Kim Dotcom's Mega Fileshare Service Riddled With Security Holes
twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's preprocessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.
Servers located where? (Score:2, Insightful)
"Security folk have also flagged problems with the fact that Mega uses a web browser to send encryption information, opening avenues for attackers to intercept keys by breaking SSL or by commandeering Mega's servers, some of which are said to be located in the United States."
Err, hang on... I could swear I read a while ago that the whole point of all this was to have servers that are OUTSIDE of the US?
What's going on here?
A grain of salt (Score:5, Insightful)
While it seems likely that Mega's encryption is not exactly the crème de la crème of crypto implementations, I have also read some pretty dubious assessments of its cryptography, for example the review at Ars Technica which spreads more FUD than facts. Or take the claim in one of the above articles that the FBI is probably already typing their search warrants, which ignores the fact that this time not a single server is located within the US.
Perhaps some writers on tech news sites fear for their ad revenues?
preprocessor?? (Score:5, Insightful)
I expect this means "predecessor". The editors are actually paid in money to click "submit" without reading or understanding the articles?
Re:Isn't Some of this Stuff Sort of Nitpicking? (Score:4, Insightful)
He's starting to rub me the wrong way as a sort of attention whore
No doubt. The man legally changed his name to Kim Dotcom. That's not attention whoreish at all...
/sarcasm
All about deniability (Score:5, Insightful)
Re:Isn't Some of this Stuff Sort of Nitpicking? (Score:5, Insightful)
Because *everyone* loves a good reality show or celebrity meltdown. We all love to live vicariously, but different people choose different targets.
Thus, the Slashdot Demographic follows Dotcom, McAfee, etc... the way the rest of the world follows the Kardashians, or Paris Hilton, or Lance Armstrong, or whatever their personal flavor of the month is.
Re:Security hole 1, Kim Dotcom (Score:5, Insightful)
But that's the point. If they can in theory, then the site is not secure.
If they can in theory, then they can be forced to do so by a court order. Capture your password the next time you log in, decrypt your keys, then decrypt your files. If the courts can compel Mega to deliver unencrypted files as evidence, then the site is useless.
No one really gets it (Score:5, Insightful)
The security does not have to be good. The purpose of Mega is to disable the RIAA and MPAA's abilities to see what is shared.
It doesn't matter how bad the encryption is. If the MPAA or RIAA break the encryption on Mega's files they are violating the DMCA plain and simple.
Mega is using the RIAA and MPAA's weapons against them.
Re:Kim Dotcom (Score:5, Insightful)
Did the person who wrote the second half of that sentence ever read the first part? Because the first part of your sentence says exactly what the lesson was, and Dotcom trying again is evidence that he did learn it.
False alarm (Score:4, Insightful)
It's frequently wrong to assume malice when getting sloppy in a rush to deliver explains everything.