MEGA users: perhaps you find this of interest


6 Likes

MEGA has fixed the two vulnerabilities that can lead to user data decryption on all clients (RSA key recovery and plaintext recovery), mitigated a third one (framing), and plans to address the remaining two of the discovered issues in upcoming updates.

The fixes aren’t perfect countermeasures, but they don’t impact user experience and don’t require users to re-encrypt their stored data, change their password, or create new keys.

The cloud service provider claims that there are no signs of user accounts or data being accessed inappropriately, either from insiders or outsiders.

“Seeing how seemingly innocuous cryptographic design shortcuts taken almost a decade ago backfire under scrutiny by three of the sector’s brightest minds is both frightening and intellectually fascinating,” comments MEGA on the findings.

“The very high threshold of exploitability, despite the broad range of identified cryptographic flaws, provides a certain sense of relief.”

Despite the assurances by MEGA that no data was compromised, the research has effectively nullified MEGA’s data confidentiality assurances that differentiated them from their competition for over a decade.

1 Like

Oh my…

You have to be pretty nuts to believe such confidentiality assurances in the first place…
Cloud is a freaking other people’s computer!


6 Likes

Cloud is a freaking other people’s computer!

True, I only use it to host files like this one (GZDoom/Zandronum mod I made, shameless plug)

2 Likes

Thanks for the update. I only use Mega as a fallback to my regular strategies, but it’s good to know.

I am considering pCloud. Any thoughts?

Aint dat da truth.

I’m using pCloud and I like it a lot. I use the free version, because I don’t have much stuff to keep in the cloud.

1 Like

All other reasonings are pure BS from their start!

1 Like

The researchers say this:

Chief among the weaknesses is an RSA Key Recovery Attack that makes it possible for MEGA (itself acting maliciously) or a resourceful nation-state adversary in control of its API infrastructure to recover a user’s RSA private key by tampering with 512 login attempts and decrypt the stored content.

Well, if your cloud provider itself is malicious, you are defenseless. The same applies to Apple cloud, Google cloud or any other cloud provider.

Also, “a resourceful nation-state adversary” always has possibilities to get into your cloud.

I am not sure if this whole article is MEGA specific or if it is basically true for most of the cloud providers.

2 Likes

Well, there are storage services that encrypt the data before it is ever uploaded. So if there is client-side encryption I don’t see the problem…

How many instances of hacked encrypted clouds does “it” really need?

I like how instead of just taking ownership of the fact that they screwed up they try to pass blame to the previous owner :rofl:

If you encrypt the data before it’s sent, they have nothing they can get :grin: trust no company

2 Likes

Common policy among marketing strategists, it seems.

1 Like

Syncthing for my really private stuff I need synced across my computers and phone (KeePass file, e.g.).

MEGA for anything else in the cloud. I like the multiplatform support and the mega-cli on my raspi.

Unless you are using your own encryption, you are still trusting their encryption. There is nothing to say their encryption algorithms aren’t flawed or malicious.

That is why I recommend encrypting any non-public data you store in the cloud with industry standard encryption you control prior to uploading it.

4 Likes
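The point made in the last two posts (encrypt before upload, with a key the provider never sees, so a malicious or compromised provider holds only ciphertext and cannot alter it unnoticed) is worth seeing in working code. The following is an added example, not code from MEGA, pCloud or anyone in this thread. It assumes AES-256-GCM from the Go standard library, a random 256-bit key that is generated once and kept only on the user's own devices (how that key is backed up is outside the example), the file name bound in as associated data, and a constructed sample file; `Seal`, `Open`, `NewKey` and `Demo` are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. It is generated on the user's device
// and never uploaded; whoever lacks it sees only ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key. The file name is passed
// as associated data so a ciphertext cannot be silently swapped between files.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or the bound
// file name makes the GCM tag check fail, so tampering is detected, not
// silently decrypted into garbage.
func Open(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Demo exercises the three properties a user cares about: the provider can
// hand the file back intact, cannot alter it unnoticed, and cannot read it
// without the user-held key. The file contents are a constructed sample.
func Demo() (roundTrip, tamperDetected, wrongKeyDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	sample := []byte("constructed sample: contents of a KeePass vault")
	blob, err := Seal(key, sample, "vault.kdbx")
	if err != nil {
		return
	}
	got, err := Open(key, blob, "vault.kdbx")
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, sample)

	// Flip one bit in the stored ciphertext: the tag no longer verifies.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, tErr := Open(key, tampered, "vault.kdbx")
	tamperDetected = tErr != nil

	// A party without the key (the storage provider, say) cannot open it.
	other, err := NewKey()
	if err != nil {
		return
	}
	_, kErr := Open(other, blob, "vault.kdbx")
	wrongKeyDetected = kErr != nil
	return
}

func main() {
	rt, td, wk, err := Demo()
	fmt.Println("round trip:", rt, "tamper detected:", td, "wrong key rejected:", wk, "err:", err)
}
```

The design choice worth noting is the authenticated mode: plain AES-CBC would hide the contents but let a provider flip bits undetected, whereas GCM turns any modification into a decryption error. Random 96-bit nonces are fine for the number of files a personal account holds; a key used for very large numbers of files would want a nonce scheme with stronger reuse guarantees.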

And then, the question might arise…

why willingly upload any private data to a cloud at all, regardless of their marketing?!

  • Availability - Sometimes you need your data to be available everywhere
  • Offsite - If you want live offsite storage, the cloud is the best way

2 Likes

But,

—to be aware of any involved risks!

(Most people aren’t, see MSOffice-365, etc. …)

What of MS Active Directory, MS Outlook, MS Exchange, etc.?

Marketeers are driving an un-before-seen level of lucidity against us, while complaining about being hacked all the time, on a daily basis?

Blaming things on adversaries like Russia or China is the habitual response. Usually the blame comes without much proof.