Kim Dotcom’s Number 2 On A Mad First Week At Mega

Bram van der Kolk talks to TechWeekEurope about the cloud filesharing service’s troubled first week

It was never going to be the quietest of starts at Mega. Not only was it founded by two serial irritators of US law enforcement, in the form of the audacious Kim Dotcom and his more reserved number two Bram van der Kolk, but it made some big promises, including a pledge to be “The Privacy Company”. It got plenty of media attention, threw some ostentatious parties and no doubt already has a sizeable user base.

But the claim around privacy seemed unfounded when security pros started poking holes in the code and the encryption used by Mega. There were numerous problems. First was the lack of a password reset option. If you lost your login, you lost your files – end of.

Some slammed the way in which Mega was doing block encryption, using an AES-128 master encryption key, for locking and unlocking user content. At first glance it seemed the encryption key was only defined by the user password, which may not have provided as much entropy or randomness as some would have liked. And Mega was sending AES-based hashes of encryption keys to people via email, opening the door for off-line cracking attempts.

Others wandered about the use of JavaScript pseudorandom-number key generation, with the Math.random function, used to produce a 2048-bit RSA key pair during sign-up. It’s a method known to be “notoriously risky”, said one onlooker.

A Mega start for Kim Dotcom and Co?

There were other issues. Some people didn’t even get their welcome emails, so they couldn’t log in. There was also, perhaps predictably, some downtime. Your correspondent attempted to upload some files on Monday, but to no avail. Kim Dotcom even took to Twitter to apologise for the problems users were having.

Mega is planning on making some changes, including a password reset feature, as outlined in our previous article. Indeed, the cloud file sharing newbie should benefit from all the attention security peeps gave it. “They’re getting some very good security auditing for free,” says Troy Hunt, a security expert from Australia, and a Microsoft MVP.

We caught up with van der Kolk, Mega co-founder and one of the Megaupload crew currently fighting extradition to the US over copyright infringement charges alongside Kim Dotcom, to talk about the crazy first week and what changes were coming.

Given all the hysteria around encryption, what changes can we expect in Mega security?
It is a philosophical question whether it makes sense to go to great lengths to protect users who choose insecure passwords, or whether it makes more sense to educate them about the risks (we are leaning towards the latter and will amend our sign-up procedure accordingly). Therefore, expect no cryptographic changes, but better enforcement of strong passwords.

What do you say to those people who claim you are just using security as a way to deflect legal challenges?
Encryption does not make a difference when it comes to liability for user actions. We are not legally allowed to proactively inspect user files to look for possible copyright violations, and we are legally obliged to heed takedown notices for encrypted files.

Do you have any figures on uptake since you kicked things off on Sunday? Any geographical data?
User response has been overwhelming and continues to be strong, especially out of Europe and South America, and they are uploading a lot – at times, we have seen in excess of 500 new files uploaded every second.

Have you had any calls from law enforcement related to the site yet?
Not yet.

How much was invested in the creation of Mega and when do you think you might turn a profit?
The only investment so far was for server infrastructure. Everybody else has been working without a penny, and this includes our fantastic legal team.

Where are the servers based? Are there many in the US? And what kind of infrastructure are you running in your data centres?
We have servers in Germany and New Zealand. We will not deploy servers in questionable jurisdictions. We use standard hardware for now.

What happens if you and other Megaupload defendants are eventually found guilty and can’t manage the site anymore? Who takes over?
We will have an unindicted backup admin team in place.

What updates can we expect in the coming months in terms of usability?
We hope to implement at least half of the development roadmap outlined in our on-site blog.

How do you feel things have gone thus far, given the bugs, the security issues and the downtime that was apparent?
It could have gone smoother, but considering the fact that 50,000 freshly written lines of code, running on freshly deployed server infrastructure and barely tested, went from zero to millions of visitors within hours, it wasn’t that bad.

As far as real and virtual security issues are concerned, we had a major one (XSS, fixed within 30 minutes) and an embarrassing one (AES-based hashing, fixed within 24 hours), while the remainder of the allegations were largely based on false assumptions regarding deduplication and unspecific fundamentalism (“If you can break SSL, you can break Mega!”). We hope that this will improve over time and that more real issues get reported for us to fix.

How well do you know Internet security? Try our quiz and find out!