Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Software Developer Says Mega Master Keys Are Retrievable

timothy posted about a year ago | from the any-mega-users-out-there-who-care-to-try? dept.

Encryption 136

hypnosec writes that software developer Michael Koziarski has released a bookmarklet "which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."

cancel ×

136 comments

Sorry! There are no comments related to the filter you selected.

JavaScript not secure? (0)

Anonymous Coward | about a year ago | (#44748157)

Who would have thought that data stored in JavaScript could be grabbed.

Re:JavaScript not secure? (4, Informative)

gl4ss (559668) | about a year ago | (#44748387)

yeah something you run on your browser.. ..that gives you access to the files.. CAN GIVE YOU ACCESS TO THE FILES.

wow what a shock! because in this case, MEGA can alter the js so that they get the keys. how this is is news I don't really get. it's just common sense.

the real question is, are there 3rd party mega clients that are not javascript or subject to changing without notice..

Re:JavaScript not secure? (3, Insightful)

tgd (2822) | about a year ago | (#44749413)

yeah something you run on your browser.. ..that gives you access to the files.. CAN GIVE YOU ACCESS TO THE FILES.

wow what a shock! because in this case, MEGA can alter the js so that they get the keys. how this is is news I don't really get. it's just common sense.

the real question is, are there 3rd party mega clients that are not javascript or subject to changing without notice..

What is common sense to anyone who understands how a service is built is not necessarily common sense to those who use it.

So it matters.

Who trusts Mega anyway (3, Insightful)

Anonymous Coward | about a year ago | (#44748165)

I don't think there are many people who would trust Mega anyway. I mean, we all pretty much feel the US (and the New Zealand) governments overreached and broke laws when they begin prosecuting Kim DotCom, but most people realize that the guy is a self-aggrandizing scam artist and charlatan. Does anyone actually trust his stuff?

Re:Who trusts Mega anyway (2, Interesting)

Joining Yet Again (2992179) | about a year ago | (#44748295)

but most people realize that the guy is a self-aggrandizing scam artist and charlatan

This. The man is just the flip side of the copyright cartel, and they're both about the same thing: getting rich by leeching off the hard work and creativity of others.

Cue a hundred Defenders of the Faith claiming that this is well-engineered incompetence, not malice, and that a hole as wide as Uranus is actually not serious.

Just look at his house.... (0, Funny)

Anonymous Coward | about a year ago | (#44748481)

If he was found in a dingy little basement with row upon row of servers. If he was still named (whatever he was called before dotcom) because he was too poor to afford the renaming fees, THEN I might distrust him a little less.

But honestly anyone with that name or house is pretty obviously trying to become part of the 1 percent, not take them down. (Or at least not without taking over their position.)

Re:Just look at his house.... (1)

Anonymous Coward | about a year ago | (#44748813)

Oh noes, the pestilent scourges, the one percent!!!!

Re:Who trusts Mega anyway (2)

FuzzNugget (2840687) | about a year ago | (#44749809)

...and that a hole as wide as Uranus is actually not serious.

Mine, I wouldn't worry about. Your mom's on other hand...

Re:Who trusts Mega anyway (4, Insightful)

denmarkw00t (892627) | about a year ago | (#44748389)

Does anyone actually trust his stuff?

For sensitive material? Of course not. But, I have used Mega a number of times for legit downloads (Android ROMs, Linux, various open-source projects). Let's not forget that MegaUpload was used for non-nefarious purposes, although people who store sensitive data unencrypted on someone else's service are always taking a risk.

Re:Who trusts Mega anyway (2)

sosume (680416) | about a year ago | (#44748565)

At least he's not lying about himself or his intentions. If anything, he's been absurdly honest. Just look at his licence plates, or one of his bragging pictures.

Re:Who trusts Mega anyway (0)

Anonymous Coward | about a year ago | (#44749133)

Even those are lies.. he gets fools to cough up money after they're impressed with his stupid stories and apparent wealth that he then uses to continue funding his self-promotion. The other day I was daydreaming on a flight and it occurred to me that it's highly likely that his gumball races and #1 ranking on xbox COD could also be somehow fraudulent... bought with money in order to extend his personality cult.

He exists by buying the attention of the next round of suckers in perpetuity.

Re:Who trusts Mega anyway (5, Insightful)

aaaaaaargh! (1150173) | about a year ago | (#44748727)

the guy is a self-aggrandizing scam artist and charlatan

However, if he wore a suit with tie and had not only fullfilled DMCA requests (which he always did) but also had proactively given away his customers data to any US authority and private copyright holders like the RIAA without any real legal basis and had additionally given money to the two leading US parties, he'd be considered quite a decent fellow in the US now. In other words, while he never did anything else than Google and thousands of other companies, including US ones today, he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now. He doesn't act the way you are expected to act as a rich entrepreneur with a serious business. Such misbehavior is usually sanctioned. They even wondered whether they could turn an inflatable tank he had in his garden into some kind of evil plot, but didn't manage to find the right legal angle to it...

Regarding trust ... well, at least New Zealand law cannot force you to install backdoors and lie to everyone about it, but of course you cannot trust any closed source company with data security. Encrypt on your own before storing something on Mega and you're fine.

