Mega Defends Its Security Practices
Dangerous_Minds writes "Recently, Slashdot posted about how cloud storage company Mega was 'riddled' with security holes. Freezenet points out that Mega has issued a response to some of these criticisms including one which criticized its use of SSL. Mega responded saying that if you could break SSL, you could break things much more interesting than Mega."
January 23rd is the date of the press release. Just... I guess that's minor compared to alleged encryption issues.
--Jim (me)
Assuming your security is good because bigger people use it and they haven't run into a problem yet doesn't mean your security is good. Also, SSL is fine; however, it isn't the end all be all in security. You don't just make it HTTPS and assume you are all good. Who actually reads data packets nowadays anyway?
I mean any basic network now uses switches over hubs, so traffic is routed more cleanly to the host system with fewer spots for you to packet sniff. Simple rookie mistakes like having your password stored in your session, where someone with access to your PC can read your memory/cache/paging file/browser history and find it, or the DB UID for your user account, are just as bad, or just a back door for your "Administrator" to gain more access.
Most developers don't really think in terms of security. That is the problem. SSL helps a little, but it isn't the end all be all.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Encrypt it locally, upload it to the site for storage only. Maybe use their whatever-it's-an-option encryption as an added layer and call it a day. Isn't that what people do with other services like Dropbox anyway?
From my iPhone when I click on the issued a response link, all I get is a page saying a dedicated app is coming soon. I view that as another failure on Mega's side.
Anyone have a summary or another link?
Very reassuring, objective, and clarifying rebuttal.
I'm not trying to be pedantic or a contrarian prick, instead I'm merely pointing out that in the US there is only one form of the word "practice".
in the immortal words of socrates, "i drank what?"
But the questionable storage and usage of certain cryptographic information.
The biggest security hole is the company itself.
They have complied in the past and they will do so again.
http://www.wired.com/threatlevel/2012/11/megaupload-investigation-roots/
Kim Schmitz himself (aka Kim Dotcom, aka Kim Jim Tim Vestor, aka kimble... I kid you not) caved in under pressure from the Feds and ratted out on the German hacker/cracker/warez/phreaker scene. In a double twist of irony he cooperated with Günter Freiherr von Gravenreuth, who in turn was a bit of a jackal.
The self-styled His Royal Highness King Kimble the First, Ruler of the Kimpire was convicted of embezzlement. Which hardly is a hacktivist crime. More of a sleazebag move.
I wouldn't argue that the Kiwi raid on him wasn't all kinds of wrong. But that doesn't make him trustworthy either. For a cause célèbre I would honestly look elsewhere.
This guy has shady written all over himself and I'd be careful about trusting him. Especially when entrusting him with evidence for things that carry a hefty penalty (justified or no).
20 minutes into the future
He's not a keyboard jockey,he's a gamer and he's gaming!!
I can't even read the blog because it force-redirects to a mobile page that just says "mobile app coming soon".
Kim - not all mobile hits are people trying to upload files.
Grrrrrr
You are an editor of an internationally renowned news aggregation service.
You mean Fark?
There are easier approaches. And even if that approach could work now even for government agencies, the user side is also open to intrusion (like Red October), and of course it is on Mega's side to do things right too. All of that before even trying to break SSL.
You would think that if you were going to reprimand someone for not using proper grammar, you yourself would learn the difference between a verb and a noun.
In the title, the term is "security practices" therefore the noun version is applied. "Mega Defends The Security It Practises" would be the verb form and makes for a terrible article title.
Now they are saying if you don't trust their implementation of SSL, then you can't trust anything on the web. That is silly. It is like saying you are just as well off banking with a stranger standing on the corner as with a well FDIC-insured bank.
I was pretty up on this new venture until all of these clearly misleading statements began to appear.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
It says "practices", which happens to be the correct form in this case. I opened this page 2 minutes after you posted that, so I'm not sure if you got them mixed up or if you called it and they fixed the error in the interim.
