8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data.
Duplicate check, I get that. But, how do they do it? They say the files are encrypted on the browser, so if I upload file X and other user uploads X too, they can't know they're the same because both uploads are encrypted. So, they can check only for duplicates of the encrypted outcome of each file. But, wouldn't that be inefficient? Probability of collision in encrypted files is (AFAIK) really low, something like 2^(-N), N being the size of the file on bits... If I did it well, it'd be a collision probability of 7.458E-155 for a file of 1MB.
"A node token ("magic cookie") grants access to a subtree of the issuing user's filesystem. An associated symmetric key is required to decrypt and/or store decryptable data."
Apparently, they use unsalted symmetric key encryption which allows them to discover [hash(file), password] duplicates. By comparison, the old Megaupload would apparently deduplicate based on [hash(file)] matches.
Suppose Alice and Bob have files [D, E, F] and [F, G, H], respectively. If MEGA discovers that Alice and Bob share a duplicate file F and Alice to reveals her password (through password frequency analysis or to the Government), then all of Bob's files are compromised.
I would personally feel unsafe storing private documents on Mega due to the lack of public/private key encryption, but that's me.
> I would personally feel unsafe storing private documents on Mega due to the lack of public/private key encryption, but that's me.
It is probably worth pointing out that all of this encryption stuff is only for them. Nomatter how they brand it, the purpose is to give them plausible deniability, which they lacked with the previous Mega.
If you want encryption meant for you, then you should probably just encrypt your files yourself before you let Mega touch them.
It's pretty embarrassing that tech blogs are even covering this. Copyright law is about intent, not about technical specifics. The idea that new megaupload is ok because it encrypts illegitimate content before storing it is absurd.
Morally ok? That is subject to opinion. I don't have a problem with them now, and I never did.
Legally immune? They very well could be. Certainly any action against them is going to be much harder this time, if only because a bunch of people in New Zealand are still pissed about what happened last time without the revisions that were made. If their system works as they claim, and renders them unable to govern content, then how could they be considered culpable for content? If I start posting nasty stuff encrypted with PGP to HN, would HN be to blame for failing to recognize the nasty stuff and remove it?
However you feel about copyright, profitting off of the distribution of other peoples work, without their permission, is not something that should be encouraged or tolerated.
Hm. This makes it sound like your point stands regardless of personal ethics; as though
> profitting off of the distribution of other peoples work, without their permission, is not something that should be encouraged or tolerated
is a provable, obvious, non-debatable stance. I don't think it is.
I don't think profiting off it changes the basic ethics; if something is morally okay to do as a hobby, it should generally be morally okay to do as a business until proven otherwise.
I wouldn't agree you always need the permission of someone upstream to share ideas or content. That's something we can discuss. Don't make it sound like you have the answer sheet in front of you.
Roughly speaking I agree with you, but where do you draw the line? If I download a movie illegally right now then chances are Google and Firefox are immediately benefiting from it, and then even further away are Microsoft (OS), hardware manufacturers, etc. who profited off enabling me to do this.
Is the line about intent rather than technicality? For example how driving a bus that a drug dealer is on is not illegal, but driving the getaway car from a robbery is? If it is, then how does one prove that Dotcom wants to support copyright violation, rather than his official stance of just believing that there is a level past which he can not be expected to police his customers?
It takes some twisted logic to think thats a valid analogy. Dropbox is a perfectly valid filehosting service because they take reasonable measures to prevent copyright infringement. Megaupload(and mega) is not, because it's run by a person who has no real interest in preventing copyright infringement, and has shown that he's more than willing to profit off it, while he pretends that he doesn't know it's occurring or can't prevent it.
Define 'reasonable measures'. People use Dropbox to share copyrighted material all the time. Ditto S3, gmail, external hard drives, and any file storage method in existence.
Enforcement of the standard you're promoting would require pervasive surveillance of every data storage and transfer method in the world, and backdoor access for all forms of encryption.
Freedom of information and communication is orders of magnitude more important for a healthy and free society than copyright of digital goods, and you can't have both--they are fundamentally incompatible.
Arguing against piracy on the internet is a giant waste of my time because if you have it in your head that piracy is "good" or "ok" then you will rationalize bad arguments all day defending an incorrect position.
To address your latest spurious post, dropbox, gmail, etc. Facilitate file sharing on a small scale. Public links to megaupload listed on public aggregating websites that list the latest 'releases' are an entirely different matter. You obviously know that but are willfully blind to it to make stupid arguments.
No, you are taking a childish view of the defenders of piracy.
Let's say you are right. Explain to me how you would justify the pricing scheme we have for digital media to the average person on this planet, who most likely is Indian/Chinese/Nigerian and makes less that $5 a day.
How much should we charge this individual? Do you think they have the same right as westerners to challenging themselves and experiencing other cultures?
No, you assume that piracy is only white people that don't have a large allowance, which is a childish view perpetuated by the media. Most people don't have a computer, and if they are lucky enough to get one they should be able to have access to a large variety of the same digital goods.
Arguing against piracy on the internet is a giant waste of my time because if you have it in your head that piracy is "good" or "ok" then you will rationalize bad arguments all day defending an incorrect position.
Don't you have it in your head that danenania's position is incorrect and it's therefore a waste of time to argue the subject with you? It certainly seems so, specially since danenania isn't actually arguing for piracy, just that (s)he considers the steps of eliminating piracy to go against more important values.
As an analogy, the fact that I defend almost absolute free speech doesn't mean I'm in favor of all speech, it just means that eliminating said speech is worse than allowing it to exist freely.
First of all, MegaUpload did take preventative measures, at least that is what they argue. It's clear you don't understand how dangerous it is to take down the provider for a users actions.