Re:Who trusts Mega anyway (2)

wagnerrp (1305589) | about a year ago | (#44749315)

All those other companies gave no illusion of being secure. Hell, they often had in their own terms and services that they would be reading your email for whatever purposes they desired. Kim Dotcom claims to be offering secure, encrypted services, yet anyone with a basic understanding of computer security can tell he's just putting up a facade for the masses. That's why he cannot be trusted. He's nothing but a blowhard.

Re:Who trusts Mega anyway (5, Interesting)

Barefoot Monkey (1657313) | about a year ago | (#44750121)

All those other companies gave no illusion of being secure.

Neither did Mega. They explain these very risks and others right in the FAQ [mega.co.nz] and since they launched have using alternatives that do not involve trusting them. Providing a interface is a significant convenience, but you can't trust anything truly secret to a script someone else can remotely replace on a whim.

Re:Who trusts Mega anyway (3, Informative)

Barefoot Monkey (1657313) | about a year ago | (#44750239)

Proof-reading fail. Sorry :(

The missing word was "recommended". They have always recommended alternatives that do not involve trusting them. Here's an example from that same FAQ page:

What if I don't trust you? Is it still safe for me to use MEGA?

If you don't trust us, you cannot run any code provided by us, which precludes opening MEGA in your browser and entering your login credentials. However, due to MEGA's end-to-end encryption paradigm, you can safely use client applications written by someone you trust.

Re:Who trusts Mega anyway (4, Insightful)

Tom (822) | about a year ago | (#44749721)

he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now.

If you aren't a paid shill, you should change that. Your misleading and faulty argument surely qualifies, and you'd have to be an idiot to think that a multi-millionaire scam artist in the public spotlight would not have hired a PR agency to improve his online image.

Kimble is a career criminal, simple as that. He was prosecuted and even convicted before, and by several other governments. That distinct sound you're hearing is the shattered pieces of your argument falling apart.

If you are a large-scale career criminal, there are two paths you can go.

One, you can fly under the radar, like the people in the famous train robberies and serial bank breaks that many of us have heard about but almost nobody can name even one of the actual people involved.

Two, you can scale it up so much that it becomes quasi-legal by sheer scale and being-part-of-the-system, like the financial industry, the corporate corruption or the various pet-sectors of the various countries that are untouchable (Spain had a huge real estate scandal - nobody was ever convicted. Germany even has a name for the network of corporations, banks and government entities so closely connected that they all protect each other: Deutschland AG. In Greece, the shipping industry was holy for decades. In the US it is probably the military industry, and so on).

Kimble was arrogant and self-obsessed enough to think he could reach the same place simply by having an overblown ego and being audacious.

Re:Who trusts Mega anyway (5, Funny)

glassware (195317) | about a year ago | (#44749225)

I read this as "Sega Master System Keys Are Retrievable." I was sadly disappointed.

Re:Who trusts Mega anyway (-1)

Anonymous Coward | about a year ago | (#44749747)

I read this as "Sega Master System Keys Are Retrievable." I was sadly disappointed.

idem

Re:Who trusts Mega anyway (0)

Anonymous Coward | about a year ago | (#44749543)

Sounds like someone that got caught with a bunch of drugs, is picked up by the cops and quickly released without charges, the suddenly has this awesome deal for you.

Re:Who trusts Mega anyway (2)

Tom (822) | about a year ago | (#44749819)

Does anyone actually trust his stuff?

Idiots with no knowledge of history.

Kimble ratted his partners out to the FBI when he was under investigation for a previous crime some years ago. Once a traitor, always a traitor. If you think there are no closed-doors talks between Kimble who's trying to save his neck and the government, you must be very naive indeed. And the obvious thing that Kimble can offer is - the users of Mega, of course.

Re:Who trusts Mega anyway (1)

MightyMartian (840721) | about a year ago | (#44750381)

Not me. I wouldn't host anything I didn't care about on any server he had any control over, let alone something important. The guy is a crook, pure and simple.

End To End (0)

Anonymous Coward | about a year ago | (#44748199)

End to end encryption or it didn't happen.

of course they are retrievable (4, Insightful)

Noishe (829350) | about a year ago | (#44748209)

Once you enter your password into a website, the website can do anything that you can do.... Duh

Yes, mega doesn't have your key stored on their servers.
Yes, at any point while you're logged in they can change this fact, or they can just log your password, or whatever.

Doesn't matter what the website is, you have to trust it to use it.

How is this news?

Re:of course they are retrievable (0)

Anonymous Coward | about a year ago | (#44748293)

It's the same as any piece of software really. If the developer just decides to push down an update that logs your keys, you're fucked. No surprise here. People need to learn how security works before they start screaming shit like this.

Re:of course they are retrievable (2)

Joining Yet Again (2992179) | about a year ago | (#44748471)

"I don't know all the software, firmware and hardware functionality perfectly, therefore I throw my arms in the air and give up."

Security is often as much about trust as anything. It is important to expose, more than anything else, something which could suggest a breach of trust.

Re:of course they are retrievable (2)

Score Whore (32328) | about a year ago | (#44749129)

If the developer just decides to push down an update that logs your keys, you're fucked.

Well, there's your problem... Why are you letting people you don't know install and run software on your computer?

Fundamentally though, like all security, you need to make a cost benefit analysis. If you have data of a life and death nature, you shouldn't be entrusting it to anyone you can't kill. Or a little less extreme, you shouldn't be putting information in the hands of someone you can't successfully sue. That is, if you have a $50 liability limit plus $200 worth of time to "clean up" someone using your credit card without authorization, you shouldn't share that card number with anyone who wouldn't be willing to pay the $250 if they leak your card number. In the event that you don't expect to be able to sue someone, you shouldn't entrust them with any important or private data.