New global and high visibility service, without IPv6 service. The future is apparently briefly visiting the elsewhere.
Go learn
Go and learn.
(1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
From my iPhone when I click on the issued a response link, all I get is a page saying a dedicated app is coming soon. I view that as another failure on Mega's side.
Mega uses JavaScript local file access APIs to read and encrypt user-selected files before uploading them. Historically, Safari for iOS has been severely lacking in JavaScript local file access APIs. So if Apple doesn't give web application developers the proper tools to read and encrypt user-selected files, how should that be regarded as a "failure on Mega's side" rather than Apple's?
original A/C...
when a verb modifies a noun, it is still a verb.
The encryption is there for Mega to maintain plausible deniability about copyright infringement. If you want to keep something private, don't upload it to Mega. The question is not whether the encryption scheme is sound, but whether it is reasonable in court to expect a company to break encryption (and most likely laws) to ferret out copyright violations.
I was under the impression that the "request desktop site" command only changed the user agent. Even a "request desktop site" command won't make a browser implement a JavaScript object that it doesn't implement, and a lot of older browsers don't implement APIs to read local files chosen by the user.
Use them correctly, show people you're not just a keyboard jockey.
This text fragment consists of two main clauses, separated by a comma. It's not what one might generally consider to be an actual sentence. Consider using a semicolon instead.
Or, without actually delving into their JavaScript to verify their claims myself, it's correct.
I still don't like the idea of them holding the key, even encrypted. It does set it up so if a government wants to figure out what files I have, they have to get Mega to capture my key after my password decrypts it, but that's not so hard.
But that sort of thing is still significantly better than most cloud storage services.
Need a Python, C++, Unix, Linux develop
From the Mega TOS*:
"8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data."
That seems to point to deduplication -- if things were actually encrypted and the keys unknown to Mega, dedupe would be impossible.
[*] - http://arstechnica.com/business/2013/01/megabad-a-quick-look-at-the-state-of-megas-encryption/
Join the Slashcott! Feb 10 thru Feb 17!
This is similar to what I've said earlier (eerily similar, in fact..).
The issues the original article raises are either false or silly, and just glancing at the JS code could tell you that.
However, there are some other potential issues with the code I noticed, and at least one of them has proven to be a problem.
I look forward to knowledgeable people looking through the site and reporting what they find, and hopefully Mega fixing the problems found. Right now I trust them slightly more than, for example, Dropbox, for no other reason than that they need a bit of effort to get your data (and probably in a way you can notice / avoid if you're vigilant), instead of it happening by accident. Also, their whole legal and business defense rides on them not being (trivially) able to do that, so it's in their own best interest to keep things working properly.
It's The Golden Rule: "He who has the gold makes the rules."
Truecrypt or whatever you use to make encrypted file container + Dropbox or whatever doesn't force you to reupload the entire file after 1 byte change.
or if you are feeling lazy: zip with password.
When a noun is part of a noun phrase, it is still a noun.
If they can turn off the encryption then they have lost plausible deniability. This is bad for their survival if they want to be able to claim that they don't know what they have on their servers (a brilliant move). This puts everyone's data at stake as they can be sued or re-seized back into oblivion as before.
This may have been done to allow them to de-dupe data on their servers to save space as a practical logistical issue. This issue needs to be addressed above and beyond any other issues. Until Mega resolves this issue with a clear and unwavering answer that they /cannot/ see their data it is probably best not to upload anything confidential just yet.
The servers are now a single point of failure and the target of attack; this is a really big deal. Please fix this, Kim, I want to see your service succeed.
How is "security practices" a case of a noun modifying a verb? If the word "security" wasn't there, "practices" is clearly a noun, so why does it suddenly become a verb when you stick "security" in front of it?
Let's ask Google:
+"security practises" About 10,200 results
+"security practices" About 1,070,000 results
systemd is Roko's Basilisk.