No artist is ever paid when Vevo displays an artists music video on Vevo. Yet, google pays artists who post their own work. That means Gangnam Style has probably make over a million dollars from advertising on Youtube. So who is stealing more? The distributors or Google. The answer is: they are all stealing. The largest portion always goes to the content manager. Pulling distribution from the hands of companies and putting it back into the artist control will see a much fairer distribution of wealth. Thus the conflict and artificial moral discussions we see pushed from media about this. Sharing is a moral act.
Gmail shows me ads related to the content of my email. Worse, it shows ads related to the content of emails sent by my friends and family.Some of which have no relationship or agreement with Google. Google does this to maximize advertising revenue. Google is profiting off the original works of my friends and family without their permission and provides them absolutely nothing in return. Now you may complain about the moral and ethical practice of distribution rights. But sharing with people you know is not distribution. Most countries have different laws for sharing then distribution. In my country it is naturally legal to share music and other recorded content. Your country may convince you that this immoral, but in the natural sense, sharing is never immoral. In fact it is compassion.
What do you have to say to those of us who disagree completely and fully with the entire concept of intelectual property?
With the way I feel about copyright, I believe distribution of other peoples work, with permission or otherwise is something that should be actively encouraged and praised.
Whether they profit off of it or not is completely irrelevant.
As soon as a file goes public and anybody can get it, then it seems to me irrelevant that its encrypted on mega servers. They'll have to respond to takedown requests because the contents are known.
And if mega is de-duping content then that could technically eliminate "whack a mole" for the copyright holders (except for people re-encoding the file and re-uploading). I had heard in the past that mega would only take down one link.
> They'll have to respond to takedown requests because the contents are known.
And presumably, unless they think they can legally get away with ignoring it, they will.
What they won't be able to do is respond to a request that says "Delete all copies of [Big movie of the year], and continue to delete all of our movies as they pop back up."
This is the important bit. Files can be shared between private groups, using Mega as an intermediary, without them ever becoming indexed on the public web. Previously, files shared in this manner could still be a target of a takedown, because Megaupload would know they had them, even if nobody else did. Now Mega can make a stronger guarantee about keeping this kind of sharing "safe", because they have no idea whether they're hosting this kind of file or not.
Tell that to the valid copyright holders hosting their content on MegaUpload. Regardless of whether the system is used for legal or infringing purposes, the reality is that distribution companies have the ability to take down both when they claim some are using it to infringe. The concern for copyright holders is not the encryption per say, but the ability for big business to NOT be able to take down their legal content under the guise of a moral cause.
I dont think the content can be accessed by mega without the full URL. The URL probably contains the information about the location of the data plus a passphrase to unlock the key to decrypt the data. In this way mega could hold the data without knowing the URL to access and decrypt it. The full URL would only be retrievable through the user interface, which mega would not have access to unless their servers are storing your login password. Which I assume they are not for legal reasons. I am making assumptions here.
Copyright law can absolutely hinge on technical specifics. Look at network DVR services being forced to store a copy of a show per user in order to be found legal in the US.
In order to maintain the plausible deniability, Mega cannot store an decryption passphrase. Meaning they will not have the links to the unencrypted files. As the URL will contain the passphrase within it. The only thing required to make this private is to plug a Tor hidden service onto the front end. That way the direct link to the data is not known by the download user and Mega will not store this link without losing plausible deniability. Win win. Bad part is that all downloads now have to go through Tor (slow).
I'm not entirely sure what they mean by a "magic cookie" here.
The document does say it uses public/private keys for data transfer. You would not usually use public/private for data storage because of the huge keysizes required.
I think the cookie bit is just an authorization credential.
If they use asymmetric encryption for data transfer, then how does that work as part of a convergent encryption scheme? Wouldn't all of the file hashes be different at that point?
I would assume the asymmetric crypto is just for the transfer. In other words you encrypt the data and then send it wrapped in another layer of public/private crypto. Not entirely sure though.
Possibly convergent encryption, basically when you encrypt the file you use a hash of the file as the key.
This key can then be encrypted with several different passwords meaning that several people can decrypt this file.
Yes, there's exactly the same problem as with Freenet. Because same plaintext encrypts to same ciphertext there is huge problem with that. If I really don't anyone want to know that I got this data, that's failed scenario. It makes things easier for service provider, they don't want to know what they're storing. Just like Freenet's data cache. But if I know what I'm looking for, I can confirm if my cache contains that data or not. Therefore this approach doesn't remove need for pre-encrypting sensitive data. Otherwise it's easy to bust you for having the data.
Edit: GNUet quote:"The gnunet encryption scheme is remarkable in that it allows identical files
encrypted under different keys to yield the same ciphertext, modulo a small
block of metadata. These files can then be split into small blocks and distributed
(and replicated if need be) across hosts in a gnunet system to balance load."
This means that if there's a commonly available plaintext version of a file, then you can encrypt it, compute the hash of the encrypted version and then serve it to Mega along with a DMCA takedown notice.
They wouldn't really want that, would they? So as clever as it is, I doubt they do it this way.
>then serve it to Mega along with a DMCA takedown notice.
The thing with copyrighted content, though, is that even if the file you're checking might be infringing on copyrights in certain cases, in other cases it might as well be completely legit. I wrote about this on some earlier MU submission[1], so I won't repeat all that here, but all in all, even if you knew that file X existed on Mega's servers, it would be pretty damn haphazard to just outright delete it, because you might be hurting many legitimate users by doing so.
Anyway, I think Mega could secure user's files simply by encrypting the locator keys they have with the user's own key, and this data only gets decrypted and parsed client-side when the user uses Mega with the user's own key. This way you could only prove that a file exists on Mega's servers, but had no way to check which user(s) it belongs to without cracking the individual user data one by one. And of course, if you don't have any exact files to check against Mega, then you wouldn't be able to even figure out whether "content X" is hosted there somewhere, and neither could Mega (since they'd naturally only store locator hashes and encrypted data itself).