Another thing to consider, if your vendor (of your computer, your OS, your phone) includes a liability limitation in their agreement with you then they don't believe their shit is secure. If they don't believe that their product is secure, why should you?

Re:of course they are retrievable (2, Interesting)

Anonymous Coward | about a year ago | (#44748363)

not to troll but this may be a new tactic by Big Media or maybe the NSA to try and cripple Mega and others, I find it odd, (tho I do not make an conspiracy out of it) that the NSA is attacking owners of sites that refuse to give up there encryption, and the owners/creators are shutting there sites down.

It is possible and wouldn't be surprised to see someone or some sinister force at work here. But I am not sure if the creator of the exploit is supporting Mega, and trying to improve its security or trying to discredit the site.

Re: of course they are retrievable (0)

Anonymous Coward | about a year ago | (#44749127)

This.

Also the cheap attacks on his character.

Someone's getting nervous!

What's the big deal? (4, Insightful)

schneidafunk (795759) | about a year ago | (#44748213)

I don't get it, why is this a big deal? This just displays your local storage in your web browser.

Re: What's the big deal? (1, Interesting)

Anonymous Coward | about a year ago | (#44748397)

i fixed this problem on my project using javascript closures. your private keys are decrypted with your password. password is never uploaded to the server. you can see that by looking at the post requests. the decrypted key is stored in a local variable for activities the rest of your session. closures are secure. no program outside the function scope can access the keys or password. its tricky to get right so maybe Mega can fix it soon.

Re: What's the big deal? (1)

Anonymous Coward | about a year ago | (#44749679)

Still everyone has to trust the site to not deploy malicious javascript. That's why this concept is fucked up ...

Re: What's the big deal? (1)

vux984 (928602) | about a year ago | (#44750357)

i fixed this problem on my project using javascript closures.

How does that fix anything? Every time I visit your project, I must rely on your java script. The fact that it is correct today does nothing for me tomorrow.

A secure solution requires that there is nothing you can do to get my key.

You could simply change the java script on your site tomorrow, and slurp the key next time I visit.

Essentially one has to decouple the client from the service, so that I use a client YOU DON'T CONTROL. That is the only way I can secure the key from you.

In terms of a web service, all I can think of is to have your java script is audited by me or someone i designate and then it's signed BY ME (since I can't trust a 3rd party signer won't be NSA-coerced into signing your malware updates), and then you aren't allowed to change it, without it being re-audited by me or someone i designate.

Re:What's the big deal? (2)

denmarkw00t (892627) | about a year ago | (#44748401)

Yeah, I saw this tool was already built in to Chrome, so I guess I've had the hack for a while - even before this guy released it!

what's odd about this? Your key is local (5, Informative)

YesIAmAScript (886271) | about a year ago | (#44748223)

That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.

So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.

Re:what's odd about this? Your key is local (2)

Joining Yet Again (2992179) | about a year ago | (#44748353)

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them.

And you think this isn't serious? Every vulnerability is "conceptually possible" until it's implemented. NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.

Perhaps you don't even understand what Mega has been promising up to now.

Re:what's odd about this? Your key is local (3, Informative)

amicusNYCL (1538833) | about a year ago | (#44748485)

As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else. It sounds like there is some client-side encryption that takes place before sending files, and that encryption code presumably comes from Mega, and that encryption code uses your private key, so of course the encryption code has access to the key. How could it encrypt otherwise? The browser doesn't natively support that process, that is what would have to change in order for this to not be an issue. The promise by Mega not to store your keys is the only thing that users have, because if they are running Mega's encryption code client-side then there is nothing stopping Mega from getting your keys, or unencrypted data, or whatever else, other than their promise not to.

NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.

Again, the onus is on Mega to stop that from happening, but they can only protect their own servers. If someone wants to intercept and decrypt your traffic and change the data to add new code (a man-in-the-middle attack), then that is still a threat. It's always going to be a threat as long as organizations like the NSA are capable of decrypting that SSL traffic.

Otherwise, this is not an issue that has a solution with today's browser implementations. Maybe Mega can produce their own version of Firefox or a Webkit-based browser that will natively implement their encryption without exposing the keys to Javascript, but then you would have to trust that software, don't you? It's all about trust. If you don't trust Mega, then don't use it.

Re:what's odd about this? Your key is local (1)

Joining Yet Again (2992179) | about a year ago | (#44748613)

By using a proper browser plugin rather than a crappy Javascript implementation, perhaps?

Yes, it is all about trust: companies ask you to trust them, then their reputation is built or broken. Evidence for either is welcome.

Yep, exactly .... (1)

King_TJ (85913) | about a year ago | (#44748795)

I'd agree that this is not really a vulnerability in the traditional sense.... but under the circumstances, Mega should (IMO) do more to convince customers the data they store there isn't going to be viewed by any 3rd. parties.

Ultimately, I suppose a custom browser plug-in could be written which would divulge your secret personal key, too. But I'd rather see a less trivial process to upload a user's key than some basic javascript making it possible. (Otherwise, it's too easy to trick a user into visiting what he/she thinks is a landing page for Mega, but is actually a site designed to capture keys.)

