Author Topic: Kim Dotcom Mansion: Press conference 2013-01-19 GMT  (Read 20489 times)
tvbcof
January 22, 2013, 03:00:31 AM
 #161

...
After many time-outs, I got on enough to get a test account.  After many time-outs on the e-mailed link, I got signed in.  Now I'm playing with it a bit, but my test upload has not gone through.  Understandable if this really is the most successful 'start-up' of all time, and I would not rule it out.
...
Update on Mega:  Tonight, from my satellite connection (and BSD box with chrome built from source) I got logged in after about 1/2 an hour.  This time I managed to get a 44 byte file uploaded.  Took about a minute at 1 byte per second.  So, it's 'working'.  Sorta.
...


Test/Update.  Things are working better today.  A long way from usable, but better.

If anyone is interested, here is a URL to an image with the key embedded.  Optionally, up to the bang could be given and the remainder (the decryption key part) could be sent via e-mail (or, say, single sideband radio for instance.)

https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ

At the risk of (further) spamming the forum, I just want to see if I could make this an image:



edit: another test:

https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
tbcoin
January 22, 2013, 03:03:01 AM
 #162


Sorry for my bad English ;)
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
Monster Tent
January 22, 2013, 03:05:42 AM
 #163

Encryption is the new gun.

tvbcof
January 22, 2013, 03:36:41 AM
 #164

> Encryption is the new gun.

Not really all that new though.  The magic will (hopefully) be making it easy, solid, and most importantly, default.  There was something of a push to try to get people to encrypt their mail and such when the big PGP brouhaha was going in the 90's.  It was too cumbersome and only a few people do it.  Alas, although encryption did take hold a long time later (and fairly recently) it did so in a way that was not protecting users fully...and the US government is spending many billions of my tax dollars to exploit the situation.

I am really excited by the mega.co.nz thing insofar as it seems to be a model for how encryption should work...in a general sense.  If they can prove that it is workable it may be difficult for the competition to not follow suit.  I think that more and more people are getting a little bit fed up and suspicious about just how much they are being spied on these days and are starting to ask questions about why, exactly, it is so goddamned important to the powers that be that they are so anxious to be able to do this.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
molecular
January 22, 2013, 07:19:06 AM
 #165

>> Encryption is the new gun.
>
> Not really all that new though.  The magic will (hopefully) be making it easy, solid, and most importantly, default.  There was something of a push to try to get people to encrypt their mail and such when the big PGP brouhaha was going in the 90's.  It was too cumbersome and only a few people do it.  Alas, although encryption did take hold a long time later (and fairly recently) it did so in a way that was not protecting users fully...and the US government is spending many billions of my tax dollars to exploit the situation.
>
> I am really excited by the mega.co.nz thing insofar as it seems to be a model for how encryption should work...in a general sense.  If they can prove that it is workable it may be difficult for the competition to not follow suit.  I think that more and more people are getting a little bit fed up and suspicious about just how much they are being spied on these days and are starting to ask questions about why, exactly, it is so goddamned important to the powers that be that they are so anxious to be able to do this.

+1, good analysis. I agree.

Maybe gmail could incorporate encryption.

Another big area is chat/videocall (skype). We need to move off this piece of shit, but the lock-in is tight. I can't help but think that M$ buying skype has had some gov. agency backing/pressure behind it.

EDIT: this goes in the right direction https://silentcircle.com/, but how to achieve widespread use?

EDIT2:

  • Freedom of economic interaction
  • Freedom of speech

I don't know which is more important.

Is there a right to encrypt? If not: we need that.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
2weiX
January 22, 2013, 07:36:24 AM
 #166

gmail offering encryption goes against their business model.

you can use redphone for calls and text already.

silent suite looks good, tho - but i dont think a pay-solution will catch on.
herzmeister
January 22, 2013, 08:24:34 AM
 #167

Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises

just not do-able with javascript alone still these days i guess

https://localbitcoins.com/?ch=80k | BTC: 1LJvmd1iLi199eY7EVKtNQRW3LqZi8ZmmB
molecular
January 22, 2013, 08:40:51 AM
 #168

> Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises
>
> just not do-able with javascript alone still these days i guess

This is essentially the same problem blockchain or any other javascript-based wallet suffers from.

I'm guessing third-party plugins will pop up that verify the mega javascript code.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
tvbcof
January 22, 2013, 08:42:43 AM
 #169

> Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises
>
> just not do-able with javascript alone still these days i guess

The critiques I've seen so far strike me as mainly FUD and bunk.  If someone hacks into Mega's servers they can do a lot less damage than to almost anyone else's systems.  If people can attack https via mitm attacks and such, a lot of institutions have some big problems.  As for delivering javascript, seems to me that if this turns into a big problem Mega will be able to publish certified checksums or have some trusted third party do it which will make such an attack that much more difficult.

I personally am looking forward to accessing the service sans browser and javascript at all and as best I can deduce so far, this should be quite doable.  IOW, I think (hope) that delivery of the javascript in real-time is more of a convenience thing than a necessary function and the code could be implemented in a more simple, static, and auditable form.  I never had any confidence in browser plugins (for no particularly well researched reason though.)


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
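
One way the "certified checksums" idea from the post above could be checked on the receiving side, as an added example that is not part of the thread and not Mega's code: it compares the scripts one page load delivered against a published manifest of digests and reports altered, unlisted and missing files. The function names, file names and script contents are hypothetical and constructed for illustration.

```javascript
// Added example (not Mega's code): audit delivered scripts against a
// published manifest of checksums. File names and contents are constructed.
const crypto = require('crypto');

const ALLOWED = new Set(['sha256', 'sha384', 'sha512']);

// Digest in the "<algo>-<base64>" form used by Subresource Integrity.
function digestOf(content, algo = 'sha384') {
  if (!ALLOWED.has(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(content, 'utf8').digest('base64')}`;
}

// Compare delivered {name: source} against published {name: digest}.
function auditScripts(published, delivered) {
  const report = { ok: [], modified: [], unlisted: [], missing: [] };
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  for (const name of Object.keys(delivered).sort()) {
    if (!has(published, name)) { report.unlisted.push(name); continue; }
    const algo = published[name].split('-', 1)[0];
    // An unknown algorithm in the manifest counts as a failure, not a pass.
    const match = ALLOWED.has(algo) && digestOf(delivered[name], algo) === published[name];
    (match ? report.ok : report.modified).push(name);
  }
  for (const name of Object.keys(published).sort()) {
    if (!has(delivered, name)) report.missing.push(name);
  }
  return report;
}

// Constructed sample: what the publisher released ...
const RELEASED = {
  'crypto.js': 'function encrypt(key, data) { /* ... */ }\n',
  'index.js': 'startApp();\n',
  'upload.js': 'function upload(file) { /* ... */ }\n',
};
const PUBLISHED = Object.fromEntries(
  Object.entries(RELEASED).map(([name, src]) => [name, digestOf(src)]));

// ... and what one page load actually delivered.
const DELIVERED = {
  'crypto.js': RELEASED['crypto.js'] + 'console.log("changed");\n', // altered copy
  'index.js': RELEASED['index.js'],
  'extra.js': 'somethingNew();\n', // not in the manifest
};

const REPORT = auditScripts(PUBLISHED, DELIVERED);
console.log(REPORT);
```

The check is only as good as the channel the manifest arrives on: a manifest served by the same host that serves the scripts can be changed along with them.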
pof
January 22, 2013, 09:15:25 AM
 #170



> Test/Update.  Things are working better today.  A long way from usable, but better.
>
> If anyone is interested, here is a URL to an image with the key embedded.  Optionally, up to the bang could be given and the remainder (the decryption key part) could be sent via e-mail (or, say, single sideband radio for instance.)
>
> https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ
>
> At the risk of (further) spamming the forum, I just want to see if I could make this an image:
>
> edit: another test:
>
> https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ

Why doesn't it ask me for the key for decrypting? If the key is embedded in the link, how could Mega act as if it doesn't know the key?

hazek
January 22, 2013, 01:01:06 PM
 #171

> +1, good analysis. I agree.
>
> Maybe gmail could incorporate encryption.


Not going to happen.

Just look at hushmail.com and how they were dealt with. As far as I know they did in fact offer actual embedded encryption meaning a user didn't need to do anything outside of merely logging in and sending an email to another hushmail user in order to have his correspondence encrypted. And while this still holds true for the contents of an email account they were since forced by LEAs (I believe at least that this is the case) to add algos that spy on emails in the moment before they are encrypted and sent out.

The only way this will become an industry standard is if some rogue companies around the world like Mega, not in any way connected with the US, decide to take on and resist huge pressure by various states grasping for power and engage in a constant legal battle of survival and you can call me a pessimist but I don't see many people lining up to voluntarily seek a beating like Kim Dotcom is even though I sincerely wish there were.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
hazek
January 22, 2013, 01:05:35 PM
 #172

>> Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises
>>
>> just not do-able with javascript alone still these days i guess
>
> This is essentially the same problem blockchain or any other javascript-based wallet suffers from.
>
> I'm guessing third-party plugins will pop up that verify the mega javascript code.

Are plugins once peer reviewed actually secure?

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
CIYAM
Ian Knowles - CIYAM Lead Developer
January 22, 2013, 02:07:45 PM
 #173

> Are plugins once peer reviewed actually secure?

Of course there will always be problems even with this (and am going to be using the same approach as blockchain.info for CIYAM Open) but it is a starting point that can be worked on for improvement (setting up a whole new system of *trust* is not going to be anything easily solved).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
gusti
January 22, 2013, 02:27:29 PM
 #174

> Why doesn't it ask me for the key for decrypting? If the key is embedded in the link, how could Mega act as if it doesn't know the key?

I'm not an expert, but I think that when you share a link of your file, you are basically giving the recipient your public key, and he will decrypt the file using his own private key.

If you don't own the private keys, you don't own the coins.
TTBit
January 22, 2013, 02:47:27 PM
 #175

>> Why doesn't it ask me for the key for decrypting? If the key is embedded in the link, how could Mega act as if it doesn't know the key?
>
> I'm not an expert, but I think that when you share a link of your file, you are basically giving the recipient your public key, and he will decrypt the file using his own private key.

You don't have to share the decrypt key in the link. You can provide just the link, and it will ask for the decrypt key (for that file). It is not a public/private keypair.

good judgment comes from experience, and experience comes from bad judgment
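
The link format discussed above, as an added example that is not part of any poster's message: it splits the posted `#!handle!key` link and builds the HTTP request a client sends to load the page, showing that the fragment (handle and key) is not in that request. The function names are hypothetical; the script the page delivers can still read the fragment, which is why the thread's question about trusting the delivered JavaScript matters.

```javascript
// Added example (not from the thread): what a "#!<handle>!<key>" link
// exposes in the HTTP request that loads the page.

// Decode URL-safe base64 without padding and return the byte count.
function base64UrlByteLength(text) {
  const std = text.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').length;
}

// Split a share link into the part an HTTP client transmits and the
// fragment, which stays in the browser unless a script sends it on.
function splitShareLink(link) {
  const url = new URL(link);
  const m = /^#!([^!]+)(?:!([^!]+))?$/.exec(url.hash);
  if (!m) throw new Error('expected a fragment of the form #!handle[!key]');
  const [, handle, key = null] = m;
  return {
    host: url.host,
    requestTarget: url.pathname + url.search, // the fragment is never part of this
    handle,
    key,
    keyBits: key ? base64UrlByteLength(key) * 8 : 0,
    // "Up to the bang", as the post describes: the link without the key part.
    linkWithoutKey: `${url.origin}${url.pathname}${url.search}#!${handle}`,
  };
}

// The request a client sends to fetch the page behind the link.
function pageRequest(link) {
  const { host, requestTarget } = splitShareLink(link);
  return `GET ${requestTarget} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Link as posted in the thread.
const POSTED = 'https://mega.co.nz/#!Z8tQgbpC!Nv3Hlnxlh6p7tl3jGPU5Rlgsw4w7Cl4OOPdsMnkjDOQ';

const parts = splitShareLink(POSTED);
console.log(parts);
console.log(JSON.stringify(pageRequest(POSTED)));
```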
tvbcof
January 22, 2013, 06:01:38 PM
 #176

>>> Why doesn't it ask me for the key for decrypting? If the key is embedded in the link, how could Mega act as if it doesn't know the key?
>>
>> I'm not an expert, but I think that when you share a link of your file, you are basically giving the recipient your public key, and he will decrypt the file using his own private key.
>
> You don't have to share the decrypt key in the link. You can provide just the link, and it will ask for the decrypt key (for that file). It is not a public/private keypair.

Good clarification.

I would also add that Mega did not send the link.  I did.  The decryption key (again, NOT public/private keypair or 'asymmetric' crypto) was generated by me on my own computer using javascript code which Mega delivered to me when I logged on.  Part of the input that this code needed was my password.  Mega could not have generated that key because they don't know my password.

So far, I have not been able to even download the file.  I either get the temporarily unavailable message, or things seemingly start and never complete.

I have played with things enough to figure out how folder sharing seems to work.  It seems that in order to share a hierarchy of files, one needs to input the recipient's e-mail addy (which, presumably, means the recipient needs a Mega account.)  I had hoped that there was some magic by which this was not necessary (like, say, encrypting all files within with a 'folder key' or something along those lines.)  Oh well.

---

I do share Hazek's pessimism that these guys will be attacked on all fronts by the state(s) who will and always have gone to great lengths to make sure that they at least can monitor all of their subjects.  The US has bumped 'can' up to the level of 'do' much much more than I am comfortable with.

I find it noteworthy that Mega has chosen as a centerpiece of their efforts a universal statement of human rights, and one that I believe in fiercely.

Cribbed from Mega's web page:  'Universal Declaration of Human Rights, Article 12'

  "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. Everyone has the right to the protection of the law against such interference."

Bitcoin would do well to lean on this more than they already do IMHO.  Bitcoin, and crypto-currencies generally, are as much a moral thing to me as anything else.  To be honest, I was almost completely unaware of this 'universal declaration' thing until the Mega goings-on brought it to my attention but generally it is one of those things that one can just sense in their bones is 'right'.  Or at least it is to me.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
pof
January 22, 2013, 06:35:48 PM
 #177

> I would also add that Mega did not send the link.  I did.  The decryption key (again, NOT public/private keypair or 'asymmetric' crypto) was generated by me on my own computer using javascript code which Mega delivered to me when I logged on.  Part of the input that this code needed was my password.  Mega could not have generated that key because they don't know my password.

Thanks, now I have understood!

tvbcof
January 22, 2013, 06:50:54 PM
 #178

>> I would also add that Mega did not send the link.  I did.  The decryption key (again, NOT public/private keypair or 'asymmetric' crypto) was generated by me on my own computer using javascript code which Mega delivered to me when I logged on.  Part of the input that this code needed was my password.  Mega could not have generated that key because they don't know my password.
>
> Thanks, now I have understood!

I might mention to anyone thinking about creating a Mega account to put more thought than normal into the password.  It is not just a typical web-site access thing (like bitcointalk.org, for instance.)

The password one chooses becomes an integral part of access to all files that one stores.  I read somewhere that there is some protection against guessing attacks, but I don't know how it works and I am pretty sure that if one chooses 'test123' that would render one's files readable by many many parties.

Currently the ability to change passwords is not implemented.  What one chooses one is stuck with.  I usually default to a non-trivial and unique password for anything I sign up for and did in this case, but had I realized how critical it was I would have been much more careful in choosing the Mega one.

That said, until the service becomes vaguely usable it's a bit of a moot point (unless one is silly enough to upload critical or important data in this early period where there are so many questions swirling around.)


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
herzmeister
January 22, 2013, 07:00:27 PM
 #179

> and I am pretty sure that if one chooses 'test123' that would render one's files readable by many many parties.

maybe that's the point :)

https://localbitcoins.com/?ch=80k | BTC: 1LJvmd1iLi199eY7EVKtNQRW3LqZi8ZmmB
tvbcof
January 22, 2013, 07:18:10 PM
 #180

>> and I am pretty sure that if one chooses 'test123' that would render one's files readable by many many parties.
>
> maybe that's the point :)

"You can lead a horse to water, but you cannot make it drink" so they say.

If Mega were terribly interested in subverting their advertised inability to access users' files, or were in cahoots with other parties who had such an interest, a) this is not the most reliable way to do it, and b) we've got other more significant things to worry about.

That said, the appropriate way to deal with any security issue is always to assume the worst as a starting point.  It well could be that Dotcom has copped a plea to get him off the hook on his past indiscretions and has agreed to run a monster honey-pot or something of that nature.  Again, that should be assumed to be the case by anyone playing with the service.  As time goes by, evidence supporting or going against this hypothesis will crop up.


sig spam anywhere and self-moderated threads on the pol&soc board are for losers.