Kim Dotcom takes issue with critics taking issue with his new MEGA service

The party-time news of the past weekend was the launch of Kim Dotcom’s comeback file sharing service, Mega.

If you’ve been out of touch with security shenaningans for the past twelve months, Kim Dotcom is a larger-than-life German-Finnish entrepreneur currently based in New Zealand.

He was born Kim Schmitz, and was variously known as Kimble and by the Goonshowesque moniker of Kim Tim Jim Vestor before changing his name to Dotcom and settling flamboyantly into the digital storage locker business with his company Megaupload.

Things got a bit wild last year, when the FBI enlisted the help of Kiwi law enforcement to try to take him down for piracy and racketeering.

The allegations seemed fairly straightforward: a huge proportion of Megaupload’s stored content was pirated material. Yet the company had annual revenues of nearly $200,000,000 per year, and Dotcom lived in New Zealand’s most expensive house. (As he had a criminal record, he wasn’t able to buy it, but had to rent it instead.)

Dotcom was dragged out of a safe room in the house, arrested, managed to make bail, was in and out of court fighting against extradition and for access to his frozen assets…and also found time to to reinvent his business under the brand name Mega.

The launch took place last weekend because it was the anniversary of his controversial arrest.

The difference this time is that the service has been designed to shield Mega from allegations of knowingly hosting and profiting from rampant piracy. That’s been done using cryptography.

Everything you upload is encrypted before it leaves your browser, using a key that is only ever known to you. When you download it, it’s decrypted at your end of the connection.

So, the theory goes, it’s not a file sharing service, because Mega itself is ignorant of your folders, files and contents. In its own words, it’s:

An awesome cloud storage service that will help protect your privacy.

Put another way, all it does is to store a giant pile of shredded cabbage on your behalf.

So that you don’t need to install any specialised software or drivers on your computer, Mega is driven by JavaScript (not Java!) inside your browser.

Writing crypto services in JavaScript doesn’t give you the fastest software around, but it does make your service much easier and therefore, you might argue, safer to use.

(The crooks have known this for years, with online malware toolkits like Luckysploit using JavaScript-based public key cryptography so that sniffed copies of its HTTP payloads can’t be decrypted once the attack is over.)

But critics have already taken issue with some aspects of Mega’s implementation, notably including the following observations:

1. The private key generated in your browser when you first use Mega relies on JavaScript’s Math.random() function.

Software random number generators are notoriously risky.

If you can guess the starting seed that was used, you can repeat a previously-issued sequence and attack the security of the cryptosystem that used it.

As the famous mathematician and computer scientist John von Neumann is supposed to have said:

Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number. There are only methods to produce random numbers, and a strict arithmetic procedure ... is not such a method.

2. Mega’s terms of service explicitly state that the service “may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service.”

But critics want to know why this possibility is even entertained, if Mega really does encrypt every uploaded object uniquely for each user in a fashion that makes its name and content invisible to Mega’s servers.

Deduplication ought to be impossible.

Indeed, Mega’s FAQ explains that you won’t see thumbnails or video previews on the service precisely because its end-to-end encryption model “precludes any server-side manipulation of your data”.

Even if the duplicated content can’t be retrieved, merely knowing that user A and user B have the same stuff is a privacy problem, because a leak by user A (or a confession to law enforcment) then turns into a leak for user B.

3. The Mega signup service sends a confirmation email containing an AES-based hash of your master key, thus allowing an off-line dictionary attack.

A online cracking tool has already appeared for these confirmation emails.

It’s rather slow, but critics point to it as evidence of a cryptographic design decision that ought to have been avoided.

The company has responded with some rebuttals and reassurances on its blog, notably:

1. The key generation stage uses mouse movements and keystroke timings to improve randomness slightly, and a feature will be added soon allowing you to add your own randomness into the process.

2. Deduplication is only ever done on the already-encrypted data, so Mega still doesn’t see the raw content.

3. Choose a decent password.

To which critics will probably reply to say:

1. Mouse and keyboard movements aren’t very good additional sources of randomness.

2. Knowing that two files are the same, even without knowing the content, nevertheless leaks information about the data.

3. That’s still a bit like saying to a driver before he sets off, “Don’t have a crash!”

There are other issues to consider, too, like just how much you want to entrust to the cloud under any circumstances.

As Naked Security’s Chester Wisniewski warns on Technews Daily:

I wouldn't recommend storing your most sensitive information in the cloud, encryption or not. How much trust do you grant to convicted felons under other circumstances?

In short, expect more controversy about Mega and its perceived security. I’m sure that Kim Dotcom wouldn’t want it any other way!