Security Experts Say Kim Dotcom's MEGA is "fatally insecure"!

Tensegrity

http://www.informationweek.com/security/encryption/mega-insecure-kim-dotcom-defends-reboote/240146801

"Chief among the security sins, Marcan said, is the hashing of files using the cryptographic technique known as http://en.wikipedia.org/wiki/CBC-MAC -- better known as CBC-MAC -- which, as the name implies, is meant to authenticate messages rather than be used as a http://www.informationweek.com/security/encryption/sha-3-secure-hash-algorithm-new-face-of/240008394. "A few people have asked what the correct approach would've been here," he said. "The straightforward choice would've been to use SHA1, though MD5 or SHA256 -- for the more paranoid -- would also have worked well." Thanks to using CBC-MAC, however, the Mega service is vulnerable to having uploaded files intercepted. "If you were hosting one of Mega's CDN [content delivery network] nodes (or you were a government official of the CDN hoster's jurisdiction), you could now take over Mega and steal users' encryption keys," Marcan said. "While Mega's sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it.""


I'd like to say I'm not surprised but it is rather shocking.
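
The difference the quoted article draws between CBC-MAC and a hash function, as an added example that is not part of the original post or of Mega's code: when the party serving a file also knows the CBC-MAC key, a CBC-MAC check accepts altered content that a SHA-256 check rejects. Assumptions of this sketch: a toy Feistel cipher stands in for AES, the IV is zero, padding is zero bytes, and the key and sample contents are constructed.

```python
import hashlib

BLOCK = 16  # bytes per block, as in AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of a toy Feistel cipher: a constructed stand-in for AES.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def pad(data):
    return data + b"\x00" * (-len(data) % BLOCK)

def cbc_mac(key, data):
    # Zero IV; each block is XORed into the running state, then encrypted.
    state = bytes(BLOCK)
    data = pad(data)
    for i in range(0, len(data), BLOCK):
        state = encrypt_block(key, _xor(state, data[i:i + BLOCK]))
    return state

def block_reaching(key, prefix, tag):
    # With the key in hand, one extra block steers any prefix to a chosen tag:
    # E(state XOR last) == tag  <=>  last == D(tag) XOR state.
    return _xor(decrypt_block(key, tag), cbc_mac(key, prefix))

def compare_checks():
    key = bytes(range(16))                    # constructed; known to the file's server
    genuine = b"/* genuine file contents */"  # constructed sample
    altered = pad(b"/* different contents */")
    altered += block_reaching(key, altered, cbc_mac(key, genuine))
    return {
        "cbc_mac_match": cbc_mac(key, altered) == cbc_mac(key, genuine),
        "sha256_match": hashlib.sha256(altered).digest() == hashlib.sha256(genuine).digest(),
    }

if __name__ == "__main__":
    print(compare_checks())
```

A MAC only gives integrity against parties who do not hold the key; a collision-resistant hash has no key to hold.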
 
He doesn't give a flying fuck about the users, but how much money he can make from them. Hell, he would openly come out in support of SOPA if he found a way to make more money off it than if it wasn't around.
 
ROFL a security guy saying "use SHA1, though MD5 or SHA256 -- for the more paranoid" :D
He disqualifies himself hardly ;-).

MD5 is crackable, it's proven. Not talking about the huge amount of hash tables which exist.
SHA1 not crackable at the moment.

Anyway Kim doesn't care about how secure it is. He just wants to be safe against the law. And this gives him all he needs. Users take care about the security of the content.
 
I know I couldn't upload any files there yesterday. It was just resetting itself for some reason. Like I was at 60% then it dropped down to 2% so I went elsewhere.
 
"Mega" + "security flaw" aka "Mega security flaw" goes well together... lol
 
I think the point is not whether MD5 is crackable but rather the security MEGA chose to use is.
 
Who the heck is going to bother sniffing packets and hacking to intercept someone's TV show or porn upload, far easier ways to get them. After mega went down the first time, anyone would be stupid to stick anything on mega's service that is actually important for fear of loss.
 