Truth on Mega

January 31st, 2013 at 1:51 pm by David Farrar

reports:

Over the last couple of hours the usual suspects in our tired old media have cut and paste an article from Computerworld. In their efforts they report that Mega has received 150 copyright infringements since its launch. Mega have provided their flunkies at Stuff and the Herald the usual weasel words about how they are doing everything correctly and they have removed any files that are found to be infringing the law.

All good so far.

However, two points that need to be considered.

1. If Mega is fully encrypted (as an artifice to dodge the rules by the site owners maybe) how can anybody know what is in the supposed infringing files?

2. And by far the single most explosive point to this story is that Computerworld have provided further info that Stuff and the Herald chose to ignore.

If you visit www.mega-search.me you will see that the whole scheme is just like the old scheme. Mega is a file sharing service to allow you to upload data and share it. There are dozens of listings for copied and copyrighted material that are quite clearly illegal.

We are not suggesting that owns, runs, manages or even knows anything about the search site but I bet he will be trying very hard to get it closed as it clearly shows exactly what this latest business is. We note that the search utilises Mega’s logo extensively.

It will be interesting to see if further legal action eventuates on this.


20 Responses to “Truth on Mega”

  1. labrator (1,850 comments) says:

    If Mega is fully encrypted (as an artifice to dodge the rules by the site owners maybe) how can anybody know what is in the supposed infringing files?

    The same way the complainant found out? By downloading it? If you make a link public on any file sharing software, it doesn’t get downloaded as an encrypted file or you wouldn’t be able to use it.

    Vote: Thumb up 4 Thumb down 0
  2. Weihana (4,557 comments) says:

    It will be interesting to see if further legal action eventuates on this.

    Not really. Every site with this type of user generated content will sooner or later get a take-down notice. If and when one is received they will act presumably. My understanding is that the point of the encryption is to prevent any suggestion that Mega should be under an obligation to proactively filter what is uploaded since they can only act after the encryption key is made public and a take-down notice issued.

    Vote: Thumb up 4 Thumb down 1
  3. Weihana (4,557 comments) says:

    If you visit http://www.mega-search.me you will see that the whole scheme is just like the old scheme

    I see nothing but a blank page.

    Vote: Thumb up 6 Thumb down 0
  4. brucehoult (195 comments) says:

    The site (without www.) does look to have genuine stuff.

    Anyone could register this domain and upload things onto Mega, and if they did so they would of course know the contents of files they had uploaded.

    Most of the Mega story makes sense except for the ability to share files with others.

    If, as Mega say, their Javascript creates an encryption key on your computer which is not shared with Mega (or anyone else), then how can someone you give a sharing link? They can receive the encrypted file, but have no way to decrypt it.

    Vote: Thumb up 2 Thumb down 0
  5. brucehoult (195 comments) says:

    Searching the index site for a popular motoring program finds https://mega.co.nz/#!AZAlWahT!S3AKcnRT6TjPKbqxX5N5xmT3C10qtSWE5yjUjhhR1oQ which does in fact appear to be the first episode of a new season.

    There are 52 characters after the #!. If, as appears to be the case, they’re using A-Z, a-z, 0-9 (62 possible codes) then they have 309 bits available. That means the URL itself could well contain a 256 bit encryption key for the file, with 53 bits left over to identify the file. Which is ample.

    So that means it could be plausible for Mega themselves to not be able to decrypt the file.

    However, that theory contradicts Mega’s claim that they are using 1024-bit encryption.

    Vote: Thumb up 2 Thumb down 0
  6. brucehoult (195 comments) says:

    Just noticed there is an exclamation mark 8 characters into that URL, and indeed at the same position in all Mega URLs at mega-search.me.

    So that’s probably splitting the file ID part from the encryption key, giving 8 characters or 47 bits for the first part and 43 characters or .. surprise .. 256 bits (43*log(62)/log(2)) for the second part.

    So, yes, it seems very likely that those last 43 characters in the URL are a 256-bit encryption key.

    Vote: Thumb up 4 Thumb down 0
  7. davidp (3,581 comments) says:

    Any sort of encryption is only as secure as the provider’s implementation and business processes. This isn’t a technology problem, but an issue of trust. And I don’t see how anyone can trust a guy who has fraud convictions, is on the run from the law in at least one country, and is prone to making unbelievable statements. It’s like a convicted burglar setting up a storage business and boasting about the strength of the locks on the storage units.

    Vote: Thumb up 3 Thumb down 1
  8. brucehoult (195 comments) says:

    And indeed, if you just take the first part of that URL https://mega.co.nz/#!AZAlWahT then you are prompted for the encryption key. Pasting the remaining S3AKcnRT6TjPKbqxX5N5xmT3C10qtSWE5yjUjhhR1oQ into the encryption key box reveals the true name of the file and allows you to start the download.

    Apologies to those for whom this was all obvious from the start.

    Vote: Thumb up 6 Thumb down 0
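
Added example, not part of the comment thread and not Mega's own code: it splits a link of the `#!<file id>!<key>` shape discussed in comments 5, 6 and 8, shows that both parts sit in the URL fragment (which browsers do not send in the HTTP request), and reproduces the commenter's 62-symbol capacity estimate. The sample link is constructed, and the unpadded URL-safe base64 reading of the key is an assumption shown alongside for comparison.

```javascript
// SAMPLE_LINK is constructed: same shape as the links quoted above, not a real file.
const SAMPLE_LINK =
  "https://mega.co.nz/#!Ab3dEf9h!0123456789abcdefghijABCDEFGHIJklmnopqrstuvw";

function parseShareLink(link) {
  const url = new URL(link);
  // Everything after '#' is the fragment. Browsers keep it client-side and
  // do not include it in the HTTP request.
  const m = /^#!([^!]+)(?:!(.+))?$/.exec(url.hash);
  if (!m) throw new Error("not a #!<id>!<key> style link");
  return {
    requestTarget: url.pathname + url.search, // what the server is asked for
    fileId: m[1],
    key: m[2] || null, // null: the page has to prompt for the key (comment 8)
  };
}

// Upper bound on the bits `text` can carry for a given alphabet size.
function capacityBits(text, alphabetSize) {
  return text.length * Math.log2(alphabetSize);
}

// Assumption: the key is unpadded URL-safe base64 (64 symbols, '-' and '_').
function decodedKeyBytes(key) {
  const std = key.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(std, "base64").length;
}

function analyse(link) {
  const p = parseShareLink(link);
  return {
    ...p,
    // The commenter's assumption: A-Z, a-z, 0-9 only (62 symbols).
    idBits62: Math.floor(capacityBits(p.fileId, 62)),
    keyBits62: p.key ? Math.floor(capacityBits(p.key, 62)) : 0,
    keyBytesB64: p.key ? decodedKeyBytes(p.key) : 0,
  };
}

console.log(analyse(SAMPLE_LINK));                     // full link: id + key
console.log(analyse("https://mega.co.nz/#!Ab3dEf9h")); // id only: key is null
```

Either reading puts about 256 bits of key material in the 43-character part, so anyone who obtains the full link holds everything needed to decrypt the file.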
  9. Scott Chris (6,150 comments) says:

    Over the last couple of hours the usual suspects in our tired old media have cut and paste an article from Computerworld. In their efforts they report that Mega has received 150 copyright infringements since its launch. Mega have provided their flunkies at Stuff and the Herald the usual weasel words about how they are doing everything correctly and they have removed any files that are found to be infringing the law.

    Slater (assuming he is the author of this piece) makes two glaring grammatical errors in this paragraph. Kind of ironic considering the aspersions cast upon his fellow journalists.

    Vote: Thumb up 2 Thumb down 4
  10. Weihana (4,557 comments) says:

    brucehoult,

    So, yes, it seems very likely that those last 43 characters in the URL are a 256-bit encryption key.

    But it’s enough to claim plausible deniability which, at this stage, is probably the primary concern. But Kim Dotcom has an opportunity to capitalize on the interest in his website. Experts are beta-testing his website for him which provides the opportunity to develop a more secure site over time. I doubt anyone is putting truly important stuff on the site just yet anyway. People will not fully trust the man or his company until he wins his court battles (if he can).

    Vote: Thumb up 1 Thumb down 3
  11. Paulus (2,632 comments) says:

    Looks like a good place to hide KiddiPorn from around the world.

    Vote: Thumb up 0 Thumb down 3
  12. OneTrack (3,114 comments) says:

    “I doubt anyone is putting truly important stuff on the site just yet anyway.”

    Of course. Just copyrighted material that needs to be distributed to the masses. Value = $0.

    Kim Dotcom is great. Free movies and music, free firework displays and free icecreams. Dotcom for president of New Zealand.

    Vote: Thumb up 5 Thumb down 1
  13. landoftime (35 comments) says:

    I really hope that Megavideo is coming back. Megavideo was a safe place to stream movies and programmes. I miss it so much. I hope he can get something new off the ground. I’ve had two viruses from streaming since Megavideo was closed.

    Vote: Thumb up 2 Thumb down 0
  14. slijmbal (1,236 comments) says:

    I presume it is using public key encryption whereby one can provide a key that enables decryption – this is a well established mechanism for encryption – thus the garage for the data cannot decrypt the data without the owner of the data providing the appropriate key – should the owner of the data make that key public then it is by definition available to the public.

    As much as I have no time for this chubby German he is as guilty as Telecom for enabling telephone threats – he provides a secure mechanism to enable communication of data – he does not own the data. As long as he provides mechanisms to aid addressing of illegal activities he is not doing anything illegal.

    @Paulus “Looks like a good place to hide KiddiPorn from around the world.” – as is email, as is peer to peer software, as is posting DVDs, as is the telephone, as is TOR etc etc

    Vote: Thumb up 3 Thumb down 0
  15. tristanb (1,127 comments) says:

    Paulus (1,487) Says:
    January 31st, 2013 at 5:41 pm
    Looks like a good place to hide KiddiPorn from around the world.

    Brave of you to admit that on the internet, but probably not a good idea.
    This organisation might be of use to you:
    http://www.stop.org.nz/main/adult_whofor/

    I’d encourage you to stop what you’re doing. If you’ve got spare money, perhaps see a private psychologist who might be able to teach you techniques to stop your offending before it escalates.

    Vote: Thumb up 2 Thumb down 2
  16. slijmbal (1,236 comments) says:

    In order to add some perspective let’s list some example commercial organisations that not only provide facilities that enable illegal behaviour but also do it in a manner to protect such behaviour

    – Telecom – should you receive a threatening email they will actively prevent you tracking down the owner of the IP address – you can provide the threatening email, they will insist you have a warrant and ensure that the details of any non static IP addresses are not retained in reasonable timescales – this is because it used to cost them a fortune satisfying similar requests – by the time you get a warrant the details are ‘lost’

    – Every single torrent mechanism

    – Mobile carriers in NZ – should your phone be lost/stolen – despite the fact the device has a unique ID they will not assist you in tracking down the ‘new owner’

    – NZPost – provide cash only visa cards

    – BitCoins – used to perform anonymous purchases on the internet

    Vote: Thumb up 1 Thumb down 0
  17. Barnsley Bill (983 comments) says:

    Marvelous, so we have a few KDC fanboi’s, a few techies and one grammar Nazi.
    The simple fact is that this new Mega is no different from the old one. A safe harbour for thieves and perverts.

    Vote: Thumb up 3 Thumb down 6
  18. Johnboy (16,651 comments) says:

    I think we should make Kim President before Antigua and Barbuda make him an offer he can’t refuse! :)

    Vote: Thumb up 2 Thumb down 1
  19. expat (4,050 comments) says:

    Hey Barnsley ya moaning old pervert!!

    Vote: Thumb up 4 Thumb down 0
  20. JayMal (28 comments) says:

    Firstly the search-mega site contains user-submitted links. Something any journo worth half their salt would have realised. This means the encryption is secure and people have gone to that site and posted links to their files and the decryption keys. This can be done with any major file storage site (dropbox, box, google drive, skydrive, sugarsync, etc…).

    Secondly, there has been no fact checking on what a normal number of copyright notices would be for this type of site. For example how many does Youtube (albeit a much larger site) get on a daily basis, how many does Dropbox process, how many does Mediafire process? In addition with the focus on Mega it’s hardly surprising both pirates and rights holders will have an initial flurry, but this is not proof of anything illegal by the owners of Mega.

    Finally, I am not defending Mega. I think the jury should still be out on whether it is a good service or not. I am also dubious of claims it is designed to offer Mega complete legal protection for the future (I don’t think such a thing exists and even if it did I think Mega can still be found to have both actual and constructive knowledge of infringement in the right fact scenario).

    However, I do have a problem with poor and muck raking journalism, which doesn’t attempt to give a balanced or fully informed report.

    Vote: Thumb up 5 Thumb down 0