Slashdot Mirror
Software Developer Says Mega Master Keys Are Retrievable
hypnosec writes that software developer Michael Koziarski has released a bookmarklet
"which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."
That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.
So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.
His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.
http://lkml.org/lkml/2005/8/20/95
Unless Im misreading it, this can be summarized as follows:
* Coder has discovered that, in order to encrypt data, your computer must have access to the encryption key
* Further, if someone has root access to your machine, they can get your encryption key.
Wow. What a discovery.
MEGA and anyone else with access to your computer can see this, and use it to decrypt any file you upload.
Wait, someone with access to my computer has access to things that my computer has access to? WOW!
the guy is a self-aggrandizing scam artist and charlatan
However, if he wore a suit with tie and had not only fullfilled DMCA requests (which he always did) but also had proactively given away his customers data to any US authority and private copyright holders like the RIAA without any real legal basis and had additionally given money to the two leading US parties, he'd be considered quite a decent fellow in the US now. In other words, while he never did anything else than Google and thousands of other companies, including US ones today, he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now. He doesn't act the way you are expected to act as a rich entrepreneur with a serious business. Such misbehavior is usually sanctioned. They even wondered whether they could turn an inflatable tank he had in his garden into some kind of evil plot, but didn't manage to find the right legal angle to it...
Regarding trust ... well, at least New Zealand law cannot force you to install backdoors and lie to everyone about it, but of course you cannot trust any closed source company with data security. Encrypt on your own before storing something on Mega and you're fine.
I read this as "Sega Master System Keys Are Retrievable." I was sadly disappointed.
All those other companies gave no illusion of being secure.
Neither did Mega. They explain these very risks and others right in the FAQ and since they launched have using alternatives that do not involve trusting them. Providing a interface is a significant convenience, but you can't trust anything truly secret to a script someone else can remotely replace on a whim.