Re:what's odd about this? Your key is local (1)

girlintraining (1395911) | about a year ago | (#44748717)

The promise by Mega not to store your keys is the only thing that users have, because if they are running Mega's encryption code client-side then there is nothing stopping Mega from getting your keys, or unencrypted data, or whatever else, other than their promise not to.

It is likely that this was an intentional design flaw, introduced at the behest of one or more government agencies (I didn't say which government, and you shouldn't assume!). You'd be surprised what threats of torture, destitution, or prison, can do -- especially to someone like kim dot com, who is used to a higher standard of living. You can't really threaten a poor person; Government long ago learned to forget that strategy and instead go after their family and/or lover. But a rich person? oooh, so very many juicy blackmail possibilities.

It's very easy to create encrypted and secure file storage / cloud storage. Most modern computers have a dedicated hardware AES implimentation that'll generate and store keys, and will do encryption/decryption on the fly. I believe there's even java methods out there to access these hardware functions. You can also 'lock' the key using your TPM so it cannot be accessed directly -- in effect, you simply say "Load key 0x0F and attach it to stream 0x01"... and it just craps out the decrypted data.

It goes without saying then, that the decision not to do this was not an accidental oversight.

Re: what's odd about this? Your key is local (0)

Anonymous Coward | about a year ago | (#44749347)

And you trust this hardware AES implementation? Why?

Re:what's odd about this? Your key is local (1)

Anonymous Coward | about a year ago | (#44749609)

Except who owns the TPM MASTER KEY?

TPM is not and never will be a secure method of key storage. It's just another form of Key Escrow.

Re:what's odd about this? Your key is local (3, Informative)

swillden (191260) | about a year ago | (#44748969)

As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else.

At present, this is true. There's a W3C WebCrypto spec in progress (being developed by Google and Mozilla, IIRC) that will change it, though. It will not only provide native implementations of ciphers accessible from Javascript (rather than performing expensive calculations in Javascript), but will also provide a client-side key store so Javascript code can create and use keys without ever seeing their value, and hence be unable to send the values anywhere.

I think the Javascript code would still have access to the decrypted data.

Caveat: It's been a while since I looked at the in-progress spec. It may have changed, and I guarantee my memory is faulty in at least some respect.

Re:what's odd about this? Your key is local (5, Insightful)

bluefoxlucid (723572) | about a year ago | (#44748523)

The issue is that it's 'conceptually possible' for Ubuntu to ship a package in the base system that uploads your keys to Canonical's servers. I can give you a script that you run on RHEL and it'll show decrypted ssh, ssl, and gpg keys (if you've entered the password). I can put a package on your system and show that RHAT could put a modified gpg that logs all your shit and passwords and everything to their server. And so on.

This isn't a vulnerability. It's like saying it's conceptually possible for a thief to steal your car after you've put the key in the ignition.

is it serious? More how serious are you. (1)

YesIAmAScript (886271) | about a year ago | (#44748731)

It's not a question as to whether it's serious. It was always the case and could be assumed to be the case. If the JavaScript can get to your key to use it to encrypt/decrypt, it can also possibly upload. It's part-and-parcel of the design.

I pointed this out when MEGA was first announced. There always is the possibility of a system squirreling away your keys. You cannot design it out in software. The software reconstructs your key at some point, you then have to trust it discards after using it only for the use you requested it be used for.

I think the problem may be that you (and others) don't really understand what MEGA can promise and what they can actually deliver.

Anyway, you've now entered the realm of security paranoia. The only way to survive in this area is to review all the code you are going to put on your machine and to compile it yourself because if you don't, you don't know the delivered object matches the sources you reviewed. And don't forget to review all the code in the compiler(s) or interpreter(s) in play, because you verify they aren't inserting backdoors too.

After you get through all that, you only have to worry about whether your hardware (CPU) is inserting backdoors. There's no way to prove the CPU is actually executing the object code according to the spec unless you review every transistor in the CPU.

Re:what's odd about this? Your key is local (0)

Anonymous Coward | about a year ago | (#44748421)

That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.

So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.

I'm sure the NSA backup service [slashdot.org] is involved somehow.

Re:what's odd about this? Your key is local (1)

OverlordQ (264228) | about a year ago | (#44748427)

So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.

Or at any time Mega can sneak in a bit of extra javascript to send them your key too. How many people actually audit the javascript every time they visit the page. It's the main reason why client-side encryption is bullshit. It just adds extra vectors of attack, rather than makes things more secure.

Re:what's odd about this? Your key is local (2)

DarkOx (621550) | about a year ago | (#44750045)

When the method is javascript in the browser; sourced from the very same service you are sending the encrypted data off to than yes; client side encryption is BS and probably offers so much attack surface it reduces security.

The fundamental problem here is you are running 'untrusted code' to handle sensitive information. There is a solution here. A small simple OSS program easily audited. Probably needs to be real real basic command line utility using few if any external libraries so people can post the md5sums of the output generated on their favorite platform by their favorite compiler and linker; that way everyone can compare, notes.

This would be too difficulte for 99% of Mega's users to deal with though.

Re:what's odd about this? Your key is local (1)

sjames (1099) | about a year ago | (#44748469)

I it can display it to you, it can post it to the server.

Re:what's odd about this? Your key is local (-1)

Anonymous Coward | about a year ago | (#44749083)

That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.

So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.

