
Security Experts Say Kim Dotcom's MEGA is "fatally insecure" !

Discussion in 'BlackHat Lounge' started by Tensegrity, Jan 23, 2013.

  1. Tensegrity

    Tensegrity Jr. VIP Premium Member

    Joined:
    Apr 22, 2009
    Messages:
    1,845
    Likes Received:
    976
    http://www.informationweek.com/secu...insecure-kim-dotcom-defends-reboote/240146801

    "Chief among the security sins, Marcan said, is the hashing of files using the cryptographic technique known as cipher block chaining message authentication code -- better known as CBC-MAC -- which, as the name implies, is meant to authenticate messages rather than be used as a hashing function. "A few people have asked what the correct approach would've been here," he said. "The straightforward choice would've been to use SHA1, though MD5 or SHA256 -- for the more paranoid -- would also have worked well."

    Thanks to using CBC-MAC, however, the Mega service is vulnerable to having uploaded files intercepted. "If you were hosting one of Mega's CDN [content delivery network] nodes (or you were a government official of the CDN hoster's jurisdiction), you could now take over Mega and steal users' encryption keys," Marcan said. "While Mega's sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it.""


    I'd like to say I'm not surprised, but it is rather shocking.
     
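The quoted criticism rests on one point: CBC-MAC is a message authentication code, not a hash, and the two have different security goals. The example below is added here and is not code from the article, from Marcan, or from MEGA. It shows the textbook reason in Go's standard library: a recomputable "hash" has no secret, so whoever verifies it knows the key, and with a known key anyone can build a second, different message with the same CBC-MAC by XORing the chaining value into the next block, whereas SHA-256 offers no such shortcut. The key, prefix and message bytes are constructed sample values, and the generic zero-IV CBC-MAC is shown, not MEGA's exact variant, which this page does not describe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// CBCMAC computes a plain CBC-MAC (zero IV, no length encoding) over msg with
// AES under key. msg must be a whole number of 16-byte blocks. This is the
// generic construction; MEGA's actual variant is not described on this page.
// When the key is public, as it must be for anyone to recompute a "hash",
// every intermediate chaining value is computable, which SecondPreimage uses.
func CBCMAC(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		panic("message must be a non-empty multiple of the block size")
	}
	state := make([]byte, aes.BlockSize) // IV of all zeros
	for off := 0; off < len(msg); off += aes.BlockSize {
		for j := range state {
			state[j] ^= msg[off+j] // CBC: XOR the next plaintext block into the chain
		}
		block.Encrypt(state, state) // then encrypt the chain in place
	}
	return state
}

// SecondPreimage returns prefix || (target[0:16] XOR CBCMAC(prefix)) || target[16:].
// After prefix the chain value is CBCMAC(prefix); XORing that value into the first
// block of target cancels it, so from there on the computation is identical to
// CBCMAC(target). Any block-aligned prefix works, so the "hash" is not second-
// preimage resistant, which is exactly the property a file hash must have.
func SecondPreimage(key, prefix, target []byte) []byte {
	chain := CBCMAC(key, prefix)
	forged := make([]byte, 0, len(prefix)+len(target))
	forged = append(forged, prefix...)
	first := make([]byte, aes.BlockSize)
	for j := range first {
		first[j] = target[j] ^ chain[j]
	}
	forged = append(forged, first...)
	forged = append(forged, target[aes.BlockSize:]...)
	return forged
}

// SameCBCMAC reports whether two distinct messages share a CBC-MAC under key.
func SameCBCMAC(key, a, b []byte) bool {
	return !bytes.Equal(a, b) && bytes.Equal(CBCMAC(key, a), CBCMAC(key, b))
}

// SameSHA256 is the same check with a real hash function, for contrast.
func SameSHA256(a, b []byte) bool {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	return !bytes.Equal(a, b) && ha == hb
}

func main() {
	// Constructed sample values; a "hash" key is public by definition.
	key := []byte("0123456789abcdef")
	target := []byte("first block data" + "second block dat")
	prefix := []byte("unrelated prefix")

	forged := SecondPreimage(key, prefix, target)
	fmt.Printf("CBC-MAC(target) = %s\n", hex.EncodeToString(CBCMAC(key, target)))
	fmt.Printf("CBC-MAC(forged) = %s\n", hex.EncodeToString(CBCMAC(key, forged)))
	fmt.Println("CBC-MAC collision:", SameCBCMAC(key, target, forged)) // true
	fmt.Println("SHA-256 collision:", SameSHA256(target, forged))      // false
}
```

The defensive takeaway is the one the article draws: an integrity check on stored files needs a collision-resistant hash (or an HMAC when a secret key is actually available), and a MAC construction with a public key gives neither property.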
  2. Roparadise

    Roparadise BANNED

    Joined:
    May 25, 2011
    Messages:
    786
    Likes Received:
    1,417
    He doesn't give a flying fuck about the users, but how much money he can make from them. Hell, he would openly come out in support of SOPA if he found a way to make more money off it than if it wasn't around.
     
  3. BlueZero

    BlueZero Power Member

    Joined:
    Jul 6, 2011
    Messages:
    505
    Likes Received:
    261
    Occupation:
    Webdeveloper, Project Manager
    Location:
    Byte in the Net
    ROFL a security guy saying "use SHA1, though MD5 or SHA256 -- for the more paranoid" :D
    He disqualifies himself hardly ;-).

    MD5 is crackable, it's proven. Not talking about the huge amount of hash tables which exist.
    SHA1 is not crackable at the moment.

    Anyway, Kim doesn't care about how secure it is. He just wants to be safe against the law. And this gives him all he needs. Users take care of the security of the content.
     
  4. Oblivion13

    Oblivion13 Regular Member

    Joined:
    Sep 7, 2011
    Messages:
    459
    Likes Received:
    250
    I know I couldn't upload any files there yesterday. It was just resetting itself for some reason. Like I was at 60%, then it dropped down to 2%, so I went elsewhere.
     
  5. ShadeDream

    ShadeDream Elite Member

    Joined:
    Nov 27, 2008
    Messages:
    2,209
    Likes Received:
    5,237
    Location:
    He who laughs last, laughs longest.
    "Mega" + "security flaw" aka "Mega security flaw" goes well together... lol
     
  6. Tensegrity

    Tensegrity Jr. VIP Premium Member

    Joined:
    Apr 22, 2009
    Messages:
    1,845
    Likes Received:
    976
    I think the point is not whether MD5 is crackable but rather the security MEGA chose to use is.
     
  7. phpbuilt

    phpbuilt Jr. VIP

    Joined:
    May 16, 2011
    Messages:
    1,651
    Likes Received:
    5,240
    Occupation:
    $ from websites I own.
    Location:
    putting monkeys in paypal
    Who the heck is going to bother sniffing packets and hacking to intercept someone's TV show or porn upload? There are far easier ways to get them. After Mega went down the first time, anyone would be stupid to stick anything on Mega's service that is actually important, for fear of loss.