Slashdot Mirror
Software Developer Says Mega Master Keys Are Retrievable
hypnosec writes that software developer Michael Koziarski has released a bookmarklet
"which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."
Unless Im misreading it, this can be summarized as follows:
* Coder has discovered that, in order to encrypt data, your computer must have access to the encryption key
* Further, if someone has root access to your machine, they can get your encryption key.
Wow. What a discovery.
MEGA and anyone else with access to your computer can see this, and use it to decrypt any file you upload.
Wait, someone with access to my computer has access to things that my computer has access to? WOW!
The issue is that it's 'conceptually possible' for Ubuntu to ship a package in the base system that uploads your keys to Canonical's servers. I can give you a script that you run on RHEL and it'll show decrypted ssh, ssl, and gpg keys (if you've entered the password). I can put a package on your system and show that RHAT could put a modified gpg that logs all your shit and passwords and everything to their server. And so on.
This isn't a vulnerability. It's like saying it's conceptually possible for a thief to steal your car after you've put the key in the ignition.
Support my political activism on Patreon.
the guy is a self-aggrandizing scam artist and charlatan
However, if he wore a suit with tie and had not only fullfilled DMCA requests (which he always did) but also had proactively given away his customers data to any US authority and private copyright holders like the RIAA without any real legal basis and had additionally given money to the two leading US parties, he'd be considered quite a decent fellow in the US now. In other words, while he never did anything else than Google and thousands of other companies, including US ones today, he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now. He doesn't act the way you are expected to act as a rich entrepreneur with a serious business. Such misbehavior is usually sanctioned. They even wondered whether they could turn an inflatable tank he had in his garden into some kind of evil plot, but didn't manage to find the right legal angle to it...
Regarding trust ... well, at least New Zealand law cannot force you to install backdoors and lie to everyone about it, but of course you cannot trust any closed source company with data security. Encrypt on your own before storing something on Mega and you're fine.