Yeah, this article is stupid. The number one rule of computer security is that if a bad guy gets physical access to your computer it isn't your computer anymore. This is a completely pointless piece of fluff that seems more designed to boost the authors visibility than anything else.

AlphaA

Summary (5, Insightful)

LordLimecat (1103839) | about a year ago | (#44748233)

Unless Im misreading it, this can be summarized as follows:
  * Coder has discovered that, in order to encrypt data, your computer must have access to the encryption key
  * Further, if someone has root access to your machine, they can get your encryption key.

Wow. What a discovery.

MEGA and anyone else with access to your computer can see this, and use it to decrypt any file you upload.

Wait, someone with access to my computer has access to things that my computer has access to? WOW!

Re:Summary (0)

Joining Yet Again (2992179) | about a year ago | (#44748323)

Only if you define "someone with access to my computer" to include "anyone who runs a web server I visit".

Re:Summary (1)

LordLimecat (1103839) | about a year ago | (#44748337)

Pretty sure such an attack would qualify as a cross-site scripting vulnerability.

Re:Summary (1)

JesseMcDonald (536341) | about a year ago | (#44748413)

Only if you define "someone with access to my computer" to include "anyone who runs a web server I visit".

The article doesn't say that any web site can access the key, just the browser itself (via bookmarklets or third-party extensions) and Mega. Both of which are obvious.

The browser prevents sites from accessing other sites' local data. It would be interesting if they managed to find a way around that protection, but they didn't. The system is working as designed.

Re:Summary (1)

Joining Yet Again (2992179) | about a year ago | (#44748655)

Eh, you could easily write a plugin which doesn't allow any Javascript to access its private data. It might involve platform+browser-specific implementations, but doing things right isn't always easy.

Re:Summary (1)

JesseMcDonald (536341) | about a year ago | (#44749261)

I don't disagree. My own preference would be an open-source native client with no ties to the browser, something stable which can be audited and won't be replaced every time Mega updates their web site. However, the existing system isn't exactly handing the key out to every web site you visit, just the components which are expected to have access to it. It's about as secure as can be expected of a plain web app.

Re:Summary (0)

Anonymous Coward | about a year ago | (#44750277)

It might involve...

So you do not know how to do it, but you know that it is easy?

Or is it hard? Or have you made up your mind?

...you could easily write...

...but doing things right isn't always easy

Do you have any idea what you are actually talking about?

Re:Summary (1)

Arker (91948) | about a year ago | (#44748429)

"Only if you define "someone with access to my computer" to include "anyone who runs a web server I visit"."

That definition works, if you are foolish enough to enable javascript.

Re:Summary (1)

LordLimecat (1103839) | about a year ago | (#44748539)

And foolish enough to run a browser which doesnt prevent cross-site scripting attacks.

Hey, if your browser allows random websites to pull all of your cookies, your login sessions could be compromised! Except, they do restrict that.

Re:Summary (1)

Arker (91948) | about a year ago | (#44748737)

I dont allow cross-site scripting without whitelisting myself, but it's important to realize this is a compromise that reduces vulnerabilities but does not eliminate them. In this case, it's NOT cross-site scripting we are worried about.

Re:Summary (1)

wagnerrp (1305589) | about a year ago | (#44749417)

The Mega site runs javascript. If you do not enable javascript, you cannot use Mega. Of course in that scenario, this whole discussion is moot.

Re:Summary (1)

Arker (91948) | about a year ago | (#44750047)

"If you do not enable javascript, you cannot use Mega."

And that is indeed my point. If it wont work when you turn javascript off, it isnt a webpage, and it definitely cannot be trusted.

Re:Summary (2)

Laxori666 (748529) | about a year ago | (#44748329)

Well. The whole point of Mega was that not even Mega would know what you are storing on their servers. "The end to end encryption means that Mega pretty much can't narc on you, no matter how much pressure it's under. It won't know what you're storing on its servers, by design." gizmodo [gizmodo.com] . Thus there's a reasonable expectation that Mega cannot find out what you are storing on its servers. Now it turns out there is a ridiculously easy way for Mega to find out what you're storing there: all Mega has to do is run some JavaScript on your computer. Which it does anyway.

I suppose either way you'd have to trust that the website is only uploading encrypted stuff to Mega and not the file itself. But now it turns out even if they're doing that, they can still decrypt your stuff. And also any website on the internet.

Well I suppose that the JS client could also have just sent the keys it generated to Mega as soon as it generated them.

Ok, basically there's no way this security model can work. I just feel a bit foolish now. But I'm glad TFA made me think about it for the two minutes it took to figure out that there's no real expectation of security here. Other articles (like that gizmodo one) painted quite the misleading picture.

Re:Summary (1)

amicusNYCL (1538833) | about a year ago | (#44748497)

Indeed. If you want to store encrypted files, then encrypt them locally before uploading them.

Re:Summary (1)

LordLimecat (1103839) | about a year ago | (#44748547)

That is what is happening here. Just from reading the article, I can see that the key is using local browser storage, which is used to encrypt the data and upload to Mega. Mega is NOT doing the encryption (thats the entire point of doing it in JavaScript).

Re:Summary (1)

Hatta (162192) | about a year ago | (#44748929)

Just from reading the article, I can see that the key is using local browser storage

Which is about as secure as storing the key in /var/www.