There'll be plenty of cases when the content is inherently infringing. Cam copies, for example. Additionally, if there's a jurisdiction where a DVD rip of Dora The Explorer is not considered a fair use, they may start pounding Mega to limit this jurisdiction's access to the file. This sort of thing.
But when someone uploads the same file with a different password, if they want to de-duplicate on content alone, they need to be able to put that new encrypted file hash alongside the original.
One solution to that would be to have two hashes of the file, and to use one as the key and one as the index.
Well, they could have. Unless you're generating original content. This is the problem if you are sharing nothing something which is not 100% original on block level.
This is just the reason, why sensitive data needs to be encrypted before deduplication.
Well, you said "encrypt", what do you mean by encrypt? What's the key? In the Freenet's solution, they encryption key for the data is the data, not any random or user provided key. So the same plaintext is always turned in to same ciphertext. Which we all know, it's very bad idea, it ruins encryption. In this case, it's quite easy to spot out all of the users having the same content in their account.
This is only reasonable method when ever you can assume that every plaintext is unique, which also makes point of deduplicationg data absolutely pointess.
Convergent encryption sounds great. But if Mega is using this, do they have any way of finding out which users have a specific file?
Example: Alice and Bob both upload the same file to Mega. Alice is raided by the MAFIAA. They get a court order telling Mega to list all users having a copy of that file. Can Mega comply? Or does not even Mega know that Bob has the same file too?
Related question: Is there any way for Bob to share his uploaded file with friends?
I guess that is generally done using "convergent encryption". There are many variations and they were done by some peer-to-peer DHT filesystem (I was kinda involved in some "skunk" projects developing it).
The idea is simple: if you have data, then you can generate the key from data itself to encrypt and decrypt than data. Then you use hash of encrypted data to look up if server (or just other side) has the same data. If hash exists, no need to send to server - just tell server to bump references. If hash does not exists, just upload data. The key derived from data needs to be stored locally - if you lose it, you will lose data too.
Which is to say that every file has a globally 1-to-1 mapping to its encrypted version. I'm not sure how they are storing the (User, [(Filename,Key)]) data, but this is ideally encrypted on a per user basis, making any sort of per-user lookup attacks moot.
Perhaps, a much simpler possibility than the other proposed in this thread, is that, in addition to uploading the encrypted file, the service uploads hashes of chunks of plaintext data. That way the service can just compares hashes of data, just like a regular dedup implementation.
Maybe they use block deduplication on the storage arrays? Particularly looking at the "our service may automatically delete a piece of data you upload". In other words, you already uploaded it encrypted and they're just serving out the de-duplicated bits.
Encrypted data is indistinguishable from random data, so it is incompressible. The chances of finding anything significant to deduplicate are so low that it's not worth trying.
Read Freenet documentation. They encrypt everything, yet they use very efficient deduplication. I really like Freenet's design. Encryption key is based on the payload, so if you don't know what he payload is, you can't decrypt the packet. Of course decryption keys can be delivered using different encrypted tree of keys, which is used when you deliver download link.
For that reason, when ever I'm sharing anything I usually encrypt files with my recipients public keys before sending those out. Just to make sure that data is really private and keys are known only to my selected peers. In some cases when I want to make stuff even more private, I encrypt data separately with each recipients public key, so you can't even see list of public key ID's which are required to decrypt the data.
I also have 'secure work station' which is hardened and not connected to internet. That's the workstation I use to decrypt, handle and encrypt data. Only encrypted and signed data is allowed to come and go to that workstation.
"Each file and each folder node uses its own randomly generated 128 bit key. File nodes use the same key for the attribute block and the file data, plus a 64 bit random counter start value and a 64 bit meta MAC to verify the file's integrity."
Not sure I understand this, how can you deduplicate if every file is encrypted via a random key?
Maybe on file upload, they encrypt it with the file hash then chunk those encrypted files and store those with dedup.
Then, on the user side, they store an per-user encrypted index (random, counter, MAC) to those individual chunks to represent the file.
That way, they can only see giant encrypted blocks of data, and per-user encrypted indexes to data. But it is all encrypted.
They would need to hack into accounts by keylogging passwords to decrypt the indexes and see what files users can actually access.
Public links could be shared by giving out a key in the URL that is a file containing indexes to other blocks. So whoever knows the URL, knows the index, and can get the data.
Ok, so I try to upload a.exe to Mega. They make a hash, detect someone has already uploaded it. They don't upload my file, and instead they place a link in my account to that "a.exe" of some other user. How can I access it then? Because it's encrypted with a key which is not mine.
The hashing is done by the client before upload.
So if all clients use the same hash algo they will generate the same hash for the same file. So it is encrypted with a key that you know because you have the original file.
Ah I see this was in reference to your convergent encryption post above. Point taken.
Assuming that it works this way, it would allow Mega to figure out if you own a known "bad" file. Just take something like "New_Jay-Z_Album.zip," hash it, and try the hash against your encrypted files. It seems like Kim is trying to avoid this problem.
Note that they are likely to use something like 4MB chunks of the file rather than whole files. This prevents things like metadata/name differences creating a different hash for the whole file.
Got to wonder if this is a bit of copy and paste from the old terms, although you would think they would have checked this quite thoroughly! Good spot.
Something doesn't smell right regarding the browser-based private key encryption. What I think is happening is that they could theoretically decrypt all your content, but the fact that they dont, and would have to jump through some technical hoops to do so, is maybe enough for them to argue that they don't know what is being uploaded?
From dev docs it looks like file integrity (and thereby duplicate check) is done with CBC-MAC:
"File integrity is verified using chunked CBC-MAC. Chunk sizes start at 128 KB and increase to 1 MB, which is a reasonable balance between space required to store the chunk MACs and the average overhead for integrity-checking partial reads."
