Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Piracy Privacy Security IT

Kim Dotcom's Mega Fileshare Service Riddled With Security Holes 151

twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's preprocessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.
This discussion has been archived. No new comments can be posted.

Kim Dotcom's Mega Fileshare Service Riddled With Security Holes

Comments Filter:
  • by xushi ( 740195 ) on Tuesday January 22, 2013 @10:04AM (#42656239)

    "Security folk have also flagged problems with the fact that Mega uses a web browser to send encryption information, opening avenues for attackers to intercept keys by breaking SSL or by commandeering Mega's servers, some of which are said to be located in the United States."

    Err, hang on.. I could swear I read a while ago that the whole point of all this was to have servers that are OUTSIDE of US ?

    What's going on here?

  • A grain of salt (Score:5, Insightful)

    by aaaaaaargh! ( 1150173 ) on Tuesday January 22, 2013 @10:07AM (#42656255)

    While it seems likely that Mega's encryption is not exactly the creme de la creme of crypto implementations, I have also read some pretty dubious assessments of its cryptography, for example the review at Ars Technica which spreads more FUD than facts. Or take the claim in one of the above articles claims that the FBI is probably already typing their search warrants, which ignores the fact that this time not a single server is located within the US.

    Perhaps some writers on tech news sites fear about their ad revenues?

  • preprocessor?? (Score:5, Insightful)

    by 1u3hr ( 530656 ) on Tuesday January 22, 2013 @10:10AM (#42656271)
    "... Megaupload, Mega's preprocessor."

    I expect this means "predecessor". The editors are actually paid in money to click "submit" without reading or understanding the articles?

  • by Dins ( 2538550 ) on Tuesday January 22, 2013 @10:13AM (#42656299)

    He's starting to rub me the wrong way as a sort of attention whore

    No doubt. The man legally changed his name to Kim Dotcom. That's not attention whoreish at all...


  • by Melakh ( 2670043 ) on Tuesday January 22, 2013 @10:17AM (#42656349)
    Who cares if you can intercept the private encryption key (not often you get to say that) - seriously, noone with a brain is going to be uploading sensitive data to Mega and expecting them to take care of it. There are no multinationals sitting in the wings waiting to outsource storage of their customer's credit card numbers to Mega. This is just supposed to be Megaupload minus the ability for the recording industry to demand all copies of the same file get deleted and minus the ability for the FBI to be able to ask Mega a question and get an answer about what's stored.
  • by DerekLyons ( 302214 ) <fairwater.gmail@com> on Tuesday January 22, 2013 @10:25AM (#42656383) Homepage

    Sort of offtopic but why are we following this so closely?

    Because *everyone* loves a good reality show or celebrity meltdown. We all love to live vicariously, but different people chose different targets.
    Thus, the Slashdot Demographic follows Dotcom, McAfee, etc... the way the rest of the world follows the Kardashian's, or Paris Hilton, or Lance Armstrong, or whatever their personal flavor of the month is.

  • by sunderland56 ( 621843 ) on Tuesday January 22, 2013 @11:41AM (#42657337)

    But that's the point. If they can in theory, then the site is not secure.

    If they can in theory, then they can be forced to do so by a court order. Capture your password the next time you log in, decrypt your keys, then decrypt your files. If the courts can compel Mega to deliver unencrypted files as evidence, then the site is useless.

  • by JWW ( 79176 ) on Tuesday January 22, 2013 @12:02PM (#42657605)

    The security does not have to be good. The purpose of Mega is to disable the RIAA and MPAA's abilities to see what is shared.

    It doesn't matter how bad the encryption is. If the MPAA or RIAA break the encryption on Mega's files they are violating the DMCA plain and simple.

    Mega is using the RIAA and MPAA's weapons against them.

  • Re:Kim Dotcom (Score:5, Insightful)

    by Sloppy ( 14984 ) on Tuesday January 22, 2013 @12:07PM (#42657647) Homepage Journal

    I was shocked to learn how much money this guy made the first time around...I suppose he hasn't learned his lesson.

    Did the person who wrote the second half of that sentence, ever read the first part? Because the first part of your sentence says exactly what the lesson was, and Dotcom trying again is evidence that he did learn it.

  • False alarm (Score:4, Insightful)

    by davidwr ( 791652 ) on Tuesday January 22, 2013 @12:08PM (#42657667) Homepage Journal

    It's frequently wrong to assume malice when getting sloppy in a rush to deliver explains everything.

... though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, "The Peace War"