Re:Summary (1)

amicusNYCL (1538833) | about a year ago | (#44749071)

What I'm saying is that if you don't want your files to be seen, then you encrypt them outside of the browser before uploading them. If you're encrypting them in the browser then that's a vulnerability. The browser can encrypt the already-encrypted file if it wants to, if anyone decrypts it they're just going to get another encrypted file back.

Wrong. Mega is doing it. (2)

cbhacking (979169) | about a year ago | (#44749123)

If you want to store encrypted files, then [you must] encrypt them locally before uploading them.

Emphasis and clarification added. The problem isn't that the files aren't getting encrypted before upload, it's that *you* aren't doing it. Your browser, executing JS code from mega.co.nz, is doing it. You aren't even running the encryption program yourself; it's all automatic. You are handing Mega an un-encrypted file, and trusting them to securely encrypt it against themselves. Does this sound stupid yet? Let me be a little clearer: what does it matter whose actual CPU executes the crypto code, when Mega owns (and can change at any time) that code?

While Mega's approach is very convenient, it also throws all security guarantees out the window. From the user's perspective, they are giving an untrusted site ("untrusted" here is used in the security sense, as in "we are not absolutely sure that this site will not attempt to rat us out, so we are never going to let it see the unencrypted data") access to... unencrypted data. See the problem here? Yes, the version of the site's JS that you downloaded on this visit probably doesn't contain anything that leaks your decryption key to Mega, but there's no guarantee of that unless you audited the code yourself. Even then, it could be different next time...

Let me reiterate those points one more time:
1) You are handing Mega access to your plain-text data. It doesn't matter whose CPU modifies the data; Mega controls the code that runs on the CPU.
2) Because of item #1, all of Mega's guarantees are bullshit. The next time you visit their site, they could steal your keys and decrypt all your data; you can't stop them.
3) The only way to do this securely is, as amicusNYCL points out, encrypt them yourself. That means *not* using Mega's code, or the code of anybody else you are attempting to encrypt *against*.

Re:Summary (1)

bluefoxlucid (723572) | about a year ago | (#44748553)

Yes, basically there's no way this security model works. Their promise is that they give you client side software (java script), the software does all the magic on your end, then gives them impenetrable black boxes. That's it.

Microsoft EFS promises that Windows doesn't upload your encryption keys to microsoft.com. Apple's encryption tools, same. PGP and GPG, same. We really really promise we don't send your private keys to home base, then add back doors to your computer and come snooping your filez.

Re:Summary (0)

Anonymous Coward | about a year ago | (#44748419)

Yes, yes, of course, EVERYONE knew that. Except all those people who bought (and probably still buy) into these morons "WE CAN'T EVEN KNOW WHAT YOU'RE STORING" crap. Those didn't know, or care, or connect the dots, or have the technical expertise, or &c &c &c.

This exploit is an obvious one, of course, but it's one that needed to be made, because nothing short of a publicly available easy to use exploit will ever cut through any companies bullshit about security. Often, not even that.

Re:Summary (0)

Anonymous Coward | about a year ago | (#44748451)

There's a fundamental problem in all of this generation's encrypted storage: the server should never know the key, but the software now used to transport the file to the client is also the decryption software and is made by the company operating the server, so you have to trust that they aren't just phoning home your key and reading your precious files.

A secure solution would be open-source (do you even know what method Mega uses for transport?) and separate the transport and encryption/decryption steps into different executables. This would be a pain in the ass without some third-party integration. On the other hand, has anyone ever tried to mount an encrypted file system (like cryptofs) on Dropbox? That would help with the separation some (but does Dropbox still have some sort of root access?).

Re:Summary (1)

bluefoxlucid (723572) | about a year ago | (#44748603)

Mega uses an open-source java script thing, you can check the source. It's not free, but you can see the source.

TPM is supposed to cover this--if you can audit the TPM design and say that this model TPM is secure, and can guarantee that the TPM in there is of that model and not another model. We can narrow the threats down to hardware or software--an operating system service that manages keys, for example, and must be communicated with to act. That means that whoever wrote the service could be a bad guy--instead of DropBox and Mega supplying an encryption program that uses your keys, DropBox and Mega would access an API that says "Create a key" "Use key XXX to encrypt/decrypt this file" in a program supplied by someone else. DropBox and Mega couldn't be malicious after the fact: if they used that service for a key store, they couldn't one day transparently extract keys; and a second program could check the key store and verify that retrieved data is in fact stored with that key.

That all gets you down to a single vendor (hardware TPM or software service) who might be evil.

Re: Summary (0)

Anonymous Coward | about a year ago | (#44749421)

How do you audit a deployed TPM chip which is soldered to the motherboard?

Querying the chip itself? Hah.
Relying on a fancy diploma with a hologram? Hah.
Reputation of the designers? Hah.

Re:Summary (1)

LordLimecat (1103839) | about a year ago | (#44748719)

There's a fundamental problem in all of this generation's encrypted storage: the server should never know the key, but the software now used to transport the file to the client is also the decryption software and is made by the company operating the server, so you have to trust that they aren't just phoning home your key and reading your precious files.

Thats true, but I believe that horse has already been beaten to death.

The claim HERE is that anyone can grab the key, which is just a stupid point to make: Its only true in situations where all security bets are off anyways (ie, youve already been rooted).