Perhaps they de-duplicate using smaller block sizes? Something like 256 bytes.
Also, if you believe Microsoft Outlook, there's something called "compressible encryption", which implies there are encryption schemes that aren't exactly random, meaning in turn that not all N-bit blocks are equally likely.
This is exactly how megaupload used to work. They use file hashes, i heard reports of some hash collisions meaning entirely different files were identified as duplicates...that was gamed though i believe, real life collisions less likely
maybe they store a hash along your strongly encrypted file. this way they could go after copy-righted files accross the system once reported at the cost of quasi-decrypting some of your files. your really unique files would still be save although you might not want them to be able to timestamp proof your possession of these neither.
To everyone asking about the encryption, it isn't really about protecting your data its about protecting themselves. They have created a service that is billed as a drop box competitor but it's not. This is megaupload2, they just need it to not look like they are marketing it as that.
They needed a way to deny any knolage of file sharing and have found a two pronged attack. The encryption means they can deny any knowledge of what they are serving, and marketing it as a drop box type tool means that they aren't marketing it as a blatant tool for illegal file sharing.
Yes, megavideo was a large part of their platform. I think it is only a matter of time before we see them build a video player on top of mega. I suspect there are technical hurdles to over come with decrypting and then playing the video using javascript though.
That doesn't mean you can't use it like a Dropbox service with more free space, surely? Dropbox also doesn't encrypt your data to any meaningful degree AFAIK.
Does anyone understand how their implementation of client-side encryption is actually supposed to make my data safer? After logging in for the first time, a 2048-bit RSA key pair was generated, but it seems that every time I log in I just use a username (email) and password. Does that mean the RSA private key is stored on MEGA's servers? If so, doesn't that render the whole "client side encryption" bit moot? If MEGA has the private key, they can decrypt the data or am I missing something?
The service seems to have ground to a halt, and I am not able to upload anything, so perhaps this all becomes clear once one starts using the service, but I'm curious about how the encryption is used in practice.
Edit: Found a bit more detail in the developer documentation: https://mega.co.nz/#developers
According to this, they use the symmetrical AES-128 to encrypt files, so why do I need an (asymmetrical) RSA key pair? It also says there that the private part of the RSA key is stored encrypted with the symmetrical AES key, but MEGA has that key, so what good does that do in case of an FBI raid?
One of the things that I was most curious about regarding MEGA was to see how they would manage to make encrypted file storage safe but user friendly. It seems like this is user friendly, but not safe at all, or am I wrong?
| Each user account uses a symmetric master key to ECB-
| encrypt all keys of the nodes it keeps in its own trees.
| This master key is stored on MEGA's servers, encrypted
| with a hash derived from the user's login password.
The key is stored encrypted on their servers, but is unlocked with your password. Technically they could capture your password and unlock the key, gaining access to the files.
MEGA servers store the hash of the password, not the password itself.
Unlocking a key requires a real password but the server knows only the hashed version. This way they can't capture the real password to unlock. The trick would be to make sure server always gets only the hashed password. Even at website login, the password must be hashed before sending!
We used similar crypto for http://timegt.com product where everything is end-to-end encrypted with a keypair generated by the user yet stored at the server. But it's stored at the server in a locked form that can be opened with a password that user entered. But this password is never sent to the server, only the password hash is and is used only to make sure that it's ok to send this locked key to the user. Hopefully this didn't sound too confusing now...
As long as the logins go via normal web page hashing the passwords before sending them does not really add that much security. If the security of the server is somehow compromised, it would be trivial to put up new Javascripts that send the cleartext password to server. Users are not likely to go through the Javascript to check what it is actually doing.
This is how similar services have responded to warrants. They voluntarily alter javascript for some ip addresses in order to capture passwords to use for decryption of the user's files.
It would probably be easy to write your own login page or a browser toolbar that would either do the hashing on a page you control or check that the javascript was what it should be.
At that level of distrust however you might as well encrypt the stuff yourself (and send the decryption keys to the people you want to share with in some other, more annoying but secure, way)
What if I don't trust you? Is it still safe for me to use MEGA?
If you don't trust us, you cannot run any code provided by us, so opening our site
in your browser and entering your password is off limits. If you still want to use
MEGA, you have to do so through a client app that was written by someone you trust.
Fully agreed on the server compromise risk. Fortunately this attack vector would compromise only users who log in after the attack. Users who don't are still safe.
Improving this situation could involve keeping a browser extension that takes care of the hashing algorithm and makes sure the real hash is sent. As long as the extension is not updated, the hashing would be safer.
In my eyes, it's not secure because the AES key is stored, albeit encrypted by a password, on the server side along with a file of the password hashes. Even when best practices are followed, it's still relatively easy for an attacker to recover passwords from their hashes via a brute force attack.
If the goal was actually to create something very secure, I would say that the keys would need to stay entirely on the client side, but this of course has its own usability problems. As it is, I'm curious as to how password resets can be carried out.
That being said, it's probably relatively secure as long as the cloud provider isn't raided or coerced to act badly. They can reasonably say that the data is encrypted and that they don't have access to the key.
I would be interested to see what the crypto looks like when the site is used for file sharing (e.g. I upload once, then post a link for many to download). Or am I just assuming that there's an option for this use case?
EDIT: The senario in the posts above sound more likely. The exact text of the help is "No usable encryption keys ever leave the client computers (with the exception of RSA public keys)." So they probably store an encrypted version of the keys server side.
According to Ars, the public sharing works by bundling the encryption key with the link to the data [1]. I don't have reliable access to the site, so I don't want to speculate too much, but I suppose there must be a way to export your keys so you can view your files from different computers.
I agree with the sentiment, though, that this is security theater. It's subject to the same problem as Hushmail, where they could be forced to snoop on their customers by modifying client code.
