
Kim Dotcom: £8.5k For The Man Or Woman Who Breaks Mega’s Security

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


Mega mogul presents a challenge to hackers everywhere

The unerringly ostentatious Kim Dotcom has responded to criticisms of the security on his Mega cloud locker service, with a challenge: break the encryption, show how you did it, and he will pay you €10,000 (£8,630).

Despite claims it was to be “The Privacy Company”, using open source encryption methods, a number of experts looked at the security on Mega in horror. There were a host of problems, including the use of a password to define one of the encryption keys used to secure files, which may not have provided as much randomness as some would have liked.

The fact that there was no password reset option will make things especially frustrating for anyone who forgets their login details too.

But New Zealand-based Dotcom believes the improvements made to his service’s security have made the site close to unbreakable, and Mega staff remain bullish about the site’s privacy qualities. That’s why Dotcom, making the announcement over Twitter, offered €10,000. He also noted that, despite the criticisms, as far as he knows Mega’s encryption remains unbroken.

Confident Kim Dotcom

Kim Dotcom is following what other Web companies do, including Facebook, Google and others, in offering money to those who find flaws. However, at £8,630, Dotcom is offering more than the average payout for flaws on Facebook or Google, which rarely surpass £1,000.

In an interview with TechWeekEurope last month, co-founder of Mega, Bram van der Kolk, said it was unlikely any more changes would be made to the encryption, beyond the newly implemented password reset option.

The password reset capability is there now, but is only usable in two cases. First, when users are already logged in and, second, where users are not logged in but their account is empty. That means anyone who has forgotten their password and has already uploaded files will not be able to access them again.

“Password resets with data present are considerably more tricky — we do not want a breach of your e-mail account to jeopardize the integrity of your files — and will be addressed at a later stage,” a blog post from Mega read today.

Mega continues to face claims of illegal filesharing on the site. Dotcom claimed this week that only 0.001 percent of files on Mega have been removed for potential copyright infringement. Mega has even apologised for mistakenly removing some files, although it may appear odd to some that any files have been taken down at all, given no one is supposed to have access to files other than users.

The issue is a hot one, since Mega is a follow-up to Dotcom’s previous venture, Megaupload, which landed him and van der Kolk in hot water with the US authorities. The issue is unresolved and the two are still facing potential extradition to the US.

Meanwhile, third-party sites have attempted to piggyback on Mega to potentially provide illegal download services.

Mega-search.me emerged earlier this week, offering crowdsourced link indexing to files. Mega quickly moved to shut off Mega-Search.me from its files, although the site said it would be delivering a “solution” to counter a script that deleted all files indexed by Mega-search.

“It has come to Mega’s attention that there are micro search engines that use our (M) logo and other Mega branding without authorisation,” the Mega blog read. “Worse, such site(s) were reported in a highly publicised manner and purport to be globally available search engines, but don’t have their own DMCA [Digital Millennium Copyright Act] takedown policy or registered DMCA agent.”

Such search services could be a threat to Dotcom’s freedom, given he is not supposed to be launching anything similar to Megaupload, according to his bail conditions.

Kim Dotcom and his number two will find out whether they will be extradited to the US at a hearing later this year.
