Mega Money, Mega Problems: Why Kim Dotcom’s site is a bust
Kim Dotcom’s new file-locker site has grown at an outrageous pace, but there’s some cause for concern among top security analysts.
In the five days since its launch, Mega has accomplished two major feats.
One, the new file-locker site has grown at an outrageous pace, having reportedly registered over 1 million users in its first 24 hours.
And two, a litany of Internet security experts have complained that the site isn’t safe.
To the first point, the promotional efforts of founder Kim Dotcom, he of the boisterous claims and wild victimization, have been an undeniable success. As of Tuesday evening, as Dotcom was proud to point out, Mega has already surpassed competitors Dropbox and Rapidshare in worldwide popularity, becoming the biggest site in its host country of New Zealand. According to Alexa.com, it’s the world’s 141st most-visited site in the past week, even considering it wasn’t open to the public for two of those days.
But then there are those pesky safety concerns, technical issues that go far beyond the simple fact that Mega’s very popularity has made it difficult for some users to access.
As reported by Ars Technica, Mega’s encryption keys aren’t truly random and can be guessed. Moreover, Ars noted that even though Mega might encrypt files, it still searches for exact copies. Therefore, if you have the exact same file as someone else, and that person is somehow caught and that file revealed, you can be implicated as well.
Dotcom took to his blog Tuesday to defend his site’s honor against both criticisms. To Ars, he noted that knocking Mega’s encryption for not being truly random was “quite a strange statement,” but said he would soon add a feature that allows users to further randomize it. He took a stronger stance against Forbes, admitting that while anyone who can hack SSL (Secure Sockets Layer, a standard encryption tool) can hack Mega, anyone with those skills “can break a lot of things that are even more interesting than MEGA.” Dotcom also called Green’s Java comments “hearsay” and requested people look at his actual code.
However, the blog fail0verflow decided to do just that, and found something even more damning. It’s technical, though writer Héctor Martín does a nice job of simplifying the issue. Anyone with access to Mega’s third-party content-delivery network (CDN) nodes could access encrypted user files.
If you were hosting one of Mega’s CDN nodes (or you were a government official of the CDN hoster’s jurisdiction), you could now take over Mega and steal users’ encryption keys. While Mega’s sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it.
Dotcom has tried to shift the momentum of the debate, offering an unspecified cash-prize contest for those who find security flaws.
Screengrab via mega.co.nz
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.