Re:Summary (0)

Anonymous Coward | about a year ago | (#44749233)

I believe mega uses an asymetic key system so you don't need access to the PRIVATE key in order to encrypt data. Basically kim did a shoddy job as usual and may even be collecting people's private keys as part of a plot for his next round of self promotion. I'm sure he could find a new round of suckers who take him seriously if he claimed he was in touch with a high highly elite group of hackers who were leaking confidential information evidenced by embarrassing private data he released. He exists by constantly staying in the spotlight.

Anything he can ever offer as evidence of his specialness.

Setup? (0)

Anonymous Coward | about a year ago | (#44748241)

So, the gnome-underwear schematic for Kim Dotcom:

1) Operate MegaVideo etc.
2) Get busted by massive international intel/police operation.
3) ???
4) Start new Mega supposedly-über-safe filesharing system, taking advantage of your new anti-establishment credibility that you earned in step (2) to convince everyone that you're fighting for privacy against the incursions of the Man.
5) Compromise all the accounts on Mega.

Mega ... what? (0)

Anonymous Coward | about a year ago | (#44748257)

Not relevant. Not because it isn't timely, but because mega hasn't been important since ... megaupload.

Great summary (0)

Anonymous Coward | about a year ago | (#44748311)

Mega is? A bookmarklet is? This summary reads as gibberish to me.

Re:Great summary (1)

Russ1642 (1087959) | about a year ago | (#44748771)

What the hell is mega, other than a prefix?

Re:Great summary (1)

interval1066 (668936) | about a year ago | (#44749241)

Other people will comment, but just to run over the carcass in my new LandRover s'more; Mega is Kim Dotcom's new file storage site.

Re:Great summary (1)

cbhacking (979169) | about a year ago | (#44749311)

The bright thing in front of you is called a computer monitor. It displays information from your computer. Your computer is a machine which can execute instructions, called "programs", to compute or manipulate data. The output of these programs is typically displayed on the monitor. The inputs to these programs, and most of the programs themselves, come from a variety of sources outside of your computer. These sources include yourself, other computers which your computer is connected to, and data storage devices which can be written to by one computer, moved to your computer, and then read from. Let's start with the first source, yourself. You interact with the computer via various mechanisms, typically called "input devices". The most common input devices are the mouse (usually fits in one hand, has a few buttons on one end) and the keyboard (typically placed directly in front of you, it is wide and has many buttons, most of which are labeled with letters or numbers).

... I could go on like this for a week without getting to bookmarklets, much less Mega.co.nz. You're on the Internet. Try acting like it (the "my web browser can access a search engine" part, not the "I am a blithering idiot, and need to share that fact with anybody who can read my drivel" part). I'd give you step by step instructions, but we haven't even gotten to the concept of the mouse controlling a little arrow (called the "pointer") on the screen (the stuff displayed by the monitor) yet; working all the way up to telling you how to perform a web search is well beyond the scope of this post.

Re:Great summary (1)

wagnerrp (1305589) | about a year ago | (#44749517)

"Mega" is a file sharing site, started in place of the now-defunct MegaUpload, purported to be secure against even themselves. This article is to show that there is exactly zero effective security against data breaches by Mega.

A "bookmarklet" is a bookmark that rather than storing a URL, stores a snippet of javascript, which gets run in-place on the currently loaded web page, altering it in some fashion. Think GreaseMonkey, but without the framework to automatically run the scripts on certain sites.

Federal Reserve creating magnittude inflation? (1)

JoeyRox (2711699) | about a year ago | (#44748359)

Two back-to-back /. articles with the superlative "Mega" in the title. The next scientific discovery will need to be ÃoeberMega to reach the front page of /.

Re:Federal Reserve creating magnittude inflation? (1)

93 Escort Wagon (326346) | about a year ago | (#44748531)

Did you hear about the Mega Man reboot?

Re:Federal Reserve creating magnittude inflation? (1)

Russ1642 (1087959) | about a year ago | (#44749561)

I find it extremely annoying too.

Problem is dedupe (1)

onyxruby (118189) | about a year ago | (#44748383)

The problem with storing data in the cloud with encryption from the providers standpoint is that you can't use dedupe on it. Dedupe can make an extremely large difference in the amount of storage that you have to buy and run. From an operational costs standpoint the difference between running a data repository with and without dedupe could easily be the difference between running at a profit or a loss.

The service provider has a very strong financial incentive to use dedupe technology. The problem is that there is no way to run dedupe on crypto without having the key and being susceptible to having your data be accessed by third parties. If you don't have the key than you can honestly say that you have no idea what is in a users data set or ability to decrypt it, but you then lose the ability to dedupe the data and save a fortune on operational costs.

In a nutshell what you really need is a cloud provider that offers dedupe free storage. Their costs (read your costs) would be higher to offer this of course, but for many people that's more than reasonable when your asking them to incur additional expenses to actually keep your data private. I can't speak for Mega of course, but the dedupe question is one that could nail this down one way or another.

All backup sites have this problem (1)

Anonymous Coward | about a year ago | (#44748431)

I worked for a company that wanted to offer secure cloud backup. A crucial requirement was that the company would never have the encryption key, and we went to significant lengths to do that. But the users wanted a way to download their files from the web. Well, how were we supposed to send the user a decrypted file if we didn't have the decryption key? Solution: The user must enter the key into the web app, then the server decrypts the file and sends it to them. So now, in theory, the company could simply store your key.

Whoops!

Ultimately, there really is no solution here other than to encrypt the files yourself. Whenever something is "secure" you have to ask "secure from whom?"

