pouët.net

The new MEGA

category: offtopic [glöplog]
I can't understand how the "new Megaupload" (MEGA) denies that the company knows your encryption key if, when you ask for a download link, the site shows you the key in a window.

Do you?
added on the 2013-01-21 19:51:01 by friol friol
plenty of ways to abstract that away, and all of them require you to trust them :p
added on the 2013-01-21 20:52:06 by nic0 nic0
maybe it's stored locally in sql? it's html5 after all...
added on the 2013-01-21 20:59:33 by booster booster

Could be stored "locally" on my PC, but I can't see how this can't be still stored "locally" if I change PC and access their servers.

Maybe there is a clever way of doing this, but at this time I can't get it...
added on the 2013-01-21 21:41:02 by friol friol
Not used it, but if you're logging in then your password could be used to decrypt the key - meaning your key is stored in encrypted form, and they don't know it. And your password can be stored in hash form too, meaning they don't know your key or password.

And of course, kim dotcom is totally trustable, never fucked anyone over, and never had any previous storage sites totally taken down causing lots of paying customers to lose their stuff ;)

I'd stick with sites that are more reputable. Even if you're using it for piracy.
added on the 2013-01-21 22:17:33 by psonice psonice
I wouldn't trust Kim Dotcom with a bagel let alone my files. Suck it, fatso!
added on the 2013-01-21 22:25:36 by okkie okkie

From a theoretical point of view, the password seems to be the encryption key. In fact the help says:

Quote:
Unfortunately, your MEGA password is not just a password - it is the master encryption key to all of your data. If you lose it, you lose access to all of your files that are not in a shared folder and that you have no previously exported file or folder key for.


(the password can't be recovered).

So, maybe the password is encrypted client-side in a non-reversible (at least, not easily) way, and sent to the server encrypted for comparison when you log in.

Also the files may be encrypted with this password and sent to the server.

Still, when I want to download a file, I do a GET request to the MEGA servers where the key is in the URL. So, I still don't understand how the server can't "see" that key.
added on the 2013-01-21 22:36:47 by friol friol
Your password is not among the parameters of that GET request, is it?
Then what you're seeing is probably just a hash.
If the GET key is not static, that thing might work like this:
- First registration: your browser hashes your password ( H1=hfunc(password) ), then sends H1 in the clear to MEGA. MEGA stores that value.
- The key involved in subsequent requests might be computed with key=hfunc(H1+other_stuff). As you can see, key can be computed separately by your browser and MEGA, while the latter only has to know and store H1.
added on the 2013-01-21 23:15:52 by ara ara
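An added example, not part of the thread and not MEGA's actual code: a Node.js sketch of the scheme psonice suggests (a key stored encrypted under the password, with only a hash kept for login), which also answers the "change PC" question, since everything except the password comes back from the server. Unlike the H1 scheme above, the value the server sees at login is not the one that decrypts the key. The KDF choice (PBKDF2 plus HKDF), the `auth`/`wrap` labels and all function names are assumptions.

```javascript
// Added sketch, not MEGA's code: KDF choice, labels and names are assumptions.
const { pbkdf2Sync, hkdfSync, randomBytes, createCipheriv, createDecipheriv,
        createHash, timingSafeEqual } = require("crypto");
const sha256 = (buf) => createHash("sha256").update(buf).digest();

// Client: stretch the password, then split into two independent 32-byte values.
function deriveFromPassword(password, salt) {
  const root = pbkdf2Sync(password, salt, 100000, 32, "sha256");
  return {
    authToken: Buffer.from(hkdfSync("sha256", root, salt, "auth", 32)), // sent at login
    kek: Buffer.from(hkdfSync("sha256", root, salt, "wrap", 32)),       // stays on client
  };
}
function wrapKey(kek, masterKey) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", kek, iv);
  const ct = Buffer.concat([c.update(masterKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unwrapKey(kek, { iv, ct, tag }) {
  const d = createDecipheriv("aes-256-gcm", kek, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on a wrong key
}
// Client, at sign-up: serverRecord is everything that gets uploaded.
function register(password) {
  const salt = randomBytes(16);
  const masterKey = randomBytes(32); // random file-encryption master key
  const { authToken, kek } = deriveFromPassword(password, salt);
  const serverRecord = { salt, authHash: sha256(authToken), wrapped: wrapKey(kek, masterKey) };
  return { serverRecord, masterKey };
}
// Server: verify a login without ever seeing the password or the kek.
function serverCheckLogin(record, authToken) {
  return timingSafeEqual(sha256(authToken), record.authHash);
}
// Client, on any PC: fetch the record, re-derive from the password, unwrap locally.
function loginAndUnwrap(password, record) {
  const { authToken, kek } = deriveFromPassword(password, record.salt);
  return serverCheckLogin(record, authToken) ? unwrapKey(kek, record.wrapped) : null;
}
// Server, trying every 32-byte value it holds or sees as the unwrap key.
function serverTriesUnwrap(record, seenAuthToken) {
  for (const guess of [record.authHash, seenAuthToken]) {
    try { return unwrapKey(guess, record.wrapped); } catch (e) { /* wrong key */ }
  }
  return null;
}
```

This separation only holds while the script the server delivers really keeps `kek` in the browser, which is the trust question raised elsewhere in the thread.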
i guess Kim and his guys think this is a way to protect themselves and avoid what happened to megaupload: if someone complains (eg: DMCA) about hosting piracy or whatever they could say: "we are not responsible for this, since we don't even know what people are hosting, here is the proof: everything is encrypted, only users are actually able to decrypt or make something meaningful with these bytes..."
added on the 2013-01-22 00:09:29 by Tigrou Tigrou
the internet interprets censorship as damage and routes around it.
added on the 2013-01-22 03:07:47 by Defiance Defiance
I see only one possibility how the company might NOT know your key: If the key is sent to the server in encrypted form, and when the key was displayed on your screen this was due to a local script (e.g. a javascript) that decrypted your key on your local PC, but did not send the decrypted key anywhere.

I wouldn't trust that the company really doesn't know your key.
added on the 2013-01-22 09:12:32 by Adok Adok
*likes okkie's comment* :)
I'd trust Dotcom to the end of the world.
After all, he's German, and who would have any reason to distrust/dislike those cute little Germans?
added on the 2013-01-22 09:58:36 by ted ted
Yeah, and he hacked nasa, fbi, telekom AND invented blueboxing, so he must be genius!
added on the 2013-01-22 10:01:52 by chromag chromag
and he's also half finnish!
whatever asshole he might be, at least he has courage.
added on the 2013-01-22 11:21:55 by v3nom v3nom
v3nom: heard of the term Ubermut (= overly courageous)? but then, i think he knows exactly what he's doing and there is no way in hell he would've come free without some kind of deal, if you remember how unjust the piratebay founders like peter sunde are treated.
added on the 2013-01-22 15:10:30 by vectory vectory
also: MEGA is too close to GEMA for my taste
added on the 2013-01-22 15:13:43 by vectory vectory
v3nom: a courageous piece of shit is still a piece of shit.
added on the 2013-01-22 15:21:52 by okkie okkie
Like we were saying: http://www.theregister.co.uk/2013/01/22/megaupload/
added on the 2013-01-22 15:45:00 by psonice psonice
Hahaha, once a snitch, always a snitch.
added on the 2013-01-22 15:48:39 by Gargaj Gargaj
Haha, what a terrible human being and company! Fuck them forever.
added on the 2013-01-22 17:05:39 by okkie okkie
okkie: sure, he betrayed other warez-guys back in the mailboxing days already, no wonder he does it again. he's reckless to the bone.. like a super-villain.
added on the 2013-01-22 18:44:16 by v3nom v3nom
...and he certainly looks the part, too!
added on the 2013-01-22 19:14:38 by ted ted
"insider trading" is the most boring super-villain-power ever.
added on the 2013-01-22 20:14:08 by Gargaj Gargaj