"Security practises": you've got some folks, referred to as "security", practising.
"Security practices": you've got a practice, and another practice, and together they make practices.
Makes a lot of sense, though my fingers still reach for the s key instead of c in both cases. Whoops.
Go learn
Go and learn.
Actually, just go.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Practices is not a verb in this case. It is a noun.
...sensitive to the "cloud" without encrypting it first?
I'd like to see an encrypted remote file system (or at least a backup system) that transparently uses several of these free "cloud" services. I'm not going to write it, though.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
If I get a $5000 biometric lock for my door then install it horribly wrong, it's not the lock's fault. I didn't read way into the description of the flaw but it seemed to me like they just coded it like idiots and you don't need some sort of magical SSL decryptor to pull off the hack. I think, given past history as evidence, he's just a fat, stuck up, arrogant piece of shit that rushed out a crappy, half-working service to basically give the finger to the people trying to sue/arrest him and now he's trying to save face since he props up his entire ego on what he thinks people think of him and his products.
You are an editor of an internationally renowned news aggregation service. You'd think that you might learn some spelling and grammar.
Go learn how to spell the noun and verb forms of practice/practise. Use them correctly, show people you're not just a keyboard jockey.
Thanks, man. We all needed yet another good reminder that America has absolutely no monopoly on xenophobic pricks who refuse to step outside of their culture for even a second.
What is the issue here? Or are you not aware that New Zealand, the home of Mega is very early in the timezones? The day practically starts in NZ.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Never take security advice from a guy who can't read. The static content web servers use 1024 bit keys, the encryption servers 2048. So you can spend a small fortune decrypting the content on static content web servers. Wheee!
The TOS is the legally binding agreement. Anything else is a salesperson saying something to you. They may in fact mean what they say entirely genuinely, but that doesn't touch anything in the TOS. By the TOS, they've given themselves the legal framework and permissions to be doing exactly the kind of de-duplication the OP you replied to implies, and they're asking us to trust them that they are doing it by another method. Given "Kim Dotcom"'s track record, I am disinclined to give that trust, but others may. That's up to you.
That's good advice, but we're still arguing over British English on a US-centric site. In the US, it's always "practice." In the US, it's always "license." We spell offense, defense, and pretense differently. The only -ce/-se word we agree on, off the top of my head, is advise/advice.
The only -ce/-se word with different noun/verb spelling, I should have said.
Wow - I didn't know that. US spelling certainly is full of surprises.
From my reading of the Mega response, the crypto applied to the static content was to ensure the integrity of the files as transmitted, not the privacy.
They are free to add an arbitrary amount of additional integrity checking of the static files, both of the cryptographic and non cryptographic nature. I wouldn't be surprised if they already do because it is trivial and a normal thing to do.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
From my reading of the Mega response, the crypto applied to the static content was to ensure the integrity of the files as transmitted, not the privacy.
The crypto applied to the static content is, by definition, 1024-bit SSL. SSL, by definition, provides both integrity and privacy.
They are storing both private and public keys on their servers... but the private key is encrypted with my password, which they don't know. Even though they have the private key, it's protected and they can't use it to decrypt my files. That's all good. Standard. The password of my password.
However, I still can't wrap my head around the password change issue. They claim that changing my password will "re-encrypt" my private key, leaving my files still locked by the same key.... How exactly does that make my files "unrecoverable" ?
Unless they are using my "encrypted private key" to lock my files in the first place... which by itself is stupid and defeats the purpose.
If they have my private key "re-encrypted" with a new password -- and assuming I know my new password -- I should still be able to decrypt the private key and unlock the files.
If I understood this correctly, Lastpass.com uses the exact same approach and is managing fine allowing users to change their passwords.
Did anyone figure this out? I can't quite grasp what the issue is here.
Julio Henrique Morimoto juliohm@gmail.com
SSL protects the point to point link. But unless the web site requires you to have a client certificate or other security credential, anyone can download over https and see the plaintext.