Geekzone: technology news, blogs, forums

SCM
459 posts

Ultimate Geek


  #748551 21-Jan-2013 23:14

Wow it's slow, struggling to upload any file.... My backup's taking too long to upload, not worth using at this stage.
Ranging between 5 and 8kbps and I have 1.9mbit upstream unused.... :(

One of the IPs I'm sending data to.........





thanks for making the previous page unreadable!





 

 




Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #748552 21-Jan-2013 23:15

freitasm: And no password change fields? 

Hmmmm. 



Makes sense - if the password is used as part of the key for decrypting the files, then changing the password would invalidate all your uploaded files.

Nebbie: Wow it's slow, struggling to upload any file.... My backup's taking too long to upload, not worth using at this stage.
Ranging between 5 and 8kbps and I have 1.9mbit upstream unused.... :(

One of the IPs I'm sending data to...
bevin@ceres:~$ traceroute 154.53.225.106 


You sure about that IP?  WHOIS shows it as being assigned to a US company, which completely flies in the face of Kim's statement that no part of MEGA would be hosted within the US...

ptinson
677 posts

Ultimate Geek

Trusted

  #748569 22-Jan-2013 06:16

You missed my earlier post then:)
GEO IP has them all in the US pretty much (from max mind)




meat popsicle



freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #748585 22-Jan-2013 07:22

Kyanar:
freitasm: And no password change fields? 

Hmmmm. 



Makes sense - if the password is used as part of the key for decrypting the files, then changing the password would invalidate all your uploaded files.


Correct, and that's the reason I'm pointing it out. Security is not that much in my view. Anyone with your password can get access to your files now.

It would be a lot more secure if a private/public encryption was used, providing you with a private certificate to be used with your password. In this case you could change the password at any time and still have access to the files.








Linuxluver
5828 posts

Uber Geek

Trusted
Subscriber

  #748602 22-Jan-2013 08:37

gzt: In account settings upload speed is set to 'automatic' by default. There is a greyed out 'fixed' option which is set at 50KBs by default. That could be the source of the confusion here.


Yes. I took that at face value.....adding "automatic" to the un-alterable 50KB/sec. If it really is 50KB/sec then that's still about 512kbps...which is about half of the upstream speed on a classic ADSL connection anyway. So not too shabby. 

But if automatic just means whatever the system can bear / spare...then that's a bit better. Do we know this? 




_____________________________________________________________________

I've been on Geekzone over 16 years..... Time flies.... 


decourl
1 post

Wannabe Geek


  #748609 22-Jan-2013 08:54

freitasm:
Kyanar:
freitasm: And no password change fields? 

Hmmmm. 



Makes sense - if the password is used as part of the key for decrypting the files, then changing the password would invalidate all your uploaded files.


Correct, and that's the reason I'm pointing it out. Security is not that much in my view. Anyone with your password can get access to your files now.

It would be a lot more secure if a private/public encryption was used, providing you with a private certificate to be used with your password. In this case you could change the password at any time and still have access to the files.




I think they went for usability (portability from desktop to desktop without you needing to take any secrets with you, besides your password) over security.  As you point out, the only security in the system is the password, which the system doesn't seem to allow to be changed.

Right now, even if you do keep your password secret, a "hashed" version of the password is apparently shared with Mega.  The documentation seems to state this, and this would jibe with how they're likely doing end-user authentication day-to-day: your system hashes the password that you enter, sends it to Mega, and they compare it to the hash that they have on file.

The problem that I see is, it seems like Mega could easily obtain your password (in a few seconds CPU time, probably) using a brute-force attack against the password hash.  At which point they can decrypt your master key and all of your data.  Or if they're raided, or if they're ordered to turn over copies of the raw encrypted data, etc...

freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #748612 22-Jan-2013 09:01

Hence my previous suggestion that using your password as part of the encryption algorithm, while they keep both the password and encryption key, is dumb.

If they were serious about security and about not looking at files they should have created a private/public pair, you would be the only one with the private key in your own computer.

In classical mode it would mean all encryption would be made with the public key before uploading and decryption would be only possible with the private key that only the user has.

So things I still think aren't up to scrutiny:

- encryption
- password management
- overall system performance
- content traffic speeds

Every single blog around the planet says how great it is they have one million users. No one comments on uploading problems - basically "look a new service we can milk page views in our blog posts from" but not one of them came back with "we tested it and here are our findings".





gzt
17122 posts

Uber Geek

Lifetime subscriber

  #748618 22-Jan-2013 09:18

I listened to Paul Spain's NZ Tech podcast of the Mega pre-launch press conference. Dotcom does 95% of the talking. Some very general technical details are provided. It covers more than the launch. There is some interesting discussion about movie studios' current licensing model around 23:00. The discussion covers a lot of ground everywhere including NZ customs giving a lot of attention to travelers intending to visit him.

Dotcom still plans to go ahead with the advertising client and says there are big misunderstandings about this. He is talking about replacing only a few ads from major sites or major publishers. I didn't quite get it. Possibly just google search ads. This is interesting strategy. Particularly if google ads are the only ones replaced. He mentions a figure around replacing 10% of advertising a user will see. He gives a kind of justification for this based on moral grounds that google is benefiting from users searching for 'illegal' content and this replacement will redirect revenue directly to artists.

http://content.blubrry.com/nztechpodcast/nztechpodcast108.mp3

freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #748619 22-Jan-2013 09:20

gzt: Dotcom still plans to go ahead with the advertising client and says there are big misunderstandings about this. He is talking about replacing only a few ads from major sites or major publishers. I didn't quite get it. Possibly just google search ads. This is interesting strategy. Particularly if google ads are the only ones replaced. He mentions a figure around replacing 10% of advertising a user will see. He gives a kind of justification for this based on moral grounds that google is benefiting from users searching for 'illegal' content and this replacement will redirect revenue directly to artists.


What kind of "moral grounds" does he have to justify replacing the ads showing on my web pages with his own, depriving myself and my family of my income?

He's not sticking it to the big man only, he's crippling the revenue people make for a living, you know?









ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #748620 22-Jan-2013 09:20

freitasm: Hence my previous suggestion that using your password as part of the encryption algorithm, while they keep both the password and encryption key, is dumb.

If they were serious about security and about not looking at files they should have created a private/public pair, you would be the only one with the private key in your own computer.

In classical mode it would mean all encryption would be made with the public key before uploading and decryption would be only possible with the private key that only the user has.

So things I still think aren't up to scrutiny:

- encryption
- password management
- overall system performance
- content traffic speeds

Every single blog around the planet says how great it is they have one million users. No one comments on uploading problems - basically "look a new service we can milk page views in our blog posts from" but not one of them came back with "we tested it and here are our findings".


Yep, the Reg did.  http://www.theregister.co.uk/2013/01/20/mega_launch_fail/

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #748621 22-Jan-2013 09:26

gzt: Dotcom still plans to go ahead with the advertising client and says there are big misunderstandings about this. He is talking about replacing only a few ads from major sites or major publishers. I didn't quite get it. Possibly just google search ads. This is interesting strategy. Particularly if google ads are the only ones replaced. He mentions a figure around replacing 10% of advertising a user will see. He gives a kind of justification for this based on moral grounds that google is benefiting from users searching for 'illegal' content and this replacement will redirect revenue directly to artists.


Unless he intends to ensure that people like myself and Mauricio who run sites which just happen to use those "major publishers" get our share of this revenue, then what he intends to do is immoral and criminal.  Where does he get the right to profit off other people's work?

Oh, wait.  That's the MEGA business model.

gzt
17122 posts

Uber Geek

Lifetime subscriber

  #748622 22-Jan-2013 09:26

freitasm:
gzt: Dotcom still plans to go ahead with the advertising client and says there are big misunderstandings about this. He is talking about replacing only a few ads from major sites or major publishers. I didn't quite get it. Possibly just google search ads. This is interesting strategy. Particularly if google ads are the only ones replaced. He mentions a figure around replacing 10% of advertising a user will see. He gives a kind of justification for this based on moral grounds that google is benefiting from users searching for 'illegal' content and this replacement will redirect revenue directly to artists.

What kind of "moral grounds" does he have to justify replacing the ads showing on my web pages with his own, depriving myself and my family of my income?

He's not sticking it to the big man only, he's crippling the revenue people make for a living, you know?

That's the thing. He appears to be talking only about replacing ads only on one or two major sites/pages like google itself so that is not actually an issue. Your criticism is still very valid of course if you were making a living from paid search advertising on the google search result pages themselves.

Noodles
487 posts

Ultimate Geek


  #748623 22-Jan-2013 09:28

@freitasm Initially I thought the way they were doing the encryption was dumb as well, private keys should always be stored on the client. But if you think about it this has to be user friendly as well as "secure". No amount of customer service can recover a private key if a user deletes their key or moves computer (or computer is stolen etc).

By storing the private key encrypted with the password they get around this problem. It also means that when the user changes computers the private key follows them. I'm not sure how they get around the problem of resetting forgotten passwords though.
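
The design discussed in the posts above (a key kept server-side, encrypted under the password) sketched as an added example; it is not code from this thread or from MEGA, and the function names, AES-256-GCM and scrypt are assumptions chosen for illustration. It shows that with a wrapped master key, a password change only re-encrypts the small key blob, not the uploaded files.

```javascript
// Added illustration; names, AES-256-GCM and scrypt are assumptions, not MEGA's scheme.
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout: iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Key-encryption key derived from the password; scrypt makes each guess costly.
function kek(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// The server stores only { salt, wrapped }; the random master key encrypts the files.
function createAccount(password) {
  const salt = crypto.randomBytes(16);
  const masterKey = crypto.randomBytes(32);
  return { salt, wrapped: seal(kek(password, salt), masterKey) };
}
function unlock(account, password) {
  return unseal(kek(password, account.salt), account.wrapped);
}
// Password change re-wraps the same master key; uploaded files are untouched.
function changePassword(account, oldPw, newPw) {
  const masterKey = unlock(account, oldPw);
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: seal(kek(newPw, salt), masterKey) };
}

// Constructed demo: encrypt a file, change the password, read the file again.
function demo() {
  let acct = createAccount('old-passphrase');
  const fileBlob = seal(unlock(acct, 'old-passphrase'), Buffer.from('backup contents'));
  acct = changePassword(acct, 'old-passphrase', 'new-passphrase');
  const readBack = unseal(unlock(acct, 'new-passphrase'), fileBlob).toString();
  let oldPasswordWorks = true;
  try { unlock(acct, 'old-passphrase'); } catch { oldPasswordWorks = false; }
  return { readBack, oldPasswordWorks };
}
console.log(demo());
```

Re-wrapping does not help if the old wrapped blob and old password were already copied, because the master key itself is unchanged; recovering from that requires a new master key and re-encrypting the files.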

ChevronX
280 posts

Ultimate Geek


  #748624 22-Jan-2013 09:29

Was just able to register an account - fine. But unable to upload a 1MB picture. Remaining time seems stuck at: "Infinity".




"The Atlantis base, brings greetings from the pegasus galaxy, you may cut power to the gate!."- Dr Weir (Rising) New Zealand · Luke.Geek.NZ


amanzi
Amanzi
1292 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #748625 22-Jan-2013 09:29

freitasm: What kind of "moral grounds" does he have to justify replacing the ads showing on my web pages with his own, depriving myself and my family of my income?

He's not sticking it to the big man only, he's crippling the revenue people make for a living, you know?


From what I've read he won't be replacing any ads on any websites - only search pages from the major players (Google, Yahoo, etc), and possibly only search pages that contain links to piracy sites. So you can make up your own mind about "moral grounds" but at least he won't be taking anything from sites like Geekzone that rely on the advertising revenue. I can't remember where I read this - I think it was either on Ars or Wired.
