Mega's Security Appears To Be Surprisingly Bad
from the trial-by-fire dept
We were a little skeptical of Kim Dotcom’s new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn’t see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega’s claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).
While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: “Quite frankly it felt like I had coded this in 2011 while drunk.” A big part of the problem is that, by doing everything in the browser, you’re really still trusting Mega, even as Mega implies that you have full control over the encryption.
And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega’s confirmation emails:
Steve “Sc00bz” Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.
Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
Users still need to crack the hashed password, but that’s a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.
All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are — and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims — it seems reasonable to suggest that better security should be in place from the beginning.
Filed Under: encryption, kim dotcom, privacy
Companies: mega
Comments on “Mega's Security Appears To Be Surprisingly Bad”
“including some questions about how random the random key generation really was, as well as significant concerns about Mega’s claims that it offered deduplification”
The deduplication can be something as simple as a CRC checksum being generated pre-encryption. If they use a one way hash on it, generate a distinct hash key per user, and only link that to the specific users account. I do not see a problem.
If however this is system wide deduplication, it opens them up to more of the same DOJ BS they were nailed with before.
Re: Re:
I read a comment at ARS that tried to explain the dedup in a sharing context. If you upload a file and share it with a friend, it wouldn’t be physically copied and encrypted again into his Mega account. His account would just possess the key required to access that original file, and so on as it is shared.
I’m not sure if that’s really what Mega is referring to, or if they’re doing some pre-encryption analysis, but it seems a lot more reasonable and less intrusive to me.
Re: Re: Re:
I have also seen discussed a method whereby the hash of the data of the file is the key to encrypt the file. Therefore, the same file always looks the same, even encrypted, but there is still no way to tell what it is without the key.
Using this method, they could do deduplication, but still not know what they have.
Re: Re:
The problem with deduplication is that if somebody provides Mega with a file, Mega is able to determine which users have uploaded that same file. So it is not an issue if you are uploading family pictures or personal documents, but it is an issue if you are uploading anything from the internet.
Re: Re:
The problem would be collisions. A checksum (or a hash) is not guaranteed to be unique to a given dataset. if two different datasets happen to result in the same checksum or hash, then the deduplication will catastrophically fail.
Earlier today, I went on to a forum I’m a member of, where users can put up links to anime episodes on cyberlockers. Someone had uploaded an episode to the new Mega, and so, I thought I’d give it a try. I thought that, what with all the talk about need keys to decrypt, that I would at best just get an encrypted mess of garbage. Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom (which by the way, I’m mightily confused over: why the fuck is he still abiding by it, given that he’s arranged things so that he has no US presence or connections at all?).
Re: Re:
Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom
When you generate a link it can include the key in the link or you can deliver the key separately. But for sharing things on a widespread nature, you’re always going to include the key — which was the point we raised in our original article about this, and why the talk of encryption is sort of overhyped.
Re: Re: Re:
Yeah, I can only imagine what it would be like having to answer emails all day asking for the decrypt key…sorta like what would happen in a world that obeyed copyright perfectly, except instead of giving a key, you’re giving permission (which is basically the same thing).
Re: Re: Re:
It would be great if the terms of service for the website forbid any officers or officials at MPAA or RIAA companies from using the keys.
That way, they’ll never be able to tell if copyrighted material has been uploaded to Mega without being in violation of the sites terms and conditions.
Then we can get the feds to throw the book at the RIAA and MPAA for hacking Mega!!!
Re: Re: Re: Re:
The problem with that is that the feds are a wholly owned subsidiary of Hollywood.
Re: Re: Re:2 Re:
No, the problem with that is that the Feds are a Hollywood parody of actual LEOs.
This is done to remove their knowledge of the content being stored.
The intent is not about preventing anyone from unencrypting the data.
Under the DMCA, circumventing ANY protection is illegal, no matter how trivial the protection is. To Identify if the content is legal, then an entity has to break the law without the encryption key. So sending a take down notice would be admitting you broke the law without thorough documentation how you gained access to the content.
They are trying hide behind the same laws that are used against them. Exactly how the game is played.
Re: Re:
All it really needs is a tool that cracks the encryption in under a minute, and then the uploader shares the link and not the shared key.
Most people could download and crack the trivial encryption, which would be illegal but of no significance to most people. That would be significant for ordinary take down notice groups though, especially troublesome when things go to court.
Re: Re:
Hadn’t thought of it that way, but I would say that it does have a certain irony in it.
Re: Re: Not really, according to the DMCA
This would be a clever use of the encryption, but it doesn’t jive with the law.
Pirates could decrypt/crack the content without violating the anti-circumvention portion of the DMCA. The DMCA defines ?effectively control[ing] access to a work? to be controlling access to a work with the authority of the copyright owner. So, the encryption added to a copyrighted work (not owned by Mega or the user) would not be with the authority of the copyright owner.
