Encryption is good.

Nono, mister big in charge man, this isn't a giant FU in your face, this is just a way for us to uh.... play by your rules yeah that's it, you like making money and so do we!

Megaupload Is Dead. Long Live Mega!


I'm actually hoping this starts to change things on the Internet in terms of getting everyone used to using encryption for all sorts of things. Emails, chats, IMs, websites, file storage, etc, it's actually really simple to encrypt most stuff and doesn't require much, if any extra work.

I already encrypt everything I can just out of practice. Trillian encrypts all my chats for me automatically just in case Google or someone else decides to buy into one of the chat services I use then read all my IMs to serve me target ads (I'm lookin' at you Facebook!). My entire hard drive is encrypted with Truecrypt just because it makes life easier when I need to dispose of a drive (no need to erase it!). The funny part about Truecrypt is it actually makes read/write operations faster than an unencrypted drive in Windows. It's a great way to store your passwords securely too.

So yeah, encryption is good! Everybody needs to learn some encryption basics.

I have a few TrueCrypt encrypted files too. I find Dropbox to be invaluable for file-sharing and for reading stuff on my iPhone on the go. My Documents and Photos folders are synced via Dropbox, so I can easily view anything I want on the go. This is mostly important for documents, as it saves me the need for printing things.

Very interesting. So it seems he's taking the "we're just supplying a service" angle, just like ISP's are doing atm. If they actually get this deal up and running then there's no doubt going to be challenges against it by many unenlightened individuals.

The way he's setting it up though, I don't think that would do anybody any good. It's plausible deniability at its best. With everything encrypted and the only key in the hands of the uploader, anything people put up there is completely out of his control. If he has no control over it, there's really not much anyone can do legally. But we'll see what happens.

What I'm hoping for is this gets everyone, even non techie people used to the idea of encryption, and then everyone can start using it everywhere. Which is good for security and privacy and such.

But it is my experience that most people don't bother with those types of things. Most people will just use excel's passwords thing for spreadsheets and not watch themselves online at all. It doesn't matter how smart you are; nobody really goes beyond what they know. If only Microsoft did a better job handling encryption within the OS.

That's why this might get more people used to using encryption though. So many people used megaupload to quickly upload files... the new service might be so well known just because of that. Maybe it will be popular right off the bat?

Not directly related to encryption, but sort of. This is a very interesting read about why passwords alone don't work to secure our accounts anymore:

http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

http://www.bbc.co.uk/news/technology-21106584

Just a little update on this. I can't seem to get access to the site atm it seems.

50gb of free storage, wow. That's a lot. I'm very interested to see how many people adopt this.

So far, though, it seems there's an enormous interest in this service since I can't access the site either. It's being completely bombarded with people wanting to register.

I'm still hoping this paves the way for other online services to adopt encryption as a standard practice as part of their privacy policies. We need more encryption!

I can't either, and it's been roughly 11 and a half hours since Wonko's last post.

Looks totally badass.

I use encryption for my flash files =3
Wouldn't want anyone to backwards engineer anything would we!

Some people are claiming Mega isn't nearly as secure as it wants to be.

http://arstechnica.com/security/2013/01/cracking-tool-milks-weakness-to-reveal-some-mega-passwords/

http://arstechnica.com/business/2013/01/megabad-a-quick-look-at-the-state-of-megas-encryption/

Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

Yeah that's not smart. Come on guys, everybody knows e-mails are sent in plain text over the internet and readable by anyone. Don't put passwords in emails!

There's a lot of technical information in those links relating to how encryption algorithms like AES work and it may be a bit above some people's heads, so here's the tl;dr version:



They cut some corners in their implementation of a couple key aspects of the encryption technology they're using. Two main corners they cut:

First, relating to generating truly random data, which is absolutely vital to the encryption process. If any part of it is predictable (not random), it weakens the overall encryption. This is a problem, but is easily fixed and I expect they will.

Second, they also cut some corners in relation to storage, to save space, and they take some risks doing it the way they do it from a legal standpoint. Instead of creating the ideal system where they can claim complete ignorance over what people are storing (plausible deniability), they do certain things that save space, but also make it possible to tell if two people are sharing the same file. Assuming someone is using the service to share movies or music and such illegally, that could be bad. For sharing other types of files securely it's probably less of an issue though.



So, basically, it seems like the main weakness in the encryption itself can be easily fixed by generating better random data, and the algorithm they're using (AES-128) is very secure, assuming truly random data. Not sure what could be done about the other part though.

Yeah that whole bit about saving storage space did stick out to me when I got round to reading their terms of service, seemed quite fishy indeed.

I guess it's the only way they can offer 50gb to each person with the cost of storage space currently, but it just seems like a bad idea for them to do that. They've already been sued out of existence once, why would they take a chance like that again?

... unless they're secretly working for the people who sued them out of existence previously?

http://www.techdirt.com/articles/20130131/12343521844/odd-mega-removing-any-file-it-can-find-that-is-publicly-indexed-even-completely-legitimate-uploads.shtml

More oddities with Mega.

I'm not sure I understand. It says they're taking down publicly searchable content, but how does something become publicly searchable if it's all encrypted?

Is there some other website where people are posting links and the keys or something?

While I wait for Trey to come back and clarify that, I have another link that is relevant to encryption stuff.

http://zackeryfretty.com/unmasking-saved-passwords-in-any-browser-seriously-use-1password-already/

Some of you may save passwords in your browser. It's apparently a really bad idea to do that as they aren't stored securely at all. Personally, I've been using the 1Password apps that guy is talking about for years on my desktop, iPhone, and iPad, and they're fantastic. They sync, and auto-filling my passwords into a website is a keyboard shortcut away. If you don't want to pay for 1Password, though, there are free alternatives out there and I strongly recommend you use them!

Ice, what's that free password utility you use?

I don't use a free password utility...what gave you that impression? I have all my passwords on a TrueCrypt encrypted partition, but I only look at that occasionally.

Oh that must have been what I was thinking of. My bad. So that's another way of doing it, just adds some extra steps in there before you can get at your passwords.

Browser passwords were never saved securely. I use KeePass. It is less integrated than 1Password(android app can't modify your database, no autofill, etc) but its also entirely free.

Re:Mega

Yes, there was a separate site that people would upload links/keys too in order to provide a searchable database. It was briefly mentioned in the article, Mega-search.me. There probably are other similar sites, but that was the one that the author's tested.

KeePass looks pretty awesome for a free password manager. I've read about it before but I had no idea it had mobile companion apps. Even if they are limited, that's pretty sweet for free. They list six iPhone apps in the downloads page that connect to the main desktop app. No idea which one is better.

Might be something you'd want to look into switching to, Ice. Might make managing your passwords much simpler.



As far as Mega goes... looks like the guy behind it is trying to keep it a private sharing service instead of a public one. It's an interesting move... motivated by legal concerns maybe? I'm sure it won't be long before people start hiding those keys behind forum threads that require a login, if they aren't already doing that.

The iTouch app I use is MiniKeePass. I have my database file stored in dropbox to keep it in sync.

Does it autosync using the database file, or do you have to manually sync? And does it integrate with web browsers at all? For auto-filling passwords and forms and such? What about on iOS, does the app have a built in browser so you can have it auto fill forms, or do you just copy and paste?

Also, just out of curiosity, did you choose encrypt your database file using AES or Twofish?

Dropbox automatically syncs it. There are apps to integrate it with web browsers(http://keepass.info/plugins.html) but I do not personally use any of them. I just copy and paste.

My database file is encrypted with AES.