MEGA is a new, encrypted cloud storage system founded by [Kim Dotcom] of MegaUpload fame. They’re selling privacy: the company won’t have the means to decrypt the data its users store. As with any software project, their developers are rapidly making improvements to the user interface and to the secure underpinnings, but it’s fun when we get some insight into possible security problems. It sounds like the issue [Marcan] wrote about has already been fixed, but we still had a great time reading his post.
The post focuses on the hashes that the site’s JavaScript uses to validate code it loads from non-SSL sources. Those sources are a CDN, so some verification is needed to make sure that a compromised third-party network can’t be used as a stepping stone into the MEGA site. The problem is that the hashes were computed with CBC-MAC. [Marcan] asserts that this construction is not adequate for the job: CBC-MAC is a keyed MAC, secure only for fixed-length messages under a secret key, whereas here it stands in for a public hash, so the key necessarily ships with the verifying JavaScript. He goes on to post a proof-of-concept showing how a message can be forged while retaining a hash that validates as authentic.
[Thanks Christian]
Didn’t understand anything of that post, this goes beyond my realm of expertise.
good to know
Now I’m curious as to what your realm of expertise IS… maybe catching seals with your hands?
/polarbearjoke
It is very strange living in New Zealand with all the Kim Dotcom stuff happening.
The simple fact is that if you really care about your data security on someone else’s server, you have to encrypt it yourself. Also use multiple layers of encryption with different long passphrases; long is better than good! You should also encrypt everything you can, important or not. That way any attacker has to spend time without knowing what they are going to get.
Agreed. Anyway, Mega is not really interested in security, they only want to cover their asses.
Quite.
When Mega matures and allows you WebDAV or equivalent functionality, the only thing that will matter is the free 50GB. They could even drop the encryption, unless they need it to paper their arses with.
The two big questions are whether that is a viable business model, and whether NZ’s small number of international Internet links will be able to cope, assuming the Kiwis can stay away from their beer’n’barbies long enough to notice.
“cover” their arses, I think you meant!
But yeah. Basically Kim wants to run a giant piracy site, without being held legally liable. Having everything properly encrypted should cover that.
File sharing’s how he made his money, it’s what he’s good at and all he needs to do.
File sharing sites are very useful. I just worry that this is setting up a fight between the little-known right of people to use encryption, vs the enormous Hollywood $$$ that inevitably get thrown at these things. Like Sony’s rootkit proved, media barons are not honorable or ethical people, it’s strictly and massively about enormous sums of money.
Putting that against the public’s rights and interests will be a difficult fight. The media industry like to steamroller through cases like this, then salt the earth afterwards, just in case.
The public don’t really know or care about encryption. And will easily believe it’s just something for hackers and paedophiles. Especially if the media tell them that.
I worry the laws about all this kind of stuff are being made too quickly and without enough insight. All of these laws will become a hundred times more important in years to come. Governments are allowed to change their minds on mistakes. They just tend not to ever do it.
I tried to set up an account using my @Outlook email. It won’t accept it; I never get the validation email. Works for Gmail just fine, go figure??
Check the spam folder it probably got filtered.
Options > More Options > Safe and blocked senders > Safe Senders
Add hostmaster[at]mega[dot]co[dot]nz to the list.
Try setting up an account again, now you’ll receive the validation email instantly. I almost went nuts for two days because of that, after having set up an account with a gmail address in less than 5 minutes.
Good work once again Marcan.
Incredible. I *just* narrowly grasped his explanation, but understood enough to realize the flaw. I hope Marcan gets some job offers after this post! Or a raise!
This is only funny if you know where they got the developers from…
Using an insecure padding generator is just idiotic and boring…
By the way, it’s funny Kim Dotcom is considered a hacker because he contracted developers years back to do BHSEO and spyware..
Do you some learnin’
http://www.wired.com/threatlevel/2012/10/ff-kim-dotcom/all/
@Le Samourai: Make me look like an idiot by showing me stuff on mega-upload.. take your own advice kiddy…
You’re making Dotcom sound like an over-celebrated script kiddie while he is clearly a brilliant/slightly devious person. Give the guy some credit.
Also, you are the fastest reader evar.
FYI: He was rich before he started doing marketing around file hosting and none of it was based around programming or electronics, except sales in some cases…
One of his old partners was a weapons dealer for the Russian mafia… still is actually
But then again so is george hotz and others who mostly represent the work of Russians…
What the &^#@! is the URL for this MEGA site?
https://mega.co.nz
Which is also the first search result on Google for “mega”.
Let’s see how long this lasts for!
I like how obvious it is that file host business models are based around piracy, and the only thing governments can enforce is cease and assist…. imagine if there were complex problems…