On the other hand, the copyright owner can also decrpyt his own work without violating the anti-circumvention part of the DMCA. Also, the DMCA defines to ?circumvent a technological measure? to be to circumvent without the authority of the copyright owner. So, the copyright owner can always circumvent any DRM on his own work.
Re: Re: Re: Not really, according to the DMCA
So every time they decrypt something that is not owned by them they are still breaking the law?
Re: Re: Re: Not really, according to the DMCA
Doesn’t proving they KNEW for a fact it was theirs and they would not be violating a law also provide a great argument point for lawyers?
Making life hell for each other is the driving force behind all this crap anyways, so it seems it would still achieve that point fairly well.
Re: Re:
Very much this. The encryption is not so much about user privacy or security as it is about using the law in his own favour.
Quite a clever move, I must say.
Re: Re: Re:
Agreed
Re: Re:
It would take a special kind of plaintiff to see that actually tested though.
Apparently, their service only works if it can write files from JavaScript and is thus unusable in anything other than Chrome. As long as that’s the case it will never reach the popularity of the old Megaupload.
Re: Google Driving Piracy
So, Mega.co.nz only works with Google’s Chrome browser. Once again, we see that Google is driving piracy. Google is the parasitic piracy leader, stealing copyrighted works and serving them to the world against their ads.
Re: Re: Google Driving Piracy
This came out a few days ago, but I am only now getting around to reading it.
Dotcom: Now I’m After Google | Stuff.co.nz: “‘Right now Google is linking to all this content and even though Google is a great company and I love them and their attitude, Google is the largest index of pirated content in the world and they don’t pay any licence holder and they are in business and they are doing really well,’ he said.
“‘So if my software can force companies like Google to pay their little share to content creators, it wouldn’t really hurt them.'”
Re: Re: Re: Google Driving Piracy
Somehow I’d missed that article too, thanks for sharing.
What caught my eye:
“He also repeated his willingness to help make a second undersea fibre cable from New Zealand to America a reality. However, he said it would be better placed into Panama rather than the US.”
This raises a good point – if connecting to/through the USA can be at all avoided, by all means go through somewhere else. Panama doesn’t like taking orders from the USA, so that may help protect from any filtering traffic would be subject to when routed through the USA.
Re: Re:
What are you talking about? That sentence is pure gobbledygook. I realize I’m talking to an AC, but source please?
You could solve the problem of trusting their encryption by encrypting with yours first, but that was always the case.
Dotcom has put out a challenge. check the post on Torrentfreak
Mega has a response to the issues raised.
https://mega.co.nz/#blog_3
I just want to point out that brute forcing the AES “hash” is not easy. They use 65536 iterations of the full AES block cipher. Even on Ivy Bridge CPUs with dedicated AES hardware, you still only get about 4500 guesses per second. If you use a random [a-zA-Z0-9]{10} password, it would take ~591,000 of these Ivy Bridge CPUs to crack it within 10 years. Good password hygiene and adhering to good sense should keep you safe from MegaCracker.
This is fascinating and all, but does it matter to me, the standard Mega user? All I care is that it’s Megaupload 2: The Reuploading. It’ll last for a few years, and then it’ll get taken down again; until then, I have a place to share materials that are probably illegal somewhere for some reason or the other. When it gets taken down, someone else will have something new for me to use.
If Megaupload users didn’t get sued when Megaupload got taken down, what do we care how secure Mega is? It sounds to me like encryption is just a way to give Mega some legitimacy, which it will never have, and it’s giving me some real cognitive dissonance headaches here. This is the wild west, and while someday the law might clean up the mexican standoffs, we’ll have found an entirely new medium by then.
Perhaps a bit early for this reaction?
We don’t actually know for certain they will do any deduplication, or even that they are capable of it – we only know that their T&C reserves the right to do it.
A fairly big leap.
The password hash in email is a concern (although perhaps not a massive one), but doesn’t seem to be nearly enough to say “Mega has bad security.”
Over the top, and too early.
Mega's Response
Mega has issued a response to the allegations (as previously pointed out by the AC above):
https://mega.co.nz/#blog_3
In the end, Mega remains far more secure than virtually all major cyber-lockers (e.g. DropBox, which is a security minefield) due to the fact that they are encrypting everything by default. Keep in mind though, they are doing it primarily for their own protection rather than their user’s. The fact that it helps protect the user as well is just the icing.
Basically the allegations boil down to astroturfing by people with an agenda against Kim and/or Mega. If you’re really worried about it, encrypt everything on your end before adding Mega’s layer of security.
Of course everyone is already doing the right thing and encrypting everything anyway… RIGHT!?
I think it’ll evolve with time. As for mailing the keys, well you should be protecting your e-mail too so I don’t really see a problem here…