Obvious (2)

TheSpoom (715771) | about a year ago | (#44748435)

So this is obvious to anyone with knowledge of encryption. I believe Mega's claim is that because the encryption is done on the client side, they don't know the key. This could be true, but you still have to take their word for it.

But even though it's obvious, it's something to consider. Mega claims that they could not decrypt your files. This is demonstrably false. So what's to stop the government from serving them with a National Security Letter that forces them to add code to the login process, logging all keys upon login, without any advance warning to their customers?

There's essentially no way to trust a third party on the internet now without an alternate, reliable channel of communication to exchange keys in the first place.

Re:Obvious (1)

PRMan (959735) | about a year ago | (#44749491)

So what's to stop the government from serving them with a National Security Letter

He's not in the USA and never has been?

So what's a "mega master" key anyway? (0)

Anonymous Coward | about a year ago | (#44748455)

It might be helpful if you told your readers what a "mega master" key is so they know what it is you're so worried about. Googling Mega Master turns up a company in South Africa that sells heating equipment, a transportation company in Houston, TX, an online radio station, but nothing seems relevant.

Re:So what's a "mega master" key anyway? (0)

Anonymous Coward | about a year ago | (#44748507)

I understand when people don't RTFA, but you didn't even RTFS! It should be abundantly clear that it's referring to the user's master key to the Mega service.

Re:So what's a "mega master" key anyway? (0)

Anonymous Coward | about a year ago | (#44748907)

Ha, funny. :) But that doesn't really help if someone doesn't know what "mega" means in this context does it? Mega is such a common word, it's unlikely someone could discover the specific meaning referred to this in this article by using Google. Is it a compromise of security at the MEGA millions lottery service? A problem with the Molecular Evolutionary Genetics Analysis (MEGA) tools, the MEGA android app, the Arduino MEGA, etc. Mega is not a unique term; it's used in a lot of different applications, many of which involve security and encryption. The context of a three sentence article is likely not enough to tell anyone who doesn't already know what's being talked about. A decent article would have provided an explanation of what the "mega service" is and maybe even provided a link to the service or a wikipedia site with more information about it.

Re:So what's a "mega master" key anyway? (1)

interval1066 (668936) | about a year ago | (#44749221)

Its fucking Kim Dotcom's new site. If you don't know what "Mega" means in this context you don't need to know.

Fuck it (0)

ciderbrew (1860166) | about a year ago | (#44748545)

my luggage number is 742. One less thing to worry about.

Re:Fuck it (0)

Anonymous Coward | about a year ago | (#44749547)

Is that a `Mega Master Luggage' perhaps?

Wow... (1)

interval1066 (668936) | about a year ago | (#44749209)

...thanks for the huge back door up my ass, Kim.

I cannot be the only one (2)

ArcadeMan (2766669) | about a year ago | (#44749247)

I read the title as "Software developer says Sega Master keys are retrievable".

Re:I cannot be the only one (1)

CaseCrash (1120869) | about a year ago | (#44749627)

I was really excited to read something about the Sega Master System and was bummed out when I realized my mistake.

That's why (1)

santosh.k83 (2442182) | about a year ago | (#44749613)

All the files I store on the Cloud are encrypted locally on my machine by GPG before being uploaded to Google Drive, Mega or whatever. Now it is possible that a backdoor/exploit of my OS's code or GPG's code or hardware could leak my keys, but that's significantly more difficult to accomplish than simply changing a few lines of JavaScript the next time my browser pulls down the uploader's page.

christopher ``ambient empire'' abad == lame (0)

Anonymous Coward | about a year ago | (#44749757)

http://redd.it/1lnun3

I killed christopher 'aempirei' abad with my 5" dick

Cowabunga, dude!

And now you're going to die wearing that stupid little hat. How does it feel!?

You got caught with the seat of your pants flying down and now everyone laughs at your little picopenis on a daily basis.

Microchipping a fellow hacker just because you can't sniff out your own? Hilariously inept.

Throwing a well-known, contributing veteran of the hack/trollscene into a mental institution just because you had a hangover and forgot to take your klonopin? Over the top.

Having a wanton disregard for the history of the internet, the hackscene, trollscene and everything about humanity in general? Get a clue. Your holier-than-thou attitude can screw back off to the 1980's.

Yes, folks, christopher 'ambient empire' abad has been bitchtagging and torturing anyone that walks by him just because, well, "I feel like it!"

Yes, folks, christopher 'ambient empire' abad fails to understand the first rule of the U.S. system: you can always just buy people off with cash.
'
We've been talking to your friends, coworkers and they've been telling us what a lazy, unappreciative little shit you are. Not to mention a sociopath of the lowest order.

You won the birth lottery and coasted your way to the top of the U.S. system on a skateboard. Now it's going to be a fun ride when we push your little deck the way back down.

You are nothing but a barking little dog who got caught sneaking up the backstairs into the big people's club and now you're being thrown out the window.

Your last thought as you realize nothing of value will be lost when your head cracks on the floor of a 12x12 supermax prison cell: "I like to copy from my 1337 civics textbook."

Sayanora, sucker!

Malaclypse the Younger

http://pastie.org/8295259

people stop complaining already (0)

Anonymous Coward | about a year ago | (#44749899)

they have developer documentation, and a c++ sdk as source code
https://mega.co.nz/sdk.zip
https://mega.co.nz/#dev

now stop posting and make a client!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>