Ok, just my guess, not sure if that's what they do.
They can store the encrypted key on their server and send the encrypted key to the client whenever the client requests it. The client decrypts the key locally and use the decrypted key to decrypt the data.
With this scheme, the user can use a client on any machine to download his encrypted key and use it locally.
Regardless of what you may think about KimDotCom he certainly has persistence. You'd think anyone would quit after a FBI raid and being sued into oblivion.
So what if the service falls flat? I don't really plan to use it until the kinks are hammered out anyway. The fact that he got it out there though is a statement on to itself.
I see Kim Dotcom as a stereotypical gangster who makes money by delivering illegal products. He has the narcissistic personality and lifestyle trappings to go with it. He even wants to buy protection from New Zealand itself by bringing free fibre optic cable to the island!
It's just hard for me to respect the man, because he's not fighting for information freedom, he's fighting for as much cash, status, and power as he can get his hands on.
How are his products illegal? It's not like Skydrive and Google Drive are devoid of pirated content. Also Megaupload was a very valuable service back in the day when there wasn't many upload providers around..
Megaupload was selling access to content, not ability to store data. The users who downloaded data were the ones that had to pay. Only way this type of service is profitable is when it has "stuff" that is wanted by masses of people. And since Megaupload didn't produce/resell anything, illegal content is the only other option.
Also, during the time megauplaod existed, there always were upload providers. Megaupload came quite late into the game.
Of course.... but who pays (and for what, exactly) is somewhat immaterial. You're able to post public links to files and get (effectively) unlimited downloads via Dropbox too. It was a counter-example to your Google.com/yourdesiredfile
Who pays (and why) is hardly immaterial when it has a defining effect on how the site is actually used. There's a good reason as to why Google and Dropbox can easily claim legitimacy while Mega has to struggle.
Maybe I'm cynical but every file locker service makes money selling access to downloadable material that doesn't belong to them, mega was just honest/stupid about it.
I completely agree that there is a distinction, and one I also feel strongly about. But really the only distinction between the pirate bay and megaupload from that point of view is maturity and technical/political savvy. I feel I have to draw the line at a place where selling access to a file locker that you know is mostly used for infringement is ok or I'm a hypocrite. Especially when you look at from a "what should be legal" point of view where you have to consider enforceability rather than a hypothetical ethical question.
Totally agree. He just makes money from other people's work. And manipulate public mind by acting like martyr (for freedom). He is basically a swindler.
They're not caching any of their static resources, that might explain the amount of bandwidth use Dotcom is apparently seeing.
Edit: They're not gzipping any of the 2.5MB in static resources either. I realise that probably doesn't impact their API calls that are failing, but it's still a big oversight.
If you are opening their app for the first time, it doesn't matter since you are going to download the content anyway. He has only one page, so navigation doesn't reload the content.
>Not using Gzip is obviously a big part of his marketing plan.
I think this is the only time I would use the words "FTFY" on HN, but I do think it's obvious, that with kim's bragging about bandwidth usage, gzip has been disabled intentionally.
He could just as easily make up a fake bandwidth usage number for marketing purposes rather than actually put unnecessary load on his servers by not using Gzip.
It's most likely down to him hiring sloppy developers. And judging by the source code on the site this is exactly the reason.
I thought these top bandwidth usage lists are compiled by ISPs, not site owners themselves.
In any case i don't think climbing those lists would be reason to disable gzip. In that case an easier method would be to just add lots of not rendered junk at the end of your html to beef up the data usage.
The interface is very slick.. almost feel like a native application. Just the fact of being able to resize the various section of the window is very cool. Congrats for the launch, this takes lot of guts to start a service like that.
Site is getting completely hammered as of 15 minutes ago, Kim posted this on his twitter (https://twitter.com/KimDotcom): "Wow. I have never seen anything like this. From 0 to 10 Gigabit bandwidth utilization within 10 minutes."
His theory appears to be that by sharing keys via links to access encrypted files, instead of before which was exactly the same except to access unencrypted files, he will somehow be immune from persecution this time even though he still has the ability to identify infringing material by the traffic sources and bandwidth usage of individual files.
The tie in with web hosting companies adds an ounce of legitimacy to the affiliate program that originally led sites like the defunct tv-links.co.uk etc to throw traffic at their paywall last time but it won't be even close to enough if tomorrow there's millions of mega links on all the streaming and download indexing sites.
The Javascript for Mega looks very messy; all resources loaded via XHR, loading jQuery but using `document.getElementById` all over the place, using client-side Javascript to validate the integrity of all these XHR-loaded resources...
They say that this is their first Javascript coding; they should really get some talent on board to clean this up.
If you been using both browsers for a while, you could (at least IMHO) feel the increasing slowness of FF comparing to Chrome, at lest within last 2 years.
Further, the site looks very much polished in Chrome and its hard to find anything to blame for. If they did benchmark testing and realized Chrome works the best for decryption/encrypting/etc, I don't blame them for giving up on other browsers.
> If you been using both browsers for a while, you could (at least IMHO) feel the increasing slowness of FF comparing to Chrome, at lest within last 2 years.
Chrome starts a lot slower for me. It seems to really hit the disk a lot more than Firefox.
Reading the comments about de-duping,I think one can identify a very attractive monetisation path for mega. The largest percentage of traffic mega achieves, which is largely supported by the huge free space, the biggest the incentive for ISPs to resort to a service from mega for de-duping and caching mega traffic. It would not be unexpected if a "mega appliance" comes up in a few months for "distributed", high-performance mega usage. I do not remember the statistics exactly, but megaupload used to have a significant percentage of global traffic. Albeit, anyone could cache that traffic. Now, mega holds the keys to that. Some strategic and gradual approach is required, though, before ISPs take notice of that and pro-actively degrade mega's services (the other article about Google paying Orange for preferential QoS is relevant) before it gets the required momentum. Just a thought. What do you think? Is mega really holding a lock on this kind of information?
