Comments on: Where Kim Dotcom and Mega have the edge on Dropbox and Box.net

By: Dheeraj

Dheeraj — Thu, 07 Feb 2013 17:16:10 +0000

Does anyone know what “store keys locally” means?

Because as far as I can see, Mega is not locked to one computer, and the user has only one key – his password.

What are these multiple ‘keys’? How are these stored locally if the user go to another computer and also login with only the user name and password?

By: SG

SG — Wed, 06 Feb 2013 16:19:13 +0000

I really recommend you guys to try BoxCryptor (www.boxcryptor.com). It offers true client-side encryption because the software is always installed locally on the user’s device and the user keeps the control of the security of his data in any cloud. BoxCryptor works with all major cloud storage services and provides an independent source of trust where the cloud storage provider is not responsible for the encryption nor the secure handling of the keys (note: BoxCryptor has no access to the files). Mega’s security has various drawbacks which were discovered by security researchers in the past days such as weak random number generator, weak key derivation easy injection of wrong code, among others … so the combination of serious implementation flaws and the fact that you still have to put all your trust in Mega, as they will have your files and are in charge of the encryption, makes it a no-go to store sensitive files.

By: John Tucker

John Tucker — Tue, 05 Feb 2013 17:20:10 +0000

Clients keeping their own keys are nothing new. Many services did it long before MEGA. SpiderOak, Mozy, CrashPlan all offer private keys that stay with the user.

By: Sandy Mckinnon

Sandy Mckinnon — Tue, 05 Feb 2013 16:15:52 +0000

Andy – If you are interested in scalable next-gen Key management – Please check out SkyKEY and SkyPIN from CertiVox – http://www.certivox.com – they are currently in Las Vegas launching their SSO solution for the Parallels APS framework as part of the Parallels 2013 Summit – which will allow hosting vendors to offer their services federating the SSO from APS – and with CertiVox’s SkyKEY service handling all the key distribution and management – and SkyPIN giving simple secure multifactor authentication.

It’s coming – you can try it currently at PrivateSky – they can provide this for all cloud & mobile services (including data in motion and at rest somewhere…) Check them out at RSA if you are going at the end of the month.

By: Andy Manoske

Andy Manoske — Mon, 04 Feb 2013 08:29:35 +0000

Thanks for the comment! A few comments have touched on this, but the novelty in Mega’s cryptography is in key management. Mega has worked particularly hard to design an architecture where users keep their own keys and leave the host with as little information as possible to recover the plaintext from the remotely-stored ciphertext.

Many of the other approaches on the market employ cryptography where either the key is shared with the host (even if only for a short period of time), information that could be used to recover the key is shared with the host, or the key is generated in a way that could possibly be exploited in a partial information attack by someone with visibility into the host / the host itself.

By: me

me — Mon, 04 Feb 2013 03:12:28 +0000

There were employees of the US government using Megaupload for file storage. You should tell them that their files were illegal. They probably have no idea. I had legitimate files on megaupload, but according to Jill I guess my files were illegal too. Too funny.

Anyway, as for illegal files, simple Google searches will find that for you very easily and quickly. I wonder when the US govt will take Google down.

By: Rich

Rich — Sun, 03 Feb 2013 17:10:47 +0000

Come on, Jill. GigaOm (or actually, the author Andy Manoske) cannot say that the original metaupload site had copyrighted software, because that would expose the author to a legal liability for accusing someone of unlawful activity. That is why publications use the word “alleged,” or similar terms. Your comment is a little naive.

By: Nhick

Nhick — Sun, 03 Feb 2013 14:44:31 +0000

Hmm, so we should expect another blockbuster hit on this one aight?

By: notthefbi

notthefbi — Sun, 03 Feb 2013 14:12:18 +0000

Jill, how much do you make per comment?

By: Chad

Chad — Sun, 03 Feb 2013 12:18:39 +0000

According to Mega, they are only deduplicating post-encryption, so that part of their TOS functionally only applies to duplicate files uploaded by the same person or files that are shared from one account to another.

http://mega.co.nz/#blog_3