https://eu.static.mega.co.nz/rsa_0.js and so on. Once the key is generated on client, the private key is encrypted with the user's password (which is also kept on client-side only), and this (public and encrypted private key) is sent to Mega server. On the next login the server sends the encrypted key (after some initial handshake, described in the developer docs) and the key is decrypted on the client-side again.

Please, explain to me how the server knows both my keys, how can they decrypt the data?

Obviously, there could be a malware, or they could send the password to the server, but let's suppose that's not the case.