Mega’s bug bounty program – one week down, “a few billion billion years” to go

Mega, the cloud storage service brought to you by larger-than-life New Zealand digeratus Kim Dotcom, has released the first feedback on its bug bounty program.

Mega, in case you missed it, is a recent reincarnation of the controversial Kiwi file-sharing service Megaupload.

Megaupload imploded a year ago when Dotcom was arrested in New Zealand to face extradition to the USA on serious criminal charges, including racketeering (organised criminality) and money laundering.

The background to the charges was the allegedly vast amount of pirated material hosted on the Megaupload site.

On the anniversary of the big fella’s arrest (in case you haven’t come across Dotcom before, he’s said to have the impressive vital statistics of 200cm and 135kg – he’s the silhouette on the left in the image above), Mega arose from the ashes of Megaupload.

This time the company aims to sidestep accusations that it’s a front for piracy by using built-in cryptography so that it doesn’t, and indeed cannot, know what you’re uploading and downloading.

As we put it when Mega launched, “all it does is to store a giant pile of shredded cabbage on your behalf.”

Cryptanalysts and cypherpunks soon took aim at some aspects of Mega’s cryptography.

Critics came up with some interesting commentary about its design and implementation, such as:

  • Disapproving of the random number generation technique used when setting up your encryption keys.
  • Questioning the cryptographic mechanism for generating confirmation links sent by email.
  • Wondering how Mega could claim to offer a deduplication feature if it genuinely knew nothing about the content of your uploads.
  • Lamenting that most of Mega’s secure content servers used only 1024-bit public keys, currently considered the lowest rung of acceptability.

Mega soon fired its own verbal broadside back, declaring itself “not too impressed with the results.”

The company was particularly scathing of the critique of its cheap-and-cheerful 1024-bit keys, pointing out that the 1024-bit-protected content was itself protected by a cryptographic checksum authenticated with 2048-bit security, so there.

That counterblast was followed a critique from hacking group fail0verflow, pointing out that Mega’s programmers had got the implementation of the 2048-bit-protected checksum all wrong.

This time, Mega hit back with actions, not words, quickly adapting its own code to repair the mistakes, and rightly earning praise for the speed of its response.

Instead of concatenating all checksummed files and computing a single “combo-checksum”, Mega began to publish separate checksums for each file.

Checksumming all files as if they were one is imprecise because you can alter the boundaries between the combined files without changing the checksum.

Subtle attacks might be possible by shifting JavaScript code out of one source file into another.

And instead of using a forgeable CBC-MAC checksum, it switched to SHA-256.

Shortly after that, Mega got onto the front foot and announced bug bounties that would pay “up to €10,000 per bug, depending on its complexity and impact potential.”

It also published two outright challenges that are worth €10,000 each.

One requires you to to find the decryption key for a file on the site. (Decrypting the file is not enough. You have to recover the key, which is a somewhat stronger result.) The other requires you to recover the user’s password from a confirmation email link.

Whatever you think of Mega, its founder, its raison d’etre, its bombasticity and even the value of the bounties its offering, it nevertheless reflects to the company’s credit that it came out with the bounties at all.

And just a week after the bounties were announced, Mega has announced the first “interim results,” as it calls them.

No mention of how much was paid to whom for exactly what, but no-one’s pulled off a crown jewels crack yet (or Severity V and Severity VI in Mega’s terminology: remote code execution or worse).

That’s good news for Mega, though of course it’s only a week into the bug bounty program.

Nevertheless, the company is as gung-ho as ever, needlessly mentioning that it is “needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).”

Let’s hope the Megabloggers are right…

Image of cabbage, including the shredded stuff, courtesy of Shutterstock.