It’s funny how things work out. Entrepreneur Kim Schmitz changed his name to “Dotcom” out of respect for the technology that made him filthy rich. However, his newest website doesn’t end in dotcom. He doesn’t dare use that top level domain because that would be an open invitation to the U.S. authorities to mess with him. I think Mr. Dotcom would like to be through dealing with the American government if he can. So he’s using .nz, the top level domain code for New Zealand, where he resides.
Actually, his new site is a double dot–mega.co.nz, or Mega. Originally, he planned to use the too-trippy URL Me.ga, using the country code domain for Gabon, a plan that was derailed because the government of Gabon didn’t want to be party to “violating copyrights.” Mr. Dotcom might be excused for suspecting the United States of being an outside instigator in this matter.
But he’s done it–risen from the ashes and all that. Good for him, I say. According to him he signed up over a million subscribers within 24 hours of going online this weekend. I admit to being a little jealous of that. If we get five thousand visits in a day here at FOSS Force, we celebrate.
Here’s what you get for free on Mega, according to the folks at Mashable:
“The free plan gives users 50GB of file storage. There are no hard limits on file size, meaning users can use Mega as a way to back up photos, documents and other data. Obviously, this means users can use Mega as a way to store media content — video files, music, DVD images — as well.”
Although the service works primarily with desktop browsers, and is optimized for Chrome, we are told there are plans for client-side apps that will evidently make the site usable from smartphones and the like.
There are serious problems, however.
Mega is billing itself as “The Privacy Company” and is pushing the fact that everything stored on the site is encrypted using a 2,048-bit RSA key. Although this sounds good, it appears that this angle is only half-baked and is really Dotcom’s way of keeping the enforcers for the copyright trolls off his back.
Encryption on Mega is tied to the user’s password. According to the site, a lost password means permanent loss of access to anything that isn’t in a shared folder. If this isn’t bad enough, it’s also impossible to change a password without losing what’s already been stored. In other words, if someone hacks an account, the user can’t reset the password and move on. Oddly, when opening a new account the user isn’t prompted to repeat the password. A typo here could mean no access to the account from the start.
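The design described above ties the file key directly to the password, so a new password means a new key and the old files become unreadable. As an added illustration (not from the article and not Mega’s own code), here is the usual alternative: files are encrypted under a random master key, and only that master key is wrapped under a password-derived key, so a password change re-wraps one 32-byte value and touches no ciphertext. Python standard library only; the XOR-plus-HMAC wrap and the iteration count are stand-ins for a real key-wrap primitive such as AES-KW and a tuned work factor.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the hardware

def derive_kek(password: str, salt: bytes) -> bytes:
    """Stretch the password into 64 bytes: 32 for wrapping, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=64)

def naive_data_key(password: str, salt: bytes) -> bytes:
    """The design described in the article: the file key is the password-derived
    key itself, so a new password yields a new key and old ciphertexts are lost."""
    return derive_kek(password, salt)[:32]

def wrap_master_key(password: str, master_key: bytes) -> dict:
    """Wrap a random 32-byte master key under a fresh password-derived KEK.
    XOR with KDF output plus an HMAC tag stands in for AES key wrap (stdlib only)."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    pad, mac_key = kek[:32], kek[32:]
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_master_key(password: str, record: dict) -> bytes:
    """Recover the master key; a wrong password fails the tag check instead of
    silently producing garbage key material."""
    kek = derive_kek(password, record["salt"])
    pad, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or corrupted key record")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))

def password_is_correct(password: str, record: dict) -> bool:
    """Check a password against the key record without exposing the master key."""
    try:
        unwrap_master_key(password, record)
        return True
    except ValueError:
        return False

def change_password(old_password: str, new_password: str, record: dict) -> dict:
    """Rotate the password: unwrap with the old one, re-wrap under the new one.
    The master key, and every file encrypted under it, is untouched."""
    master_key = unwrap_master_key(old_password, record)
    return wrap_master_key(new_password, master_key)
```

The same hierarchy also lets a recovery key be stored as a second wrapping of the master key, which is how a service can offer a password reset that does not destroy the user’s data.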
Since going online this weekend, security experts have been busy punching holes in the site’s security. On Monday, Forbes quoted Nadim Kobeissi, creator of the secure chat program Cryptocat, as saying:
“It’s a nice website, but when it comes to cryptography they seem to have no experience. Quite frankly it felt like I had coded this in 2011 while drunk.”
Problems abound. Since the encryption is performed by JavaScript that the user’s browser downloads from Mega’s own servers, if a black hat gains entry to those servers they can “change their code to force your browser to send them your Mega encryption keys, or change the code to disable crypto from the get-go,” according to Kobeissi.
Indeed, the site already seems to be vulnerable to the black hats, according to Michael Lee on ZDNet:
“Users have already found cross-site scripting vulnerabilities on the site, which could be used, for example, to send off session cookies to an attacker so that they can log in as they please. Someone with a more malicious imagination can come up with better, but I can easily see the potential for a social engineer to create a form that requires the user to log in again before they can upload or download files. From here, they could gather Mega log-in details or even request that the user ‘link’ accounts with other services, such as Facebook, or PayPal, if they’re daring enough.”
It looks as if Mr. Dotcom has rushed this project to completion–which is too bad as this might be his only chance to redeem a reputation that would seem to have been unfairly tarnished by overzealous politicians. I certainly wouldn’t recommend anyone use the service for anything mission critical–at least not until the security issues have been addressed.