Mega Money, Mega Problems: Why Kim Dotcom’s site is a bust
Kim Dotcom’s new file-locker site has grown at an outrageous pace, but there’s some cause for concern among top security analysts.
In the five days since its launch, Mega has accomplished two major feats.
One, the new file-locker site has grown at an outrageous pace, having reportedly registered over 1 million users in its first 24 hours.
And two, a litany of Internet security experts have complained that the site isn’t safe.
To the first point, the promotional efforts of founder Kim Dotcom, he of the boisterous claims and wild victimization, have been an undeniable success. As of Tuesday evening, as Dotcom was proud to point out, Mega has already surpassed competitors Dropbox and Rapidshare in worldwide popularity, becoming the biggest site in its host country of New Zealand. According to Alexa.com, it’s the world’s 141st most-visited site in the past week, even considering it wasn’t open to the public for two of those days.
But then there are those pesky safety concerns, technical issues that go far beyond the simple fact that Mega’s very popularity has made it difficult for some users to access.
As reported by Ars Technica, Mega’s encryption keys aren’t truly random and can be guessed. Moreover, Ars noted that even though Mega might encrypt files, it still searches for exact copies. Therefore, if you have the exact same file as someone else, and that person is somehow caught and that file revealed, you can be implicated as well.
Dotcom took to his blog Tuesday to defend his site’s honor against both criticisms. Responding to Ars, he noted that knocking Mega’s encryption for not being truly random was “quite a strange statement,” but said he would soon add a feature that allows users to further randomize it. He took a stronger stance against Forbes, admitting that while anyone who can hack SSL (Secure Sockets Layer, a standard encryption tool) can hack Mega, anyone with those skills “can break a lot of things that are even more interesting than MEGA.” Dotcom also called Green’s Java comments “hearsay” and requested people look at his actual code.
However, the blog fail0verflow decided to do just that, and found something even more damning. It’s technical, though writer Héctor Martín does a nice job of simplifying the issue. Anyone with access to Mega’s third-party content-delivery network (CDN) nodes could access encrypted user files.
If you were hosting one of Mega’s CDN nodes (or you were a government official of the CDN hoster’s jurisdiction), you could now take over Mega and steal users’ encryption keys. While Mega’s sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it.
Dotcom has tried to shift the momentum of the debate, offering an unspecified cash-prize contest for those who find security flaws.
Screengrab via mega.co.nz
A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.