
Mega Defends Its Security Practices

Posted by Unknown Lamer
from the excuses-excuses dept.
Dangerous_Minds writes "Recently, Slashdot posted about how cloud storage company Mega was 'riddled' with security holes. Freezenet points out that Mega has issued a response to some of these criticisms including one which criticized its use of SSL. Mega responded saying that if you could break SSL, you could break things much more interesting than Mega."
  • by cseg (253752) on Wednesday January 23, 2013 @09:43AM (#42669021)

    Encrypt it locally, upload it to the site for storage only. Maybe use their whatever-it's-an-option encryption as an added layer and call it a day. Isn't that what people do with other services like Dropbox, anyway?

  • by bfandreas (603438) on Wednesday January 23, 2013 @09:52AM (#42669131)

    The biggest security hole is the company itself.
    They have complied in the past and they will do so again.
    http://www.wired.com/threatlevel/2012/11/megaupload-investigation-roots/ [wired.com]

    Kim Schmitz himself (aka Kim Dotcom, aka Kim Jim Tim Vestor, aka kimble... I kid you not) caved in under pressure from the Feds and ratted out on the German hacker/cracker/warez/phreaker scene. In a double twist of irony he cooperated with Günter Freiherr von Gravenreuth, who in turn was a bit of a jackal.
    The self-styled His Royal Highness King Kimble the First, Ruler of the Kimpire was convicted of embezzlement. Which hardly is a hacktivist crime. More of a sleazebag move.
    I wouldn't argue that the Kiwi raid on him wasn't all kinds of wrong. But that doesn't make him trustworthy either. For a cause célèbre I would honestly look elsewhere.
    This guy has shady written all over himself and I'd be careful about trusting him. Especially when entrusting him with evidence for things that carry a hefty penalty (justified or no).
  • by aaaaaaargh! (1150173) on Wednesday January 23, 2013 @10:06AM (#42669327)

    Mega's response is quite reasonable and not ignorant at all. They adequately address all the incorrect claims and FUD that has been spread about their security, and do so in a timely manner.

    Your response, however, makes less sense. You say: "SSL is fine, however it isn't the end all be all [sic!] in security" Who claimed so? Certainly not Mega. They are a file storage service, not Fort Knox! (The rest of your post has nothing to do with Mega's security, so we can skip that.)

  • Just as expected (Score:5, Informative)

    by Terrasque (796014) on Wednesday January 23, 2013 @10:24AM (#42669587) Homepage Journal

    This is similar to what I've said earlier [slashdot.org] (eerily similar, in fact..).

    The issues the original article raises are either false or silly, and just glancing at the JS code could tell you that.

    However, there are some other potential issues [reddit.com] with the code I noticed, and at least one [fail0verflow.com] of them has proven to be a problem.

    I look forward to knowledgeable people looking through the site and reporting what they find, and hopefully Mega fixing the problems found. Right now I trust them slightly more than, for example, Dropbox, for no other reason than that they need a bit of effort to get your data (and probably in a way you can notice / avoid if you're vigilant), instead of it happening by accident. Also, their whole legal and business defense rides on them not being (trivially) able to do that, so it's in their own best interest to keep things working properly.

  • by jkflying (2190798) on Wednesday January 23, 2013 @10:48AM (#42669811)

    Dedupe is only implemented on a same-file-same-key basis. So if *you* upload the same file twice it will be deduped, but it won't share the data backend with anybody else.
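    The difference between same-file-same-key deduplication and content-only (convergent) deduplication, as an added illustration that is not part of the comment or Mega's code. It assumes a toy store where the dedup handle is either an HMAC under the uploader's key or a plain content hash; the keys and file contents are constructed.

    ```python
    import hashlib
    import hmac
    import os

    # Constructed sample data: one file that both users hold, one file only bob holds.
    FILE_A = b"quarterly-report.pdf contents (constructed sample)"
    FILE_B = b"holiday-photos.zip contents (constructed sample)"


    def per_user_chunk_id(user_key: bytes, data: bytes) -> str:
        """Dedup handle bound to the uploader's key: same file AND same key => same id.
        HMAC stands in here for whatever the real client derives from its encryption key."""
        return hmac.new(user_key, data, hashlib.sha256).hexdigest()


    def convergent_chunk_id(data: bytes) -> str:
        """Dedup handle derived from content only: same file => same id for everyone."""
        return hashlib.sha256(data).hexdigest()


    class DedupStore:
        def __init__(self):
            self.blobs = {}   # chunk id -> stored bytes (one physical copy per id)
            self.owners = {}  # chunk id -> set of users referencing that copy

        def upload(self, user, user_key, data, convergent=False):
            cid = convergent_chunk_id(data) if convergent else per_user_chunk_id(user_key, data)
            hit = cid in self.blobs          # True means the upload was deduplicated
            if not hit:
                self.blobs[cid] = data
            self.owners.setdefault(cid, set()).add(user)
            return cid, hit


    def simulate(convergent: bool) -> dict:
        """Run the same upload sequence under either dedup policy and report what it reveals."""
        store = DedupStore()
        key_alice, key_bob = os.urandom(32), os.urandom(32)
        store.upload("alice", key_alice, FILE_A, convergent)
        _, same_user_hit = store.upload("alice", key_alice, FILE_A, convergent)
        # A hit here would tell bob that some other account already holds FILE_A:
        # that is the confirmation-of-file leak which cross-user dedup carries.
        _, cross_user_hit = store.upload("bob", key_bob, FILE_A, convergent)
        store.upload("bob", key_bob, FILE_B, convergent)
        return {"copies_stored": len(store.blobs),
                "dedup_same_user": same_user_hit,
                "dedup_cross_user": cross_user_hit}
    ```

    Under the keyed policy the store keeps three copies and bob learns nothing; under the convergent policy it keeps two, at the price of the cross-user hit being observable.
    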

  • by LordLimecat (1103839) on Wednesday January 23, 2013 @11:00AM (#42669967)

    I mean any basic network now uses switches over hubs, so traffic is routed more cleanly to the host system with fewer spots for you to packet sniff

    Well, except for ARP poisoning, mirror ports, and in-line sniffers, sure.

    Who actually reads data packets anyway nowadays?

    You might be surprised. What do you suppose DPI is? You might be interested to know that even low-end firewalls like SonicWalls have a module for MITM-ing SSL on a network where you control cert installation. And rogue WiFi APs aren't exactly rare.

    And as for "who", I might start with "China, a lot of middle-eastern countries, and probably a couple of US three-letter orgs under certain circumstances". This stuff isn't hypothetical.

    I generally agree with your point, that you can't just slap SSL on it and call it secure, but you would be surprised how common packet inspection is.
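    Why a switched network still has "spots" to sniff from, seen from the defender's side: a check over two ARP-table snapshots that flags the gateway's address suddenly resolving to a MAC another host already owns. This is an added example, not from the comment or any product; the snapshots and addresses are constructed.

    ```python
    from collections import defaultdict

    # Constructed sample: two ARP-table snapshots of one LAN segment, taken five minutes apart.
    # In the second one the gateway 10.0.0.1 resolves to the MAC that host 10.0.0.9 already
    # owns, which is what a poisoning attempt against the gateway entry looks like.
    SNAPSHOT_T0 = [("10.0.0.1", "00:11:22:33:44:01"),
                   ("10.0.0.5", "00:11:22:33:44:05"),
                   ("10.0.0.9", "00:11:22:33:44:09")]
    SNAPSHOT_T1 = [("10.0.0.1", "00:11:22:33:44:09"),
                   ("10.0.0.5", "00:11:22:33:44:05"),
                   ("10.0.0.9", "00:11:22:33:44:09")]


    def arp_anomalies(before, after, gateways=("10.0.0.1",)):
        """Compare two (ip, mac) snapshots; return a list of (severity, message) findings."""
        old, new = dict(before), dict(after)
        findings = []
        # 1. An IP whose MAC changed between snapshots. Gateways get the highest severity
        #    because redirecting the default route captures everyone's traffic.
        for ip, mac in new.items():
            if ip in old and old[ip] != mac:
                sev = "high" if ip in gateways else "medium"
                findings.append((sev, f"{ip} moved from {old[ip]} to {mac}"))
        # 2. One MAC answering for several IPs in the same snapshot.
        by_mac = defaultdict(list)
        for ip, mac in new.items():
            by_mac[mac].append(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                findings.append(("high", f"{mac} claims {len(ips)} addresses: "
                                         + ", ".join(sorted(ips))))
        return findings


    if __name__ == "__main__":
        for sev, msg in arp_anomalies(SNAPSHOT_T0, SNAPSHOT_T1):
            print(sev, msg)
    ```

    Legitimate causes exist for both signals (VRRP/HSRP failover, a replaced gateway NIC, DHCP reassignment), so treat the output as something to correlate with change records rather than as proof of an attack.
    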

  • by Anonymous Coward on Wednesday January 23, 2013 @11:56AM (#42670639)

    "sic" is short for sic erat scriptum which is Latin for "thus was it written".

    You don't change what someone wrote and then say [sic]. You write what they originally wrote and say [sic]. You didn't even just change "bee" to "be" either, you paraphrased his entire sentence and then put it in quotes FFS. When being pedantic, try to get these things right.