I think maybe Kim is a little smarter this time by not having his servers easily accessible by the US authorities, exactly where those servers are remains to be seen.
For me, mega.co.nz is at 154.53.224.166, which is Africa allocated, administered by afrinic.net who seem to be on a small island off the coast of Madagascar.
The big red button is beautiful. But adding just a
cursor:pointer;
would have made a HUGE difference to the button itself and to the User's experience, clicking on it. Sigh, when will start-ups start paying attention to UX?
I have a question..maybe it has already been answered. From what I know of security we have hash and other collisions in Virtual Machine systems and obviously that can be used to gain access. with Mega using always two hosts for a a piece of data assuming that they might be using some cloud structure how would this type of attack be prevented?
Seems like people who care about encryption when using the service are essentially putting their faith in Kim Dotcom's hands. If the FBI, e.g. were to break the encryption, people would probably lose trust in the service. Dotcom is carrying a lot of weight on his shoulders in acting as the security agent.
How exactly does this work, if they don't have access to the original?
> 8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data.
They take a hash of every X MB of your data before upload. If the hash already exists, then they don't upload it. You just get added to the access list for that particular chunk along with the others who have uploaded it.
That can't be the whole story. If Megaupload gives you access to the ciphertext encrypted with a key that neither you nor Megaupload has access to, that is useless.
Just signed up; was quick, smooth and has a nice interface.. was expecting it to get tonnes of visitors and be down for the next few hours but either noone is there yet or they've been very prepared
Not really sure about the quick part. I'm still trying to get to the website. The loading animation on start up was incredibly slow and now the site isn't responding at all.
Edit: I'm trying to access it from EU if that makes any difference. Seems like http 500 error is returned for assets hosted on eu.static.mega.co.nz.
which makes it no different to before, except this time they're hoping deniability is better than openly facilating piracy in their internal communications.
It appears you can upload a file without creating an account. So without generating a key first. Or at least without generating a key that is somehow protected by a password.
After signing up, MEGA suggested that I download Google Chrome to use the service (I was using Safari). I was expecting some affiliate link there, but there wasn't any.
On visiting a download link in Firefox (latest) posted in this thread (https://mega.co.nz/#!jFlzGQiZ!CL2dMi5IAYLUp3ZQ5JS7nmW0sYtudf...) I got the same message - however I can't click anywhere to hide the modal. If you are gonna have such a message at least let me close it!
I use it because it supports proper continuous zooming with pinch-to-zoom on a trackpad (exactly like Safari on iOS devices). Chrome does a weird step-by-step increment that seems to involve re-laying out the page at each step. The multi-touch interaction with Safari is just better in general, IMO.
I use Safari because in my experience Chrome is rather buggy on a Mac. Particularly with regard to Spaces. E.g., if I move a Chrome window to a different Space, all of my other Chrome windows will tag along for the ride. It makes using Chrome rather unbearable. Additionally, Safari's interface for managing bookmarks is much nicer.
I use Chrome on a Mac with a half dozen spaces with multiple monitors and have never had problem moving between spaces. Out of curiosity are you using the release, beta or dev channel?
I just use the standard release of Chrome. I Googled about the problem several times and all I could find out is that some people experience this issue and others don't, and no cure was known. The problem did not go away via numerous upgrades of Chrome, so I eventually gave up.
Perhaps he should have launched it like Gmail: Gradual launch with invites. Launching a file sharing site with this much media attention is surely going to crash it.
It's not "not nice", I like the design. What I didn't like was the loading and that reminded me the era of full-flash sites. Maybe the loading took much longer because the site is overloaded and it will be OK later.
The site claims safer but it doesn't feel safer. The first click opens my files for me to select one to upload, yet why am I going to upload a file to a completely unknown entity? Who is/are Mega? What gives user confidence to entrust (confidential / personal / business) file uploads to Mega? There are a few steps missing here, I would work on building customer confidence. Unless you are aiming for uploads within a network of people who know and trust you for other reasons. Good luck.
completely not intelligent comment, but i read the url as Mega CONS. as in mega con-artist. never before had a NZ domain triggered that reaction in my mind.
Apparently some 100 million users found his previous file sharing service to be of some value, until it was shutdown that is. What's difficult to see, however, is what value your pointless dig brings to this discussion.
Huh? If I were keeping it truly completely private then only I would have the private key. So presumably it generated one with Javascript stored in my session so I would need to back it up in order to login later and access my data.
However, that's not how Mega works. They're still storing a symmetric key on their server. They're just encrypting before storing for deniability reasons. https://mega.co.nz/#developers
Separate from the realm of rights, witholding credit is a dick move. I mean, the guy can afford a dozen cars and a helicopter, but he won't hire a decent copywriter?
What do I want? For him to be thrown in jail. I honestly don't care about people swapping media between themselves. But setting up an exchange to do that, and paying for it by selling space to advertisers? That's not "sharing". That's business. And that business would collapse if he had to pay the copyright holders he depends on.
In general, audiences have NO idea how much time, effort, etc. it takes to produce decent work. Partly, that's by design, since good work should look effortless. But when you count the time getting good, a decent album may represent a decade of someone's life (10,000 hours, etc.) And the thousands of names in the credits of major films represent actual work, by real people. There's no reason these people should be expected to "find a business model" that doesn't rely on some form of legal protection when protection is the backstop of every viable business model in existence (not always legal, in the case of drug cartels; and where there's no protection at all, what you're really talking about is good luck and charity).
That said, I think enforcing copyright at the individual level is a fool's errand. No one writing the law - which evolved over centuries - ever imagined that it would be applicable on such a global scale, in such a granular way. Barring radical change in the law, I think individuals should be exempt from prosecution under something that is so spectacularly unsuited to free individuals and the democracy that depends on their liberty.
