Help
Post your comments for Doubt cast on the security of Kim Dotcom's Mega service here
Page 1 of 1
Doubt Cast On The Security Of Kim Dotcom's Mega Service
#2
jugghead3 
- Member
-
- Group: New Member
- Posts: 19
- Joined: 04-July 12
Posted 22 January 2013 - 11:51 AM
Forget javascript security! Dotcom has been convicted of computer crimes, avoids extradition to the US where he's wanted for piracy and is a self- labeled hacker.
But ya, I don't see why you shouldn't trust him with your files..
But ya, I don't see why you shouldn't trust him with your files..
#3
ldecoursey
- Newbie
-
- Group: New Member
- Posts: 3
- Joined: 22-January 13
Posted 22 January 2013 - 12:00 PM
Claiming that Mega's weak for relying on SSL is just inviting claims of FUD-mongering. "Banks rely on SSL" will be the answer.
Yeah Javascript isn't how serious crypto ought to be done, code should be signed, etc. These are bad mistakes and will be difficult to correct. Actually, they appear to be deliberate design choices, albeit questionable ones.
A main problem I see right now, one that perhaps can be fixed, is that Mega has weak password security. In your confirmation email when you sign up, the hyperlink includes a hash of your password. So they have a hash of your password on file. And they've made a poor choice of hashing algorithm. There's already a program out there for recovering the password from the hash, and it's fast.
So Mega themselves, or anybody who seizes their servers, or anybody who compels Mega to hand over the raw data that they have on you, or anybody who gets hold of your confirmation email, any of these people can gain access to your data relatively easily.
Yeah Javascript isn't how serious crypto ought to be done, code should be signed, etc. These are bad mistakes and will be difficult to correct. Actually, they appear to be deliberate design choices, albeit questionable ones.
A main problem I see right now, one that perhaps can be fixed, is that Mega has weak password security. In your confirmation email when you sign up, the hyperlink includes a hash of your password. So they have a hash of your password on file. And they've made a poor choice of hashing algorithm. There's already a program out there for recovering the password from the hash, and it's fast.
So Mega themselves, or anybody who seizes their servers, or anybody who compels Mega to hand over the raw data that they have on you, or anybody who gets hold of your confirmation email, any of these people can gain access to your data relatively easily.
#5
boooooo
- Newbie
-
- Group: New Member
- Posts: 2
- Joined: 22-January 13
Posted 22 January 2013 - 02:10 PM
Quote
Forget javascript security! Dotcom has been convicted of computer crimes, avoids extradition to the US where he's wanted for piracy and is a self- labeled hacker. But ya, I don't see why you shouldn't trust him with your files..
Yawnnnnnnnn troll.......
Computer Crimes!!!!!!!! AHHHHHHH
Hacker aaaaahhhhh
so stupid
#6
MichealCKG
- Newbie
-
- Group: New Member
- Posts: 2
- Joined: 22-January 13
Posted 22 January 2013 - 02:11 PM
@jugghead3
Fabulous B.S. slandering skills.
You should see if Faux News is hiring.
Fabulous B.S. slandering skills.
You should see if Faux News is hiring.
#8
MichealCKG
- Newbie
-
- Group: New Member
- Posts: 2
- Joined: 22-January 13
Posted 22 January 2013 - 02:21 PM
Although I do like to see the security of any website scrutinized, I find it interesting that anyone would call Mega's use of SSL a security flaw just because it's possible to hack an SSL connection.
Every one of my online business accounts, including my major banking accounts, uses SSL connections.
This appears to be one person's effort to seize an opportunity to point out the security flaws of SSL combined with another person's agenda to hurt Mega.
Every one of my online business accounts, including my major banking accounts, uses SSL connections.
This appears to be one person's effort to seize an opportunity to point out the security flaws of SSL combined with another person's agenda to hurt Mega.
#9
ldecoursey
- Newbie
-
- Group: New Member
- Posts: 3
- Joined: 22-January 13
Posted 22 January 2013 - 03:53 PM
Actually, one thing about Mega, it's finally working now, and it's a pretty cool little file locker. 50 GB for free is pretty nice.
I'm hoping that some additional client (front end) options will come out for it, maybe some options for advanced users to tweak up the encryption strength a bit, but the stock web interface is pretty cool already.
These Mega people are definitely pretty brazen to be doing all of this - authorities saying don't do it, security experts saying you're doing it wrong, etc. But now that it's working it's looking pretty cool. Just don't trust anything to it that you wouldn't normally trust to a cloud provider or put behind basic password security.
I'm hoping that some additional client (front end) options will come out for it, maybe some options for advanced users to tweak up the encryption strength a bit, but the stock web interface is pretty cool already.
These Mega people are definitely pretty brazen to be doing all of this - authorities saying don't do it, security experts saying you're doing it wrong, etc. But now that it's working it's looking pretty cool. Just don't trust anything to it that you wouldn't normally trust to a cloud provider or put behind basic password security.
#10
thewazak
- Expert
-
- Group: Members
- Posts: 2,079
- Joined: 29-January 08
Posted 22 January 2013 - 05:02 PM
While folks are all having a go at Kim for having the b*lls to get up and start again, can someone convince me that ANYTHING on the Internet is really secure?
And while they are beating up DotCom, maybe their credit card number is being stolen from their fancy six million levels of protection cloud sever ......
I guess they must be jealous of Dotcom's clearly affluent and extravagant lifestyle - and that he is in the news - and not them.
And while they are beating up DotCom, maybe their credit card number is being stolen from their fancy six million levels of protection cloud sever ......
I guess they must be jealous of Dotcom's clearly affluent and extravagant lifestyle - and that he is in the news - and not them.
To disagree without being disagreeable is the art of debate. Simply because one has a strong opinion, it does not necessarily make an alternative opinion less valid.
#11
jugghead3
- Member
-
- Group: New Member
- Posts: 19
- Joined: 04-July 12
Posted 23 January 2013 - 08:43 AM
Quote
Forget javascript security! Dotcom has been convicted of computer crimes, avoids extradition to the US where he's wanted for piracy and is a self- labeled hacker. But ya, I don't see why you shouldn't trust him with your files.. Yawnnnnnnnn troll....... Computer Crimes!!!!!!!! AHHHHHHH Hacker aaaaahhhhh so stupid
Am I the only one who does a little Internet searching before writing? A quick googling of wikipedia and kim.com will verify what I've said.
I'm just saying that people should think well beyond SSL encryption strength and about the implications of trusting a guy who makes his money by outfoxing laws and disregarding ethics. A year from now, we'll have some sad hipster blogger out here crying about how all the pictures of his baby are lost because Mega changed directions, didn't give a rat's azz about his files and left him in the cold. Would you honestly be stunned if that happened?
Share this topic:
Page 1 of 1