Disclaimer first: I just translated this article from German to English, because I personally believe it is relevant to everybody cruising the internet these days. I don’t want to take credit for it in any way and just hope it is more accessible to the non-German community this way. The original was licensed under CC-BY-NC-SA and so is this.
We took a look at the brand new MEGA platform, worked together with somebody who has a really good understanding of computer security, and tried to find answers to the most pressing questions.
Is MEGA really secure because of its encryption?
MEGA claims that only the user holds the key to a file. MEGA states in its Terms of Service that nobody without that private key can access the files, and that it keeps no copy of the key, because the key is generated inside the browser. There is an ongoing debate about whether this is a good idea, because the key used for encryption and decryption comes from the same source as the file. This technique is just a good start, nothing more: the cryptographic routines can be manipulated through man-in-the-middle or cross-site scripting (XSS) attacks, and last but not least by MEGA itself.
And: reportedly there is such an XSS vulnerability. This means an attacker can push code through MEGA to its victim, which could then, for example, extract the private key.
Are users of MEGA protected from criminal prosecution?
No, MEGA is explicitly logging the users’ IP addresses. Based on this, users can be tracked down. Nobody is protected against official written warnings for copyright violations once user groups of unknown size get access to these files. Or in the words of Gizmodo:
One could argue Mega’s even being proactive about copyright protection that way. You’re the one sharing file keys; Mega couldn’t share your keys even if it wanted to. Mega is ostensibly a “cloud storage service.” You’re the pirate. Remember that TOS you agreed to, scumbag? Oh, and your personally identifying information like name and IP? Those aren’t encrypted. This won’t protect big-time “share it with the world” pirates. People who go around sharing links and keys at the same time are just as vulnerable as they are anywhere else.
Does MEGA offer anonymity?
No, not at all: Users are supposed to register and their IP address is being logged.
How does Kim Dotcom protect himself?
Because the files are stored encrypted, MEGA basically does not know what is on its servers. The principle behind this is called plausible deniability. In doing so, MEGA shifts all the responsibility onto the users. A smart move - first and foremost, Dotcom is protecting himself.
Will MEGA circumvent copyright for good?
Hard to say. But it is safe to say that this is an easy, user-friendly system, ready for the masses, for sharing files with other people. This in itself is a challenge for copyright, but this kind of challenge existed before MEGA.
Is the functionality of MEGA comparable to Dropbox?
Yes, their structure and user interfaces are very similar. MEGA lacks the desktop client running in the background that makes Dropbox so exciting. MEGA’s approach of encrypting files by default is good and should be adopted by cloud services in general, but then the encryption should lie in the hands of the users, too. This is the case with the Dropbox add-on Boxcryptor: it encrypts your files in a decent way - and on your own hard drive, too.
What other ways of securely sharing files with my friends do I have?
Again, the cloud is not the right place for private files. Sharing movies in small circles works (better) over Dropbox. If you encrypt the files first and exchange the key over a different channel, you are doing it right. ownCloud is another good option, in which case everything runs on your own server.
What happens, if I upload movies or music to MEGA and share them (and the key) with my friends?
This should not be a problem, as long as the circle is limited and your friends don’t pass on the links and keys. But the real fun with file sharing begins once everything is indexed and searchable. On MEGA this is only possible with users in the middle who publish download links together with the associated keys, and who thereby make themselves liable. Once the links are out in the open, it is known that the files you uploaded are protected by copyright - and MEGA has your IP, and the ToS state that they will pass it on when requested.
Should I host my private files on MEGA?
No, Kim Dotcom’s projects are considered less respectable. People who had their files on Megaupload never got them back, because everything was confiscated. Hosting private files in the cloud is not a good idea to begin with, especially with MEGA, because it is uncertain whether there is a back door in the encryption.
What are the good aspects of MEGA?
The default encryption is a step in the right direction, but in this case the implementation lacks consistency and thus can’t be regarded as satisfactory. In the realm of web-based services MEGA has come quite far, but not nearly far enough to be regarded as a solution for carefree end-to-end encryption.
Kim Dotcom the internet hero?
Kim Dotcom wants to be seen as an internet hero somewhere between Julian Assange and Aaron Swartz. This can be criticized, as Wikipedia knows:
In 1994, he was arrested by German police for trafficking in stolen phone calling card numbers. He was held in custody for a month, released and arrested again on additional hacking charges shortly afterwards. He was eventually convicted of 11 counts of computer fraud, 10 counts of data espionage, and an assortment of other charges. He received a two-year suspended sentence – because he was under age at the time the crimes were committed. The judge in the case said the court viewed his actions as “youthful foolishness.”
Translator’s note: the English Wikipedia article is lacking the most interesting fact, but it can be found on the Talk page:
According to the linked German Wikipedia article Schmitz operated mail- and voicebox systems mainly populated by hackers and phreakers. He systematically analyzed the content provided by his users in order to gain access to high quality information on hacking and phreaking. German sources make it very clear that during this time hundreds of stolen credit cards were found on his system by the police. When the German police targeted him, he decided to provide them with a vast spectrum of information on his users.
Later he cooperated with Günter Freiherr von Gravenreuth, an infamous German lawyer specialized in the Abmahnung (a very German way of generating significant amounts of money, mainly from naive kids, by sending a legally relevant letter and reimbursing hundreds of Euros of attorney’s fees in each case) of users, most of them teenagers, sharing copyrighted software. According to German Wikipedia Schmitz functioned as a decoy for von Gravenreuth in several cases. According to the article this cooperation was later one of the reasons that his two-year sentence was suspended. Nemissimo (talk) 10:45, 20 January 2013 (UTC)
Many people are interested in Kim Dotcom because of his fondness for grand orchestrations - this is entertaining in any case.
Update 21.01.2013: Ars Technica attested that MEGA’s encryption is not good. The developer of Cryptocat tweets: “Analysis: Mega can selectively disable crypto for targeted users without them noticing. Crypto also uses insufficient sources of randomness”. ZDNet also points out security problems.
John F. Nebel
John F. Nebel began writing at a now discontinued city magazine as a nightlife columnist. At Metronaut his topics are fundamental rights, freedom, surveillance, net politics, public relations and everything else he is interested in.