But corporations are another story. They're tools, not people, and tools have no rights. Shareholders have rights, employees have rights, citizens whose governments issue corporate charters have rights. But corporations themselves? No rights whatsoever. There's no threat to democracy in making them secure permission - by paying for it on fairly negotiated terms - or getting sued into oblivion. Indeed, that's the exact expectation around which the law and industries that pay for copyrights both developed. The Internet's appearance doesn't change the premise that anyone building a business around material they didn't produce, should include the properly negotiated price of their inputs in the prices they charge to others. Obviously, that's my own standard. It's not reflected in law. But I think it's a fair break. If it were reflected in law, I think we could put the copyright wars behind us for the foreseeable future.
As far as Kim Dotcom goes, it's clear he made his money on the wrong side of this line. That's why I'd like to see him jailed under law which should make jailing him a no brainer. I have no idea how he's going to pay for his current venture, but I'm pretty sure he says "safer" not "safe" for good reason. You'd have to be an idiot to give Mega the same level of trust that Dropbox enjoys.
> In general, audiences have NO idea how much time, effort, etc. it takes to produce decent work.
I stopped listening to commercial music and watching commercial movies when industries started suing private individuals. I was surprised how easy it was. The only time I hear or see commercial content is when it is pushed on me through advertising and other expensive marketing techniques. I wish hollywood and big distribution would vanish tomorrow. Do you really think that talented artists would simply disappear and stop producing quality work if they're wasnt the possiblity of becoming a star behind it? Nonsense. Art is from the heart. I hear quality all the time from local street buskers and playing in bars in my city. Everywhere in the world there is great quality work that is having money taking out of there mouths by big industry who would rather have a huge fan base for a minimal set of artists. The reason it costs so much to produce what you consider 'decent work' is because that is what you have been convinced to believe. Quality is not expensive, and yet its rarely paid because most of the money is being funnelled through distribution companies who simply cannot possibly handle the many millions of people around the world who deserve a piece of the entertainment revenue pie.
I listen to Jamendo, Soundcloud and CCmixter. I watch videos on youtube and vimeo. I am entertained. So when megaupload was taken down... for me it had nothing to do with losing the ability to break someone's copyright, but rather it was simply another example of big distribution shutting down an alternate channel of distribution.
For me, the sooner distribution companies die, the better. They have no purpose anymore because distribution costs are $0. We all pay for distribution ourselves when we pay our ISP for bandwidth. The only remaining purpose for distribution companies is to sue for their lives in order to limit the number of artists who receive income for their work.
"Uses" people by creating products other people are willing to pay for. Just like your local pig farm "uses" the animals to provide you food you are willing to pay for.
Mega is just being a midleman here. What's so wrong about it, really? If an industry goes down because it can't compete with "free", then maybe it should go down because technology makes the business model unprofitable? Big players go down and small ones come to rule the game, it's not like people stop caring about entertainment. But of course this all whining about piracy is exactly about securing people's own position and ability to survive in the competitive market. After all, an industry-wide collapse could very well mean loss of a job(not for a single person, but also for co-workers etc) or at least huge cut in income.
In the end it's just everyone playing for themselves. Hopefully in a few decades we have machines creating superior content for us(at least to some degree), so we can finally start getting rid of the publishing/content providing industries which hinder technological progress and start to focus on consuming whatever we find most suitable for us, without legal or ethical barriers. Everyone wins if we don't let bullshit legislation hinder the progress.
No, it's not "just like" at all. And that's for the not-difficult-to-discern reason that people and pigs are not interchangeable, which why you can have bacon for breakfast without being charged as an accessory to murder. And I'm sorry that think that getting the artists out of art and just handing the satisfaction of the human intellect to machines is a situation where "everyone wins."
A liberal education may not get you a job, but it'll save you from embarrassing yourself with stuff like this.
> No, it's not "just like" at all. And that's for the not-difficult-to-discern reason that people and pigs are not interchangeable
You're arguing against something I never even claimed. However, what you said still doesn't change the fact that pigs are being used. Problem?
> And I'm sorry that think that getting the artists out of art and just handing the satisfaction of the human intellect to machines is a situation where "everyone wins." I mean, that's just embarrassing.
What's the problem with this? People who are creative can stil create things as much as they like, while people who prefer consuming things can get the said things for cheaper and for less effort. Of course this sounds like a dystopian future for an artsy person who would love to get paid for their hobby. But just as radio amateurs with their love for analog electronics have gone underground, so will happen for those who can't adapt to the ever-accelerating technological progress we're going through. And the fact that we can now share information so effortlessly is a great sign of that.
Of course it would be ideal that I could create X, set it a price Y and then people would pay for it if they consider my product worth it's price. However, because of the way the world changes, it isn't possible in a strict sense. It will never be possible during this digital era, at least not without sacrificing liberties and creating some godlike authority over information sharing. Now how would that not be a dystopian future!?
Comments such as these never cease to astonish me; I'm not sure what musicians/artists have done to warrant your unremitting contempt, but it is that which oozes out of every statement you make.
- "People who are creative can stil create things as much as they like": no, they are constrained by their budget and time. Piracy destroys the potential for remuneration on the back of e.g. recorded music, thus restricting the ability of the artist to create. Stop pretending like all worthwhile (by which I mean to say in-demand, whether legally or not) art can be made on a Sunday afternoon by a single person.
- "Artsy person...": I resent your suggestion that art is axiomatically a hobby, and those that create it -- "artsy persons", really? -- are all mere hobbyists. You seem to value music/film/etc. enough to unilaterally grant yourself unlimited rights to it, yet you use belittling terms, the better to convey your perceived superiority (presumably because you think programming requires more intelligence?) when discussing it. Not cool.
