Feeds

Dotcom's Mega smacks back: Our crypto's not crap

'The '90s called... they want their password security back'

Internet Security Threat Report 2014

Kim Dotcom's comeback cloud storage service, Mega, has responded to criticism about its approach to cryptography and password security after security researcher Steve Thomas (@Sc00bz) released his MegaCracker tool, which cracks hashes embedded in emailed password confirmation links.

In a blog post designed to reassure users, Mega said that it uses mouse movements and keystroke timings in its key-generation process to improve randomness. It added that its deduplication feature (which eliminates duplicates of the same file being uploaded to the service) is only ever done on the already-encrypted data, reiterating its assurances that Mega has no access to raw user content. Lastly, in response to criticisms of its password security, it notes that many approaches to password-hashing are vulnerable to dictionary-based attacks. Users need to look after themselves by choosing a decent password, it said. Mega added that MegaCracker serves as "an excellent reminder not to use guessable/dictionary passwords".

Mega added that it was in the process of implementing a password change feature that would "re-encrypt the master key with your new password," as well as implement a password reset mechanism. The lack of account recovery in the first place has already been the subject of a few barbs from members of the information security community, such as Chris Boyd of GFI Security, who tweeted:

"Mega will soon let you change your password" The '90s just called. No really, I have Bart Simpson and the entire cast of TMNT on the line.

The digital storage locker service launched on Sunday on the first anniversary of a takedown against Megaupload. Kim Dotcom and his associates were arrested by New Zealand police last January in response to a request by US authorities, who alleged that Megaupload facilitated copyright violation and piracy on a grand scale. In between fighting against extradition and going to court to obtain access to frozen assets, Dotcom and his associates reinvented his business under the brand name Mega.

Cloud locker

Mega differs from Megaupload primarily through the more extensive use of encryption. Everything a user uploads is encrypted before it leaves their browser, using a master key that can be unlocked by a password only known to users. The master key unlocks the file/folder/share/private keys. When content is downloaded, it's decrypted using the same key used to encrypt it (symmetric encryption).

The approach has allowed Mega to claim that it doesn't know the content of uploaded content and to position itself as an "awesome cloud storage service that will help protect your privacy" rather than as a file-sharing service - the primary use of Megaupload. Content can still be shared through shared folders on Mega but only in cases where users share a folder-specific key.

The whole process runs through a JavaScript app running on a user's browser and doesn't require the installation of special software.

Securo-boffins: What's wrong with it

Security experts and critics quickly raised concerns about how the service was established, which broadly fall into four categories.

The first concern was over the "private" key generated in users' browsers when they first use Mega. Researchers said that its reliance on JavaScript's Math.random() function was sketchy. Software random number generators are risky because if you can guess the starting seed, it's then much easier to break the security of the crypto-system.

The second line of concern arises from Mega's terms of service. These explain that the service "may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service". Such deduplication ought to be impossible if Mega truly didn't know the contents of uploaded content, according to critics.

The third issue raised was over the confirmation email sent to users containing an AES-based hash of their master key when they sign up to Mega. This creates the possibility of an offline dictionary attack, such as the one launched by MegaCracker..

Additional lines of criticism against Mega have included its lack of account recovery options. Losing their password would leave users not only unable to log into the service but also unable to recover and decrypt any stored files.

Responding to Mega's blog post, Paul Ducklin, Sophos's head of technology for Asia Pacific, said Mega was on shaky ground with some of its assertions. "Mouse and keyboard movements aren't very good additional sources of randomness", Ducklin points out, so the random number generation issue remains a live concern. And on the deduplication issue: "Knowing that two files are the same, even without knowing the content, nevertheless leaks information about the data".

The "controversy about Mega and its perceived security" is unlikely to die off any time soon, Ducklin concludes.

Heavyweight cryptographers also appear unimpressed by Mega's early efforts.

"Mega is either artfully feigning sincerity in their inept crypto as a brilliant copyright dodge, or they truly believe it and are just inept," said Moxie Marlinspike, the creator of Convergence SSL authenticity system.

Kim Dotcom appears to relishing the attention on his new website's security, even if much of it remains negative. "We welcome the ongoing ‪#Mega‬ security debate & will offer a cash prize encryption challenge soon. Let's see what you got ;-)," he wrote on Wednesday, after earlier claiming that Mega was already catching up with Dropbox in daily usage. ®

Internet Security Threat Report 2014

More from The Register

next story
Docker's app containers are coming to Windows Server, says Microsoft
MS chases app deployment speeds already enjoyed by Linux devs
IBM storage revenues sink: 'We are disappointed,' says CEO
Time to put the storage biz up for sale?
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
'Urika': Cray unveils new 1,500-core big data crunching monster
6TB of DRAM, 38TB of SSD flash and 120TB of disk storage
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
SDI wars: WTF is software defined infrastructure?
This time we play for ALL the marbles
Windows 10: Forget Cloudobile, put Security and Privacy First
But - dammit - It would be insane to say 'don't collect, because NSA'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.