Mega Defends Its Security Practices

Dangerous_Minds writes "Recently, Slashdot posted about how cloud storage company Mega was 'riddled' with security holes. Freezenet points out that Mega has issued a response to some of these criticisms including one which criticized its use of SSL. Mega responded saying that if you could break SSL, you could break things much more interesting than Mega."

That is an ignorant response.

[jellomizer]

Assuming your security is good, because bigger people use it and they didn't run in a problem yet, doesn't mean your security is good. Also SSL is fine, however it isn't the end all be all in security. You just don't make it HTTPS and assume you are all good. Who actually reads data packets anyways nowadays?
I mean any basic network now uses switch over hubs now, So traffic is routed more cleanly to the host system with less spots for you packet sniff. Simple rookie mistakes like having your password stored in your session, where if someone has access to your PC can read you memory/cache/paging file/browser history can find it, or the DB UID for your user account is just as bad, or just a back door for your "Administrator" to gain more access.

Most developers don't really think in terms of security. That is the problem. SSL helps a little but but it isn't the end all bee all.

levels of trust

[fermion]

Mega seems to be trying to exploit either the misunderstanding or the ambiguity of trust and security. In Liars and Outliers Bruce Schneier discuss how we depend on a basic level of trust to efficiently live our life, but we still have levels of trust. So while we may well trust Mega to hold pictures of cat, do we trust Mega enough to store our bank accounts or business records? Some will.

Now they are saying if you don't trust their implementation of SLL, then you can't trust anything on the web. That is stilly It is like saying if you are just as well off banking with a stranger standing on the corner as a well FDIC insured bank.

I was pretty up on this new venture until all of these clearly misleading statements began to appear.

JavaScript local file access APIs

[tepples]

From my iPhone when I click on the issued a response link, all I get is a page saying a dedicated app is coming soon. I view that as another failure on Mega's side.

Mega uses JavaScript local file access APIs to read and encrypt user-selected files before uploading them. Historically, Safari for iOS has been severely lacking in JavaScript local file access APIs [caniuse.com]. So if Apple doesn't give web application developers the proper tools to read and encrypt user-selected files, how should that be regarded as a "failure on Mega's side" rather than Apple's?

Re:The biggest security hole

[aaaaaaargh!]

Trust is a relative measure. I would trust Mega with storing personal copies of my favorite TV show, so I can e.g. access them on my tablet elsewhere. I wouldn't trust Mega with all my banking details, trade secrets, or highly sensitive government secrets, and would dare to say Mega has not been invented for that purpose...

Re:That is an ignorant response.

[Havokmon]

The biggest part of security is risk.

Mega needs to balance risk with usability and cost. Once you get beyond a certain point, every additional security layer will either cost more than it will benefit, or increase complexity so much as it make it unfeasible to use for their average user.

Maybe I've read too many KimDotCom tweets, but the referenced articles seem like government astroturfing just trying to keep customers from using the Mega site. If you want your data THAT secure, just freaking host it yourself with your own locks in place behind double biometric VPNs or whatever and shut the hell up. Jeeesus.
They're selling a product, not a theoretical 100% secure system that will never exist.

Its not about confidentiality.

[jzilla]

The encryption is there for mega to maintain plausable deniabity about copyright infringement. If you want to keep something private don't upload it to mega. The question is not whether the encyrption scheme is sound, but whether it is reasonable in court to expect a company to break encryption (and most likely laws) to ferret out copyright violations.

This rebuttal is clear, concise and correct

[Omnifarious]

Or, without actually delving into their Javascript to verify their claims myself it's correct.

I still don't like the idea of them holding the key, even encrypted. It does set it up so if a government wants to figure out what files I have, they have to get Mega to capture my key after my password decrypts it, but that's not so hard.

But that sort of thing is still significantly better than most cloud storage services.

Re:Keep using the old method?

[Dekker3D]

50 gigs, for one-... like the AC said. AND this thing seems like a sort of personal payback from Dotcom towards the copyright mafiaa. It's not reckless enough to go down easily, but it does seem heavily motivated by that. Which means providing a good service is aligned with his interests.. where every alternative focuses on squeezing the most money out of people.

His personal agenda seems to be counteracting the default business mindset enough to make it worthwhile. I'm intrigued :D

Re:Keep using the old method?

[Tom]

where every alternative focuses on squeezing the most money out of people.

Uh... I don't think Kimble paid for his mansion, cars and other luxuries with good will and motivation. If you think this is motivated by revenge, not money, you need to visit the real world more often.