Mega's Security Appears To Be Surprisingly Bad
from the trial-by-fire dept
We were a little skeptical of Kim Dotcom's new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn't see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: "Quite frankly it felt like I had coded this in 2011 while drunk." A big part of the problem is that, by doing everything in the browser, you're really still trusting Mega, even as Mega implies that you have full control over the encryption.
And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega's confirmation emails:
Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.Users still need to crack the hashed password, but that's a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.
Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are -- and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims -- it seems reasonable to suggest that better security should be in place from the beginning.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, kim dotcom, privacy
Companies: mega
Reader Comments
Subscribe: RSS
View by: Time | Thread
The deduplication can be something as simple as a CRC checksum being generated pre-encryption. If they use a one way hash on it, generate a distinct hash key per user, and only link that to the specific users account. I do not see a problem.
If however this is system wide deduplication, it opens them up to more of the same DOJ BS they were nailed with before.
[ link to this | view in chronology ]
Re:
I'm not sure if that's really what Mega is referring to, or if they're doing some pre-encryption analysis, but it seems a lot more reasonable and less intrusive to me.
[ link to this | view in chronology ]
Re: Re:
Using this method, they could do deduplication, but still not know what they have.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
The problem would be collisions. A checksum (or a hash) is not guaranteed to be unique to a given dataset. if two different datasets happen to result in the same checksum or hash, then the deduplication will catastrophically fail.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
When you generate a link it can include the key in the link or you can deliver the key separately. But for sharing things on a widespread nature, you're always going to include the key -- which was the point we raised in our original article about this, and why the talk of encryption is sort of overhyped.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
That way, they'll never be able to tell if copyrighted material has been uploaded to Mega without being in violation of the sites terms and conditions.
Then we can get the feds to throw the book at the RIAA and MPAA for hacking Mega!!!
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
The intent is not about preventing anyone from unencrypting the data.
Under the DMCA, circumventing ANY protection is illegal, no matter how trivial the protection is. To Identify if the content is legal, then an entity has to break the law without the encryption key. So sending a take down notice would be admitting you broke the law without thorough documentation how you gained access to the content.
They are trying hide behind the same laws that are used against them. Exactly how the game is played.
[ link to this | view in chronology ]
Re:
Most people could download and crack the trivial encryption, which would be illegal but of no significance to most people. That would be significant for ordinary take down notice groups though, especially troublesome when things go to court.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Not really, according to the DMCA
Pirates could decrypt/crack the content without violating the anti-circumvention portion of the DMCA. The DMCA defines “effectively control[ing] access to a work” to be controlling access to a work *with the authority of the copyright owner.* So, the encryption added to a copyrighted work (not owned by Mega or the user) would not be with the authority of the copyright owner.
On the other hand, the copyright owner can also decrpyt his own work without violating the anti-circumvention part of the DMCA. Also, the DMCA defines to “circumvent a technological measure” to be to circumvent *without the authority of the copyright owner.* So, the copyright owner can always circumvent any DRM on his own work.
[ link to this | view in chronology ]
Re: Not really, according to the DMCA
[ link to this | view in chronology ]
Re: Not really, according to the DMCA
Making life hell for each other is the driving force behind all this crap anyways, so it seems it would still achieve that point fairly well.
[ link to this | view in chronology ]
Re:
Quite a clever move, I must say.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Google Driving Piracy
[ link to this | view in chronology ]
Re: Re: Google Driving Piracy
Dotcom: Now I'm After Google | Stuff.co.nz: "'Right now Google is linking to all this content and even though Google is a great company and I love them and their attitude, Google is the largest index of pirated content in the world and they don't pay any licence holder and they are in business and they are doing really well,' he said.
"'So if my software can force companies like Google to pay their little share to content creators, it wouldn't really hurt them.'"
[ link to this | view in chronology ]
Re: Re: Re: Google Driving Piracy
What caught my eye:
"He also repeated his willingness to help make a second undersea fibre cable from New Zealand to America a reality. However, he said it would be better placed into Panama rather than the US."
This raises a good point - if connecting to/through the USA can be at all avoided, by all means go through somewhere else. Panama doesn't like taking orders from the USA, so that may help protect from any filtering traffic would be subject to when routed through the USA.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
https://mega.co.nz/#blog_3
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If Megaupload users didn't get sued when Megaupload got taken down, what do we care how secure Mega is? It sounds to me like encryption is just a way to give Mega some legitimacy, which it will never have, and it's giving me some real cognitive dissonance headaches here. This is the wild west, and while someday the law might clean up the mexican standoffs, we'll have found an entirely new medium by then.
[ link to this | view in chronology ]
Perhaps a bit early for this reaction?
A fairly big leap.
The password hash in email is a concern (although perhaps not a massive one), but doesn't seem to be nearly enough to say "Mega has bad security."
Over the top, and too early.
[ link to this | view in chronology ]
Mega's Response
https://mega.co.nz/#blog_3
In the end, Mega remains far more secure than virtually all major cyber-lockers (e.g. DropBox, which is a security minefield) due to the fact that they are encrypting everything by default. Keep in mind though, they are doing it primarily for their own protection rather than their user's. The fact that it helps protect the user as well is just the icing.
Basically the allegations boil down to astroturfing by people with an agenda against Kim and/or Mega. If you're really worried about it, encrypt everything on your end before adding Mega's layer of security.
Of course everyone is already doing the right thing and encrypting everything anyway... RIGHT!?
[ link to this | view in chronology ]
[ link to this | view in chronology ]