- "who can't adapt to the ever-accelerating technological progress we're going through": Yes, we musicians are all such idiots, we simply don't get revolutionary rockstar technologies like node.js and mongodb.
- "we can now share information": Please stop invoking lofty principles like liberty and the right to information to justify your consumption of the latest hollywood-made blockbuster movie or pop single without compensation the artists who created it.
- "Of course it would be ideal that I could create X, set it a price Y and then people would pay for it if they consider my product worth it's price. However, because of the way the world changes, it isn't possible in a strict sense."
"Of course it would be ideal for me not to whack you on the head with a club and take your possessions, but it's just not realistic in a strict sense; at least not without sacrificing vital liberties and the creation of a police force with godlike authority."
> ""People who are creative can stil create things as much as they like": no, they are constrained by their budget and time. Piracy destroys the potential for remuneration on the back of e.g. recorded music, thus restricting the ability of the artist to create. Stop pretending like all worthwhile (by which I mean to say in-demand, whether legally or not) art can be made on a Sunday afternoon by a single person."
I never said anything about piracy in my reply nor I implied it. I guess I can assume machine learning and AI advancements pose a similar threat? So it would be wrong if there was something which would make creating art less profitable, such as for example computer aided creation of things? I mean of course that would put a few useless people out of their jobs when machines can increase the productivity enough. Horrible? Not really, cheaper art for people and increased amount of "indie" art in circulation. I'm all for it.
> "- "Artsy person...": I resent your suggestion that art is axiomatically a hobby, and those that create it -- "artsy persons", really? -- are all mere hobbyists. You seem to value music/film/etc. enough to unilaterally grant yourself unlimited rights to it, yet you use belittling terms, the better to convey your perceived superiority (presumably because you think programming requires more intelligence?) when discussing it. Not cool."
I guess the word artsy carries a negative tone, it wasn't my intention to imply that. Bear with me for not being a native English speaker. However, my whole point has been that the whole discussion about piracy revolves around people who are not doing art as a hobby but who are reliant on being paid for what they are doing.
> "- "who can't adapt to the ever-accelerating technological progress we're going through": Yes, we musicians are all such idiots, we simply don't get revolutionary rockstar technologies like node.js and mongodb."
Interesting, "we musicians". Spot on. However, again it seems that you are purposefully(?) missing the point. If we can recreate art with ease and as such we need less producers and distributors, what's the big deal? They go out of job because technology makes their work obsolete? It's a shame, but if there's something we can learn from the past, it's that you can't stop technology from advancing. My friend as a cab driver will lose his job once self-diriving cars become mainstream. My friend as a cashier already lost her job because of automation. Millions are going out of work at Foxconn during the next few years because of advanced robots. It's everywhere, technology reigns supreme and people go out of jobs at exponential rate from now on. Things change.
> "- "we can now share information": Please stop invoking lofty principles like liberty and the right to information to justify your consumption of the latest hollywood-made blockbuster movie or pop single without compensation the artists who created it."
Justify my what? Your assumption is completely false. Even if it were true and I actually did consume mainstream entertainment and especially without compensating the artists the fact that we can now share information easier than ever before holds true, and will (hopefully) hold true in the future too. After all services like youtube, dropbox, Mega etc. are here to stay and for obvious reasons. Oh and there's an increasing number of truly anonymous content sharing sites in Tor network. It's pretty fascinating where we're going IMO.
> "Of course it would be ideal for me not to whack you on the head with a club and take your possessions, but it's just not realistic in a strict sense; at least not without sacrificing vital liberties and the creation of a police force with godlike authority."
Your comparison is completely flawed and you know it. Do you understand the implications of total surveillance of the Internet in regards of freedom of speech for example? Or do you not care, as long as you get paid for your job?
Anyway, in case you haven't noticed it yet, we're moving towards a world where the copyright laws have less and less implications in our actions. Not only will the laws be reformed to make more sense, content sharing and distribution will increase just as it has to this day. Some people will lose their jobs, some artists will get less compensation for their work(for other reasons than piracy though) and so on. It's only natural. If this scares you, then just maybe it would be better for you to work in a different field? Because as I've said, you can't stop technology from advancing, and it advances at an accelerating rate. Exponential growth is a bitch.
> "Comments such as these never cease to astonish me"
You're arguing the wrong point completely. No one here objects to breaking down barriers, and giving more creators access to a market. Commercial piracy like Megaupload is a hindrance to that.
It's clear that you have great admiration for artists, but really, they're only slightly more magnanimous than the rest of us. Not making any money incentivizes no one. If you think Western culture would be as rich and diverse as it is without copyright and capitalism, check again.
What certainly should be avoided is admiring a convicted repeat-criminal who's business it is to exploit people at every opportunity. People who support Kim are like people who vote for Berlusconi. They are literally the problem in this world. Have some fucking values.
I'm waiting for machines to build the next Mega and put Mr. Dotkom out of a job. Afterwards, machines can replace all the layers and sue us for pirating the content they create.
He doesn't create the products he is selling access to and he doesn't have a license to be a middleman. I agree that the creators have a broken business model, but his business model of exploiting that brokenness is not a replacement for it. In fact, it depends on it.
I don't believe that machines will replace artists either, because I believe art is the expression of personal human experience.
8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data.
Duplicate check, I get that. But, how do they do it? They say the files are encrypted on the browser, so if I upload file X and other user uploads X too, they can't know they're the same because both uploads are encrypted. So, they can check only for duplicates of the encrypted outcome of each file. But, wouldn't that be inefficient? Probability of collision in encrypted files is (AFAIK) really low, something like 2^(-N), N being the size of the file on bits... If I did it well, it'd be a collision probability of 7.458E-155 for a file of 1MB.
[1] https://mega.co.nz/#terms
EDIT: Added example.