20 comments

[ 2.9 ms ] story [ 55.3 ms ] thread
> "Unlike its predecessor, Dotcom's new site Mega offers secure encryption, which he says protects each user's identity and data."

I haven't kept up with Mega much lately, but does anyone know if the security issues identified after the Mega launch were ever fixed (see e.g. http://fail0verflow.com/blog/2013/megafail.html)? It seemed like the Mega launch was rushed to take advantage of the free publicity they were getting, but I would expect that they've had enough time to get their house in order by now.

At the end of the post: Update (2013-01-24): Mega has now switched to using SHA-256. They get points for fixing it quickly, but I wonder what other subtle or not-so-subtle security problems remain.
It wouldn't matter. You have no insight in whether Dotcom stores the keys to decrypt the data somewhere. Unless the entire mega fad is open sourced and we can verify the code in the repos runs on their webservers, you cannot justify using Dotcom his bussiness knowing what he has done in the past to obtain financial gain over the backs of others.
It encrypts in the browser, you can check the source code just fine.
The issue with browser-based encryption, is that you would have to check the source code every time that it's served to you.
They could release an api that let you upload with your own client (maybe they have already?)

edit: Apparently there is an API, problem solved.

Not really.

You can verify it once and generate a secure hash from it. Then the second time you could just check the hash.

It wouldn't be too difficult to write a browser extension that did it automatically, or a javascript bookmarklet for it.

But then you have to generate the hash each time the source code changes. And you also have to verify the source code each time yourself because you can't know if it's a regular update from mega (they probably update daily or weekly) or if someone compromised the source code.
That sounds like normal software to me. Nobody is forcing you to update unless the ABI changes. And you can start a mailing list that talks about updates if you like.
Many sites (like blockchain.info) offer a browser extension which does the checking for you every time automatically. Mega also has a browser extension which does downloading, but I'm unsure if it does checking.
Not really. If enough people audit the code at random times, then the host would not be able to get away with serving malicious code for very long.
In addition to oib pointing out that it was fixed same-day, that security flaw wasn't a big deal in the first place, only relevant if the CDN was compromised.
Ok, so I strongly disagree that the raid was part of a deal to film The Hobbit. It would imply some extremely poor negotiation on Warner Brother's part since the raid happened AFTER production had moved from New Zealand. If Dotcom was really such a big deal to WB, why not make filming contingent on him being raided?

Yes, there was a big brew-ha-ha around moving the production of the Hobbit offshore (from NZ). But that was due to negoations falling apart with the New Zealand actor's union[0][1]. This is the dispute that lead to negotiations with NZ's prime minister on 27 October 2010[2]. These negations take place after the film was greenlit and Peter Jackson (not Guillermo Del Toro) is confirmed as director.

The result of these negotiations is that film workers in NZ loose their right to organize.

Now if I were Warner Brothers, and had actually made this deal to have the government raid Kim Dotcom in exchange for filming The Hobbit, wouldn't I wait until the raid happened before starting filming to make sure that New Zealand holds up their end of the bargain?

But, in fact, principal photography on the Hobbit begins on 21 March 2011. Dotcom is raided 9 months later, in January 2012. By this time, all photography in New Zealand is finished.

This timeline doesn't add up. What guarantee did Warner Brothers have that New Zealand would hold up their end of the bargain?

Furthermore, there's no mention of this deal in the e-mails and memos that were released around the Hobbit filming negotiations in February 2013[3].

[0]http://screenrant.com/the-hobbit-new-zealand-peter-jackson-k... [1]http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&o... [2]http://en.wikipedia.org/wiki/The_Hobbit_(film_series)#Indust... [3]http://www.3news.co.nz/Hobbit-files-released/tabid/1607/arti...

I don't really buy this story, but I think the intended narrative is that WB was just shooting for the moon. They would have been ecstatic if New Zealand delivered a takedown, but it wasn't actually so vital to them that they'd hold up everything else until it happened.
The evidence is compelling.

Edit: Oh that's right HN doesn't operate on evidence anymore.

When a journalist uses the word "alleges" it's only by accident that it doesn't mean "we know we're reporting a fabrication but it'll get page views".
No, it means, "We'll get sued if we leave those 7 letters out."
"because, no, we don't have a single shread of evidence"